Unless there is a specific allegation, the Privacy Commissioner won't be examining individual sites

Apr 17, 2014 12:15 GMT  ·  By

The Heartbleed vulnerability is so widespread that the Australian Privacy Commissioner Timothy Pilgrim has admitted that there’s no way for his office to investigate organizations vulnerable to the bug, unless there are allegations that private information has been stolen.

Hundreds of thousands of sites, if not more, have had to patch their systems following last week's revelations. Patching alone is not enough: because the bug can leak a server's private key, operators also had to generate new keys and revoke and reissue their SSL certificates, and the resulting flood of revocations has bloated certificate revocation lists, slowing browsers that download them.

Some of the affected companies and organizations are Australian, and any delay in patching puts their customers' data at risk. Canada offers a cautionary example: the Canada Revenue Agency lost about 900 social insurance numbers to an attacker exploiting Heartbleed before the agency had applied the fix.

During an event in Sydney, Tim Pilgrim admitted that, given the extent of the vulnerability, his office would not be investigating sites at random.

“The Heartbleed issue is obviously an extraordinarily complex one for all of us to be dealing with,” he said. “At this point in time we won't be going out and undertaking an assessment or an investigation at the moment randomly of any particular organisation because of the sheer volume of organisations that have been impacted by this particular issue,” Pilgrim explained.

The office will, however, look into the issue if a complaint is made or if there is an allegation that data has been lost from an organization or a government agency. In that case, the Commissioner would examine what steps the affected entity took to patch Heartbleed, and how quickly.

Heartbleed (CVE-2014-0160) was revealed last week as OpenSSL released 1.0.1g, the version that fixes it. The bug is present in OpenSSL 1.0.1 through 1.0.1f, so vulnerable code had been in circulation for roughly two years.

Because the flaw went unnoticed for so long, an unknown amount of data could have been taken. The bug is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: a single malformed heartbeat request can make the server return up to 64 KB of its memory, which may contain session cookies, passwords or the server's private key, and such requests leave no trace in ordinary server logs.
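To make the missing bounds check concrete, here is a simplified C model of a heartbeat handler, added as an illustration for this article; it is not OpenSSL's code and not code from the original page. The record layout (type, 16-bit payload length, payload, 16 bytes of padding) follows RFC 6520, but the function names, the 128-byte "server memory" slice, the secret string and the attacker's request are all constructed for the example. The `fixed` flag switches on the same check that OpenSSL 1.0.1g added: refuse any request whose claimed payload length exceeds the bytes actually received.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of padding */

/* Build a heartbeat response the way the pre-fix code did: the payload length is
 * read from the record itself and, unless `fixed` is set, never compared with how
 * many bytes actually arrived. On success *out is a malloc'd response and the return
 * value is its length; -1 means the request was dropped. (The minimum-length check
 * is here only so the model itself never reads outside `rec`.) */
static int hb_respond(const unsigned char *rec, size_t rec_len, int fixed, unsigned char **out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];   /* attacker-controlled */

    /* The 1.0.1g fix: a claimed payload that does not fit in the received record is
     * silently discarded, no alert, no response. */
    if (fixed && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t out_len = 1 + 2 + payload + HB_PADDING;
    unsigned char *resp = malloc(out_len);
    if (!resp)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);          /* unfixed: copies past the real record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out = resp;
    return (int)out_len;
}

/* Portable substring search over a byte buffer. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Lay out a constructed slice of "server memory": the received record at offset 0,
 * and a secret the process must never transmit at offset 64. Writes the request
 * (4 real payload bytes, but `declared` claimed) and returns its real wire length. */
static size_t build_memory(unsigned char *mem, unsigned int declared, const char *secret)
{
    memset(mem, 0, 128);
    memcpy(mem + 64, secret, strlen(secret));   /* adjacent heap data, constructed */
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(declared >> 8);
    mem[2] = (unsigned char)(declared & 0xff);
    memcpy(mem + 3, "ping", 4);                 /* padding bytes mem[7..22] stay zero */
    return 1 + 2 + 4 + HB_PADDING;              /* 23 bytes actually "on the wire" */
}

/* 1 if a request claiming 100 payload bytes pulls the secret into the response. */
int hb_secret_leaks(int fixed)
{
    unsigned char mem[128], *resp = NULL;
    const char *secret = "CONSTRUCTED-PRIVATE-KEY-FRAGMENT";
    size_t real_len = build_memory(mem, 100, secret);
    int n = hb_respond(mem, real_len, fixed, &resp);
    if (n < 0)
        return 0;                               /* dropped: nothing leaked */
    int leaked = contains(resp, (size_t)n, secret);
    free(resp);
    return leaked;
}

/* 1 if a well-formed 4-byte request is still answered (the fix must not break it). */
int hb_echo_ok(int fixed)
{
    unsigned char mem[128], *resp = NULL;
    size_t real_len = build_memory(mem, 4, "CONSTRUCTED-PRIVATE-KEY-FRAGMENT");
    int n = hb_respond(mem, real_len, fixed, &resp);
    if (n < 0)
        return 0;
    int ok = n == 23 && contains(resp, (size_t)n, "ping");
    free(resp);
    return ok;
}

int main(void)
{
    printf("unfixed: secret leaks=%d echo ok=%d\n", hb_secret_leaks(0), hb_echo_ok(0));
    printf("fixed:   secret leaks=%d echo ok=%d\n", hb_secret_leaks(1), hb_echo_ok(1));
    return 0;
}
```

The unfixed handler answers the malformed request with 119 bytes, 96 of which were never part of the request and include the secret placed behind the record; the fixed handler drops that request while still echoing the honest one. Note that nothing in the model logs the discarded request, which matches why exploitation on a real server left no trace.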

Taken together, the two facts leave a frightening picture: nobody can say whether the vulnerability was exploited and, if it was, how much information has been taken over the past two years.