Heartbleed and Marketing Vulnerabilities

Within days of its discovery, Heartbleed burst into the news and social media. This named bug eclipsed previous vulnerabilities in impact and awareness, alerting engineers, technicians, and IT personnel to protect their vulnerable systems. However, most do not remember Heartbleed for its exact technical details, but rather for the colossal awareness campaign that rocked mainstream media, which normally does not concern itself with software bugs. Other serious software flaws in the past have been cause for alarm; what warranted, or enabled, the massive “media explosion” of coverage for Heartbleed? Does the use of marketing tactics help or harm the cause of vulnerability reporting? Finally, two years later, how have companies attempted to imitate the style of vulnerability marketing popularized by Heartbleed?

Heartbleed is a vulnerability in OpenSSL, the cryptographic software library often used to encrypt internet traffic between a user and a web service such as Facebook or Twitter. When exploited, the bug allows attackers to steal chunks of data that may include usernames, passwords, cryptographic keys, and other sensitive material. The bug was discovered on the same day by engineers at the security company Codenomicon and at Google. Heartbleed was immediately recognized as a serious issue: it was easy to exploit without detection, and it was effectively a zero-day vulnerability, having existed for many years unbeknownst to the security community. The combination of these factors alarmed companies, which had no way of knowing whether they had already been victims of debilitating attacks.
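The defect behind that data theft, shown here as an added C example (not code from the page or from OpenSSL's own source): a heartbeat handler that trusts the sender's claimed payload length beside one that checks the claim against the record it actually received, run on a constructed request and a constructed stand-in for the neighbouring memory a real server would leak.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_HDR_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1

/* Builds the echoed payload of a heartbeat response.
 * trust_claimed_len != 0 reproduces the Heartbleed defect: the sender's payload_length
 * is used without checking it against the record length.
 * trust_claimed_len == 0 applies the fix: a claim that cannot fit inside the record is
 * rejected. Returns the number of bytes echoed, or -1 when the request is dropped. */
int heartbeat_response(const uint8_t *record, size_t record_len,
                       uint8_t *out, size_t out_cap, int trust_claimed_len)
{
    if (record_len < HB_HDR_LEN || record[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (!trust_claimed_len && HB_HDR_LEN + payload_len + HB_MIN_PADDING > record_len)
        return -1;                                 /* the fix: claim must fit in the record */
    if (payload_len > out_cap) return -1;          /* keeps this demo's own buffer safe */
    memcpy(out, record + HB_HDR_LEN, payload_len); /* over-reads the record when unchecked */
    return (int)payload_len;
}

/* Constructed scenario: a 23-byte request claiming a 64-byte payload sits in an arena,
 * followed by a string standing in for neighbouring process memory (a constructed value).
 * Returns 1 if that string came back in the response, 0 if it did not, -1 if rejected. */
int demo_leaks(int trust_claimed_len)
{
    uint8_t arena[128] = {0}, out[128];
    const char *secret = "SECRET-KEY-MATERIAL";
    size_t slen = strlen(secret), soff = 40;              /* secret placed 40 bytes into arena */
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 64;   /* claims a 64-byte payload */
    memcpy(arena + HB_HDR_LEN, "ping", 4);                /* actually carries 4 bytes */
    size_t record_len = HB_HDR_LEN + 4 + HB_MIN_PADDING;  /* 23 bytes on the wire */
    memcpy(arena + soff, secret, slen);
    int n = heartbeat_response(arena, record_len, out, sizeof out, trust_claimed_len);
    if (n < 0) return -1;
    if ((size_t)n < soff - HB_HDR_LEN + slen) return 0;
    return memcmp(out + soff - HB_HDR_LEN, secret, slen) == 0;
}

/* A well-formed request (claims 4 bytes, carries 4 plus padding) still passes the fixed check. */
int demo_valid_request(void)
{
    uint8_t req[HB_HDR_LEN + 4 + HB_MIN_PADDING] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[32];
    return heartbeat_response(req, sizeof req, out, sizeof out, 0); /* 4 */
}
```

With the claim trusted, the 64-byte response carries the stand-in secret; with the check in place, the same request is dropped while a well-formed one is still answered.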

Marketing the Exploit

Researchers at Codenomicon realized Heartbleed was extremely dangerous to the point where companies and involved personnel needed to be informed as swiftly and effectively as possible. To start, the engineers assigned it a memorable name and worked with an internal artist to develop an eye-catching logo. Richard Nieva writing for CNET said,

“If the name sounds a bit too catchy for a security glitch, that’s exactly the point. The team at Codenomicon wanted something press friendly that could spread quickly, to warn more people of the flaw. Soon after they named the bug, they bought the domain Heartbleed.com to educate the Web about the glitch.”

The ominous, striking logo and dangerous-sounding name were explicitly designed to catch people’s attention and subtly communicate the nature of the vulnerability (information bleeds to an attacker who exploits a fault in OpenSSL’s Heartbeat protocol). Finally, Codenomicon’s researchers established a web presence at www.heartbleed.com that was equally memorable, accessible, and visible as the name and logo. Curious laypersons and experienced technicians alike could easily navigate to the new website as it circulated, grasp the situation, and pass the URL on by word of mouth. At the time, John Biggs, investigating Heartbleed’s marketing tactics, wrote for TechCrunch:

“The idea of a branded exploit – one that is carefully curated for easy consumption – is a new one. Historically obfuscation, either real or inadvertent, has been the watchword in computer security mostly because not everyone cared about major exploits. Heartbleed, in a way, was different. It was worldwide, very dangerous, and oddly photogenic.”

News and social media apparently agreed; within days, news of Heartbleed was plastered everywhere, with the symbolic bleeding heart logo alongside every article, status, tweet, or blog post. The logo was made “free to use, rights waived via CC0”, which means it was released into the public domain, and it effectively served as a “focal point” to identify the concept and spread awareness. Administrators, engineers, programmers, and others in the IT field were all alerted to the vulnerability almost simultaneously thanks to the huge media presence. Fixes were developed and applied in record time. Even those inexperienced with web security could understand the seriousness of the bug; undoubtedly many read about Heartbleed on the news, on social media, or on the official website and informed those who could apply fixes. Software developer Patrick McKenzie wrote on his blog,

“People will generally try to link to something to describe a project / vulnerability / etc, and having an easy and obviously linkable canonical description is both best for clarity and best for your own personal interests as the project/etc creator. Heartbleed.com is the canonical explanation of Heartbleed, both because people trust $8.95 domain names and because it was first published, came with a design/logo and comprehensive information, and is suitably authoritative in character.”

McKenzie goes on to argue that more marketing in the style of Heartbleed would benefit the Open Source Software community. He contends that although the community produces fixes for problems, the fact that those problems exist and are critical will not be communicated effectively to the masses without memorable, concise, and informative methods of communication. McKenzie recalls the handling of another critical vulnerability. CVE-2013-0156, the “Rails YAML deserialization vulnerability”, was obviously not given a catchy name, and the best reference he found was “an archived copy of a plain-text email, hosted on Google Groups.” Despite this obscurity, countless web servers running Ruby on Rails were susceptible to arbitrary code execution, and thus to hijacking. Administrators could undoubtedly have patched their systems sooner had warnings been trending on social media.

What consequences exist?

While McKenzie looks favorably upon such marketing tactics, others have raised the concern that coverage on this scale could also assist those with malicious intent. Alternatively, companies could abuse bug reporting as a marketing strategy. Steve Hoffenberg writes on the VDC Research blog,

“…Codenomicon undoubtedly got a huge boost in its profile by virtue of its role in publicizing Heartbleed. Therefore, we anticipate that other security firms will seek similar attention when they discover significant vulnerabilities. We wouldn’t be surprised if discoverers prepare websites and logos before they even disclose the bugs, then flip the switch to launch their sites instantly upon disclosure. That may again produce rapid, coordinated reaction to fix the problem, but it raises questions about possibly overstating the risks associated with lesser vulnerabilities in the name of garnering publicity.”

Hoffenberg goes on to suggest that hackers “could conceivably set up fake vulnerabilities web pages” as pranks, or as distractions. Real exploits could be used while heads are turned.

Although Hoffenberg is worried about companies exaggerating the seriousness of a bug for publicity’s sake, Heartbleed’s media campaign was strongly reinforced by the confirmation and consensus of other researchers and organizations in the web security community. OpenSSL and other suites are open source, and as such are freely available to download and browse. Any company that “cries wolf” will likely be rebuked by others who will immediately check the same code. Concerns that publicity campaigns could act as distractions should not cause much worry for the same reason. Distractions targeted at specific companies or persons would fall under the realm of phishing, which most organizations actively guard against.

What about now?

Two years later, there have been many attempts to market software vulnerabilities in the manner of Heartbleed, all with logos, web presences, and copious “hype”. The main website for another vulnerability, Badlock, addresses the widespread criticism that it was overhyped with a Q&A entry titled “Yet Another Bug With A Logo?”, answering (perhaps ironically), “It is a thin line between drawing attention to a vulnerability that should be taken seriously and overhyping it.” Meanwhile, the consensus concerning Badlock is that the bug is nowhere near as serious as its website claimed. SerNet, the company behind the marketing of Badlock, attempted the “Bugs 2.0” method perfected by Heartbleed’s marketers, but lacked the community confirmation.

Already, many have become tired of the “Bug With A Logo” cliché because, more often than not, the bugs depicted as apocalyptic may not actually concern scores of internet users, or just aren’t that serious at all. Duo Security states on the satirical web page http://backronym.fail,

“A new and serious vulnerability has been identified in a popular software library. How do we know it’s serious? Because the vulnerability has a clever name, sweet logo, and as much hype as we can generate from a single web page.”

Although the anonymous authors at Duo Security poke fun at serious bugs for apparently having these marketing qualities, keep in mind that ideally only serious bugs will be marketed as such. Mark Wilson for Co.Design seemingly predicted the present state of Pop-Bug-Reporting when he wrote two years ago,

“Don’t be surprised if the next major bug has many names and many logos, all linked by private security companies looking to cash in first on the free press. But at the end of the day, is this branding really a bad thing?”

Indeed, at the end of the day, although there are many examples of overhyped bugs that may cause frustration, each one is worth investigating. It is preferable to have too many marketed vulnerabilities than too many unknown or ignored ones. These marketing methods are being used universally because they have proven effective at spreading awareness. Groups that are committed to informing the masses about a vulnerability that may concern them need look no further than marketing, or Heartbleed, for inspiration.

For more information about Heartbleed:

http://heartbleed.com/


This post was written by: John Luke Navarro

References

“The BACKRONYM Vulnerability.” The BACKRONYM Vulnerability. DUO Security, n.d. Web. <http://backronym.fail/>.

“Badlock Bug.” Badlock.org. SerNet, Apr. 2016. Web.

Biggs, John. “Heartbleed, The First Security Bug With A Cool Logo.” TechCrunch. N.p., 09 Apr. 2014. Web.

“The Heartbleed Bug.” Heartbleed Bug. Codenomicon, Apr. 2014. Web. <http://heartbleed.com/>.

Hoffenberg, Steve. “Exploiting the Exploit: The Marketing of Heartbleed.” ‘On Target: Embedded Systems’ VDC Research, 23 Apr. 2014. Web.

Nieva, Richard. “Heartbleed Bug: What You Need to Know (FAQ).” CNET. CBS Interactive Inc., 11 Apr. 2014. Web.

McKenzie, Patrick. “What Heartbleed Can Teach The OSS Community About Marketing.” Kalzumeus Software. N.p., 09 Apr. 2014. Web. <https://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/>.

Wilson, Mark. “Why The Security Bug Heartbleed Has A Catchy Logo.” Co.Design. N.p., 11 Apr. 2014. Web. <https://www.fastcodesign.com/3028982/why-the-security-bug-heartbleed-has-a-catchy-logo>.