Posts Tagged ‘Internet’

Internet security bug is as bad as it sounds

April 10th, 2014

The word “Heartbleed” meant nothing at the start of the week. Today it is one of the hottest topics on the Internet — a simple security bug in an obscure piece of software that could compromise the personal information of millions. And while the Internet’s biggest companies scramble to fix the problem, users had better get ready to upgrade their own security practices.

“It’s not an academic exercise,” said Trey Ford, global security strategist at network security firm Rapid7 LLC in Boston. “I think this is a really big deal.”

So big that Ford thinks people should take a time out from online retailers, financial services sites, or online destinations that require entering sensitive information — names, addresses, credit card numbers. “I probably wouldn’t log into those for a couple of days or so,” he said.

To Ford, this isn’t another exaggerated Internet scare. Heartbleed really is that bad. But what is it?

Heartbleed is a bug that was accidentally added to a vital piece of software called OpenSSL, a cryptographic library that secures a large share of the Internet’s websites. Web servers such as Apache, the most widely used software for delivering Web pages to your computer, rely on OpenSSL to set up an encrypted data channel (TLS, the padlock in your browser) between your machine and the remote server. When it’s working properly, data traveling between the two machines looks like gibberish to anyone listening in; only the two endpoints hold the keys for decoding the information.

OpenSSL is vital to Internet commerce, making it safe to move financial information online. But the TLS “heartbeat” extension, which first shipped in OpenSSL 1.0.1 in March 2012, was written without a bounds check. A heartbeat is a small keep-alive message that the other side is supposed to echo back. Because the code trusted the length written in the message header rather than the number of bytes actually received, a client could claim that a tiny message was up to 64 kilobytes long, and the server would echo back that much of whatever happened to sit in its memory after the message. That memory can include the server’s private key needed to decode the data stream, session cookies, user names and passwords, e-mails, financial data, phone numbers, pretty much anything that recently passed through the server, and the request can be repeated as often as the attacker likes to harvest more.
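The missing check, as an added illustration that is not OpenSSL’s own code: the two handlers below are a deliberately simplified model of the heartbeat processing in OpenSSL’s ssl/t1_lib.c before and after the 1.0.1g patch, operating on a small simulated memory buffer. The "secret" placed after the received record, the buffer sizes and all function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* Simulated process memory: the received heartbeat record is written at the
 * start and a constructed "secret" is placed directly after it, standing in
 * for whatever a real server had in adjacent heap memory. */
static unsigned char process_memory[256];
static const char secret[] = "SECRET:session_key=deadbeef";

/* Build a heartbeat request in process_memory.
 * Wire layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding.
 * claimed_len is what the sender writes in the header; actual_len is how many
 * payload bytes are really present. Returns the true record length. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    unsigned char *p = process_memory;
    memset(process_memory, 0, sizeof process_memory);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memset(p, 'A', actual_len);
    p += actual_len;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    size_t record_len = (size_t)(p - process_memory);
    memcpy(process_memory + record_len, secret, sizeof secret);
    return record_len;
}

/* Shared echo: copies `payload` bytes starting at `pl` into the response. */
static size_t write_response(const unsigned char *pl, uint16_t payload,
                             unsigned char *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);   /* reads `payload` bytes whatever the record size */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: the header
 * length is trusted and the true record length is never consulted, so the
 * echo reads past the end of the record. Returns the response length. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* the bug: never checked */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec + 3, payload, out, out_cap);
}

/* Fixed handler, modelled on the 1.0.1g patch: header, claimed payload and
 * minimum padding must fit inside the bytes actually received, otherwise the
 * message is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    return write_response(rec + 3, payload, out, out_cap);
}

/* Naive substring search over a byte buffer (memmem is not portable). */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a request that claims 64 payload bytes but carries 4, and report
 * whether the handler's reply contains the secret stored past the record. */
static int leaks_secret(size_t (*handler)(const unsigned char *, size_t,
                                          unsigned char *, size_t)) {
    size_t rec_len = build_request(64, 4);
    unsigned char resp[512];
    size_t n = handler(process_memory, rec_len, resp, sizeof resp);
    return n > 0 && contains(resp, n, secret);
}

/* A well-formed request (claimed == actual) is still answered by the fixed
 * handler; returns the response length, 1 + 2 + 4 + 16 = 23. */
static size_t fixed_answers_valid_request(void) {
    size_t rec_len = build_request(4, 4);
    unsigned char resp[512];
    return heartbeat_fixed(process_memory, rec_len, resp, sizeof resp);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler valid response:    %zu bytes\n", fixed_answers_valid_request());
    return 0;
}
```

The attacker controls only the two-byte length field; the vulnerable handler copies that many bytes from wherever the record sits, so the reply carries the bytes that follow it in memory. The fix is one comparison against the number of bytes actually received, which is why the patch was a few lines long while the exposure lasted two years.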

A security engineer at Google Inc. and a team of researchers at Finnish security company Codenomicon Ltd. uncovered the problem and raised the alarm on Monday. In the process, they kicked off an online panic that is quite justified.

OpenSSL “is at the cornerstone of trust on the Internet,” said Ford. It’s not just buying and selling. For instance, Internet e-mail services such as Yahoo Mail use OpenSSL to ensure the confidentiality of personal messages. So much for that: A security researcher was able to steal a Yahoo username and password from the company’s servers by using the Heartbleed trick.

Yahoo says it has fixed the problem on its servers. Meanwhile, other major Internet companies are also offering reassurances. I pinged Facebook, tax preparation company Intuit Inc., and the Internal Revenue Service. All replied that their computers are not vulnerable to the Heartbleed problem.

But before you relax, consider that this bug was introduced two years ago. All this time, our “secure” data has been vulnerable. If some criminal gang had exploited the bug, I think we’d recognize them by a trail of emptied bank accounts, so this probably hasn’t happened. But if you worked at a spy shop like the National Security Agency or China’s Ministry of State Security, you’d be dead quiet about this handy little exploit. Instead, you’d use it to quietly scoop up intelligence on carefully selected targets.

Has this happened? Who knows? Exploiting most security flaws leaves traces behind: a crashed process, an odd entry in a log, an altered file. You’ll know you’ve been hit, even if you can’t do anything about it.

But Heartbleed doesn’t leave a mark. A malformed heartbeat is answered inside the OpenSSL library before the web server writes anything to its logs, so a site that has now patched cannot look back and tell whether it was ever attacked; only a site that happened to be recording its raw network traffic could check. Our passwords and personal data may already have been leaked out, scooped up, and filed away. Or not. It’s impossible to be sure.

Which is why Ford and other security analysts say there’s only one thing to do — change your passwords. Every last one, or at least every one that logs you onto financial, shopping, or social networking sites, the places where you share sensitive information. It’s also a good idea to delete all cookies from such sites.

But even this won’t protect you unless the sites you visit have upgraded their own software and, because the server’s private key may have leaked, replaced their security certificates as well. Log onto a still-affected server, and your new password could be as compromised as the old one. So Ford recommends taking your time. “Wait a day or two,” he said, “and then start changing passwords.”

In the early days of the Internet, global security scares came like clockwork: the Melissa virus of 1999, the ILOVEYOU worm of 2000, the Code Red worm of 2001. Today the Internet is less vulnerable to sabotage. But as Heartbleed proves, there will never be a cure for carelessness.


Nginx: this Russian software is taking over the internet

September 10th, 2013

Automattic was replacing the web server software that underpins its popular WordPress blogging platform, and things weren’t going well.

This was 2008, and the company was intent on moving WordPress to software in line with its open source philosophy. The world’s best-known web server, Apache, was the obvious choice, but when engineers started tinkering with the way the software was set up, Apache would crash, especially when WordPress was really busy. “We realised that it wasn’t super-stable under production traffic,” says Barry Abrahamson, a WordPress “systems wrangler” who helped manage the transition.

So Automattic pulled the plug on its Apache migration and bet the company on a then little-known open source project called Nginx. Five years later, WordPress still runs on Nginx, pronounced “Engine X”, and many others have followed suit.

At a time when the world’s best-known web servers are losing market share, Nginx is growing, fuelled by a no-frills philosophy and its knack for handling myriad web connections at the same time. Apache is still the king of all web servers, but use of Nginx has nearly doubled over the past two years, according to internet research outfit Netcraft.

It now runs about 15 percent of all websites, including everyone from startups such as CloudFlare and Parse (bought by Facebook earlier this year) to web giants such as Automattic and Netflix. “We use it for everything,” says Automattic’s Abrahamson. “We run as much of our software stack as possible on top of Nginx.”

In many ways, it’s an unlikely success story, but one that underscores the global power of open source software, software that anyone can use and modify — for free.

Nginx was created as a pet project by a Russian systems administrator named Igor Sysoev. The 42-year-old started work on the project in 2002, and the first public release came in October 2004. Like many open source project leaders, he was trying to scratch an itch. At the time, he worked for Rambler, a fast-growing Russian internet portal, and he needed a server that could handle more traffic than the open source alternatives.

As he developed Nginx, he was able to test the code on Rambler’s web properties. But that wasn’t where it first went live. It got picked up first by the MP3 download site Zvuki — that was back in 2003 — and then an Estonian online dating service, and finally, it powered Rambler’s own photo-sharing site.

By 2005, there were maybe 100 users, but it was hard for English speakers to figure out how to get up and running. Most of the project’s documentation was in Russian and so was its most active discussion list. But in 2006, English speakers started posting to Nginx’s discussion list, even as Russian speakers in the US and other countries helped the project spread, sharing configuration files on blogs and helping to translate the complex documentation so others could pick it up.

When sites like YouTube and Facebook started taking off, Nginx remained obscure, but it was perfectly positioned for the next generation of internet companies, and by the end of the decade, it was roping in companies like Automattic and CloudFlare.

In 2009, CloudFlare was building a company that sold websites protection from cyber attacks and services that sped up their performance, and it needed web server software that would work with modern machines that used multi-core processors, computer chips that behave like many chips. According to CloudFlare CEO Matthew Prince, Nginx worked better on multi-core and multiprocessor systems, and it could connect with many more web clients without overwhelming the computer’s memory, because its event-driven design does not dedicate a process or thread to each connection the way Apache’s traditional worker models do.

Would they have considered obscure Russian software if they hadn’t been able to examine the source code? “Never in a million years,” Prince says. “If it hadn’t been open-source, we wouldn’t have trusted it.”

Instead, CloudFlare offered Sysoev a job (he declined) and bet the company on the project. Today, the company serves more than one trillion web requests per month using Nginx. “The great thing about tech is great tech rises to the top,” says Prince. “If it solves the problem… and if it’s open source, you can go in and read the source and, worst-case, you can change it.”

Today, Nginx is particularly popular among startups like CloudFlare. According to Netcraft, Nginx accounts for more than 40 percent of the 12 million websites that run on Amazon’s cloud computing service, which is a mainstay in the startup world. A lot of this growth has come at the expense of Apache, which, like Microsoft’s IIS web server, was created back in the 1990s — back when web servers were powered by much simpler chips and operating systems.

Sysoev was serving a real need. “The problem he was solving was really common. It wasn’t really a Russian problem,” says Andrew Alexeev, director of business development at Nginx. “Everything started to transition more and more to online services, and that meant a bigger number of users per server and more complex architectures.”

After Automattic switched to the platform in 2008, founder Matt Mullenweg sent Sysoev an unsolicited donation of $3,500 (£2,268). “Let me know if I can do anything to help,” he wrote. “It is very well done.”

That’s when Sysoev says he knew the project had hit the big time. “It was the largest donation I ever saw,” he remembers.

Two years ago, he quit his job at Rambler, and now — with investors including Michael Dell’s MSD Capital — he’s chief technology officer at a newly formed company that aims to sell a souped-up version of Nginx to corporate users. In August, the company introduced their first commercial product: Nginx Plus. After more than a decade of development and 100 million web sites, Sysoev is finally ready to cash in.


60 percent of vehicles to be Internet-enabled by 2025

September 2nd, 2013

By 2025, it is estimated that 60 percent of cars on the road will be connected to the Internet, according to the Institute of Electrical and Electronics Engineers (IEEE).

According to a statement by the organization on Friday, Internet connectivity will promote better vehicle safety features and autonomous vehicles but will also make them more vulnerable to software hacking.

There are already car manufacturers implementing connected car technologies, with cars being equipped with Bluetooth and the ability to interact with mobile devices, Jeffrey Miller, IEEE member and associate professor in the University of Alaska’s computer systems engineering department, noted in a statement.

“The widespread adoption of connected cars will allow consumers to treat their vehicles as just another one of their devices. Hosting mobile operating systems and purchasing data packages from wireless providers will be commonplace in the future,” Miller said.

Improved vehicle safety and convenience, rise of autonomous vehicles

Internet-connected vehicles will give drivers better safety and convenience, since the technology supports communication between people and vehicle-to-vehicle communication.

Through vehicle-to-vehicle communication, cars can travel in closer proximity at higher speeds, and automatically reroute to avoid hazardous weather conditions or congested highways, Christoph Stiller, IEEE member and professor at Germany’s Karlsruhe Institute of Technology, pointed out in the statement.

“Because of these features, human error will nearly be removed from driving, therefore making it a safer and more enjoyable experience,” Stiller said.

The dependence on connected devices and Internet-enabled vehicles also means consumers will start placing more trust in automated systems. This will lead to increased adoption of autonomous vehicles.

In the next five years, for example, there will be lanes dedicated for the specific use of autonomous vehicles, Alberto Broggi, IEEE senior member and professor of computer engineering at Italy’s University of Parma, noted. Driving will be more of a “novelty”, where “people will actually pay to drive cars manually similar to go-karts.”

Vehicles will also be more vulnerable to hacking

That said, with vehicles being more connected, they will also be more vulnerable to software hacks.

According to Kevin Curran, IEEE senior member and professor of computing and engineering at University of Ulster, hackers can potentially affect audio features, disable the vehicle’s ignition, override braking systems and infect software with Trojans and viruses.

To cope with this, manufacturers must start placing firewalls between the vehicle’s networks, so that a compromise of one integrated system, such as the entertainment or phone-connected system, cannot be used to reach another, he pointed out. “There is a strong presence of interconnectivity between vehicle networks, so a breach in one network may cause havoc in another,” Curran said.

