Posts Tagged ‘security’

Digital heart attack

April 11th, 2014

The Heartbleed bug sounds like a nasty coronary condition. But it is in fact a software flaw that has left up to two-thirds of the world’s websites vulnerable to attack by hackers. “This is potentially the most dangerous bug that we have seen for a long, long time,” says James Beeson, the chief information security officer of GE Capital Americas, an arm of GE. Since its existence was revealed on April 7th by researchers at Codenomicon, a security outfit, and Google, countless companies around the world that rely on the internet for part or all of their business have been scrambling to fix the flaw.

Ironically, the bug was discovered in OpenSSL, encryption software that was designed to make the internet more secure. Available free, this open-source code is popular with businesses and governments, which use it to help secure everything from online credit-card transactions to public services. On April 9th, for instance, Canada’s tax authority shut off public access to its online services while it checked the security of its systems in the light of news about the bug.

The flaw makes it possible for hackers to trick a server into spewing out data held in its memory. OpenSSL has a feature known as a “heartbeat” that allows a computer at one end of an encrypted link to send occasional signals to the computer at the other end of it, to check that it is still online. The researchers discovered that a hacker with knowledge of the bug could replicate this signal and use it to steal all manner of data from a remote computer.

Those data could include encryption keys that let hackers decipher traffic. To make matters worse, the researchers found that the bug, which is present in some versions of OpenSSL that have been available since March 2012, allows attacks to be mounted without leaving a trace in targeted computers’ “server logs”, so victims are unaware their systems have been compromised. That means it is impossible to tell for sure what damage has been done.

The bug has forced companies to find out fast how many of their systems employ the vulnerable versions of OpenSSL. “Everyone knows they have to patch their customer-facing internet websites, but that is only the tip of the iceberg,” says Jonathan Sander of STEALTHbits Technologies, a security firm that is helping one of America’s biggest banks work out where it has deployed the buggy software. Web-connected systems that handle things such as accounting and personnel data will also need to be checked for the bug.

Mr Sander likens the discovery of the Heartbleed bug to finding a faulty part in nearly every make and model of car. The problem is that the internet cannot be recalled. Big web companies such as Google and Yahoo have moved fast to deal with the bug. But millions of smaller e-commerce sites and other businesses face the worrying prospect of being attacked by hackers alerted to the bug’s existence as the firms race to fix the problem.

The cure includes applying a software “patch” and then choosing new encryption keys to replace those that may have been compromised. Once this has been done, customers will often need to change their passwords too. Tumblr, a blogging service owned by Yahoo, has urged its users to change the passwords they use for all of the secure online services that hold sensitive data about them. Some companies even chose to suspend services while they were working on a fix. Bitstamp, a Bitcoin e-currency exchange, temporarily suspended new account registrations and logins to its existing accounts.

Another Y2K?

Perhaps the risk posed by the Heartbleed bug will turn out to be overblown. But if it emerges that companies’ systems have indeed been hacked because of it, this could open a legal can of worms. Firms could argue that they ought not to be punished for using widely trusted security software. But aggrieved customers—and their lawyers—may see things differently.

Quite how the bug got into the OpenSSL software in the first place is a mystery. Bruce Schneier, an internet-security expert, argues in a blog post that “the probability is close to one” that intelligence agencies have exploited the glitch to nab the encryption keys needed to decipher information about their targets. His guess is that the glitch is the result of a coding error rather than the handiwork of spies, though he says he cannot be sure.

No matter who is to blame, this episode is another reminder of the security challenges companies face as ever more economic activity shifts online. According to eMarketer, a research outfit, worldwide business-to-consumer e-commerce sales are likely to grow by just over a fifth this year, to $1.5 trillion. That is a huge commercial opportunity, but it will also encourage cyber-crooks to target businesses even more vigorously. Expect more computer-security heartburn in boardrooms.


Internet security bug is as bad as it sounds

April 10th, 2014

The word “Heartbleed” meant nothing at the start of the week. Today it is one of the hottest topics on the Internet — a simple security bug in an obscure piece of software that could compromise the personal information of millions. And while the Internet’s biggest companies scramble to fix the problem, users had better get ready to upgrade their own security practices.

“It’s not an academic exercise,” said Trey Ford, global security strategist at network security firm Rapid7 LLC in Boston. “I think this is a really big deal.”

So big that Ford thinks people should take a time out from online retailers, financial services sites, or online destinations that require entering sensitive information — names, addresses, credit card numbers. “I probably wouldn’t log into those for a couple of days or so,” he said.

To Ford, this isn’t another exaggerated Internet scare. Heartbleed really is that bad. But what is it?

Heartbleed is a bug that was accidentally added to a vital piece of software called OpenSSL, which secures thousands of Internet sites worldwide. OpenSSL software is built into Apache, the server software used by about two-thirds of the world’s websites to deliver Web pages to your computer. It sets up an encrypted data channel between your machine and the remote server. When it’s working properly, data traveling between the two machines looks like gibberish except to the authorized computers, which have keys for decoding the information.

OpenSSL is vital to Internet commerce, making it safe to move financial information online. But in 2012, during a software upgrade, someone wrote a bit of bad code that makes it possible to read unencrypted information from the memory of the remote server. This can include the encryption keys needed to decode the data stream, and e-mails, financial data, phone numbers — pretty much anything.
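The heartbeat over-read that both articles describe (the “heartbeat” check in “Digital heart attack” above, and the “bit of bad code” in the paragraph just read) comes down to a single missing length check. The following is an added example, not code from either article and not OpenSSL’s own source: a simulated heartbeat responder in C, with the unchecked version beside the corrected one. The wire layout follows the TLS heartbeat extension (a one-byte type, a two-byte big-endian payload length, the payload, then padding); the simulated process memory, the `SECRET` string, the `ping` payload and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated process memory (constructed): the received heartbeat record sits
 * at offset 0; unrelated data that happens to be adjacent sits at SECRET_OFFSET. */
#define MEM_SIZE      256
#define SECRET_OFFSET 64
#define SECRET        "password=hunter2"   /* constructed sample of adjacent data */

/* Heartbeat request layout: type(1) | payload_length(2, big-endian) | payload | padding */
#define HB_REQUEST 1
#define HB_PADDING 16

typedef struct {
    unsigned char mem[MEM_SIZE];
    size_t record_len;   /* bytes that actually arrived in this TLS record */
} sim_t;

/* Build a record whose header claims `claimed_len` payload bytes but which
 * really carries `actual_len` bytes of `payload`. An honest peer sets both equal. */
static sim_t make_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    sim_t s;
    memset(s.mem, 0, sizeof s.mem);
    s.mem[0] = HB_REQUEST;
    s.mem[1] = (unsigned char)(claimed_len >> 8);
    s.mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&s.mem[3], payload, actual_len);
    s.record_len = 3 + actual_len + HB_PADDING;
    memcpy(&s.mem[SECRET_OFFSET], SECRET, sizeof SECRET);   /* the neighbouring data */
    return s;
}

/* Unchecked responder: trusts the peer-supplied length field and copies that
 * many bytes from the payload, so it runs past the end of the record into
 * whatever lies next to it. The only bound here keeps the simulation inside
 * its own array; nothing compares the claim against record_len. */
static size_t heartbeat_unchecked(const sim_t *s, unsigned char *out, size_t out_cap) {
    if (s->mem[0] != HB_REQUEST) return 0;
    size_t claimed = (size_t)((s->mem[1] << 8) | s->mem[2]);
    size_t n = claimed;
    if (n > out_cap) n = out_cap;
    if (n > sizeof s->mem - 3) n = sizeof s->mem - 3;   /* simulation bound only */
    memcpy(out, &s->mem[3], n);                         /* BUG: not checked against record_len */
    return n;
}

/* Corrected responder: the claimed payload plus header and minimum padding
 * must fit inside the bytes actually received, otherwise the request is dropped. */
static size_t heartbeat_checked(const sim_t *s, unsigned char *out, size_t out_cap) {
    if (s->mem[0] != HB_REQUEST) return 0;
    if (s->record_len < 1 + 2 + HB_PADDING) return 0;              /* too short for a header */
    size_t claimed = (size_t)((s->mem[1] << 8) | s->mem[2]);
    if (1 + 2 + claimed + HB_PADDING > s->record_len) return 0;    /* the missing check */
    if (claimed > out_cap) return 0;
    memcpy(out, &s->mem[3], claimed);
    return claimed;
}

/* Does the reply contain the adjacent secret? (simple substring scan) */
static int leaks_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one request (a 4-byte "ping" payload, claiming `claimed` bytes) through
 * the chosen responder and report the reply length. */
static size_t reply_len_for(uint16_t claimed, int use_checked) {
    sim_t s = make_request(claimed, "ping", 4);
    unsigned char out[MEM_SIZE];
    return use_checked ? heartbeat_checked(&s, out, sizeof out)
                       : heartbeat_unchecked(&s, out, sizeof out);
}

/* Same request; report whether the secret came back in the reply. */
static int reply_leaks_for(uint16_t claimed, int use_checked) {
    sim_t s = make_request(claimed, "ping", 4);
    unsigned char out[MEM_SIZE];
    size_t n = use_checked ? heartbeat_checked(&s, out, sizeof out)
                           : heartbeat_unchecked(&s, out, sizeof out);
    return leaks_secret(out, n);
}

int main(void) {
    printf("oversized claim, unchecked: %zu bytes returned, secret leaked: %d\n",
           reply_len_for(100, 0), reply_leaks_for(100, 0));
    printf("oversized claim, checked:   %zu bytes returned, secret leaked: %d\n",
           reply_len_for(100, 1), reply_leaks_for(100, 1));
    printf("honest claim,    checked:   %zu bytes returned\n", reply_len_for(4, 1));
    return 0;
}
```

The honest request (claimed length equal to the bytes sent) is answered identically by both responders, which is why the flaw went unnoticed for two years: the check only matters when a peer lies about the length, and a rejected request produces no error on the wire and nothing in an application log, matching the articles’ point that exploitation leaves no trace.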

A security engineer at Google Inc. and a team of researchers at Finnish security company Codenomicon Ltd. uncovered the problem and raised the alarm on Monday. In the process, they kicked off an online panic that is quite justified.

OpenSSL “is at the cornerstone of trust on the Internet,” said Ford. It’s not just buying and selling. For instance, Internet e-mail services such as Yahoo Mail use OpenSSL to ensure the confidentiality of personal messages. So much for that: A security researcher was able to steal a Yahoo username and password from the company’s servers by using the Heartbleed trick.

Yahoo says it has fixed the problem on its servers. Meanwhile, other major Internet companies are also offering reassurances. I pinged, Facebook, tax preparation company Intuit Inc., and the Internal Revenue Service. All replied that their computers are not vulnerable to the Heartbleed problem.

But before you relax, consider that this bug was introduced two years ago. All this time, our “secure” data has been vulnerable. If some criminal gang had exploited the bug, I think we’d recognize them by a trail of emptied bank accounts, so this probably hasn’t happened. But if you worked at a spy shop like the National Security Agency or China’s Ministry of State Security, you’d be dead quiet about this handy little exploit. Instead, you’d use it to quietly scoop up intelligence on carefully selected targets.

Has this happened? Who knows? Exploiting a security flaw will often leave traces behind; you’ll know you’ve been hit, even if you can’t do anything about it.

But Heartbleed doesn’t leave a mark. Our passwords and personal data may already have been leaked out, scooped up, and filed away. Or not. It’s impossible to be sure.

Which is why Ford and other security analysts say there’s only one thing to do — change your passwords. Every last one, or at least every one that logs you onto financial, shopping, or social networking sites, the places where you share sensitive information. It’s also a good idea to delete all cookies from such sites.

But even this won’t protect you unless the sites you visit have upgraded their own software. Log onto a Heartbleed-affected server, and your new password could be as compromised as the old one. So Ford recommends taking your time. “Wait a day or two,” he said, “and then start changing passwords.”

In the early days of the Internet, global security scares came like clockwork: the Melissa virus of 1999, the I Love You virus of 2000, or 2001’s Code Red attack. Today the Internet is less vulnerable to sabotage. But as Heartbleed proves, there will never be a cure for carelessness.


Security and quality top companies’ reasons for using open source

April 8th, 2014

Why should you use open source software? The fact that it’s usually free can be an attractive selling point, but that’s not the reason most companies choose to use it. Instead, security and quality are the most commonly cited reasons, according to new research.

In fact, a full 72 percent of respondents to the eighth annual Future of Open Source Survey said that they use open source because it provides stronger security than proprietary software does. A full 80 percent reported choosing open source because of its quality over proprietary alternatives.

Sixty-eight percent of respondents said that open source helped improve efficiency and lower costs, while 55 percent also indicated that the software helped create new products and services. A full 50 percent of respondents reported openly contributing to and adopting open source.

Results of the survey, conducted by Black Duck Software and North Bridge Venture Partners, were released Thursday and paint an even rosier picture for open source than did last year’s results. A record-breaking 1,240 industry influencers took part in this year’s survey, answering questions about open source trends, opportunities, adoption drivers, community engagement, and the business problems open source solves.

“We are witnessing a sea change in the way enterprises organize their infrastructure, throwing out proprietary brands in favor of highly efficient and cost-effective open platforms,” said Mark Shuttleworth, founder of Ubuntu and Canonical, which participated in the survey.

A competitive advantage for small firms

I had a chance earlier this week to speak with Lou Shipley, Black Duck’s CEO, along with Michael Skok, general partner at North Bridge, about what the results mean for those in SMBs.

Smaller companies are “driven by cost, like everybody,” Shipley told me. “The use of open source lets you drive your costs down. It also helps you to recruit the best employees.”

Organizations must understand that “it’s about more than just cost-cutting or any of the traditional reasons to use open source software; it’s about participating and managing the logistical challenges to gain competitive advantage, attract top talent and influence project direction.”

Overall, “small firms can have a competitive advantage by standardizing on open source,” he said.

‘Stand on the shoulders of giants’

Indeed, “for small to medium-sized businesses, the last thing you can afford to do is build up a large IT department,” North Bridge’s Skok said. “A much better plan is to use the available open source software to run your business and then customize it as appropriate for your needs.

“The beauty of the open source world is you get both: low cost and the ability to expand with your own customization and differentiation,” he added.

As the end of Windows XP approaches, meanwhile, small business should “think about the advantage you have” over larger enterprises, Shipley concluded, and consider trying an option like Ubuntu or another Linux instead.

“The risk is a lot less,” he concluded. “You can stand on the shoulders of giants rather than having to reinvent the wheel yourself.”

