Why Doesn’t Anybody Fire Those Responsible for Heartbleed Getting by OpenSSL? Because Nobody Hired Them! Just a Few Volunteers Maintain This Critical Software.

Posted on April 29th, 2014 by Dan Rampe

Open SSL

When the Heartbleed glitch left hackers a wide-open back door in OpenSSL, the software that protects banks, email, social media, government and just about everything else online, it even got the attention of people who were still using Windows 95.

No one has a handle on how much damage may have been caused. Or if the majority of cybercriminals were as clueless about the Heartbleed flaw as the rest of us. One thing is certain. Heartbleed virtually had the entire virtual world in crisis mode. And when an event of this magnitude occurs, there is always a call for finding out who’s responsible and making them pay. So why hasn’t this happened?

Writing on money.cnn.com, Jose Pagliery explains who was holding their fingers in the dike and why holding them (the people, not their fingers) responsible would be like blaming a friend who was house-sitting for a burglary that took place while he was at work. (Note: The following has been modified to fit our format.)

They’re all volunteers. And only one does it as a full-time job.

Their labor of love is OpenSSL, a free program that secures a lot of online communication. And it was a tiny coding slip-up two years ago that caused the Heartbleed bug, a hole that allows attackers to peer into computers. The bug forced emergency changes last week at major websites like Facebook, Google and Yahoo.

But security experts say OpenSSL is severely underfunded, understaffed and largely ignored.

The bug wasn’t caught until recently, because the OpenSSL Software Foundation doesn’t have the resources to properly check every change to the software, which is now nearly half a million lines of code long. And yet that program guards a vast portion of our commerce and government — including weapon systems and smartphones, the foundation claims.

“The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Steve Marquess, the foundation’s president, said in an open letter.

When weighed against its critical importance to Internet security, OpenSSL has a shoestring budget. It has never received more than $1 million a year, Marquess said. The only federal support listed online was a single $20,000 renewal contract from the Department of Defense.

While the foundation receives money from the Department of Homeland Security, Citrix and others, the vast majority of its funding is from specific work-for-hire contracts. A company wants a certain feature added here, a specific function there. It keeps developers busy. But Marquess said there’s no money going toward reviewing the code or performing audits.

In fact, the only person working on this full-time is Stephen Henson, an extremely private mathematician living in England who referred to Marquess for comment. Only a handful of other developers pitch in with any consistency, and Marquess told CNN their total labor amounts to maybe two full-time workers.

Even in the aftermath of Heartbleed, the foundation has received only $9,000 — sparking Marquess to publicly call out companies that use OpenSSL for free.

“I’m looking at you, Fortune 1000 companies,” he wrote.

In the wake of Heartbleed, this lack of funding for OpenSSL may prove a wake-up call.

Startups and major corporations frequently use open-source software because it’s freely distributed and costs nothing. But they rarely contribute back in dollars or donated time. Without significant outside help — donating dedicated staff and money without strings attached — open-source projects like this are at risk of fizzling out or blowing up in our faces, said Azorian Cyber Security founder Charles Tendell.

“If you bought your car and knew it was put together by volunteers, how would you feel about that?” Tendell asked.

A select few firms provide some help. Facebook and Microsoft sponsor bug bounties via the HackerOne program — essentially paying hackers to find mistakes that need fixing. And it was a Google security researcher, Neel Mehta, who discovered the Heartbleed bug.

Others are convinced it’s time to chip in. The initial response by Marc Gaffan, cofounder of cloud-security provider Incapsula, was: “What do you expect? You got this for free. You get what you pay for.” But it turns out his company relies on OpenSSL too. When asked if he would lead by example, Gaffan promised his firm would make its first donation.

This recent scare has gotten the White House’s attention. The Obama administration is now “taking a hard look at widely used tools such as OpenSSL to see if there is more that the federal government needs to do — including supporting research and development,” said National Security Council spokeswoman Laura Lucas Magnuson.

There’s a catch, however. The government can only get so close without triggering fears that it’s actually undermining the security of online communications, especially after Edward Snowden’s disclosures about the National Security Agency’s extensive surveillance programs. Former NSA crypto engineer Randy Sabett, now a tech privacy attorney at the Cooley law firm, expects the open-source community will be apprehensive.

“The public does not want the government involved in the design of the commercial Internet,” he said. “They don’t want back doors put in.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

Why Doesn’t Anybody Fire Those Responsible for Heartbleed Getting by OpenSSL? Because Nobody Hired Them! Just a Few Volunteers Maintain This Critical Software.

Posted on April 23rd, 2014 by Dan Rampe

Heartbleed

When the Heartbleed glitch left hackers a wide-open back door in OpenSSL, the software that protects banks, email, social media, government and just about everything else online, it even got the attention of people who were still using Windows 95.

No one has a handle on how much damage may have been caused. Or if the majority of cybercriminals were as clueless about the Heartbleed flaw as the rest of us. One thing is certain. Heartbleed virtually had the entire virtual world in crisis mode. And when an event of this magnitude occurs, there is always a call for finding out who’s responsible and making them pay. So why hasn’t this happened?

Writing on money.cnn.com, Jose Pagliery explains who was holding their fingers in the dike and why holding them (the people, not their fingers) responsible would be like blaming a friend who was house-sitting for a burglary that took place while he was at work. (Note: the following has been modified to fit our format.)

They’re all volunteers. And only one does it as a full-time job.

Their labor of love is OpenSSL, a free program that secures a lot of online communication. And it was a tiny coding slip-up two years ago that caused the Heartbleed bug, a hole that allows attackers to peer into computers. The bug forced emergency changes last week at major websites like Facebook, Google and Yahoo.

But security experts say OpenSSL is severely underfunded, understaffed and largely ignored.

The bug wasn’t caught until recently, because the OpenSSL Software Foundation doesn’t have the resources to properly check every change to the software, which is now nearly half a million lines of code long. And yet that program guards a vast portion of our commerce and government — including weapon systems and smartphones, the foundation claims.

“The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Steve Marquess, the foundation’s president, said in an open letter.

When weighed against its critical importance to Internet security, OpenSSL has a shoestring budget. It has never received more than $1 million a year, Marquess said. The only federal support listed online was a single $20,000 renewal contract from the Department of Defense.

While the foundation receives money from the Department of Homeland Security, Citrix and others, the vast majority of its funding is from specific work-for-hire contracts. A company wants a certain feature added here, a specific function there. It keeps developers busy. But Marquess said there’s no money going toward reviewing the code or performing audits.

In fact, the only person working on this full-time is Stephen Henson, an extremely private mathematician living in England who referred to Marquess for comment. Only a handful of other developers pitch in with any consistency, and Marquess told CNN their total labor amounts to maybe two full-time workers.

Even in the aftermath of Heartbleed, the foundation has received only $9,000 — sparking Marquess to publicly call out companies that use OpenSSL for free.

“I’m looking at you, Fortune 1000 companies,” he wrote.

In the wake of Heartbleed, this lack of funding for OpenSSL may prove a wake-up call.

Startups and major corporations frequently use open-source software because it’s freely distributed and costs nothing. But they rarely contribute back in dollars or donated time. Without significant outside help — donating dedicated staff and money without strings attached — open-source projects like this are at risk of fizzling out or blowing up in our faces, said Azorian Cyber Security founder Charles Tendell.

“If you bought your car and knew it was put together by volunteers, how would you feel about that?” Tendell asked.

A select few firms provide some help. Facebook and Microsoft sponsor bug bounties via the HackerOne program — essentially paying hackers to find mistakes that need fixing. And it was a Google security researcher, Neel Mehta, who discovered the Heartbleed bug.

Others are convinced it’s time to chip in. The initial response by Marc Gaffan, cofounder of cloud-security provider Incapsula, was: “What do you expect? You got this for free. You get what you pay for.” But it turns out his company relies on OpenSSL too. When asked if he would lead by example, Gaffan promised his firm would make its first donation.

This recent scare has gotten the White House’s attention. The Obama administration is now “taking a hard look at widely used tools such as OpenSSL to see if there is more that the federal government needs to do — including supporting research and development,” said National Security Council spokeswoman Laura Lucas Magnuson.

There’s a catch, however. The government can only get so close without triggering fears that it’s actually undermining the security of online communications, especially after Edward Snowden’s disclosures about the National Security Agency’s extensive surveillance programs. Former NSA crypto engineer Randy Sabett, now a tech privacy attorney at the Cooley law firm, expects the open-source community will be apprehensive.

“The public does not want the government involved in the design of the commercial Internet,” he said. “They don’t want back doors put in.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

Tired of Hearing about Heartbleed? Do Something About It. ThreatMetrix Strategies for “Staunching” Heartbleed and Any Similar Threats in the Future.

Posted on April 16th, 2014 by Dan Rampe

Heartbleed

After going unnoticed for two years, researchers discovered Heartbleed, the flaw that could let a hacker defeat OpenSSL, the most common encryption technology on the Internet. Another way of saying it is Heartbleed put 66 percent of servers worldwide at the mercy of cybercriminals. And another way of saying that is email, instant messaging, e-commerce transactions and more were being jeopardized in every corner of the planet, exposing passwords, credit card numbers and other personal data.

The Heartbleed security flaw was a danger to websites and the mobile applications and networking equipment that connect homes and businesses to the Internet, including such things as routers and printers. In short, the flaw presented a danger to the entire Internet of Things, i.e., any device from air conditioners to refrigerators that could be connected online.

After putting in a patch to fix the flaw, many, if not most online businesses, only had one strategy to offer users: change your passwords.

“Today it’s Heartbleed and tomorrow it will be another data breach or vulnerability,” said Alisdair Faulkner, chief products officer, ThreatMetrix.

“Passwords are a static means of security and are frankly obsolete as a stand-alone authentication solution in today’s cybersecurity landscape. Once account login information is obtained, cybercriminals have access to personal data used for committing bank fraud or falsifying credit card transactions – the possibilities are endless. Security should not just rely on point-in-time authentication solutions. Instead, continuous evaluation of trust is required based on what the user is attempting to do.”

ThreatMetrix’s preventative cybersecurity strategies offer protection that goes well beyond passwords and other forms of static authentication:

Real-time trust analytics – Move beyond just big-data collection and improve effectiveness of controls with real-time analysis of device, location, identity and behavioral context for every authentication attempt. Real-time trust analytics offer unprecedented identity authentication policies for businesses and enterprises by comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more.

Enhanced mobile identification – Detects jailbroken devices and offers location-based authentication, protecting mobile transactions by indicating when the mobile operating system has been breached and the security of applications has been compromised.

“To protect against future attacks like Heartbleed, businesses need to move beyond legacy verification and authentication solutions and recognize the benefits of leveraging a collective approach to cybersecurity,” said Faulkner. “The ThreatMetrix® Global Trust Intelligence Network (The Network) delivers real-time intelligence, providing customers with consistent risk assessments of data and creating a digital persona of users by mapping their online behaviors and devices.”

Consumers can protect their online identities and personal information from threats like Heartbleed by ensuring location information on social networks is encrypted and by using different passwords across sites and never storing them on devices.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

Heartbleed Vulnerability Underscores the Need for Real-Time Trust Analytics in Place of Static Authentication

Posted on April 16th, 2014 by Dan Rampe

ThreatMetrix® Announces Strategies to Protect Consumers and Businesses from Future Vulnerabilities and Cybercrime Risks

San Jose, CA – April 16, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announces several strategies for consumers to stay protected following the recent Heartbleed vulnerability, which has potentially exposed millions of passwords, credit card numbers and other personal identifiers. These strategies aim to help businesses and customers avoid being compromised by similar threats in the future.

Last week, a major lapse in Internet security – known as the Heartbleed vulnerability – was uncovered after going undetected for nearly two years. The flaw created an opening in OpenSSL, the most common encryption technology on the Internet. OpenSSL is designed to protect data in transit including email, instant messaging and e-commerce transactions. The vulnerability in OpenSSL enables hackers to access server memory that could allow hijacking of accounts or theft of private keys used to decrypt communications.

Since Heartbleed went undetected for so long, the scope of compromised information is still unclear, but many online businesses are urging users to change their passwords as a precautionary measure.

“Today it’s Heartbleed and tomorrow it will be another data breach or vulnerability,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Passwords are a static means of security and are frankly obsolete as a stand-alone authentication solution in today’s cybersecurity landscape. Once account login information is obtained, cybercriminals have access to personal data used for committing bank fraud or falsifying credit card transactions – the possibilities are endless. Security should not just rely on point-in-time authentication solutions. Instead, continuous evaluation of trust is required based on what the user is attempting to do.”

The Heartbleed security flaw does not only impact websites, but also mobile applications and networking equipment that connects homes and businesses to the Internet (also known as the Internet of Things), such as routers and printers. As more and more devices move online through the Internet of Things, hacks and cybersecurity breaches are becoming more common.

Businesses need to stay one step ahead of threats such as Heartbleed and implement preventative cybersecurity strategies in place of passwords and other forms of static authentication. Suggested strategies include:

Real-time trust analytics – Move beyond just big-data collection and improve effectiveness of controls with real-time analysis of device, location, identity and behavioral context for every authentication attempt. Real-time trust analytics offer unprecedented identity authentication policies for businesses and enterprises by comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more.

Enhanced mobile identification – Detects jailbroken devices and offers location-based authentication, protecting mobile transactions by indicating when the mobile operating system has been breached and the security of applications has been compromised.

“To protect against future attacks like Heartbleed, businesses need to move beyond legacy verification and authentication solutions and recognize the benefits of leveraging a collective approach to cybersecurity,” said Faulkner. “The ThreatMetrix® Global Trust Intelligence Network (The Network) delivers real-time intelligence, providing customers with consistent risk assessments of data and creating a digital persona of users by mapping their online behaviors and devices.”

In addition to businesses implementing real-time trust analytics and other collective cybersecurity strategies, consumers can also take responsibility for protecting their online identities. Specifically, consumers can protect against threats such as Heartbleed by ensuring location information on social networks is encrypted, using different passwords across sites and not storing passwords on any devices.

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

Heartbleed Part III: No Tourniquet for Heartbleed. Now the Flaw Turns Up in Devices (for Example Routers) That Connect to the Internet.

Posted on April 15th, 2014 by Dan Rampe

Heartbleed

If you thought you heard all the news there was about risks associated with Heartbleed — uh-uh. There’s more. But only hackers and masochists will be pleased to hear it. (On the very remote chance you haven’t heard about Heartbleed, the flaw found OpenSSL, which helps encrypt information on the Internet, please see our blog Heartbleed Part II.)

Here’s the latest. According to a story by Nicole Perlroth and Quentin Hardy in The New York Times, Heartbleed could cause damage to the guts of the Internet and the wide variety of devices that connect to it. (The following has been edited to fit our format.)

Cisco Systems, the dominant provider of gear to move traffic through the Internet, said its big routers and servers, as well as its online servers …were not affected. If they had been, that would have had a significant impact on virtually every major company that connects to the Internet.

Certain products the company makes were affected, it said — some kinds of phones that connect to the Internet, a kind of server that helps people conduct online meetings, and another kind of device used for office communications. Cisco also posted a list of products it had examined for the vulnerability, which it was updating as it continued inspecting its equipment.

Juniper Networks, also said its main products were not affected. The only problem it found was in a kind of device for creating private communications on the Internet.

“Besides [the] one product, the exposure for our customers is minimal, if any,” said Michael Busselen, vice president of corporate communications at Juniper.

Chuck Mulloy, a spokesman for Intel, said his company had been looking through its products for vulnerabilities for several days and so far had found nothing. He said, however, that the search was not yet done.

Qualcomm, a maker of mobile technology, said it was still checking its products….

For most people, the web — with sites like Facebook and Google — is the most visible part of the Internet. But hardware like home routers and printers is also connected to the Internet, and OpenSSL is built into some of this hardware.

“That’s why this is so nasty,” said [security expert] George Kurtz…. “OpenSSL goes far beyond just websites. It’s implemented in email protocols and all kinds of embedded devices.”

Most of the equipment made by Cisco and Juniper was unaffected because the companies did not use OpenSSL for their encryption.

[Other security] experts say personal home routers often incorporate OpenSSL, which could make them vulnerable. But they note that because many home routers are configured to block outside traffic, the risk of a hacker using the Heartbleed bug to lift data like passwords to online banking and email accounts is low. This is particularly so, they said, when there are still thousands of vulnerable websites where this data could be pulled from much more easily.

Nevertheless, Mr. Kurtz said, users would be wise to check with their home router manufacturers to upgrade their devices if they want to be absolutely secure.

Security researchers say that while hackers have been posting lists of vulnerable websites, there does not appear to have been an increase in black market sales of sensitive data, like passwords.

Security experts say that upgrading and cleaning up those systems, if they are affected, could take years.

“It’s one thing to get all of these servers at Yahoo, Google and everyone else fixed, but it’s a whole other thing to get these embedded devices fixed up,” Mr. Kurtz said. “I don’t see them getting updated any time soon.”

Here’s hoping there’s no need for a Heartbleed, Part IV.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

Heartbleed Part II: Some Online Passwords That Do and Don’t Need Changing to Relieve Some of the Heartburn Caused by Heartbleed

Posted on April 11th, 2014 by Dan Rampe

Heartbleed

The Heartbleed flaw: In no time, it went from “That the name of a band?” to “The sky is falling. The sky is falling.” Now, if by chance you’ve been on Mars or in a marketing meeting (or in a marketing meeting on Mars) the last few days, Heartbleed is an encryption flaw in the Open SSL cryptographic software library.

Two-thirds of web servers worldwide use the Open SSL cryptographic software library to connect with end users and guard against digital eavesdropping. While the flaw was just discovered, it has been open to hackers for approximately two years. Best of all (that, of course is sarcasm) if a hacker were stealing data, nobody would know because the flaw made it possible to steal logins and passwords without leaving evidence the hacker was even there.

If you’re over 23 (give or take), you’re aware of the Y2K computer flaw when it was predicted that at 12:01 a.m. New Year’s Day 2000, planes would fall out of the sky, commerce would cease and there would be rioting, looting and chaos worldwide. And worst of all: no 2000 Super Bowl!

The point is no one exactly knows if data has been compromised or if hackers even knew about the flaw. Now, there is a fix and affected companies have either implemented it or are in the process of implementing it.

Mashable.com surveyed some of the most frequented sites on the web to find out the status of their fixes and whether they advised customers to change their passwords. Following is a partial list. You may find their complete list on mashable.com, “The Heartbleed Hit List: The Passwords You Need to Change Now.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

It’s Dubbed “Heartbleed” and Is about as Serious as a Heart Attack. Security Flaw Opens Up Two-Thirds of Web Servers Worldwide to Hackers

Posted on April 9th, 2014 by Dan Rampe

Heartbleed

OpenSSL researchers announced the release of a fix for the “glitch” discovered in the Open SSL cryptographic software library that two-thirds of web servers worldwide use to connect with end users and guard against digital eavesdropping. UNFORTUNATELY, the fix may be coming a couple of years too late — because that’s about as long as the flaw has been available to hackers.

In his piece on policymic.com, Tom McKay says that the bug that allows for easy untraceable breaches of secure systems, which control everything from banking to retail to email, was originally discovered by Google researcher Neel Mehta.

The OpenSSL team reports McKay described the difference between this software flaw and others. “Bugs in single software or library come and go and are fixed by new versions. However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously.”

Or putting it in language a farmer might use—Is this fix like closing the barn door after the cows have gotten out?

To demonstrate how the flaw could be used, the research team was able to breach Yahoo security and steal email logins and passwords without leaving evidence it was ever there.

In the OpenSSL team’s own words, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

“Anyone who noticed and exploited the bug since it was introduced on March 14, 2012 could have easy access to an incomprehensible number of secure systems.”

TechCrunch noted that “even encrypted data illegally stolen from servers could eventually be forced open either with more stolen data or other methods, depending on server configuration.”

Until servers are updated worldwide, data remains at risk. So until the servers are updated does everybody just go fishing (and we mean fishing not phishing)?

Well, Tumblr sent out this alert to its users:

Urgent security update

Bad news. A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.

We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.

But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.

You’ll be hearing more in the news over the coming days.

Take care.

Besides change your passwords, “take care” is always good advice. However, in this situation it may not be all that useful.

Something that is useful to know comes from the technology news and media network, The Verge, which says “Google, Apple, and Microsoft are all unaffected, as well as most major e-banking services.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.