http://temim-tm.blogspot.com/
Heartbleed Threat Won't Fade Away
This week marks the first anniversary of the Heartbleed vulnerability that caused a panic across the Internet last year. While the flaw appears to have faded from the recollections of Net denizens, it still poses danger at many sites in cyberspace.
By John P. Mello Jr.
04/09/15 5:00 AM PT
Heartbleed was discovered in April 2014 in an open source library, OpenSSL, used by the SSL protocol. SSL is used to encrypt data in transit on the Net. By exploiting the flaw with a specially crafted packet, hackers could extract data from a server's memory in 64K chunks.
The vulnerability got its name from the "heartbeat" servers send out at short intervals to let other servers on the Net know that they're alive and well. However, by exploiting a bug in the heartbeat function, an attacker can get the heartbeat to bleed more information than just "I'm alive" -- information such as passwords, credit card data, Social Security numbers and anything else hanging around in memory at the time of the attack.
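To make the bug described above concrete, here is an added Python illustration (not OpenSSL's code, and not from the article): a toy heartbeat handler that trusts the length field in the request, beside one that performs the bounds check the upstream OpenSSL fix added. The message layout follows the TLS heartbeat extension (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding). The "server memory" and the secret placed after the received record are constructed for the demonstration; `simulate`, `handle_heartbeat_vulnerable` and `handle_heartbeat_fixed` are names chosen here.

```python
"""Heartbeat length check: a handler that trusts the declared length
beside one that validates it.  Constructed teaching example."""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16

# Constructed secret that happens to sit in memory right after the record.
SECRET = b"SESSION_COOKIE=abc123"


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. declared_len lets a test produce a length
    field that disagrees with the real payload (the malformed case)."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_vulnerable(memory: bytearray, record_start: int, record_len: int) -> bytes:
    """Trusts the declared payload length: copies that many bytes from the
    payload start, even when that runs past the record into adjacent memory."""
    hb_type, payload_len = struct.unpack_from("!BH", memory, record_start)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    payload_start = record_start + 3
    payload = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_fixed(memory: bytearray, record_start: int, record_len: int) -> Optional[bytes]:
    """Checks that type + length + payload + padding fit inside the received
    record before copying anything, and silently discards the message otherwise."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None  # cannot even hold an empty payload plus padding
    hb_type, payload_len = struct.unpack_from("!BH", memory, record_start)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # declared length exceeds what was actually received
    payload_start = record_start + 3
    payload = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def simulate(payload: bytes, declared_len: Optional[int] = None) -> Tuple[bytes, Optional[bytes]]:
    """Place a request in a constructed memory buffer next to SECRET and run
    both handlers on it. Returns (vulnerable response, fixed response)."""
    record = build_heartbeat(payload, declared_len)
    memory = bytearray(record + SECRET + b"\x00" * 64)
    vulnerable = handle_heartbeat_vulnerable(memory, 0, len(record))
    fixed = handle_heartbeat_fixed(memory, 0, len(record))
    return vulnerable, fixed


if __name__ == "__main__":
    leaked, rejected = simulate(b"hi", declared_len=40)
    print("vulnerable handler echoed the secret:", SECRET in leaked)
    print("fixed handler discarded the request:", rejected is None)
```

For a well-formed request both handlers return the same response, which is why the bug went unnoticed in normal traffic; the difference only appears when the declared length and the received record disagree, and the only safe behaviour at that point is to drop the message.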
Despite grabbing lots of attention when it was first discovered, Heartbleed seems to have fallen victim to short-attention-span syndrome. Eighty-six percent of Americans said they'd never heard of Heartbleed in a March poll of 2,000 U.S. adults conducted by the Harris organization for Dashlane.
"There was a lot of coverage at the time, so it was hard not to hear about it," Dashlane CEO Emmanuel Schalit told TechNewsWorld. "People just seem to have forgotten it."
Not Bled Out Yet
That kind of memory lapse could prove dangerous to consumers, as many servers remain vulnerable to Heartbleed attacks. Eighty-four percent of the external servers of Global 2000 organizations remain vulnerable to cyberattacks due to Heartbleed, suggests a survey Venafi Labs released this week.
"Folks did a really great job of patching after Heartbleed was discovered," said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.
However, Heartbleed also put at risk the certificates and the encryption keys used to sign those certificates. The quick and dirty solution to that problem was to reissue certificates for a website.
"The problem with Heartbleed was that you have to assume that the key itself was compromised," Bocek told TechNewsWorld. "If you don't change the key, you're not fixing the problem, because an attacker can use the key to spoof a site or perform a man-in-the-middle attack."
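Bocek's point is checkable: a reissued certificate that carries the same public key as the old one has not rotated the key at all. The following added Python (not Venafi's tooling, and not from the article) pulls the SubjectPublicKeyInfo out of a DER-encoded certificate with a minimal ASN.1 walker and compares SHA-256 fingerprints of the old and new key. The certificates it runs on are constructed skeletons that keep the real X.509 field order but use placeholder names and signatures; `extract_spki`, `key_reused`, `make_toy_cert` and the other helpers are names chosen here. On real certificates, feed `to_der` the PEM or DER you have on disk.

```python
"""Did the certificate reissue actually rotate the key?  Compare the
SubjectPublicKeyInfo of the old and new certificate.  Added example."""
import base64
import hashlib
from typing import Iterator, Tuple

SEQUENCE, INTEGER, BIT_STRING, CTX0 = 0x30, 0x02, 0x03, 0xA0


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:  # long-form length: low 7 bits give the number of length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, int, int]]:
    """Yield (tag, element_start, element_end) for each element in a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def to_der(cert: bytes) -> bytes:
    """Accept PEM or DER input and return DER."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line.strip() for line in cert.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return cert


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from an X.509 DER certificate.
    Layout: Certificate SEQ { tbsCertificate SEQ { [0] version (optional),
    serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo, ...}, ...}"""
    tag, cstart, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, tstart, tend = _read_tlv(cert_der, cstart)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate missing")
    fields = list(_children(cert_der, tstart, tend))
    if fields and fields[0][0] == CTX0:  # explicit version tag is optional
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    _, start, end = fields[5]
    return cert_der[start:end]


def spki_fingerprint(cert: bytes) -> str:
    return hashlib.sha256(extract_spki(to_der(cert))).hexdigest()


def key_reused(old_cert: bytes, new_cert: bytes) -> bool:
    """True when the new certificate still carries the old public key."""
    return spki_fingerprint(old_cert) == spki_fingerprint(new_cert)


# --- constructed test material (not real certificates) ---------------------
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_spki(key_bytes: bytes) -> bytes:
    """SPKI skeleton: SEQ { algorithm SEQ (placeholder), subjectPublicKey BIT STRING }."""
    return _tlv(SEQUENCE, _tlv(SEQUENCE, b"") + _tlv(BIT_STRING, b"\x00" + key_bytes))


def make_toy_cert(spki: bytes, serial: int) -> bytes:
    """Certificate skeleton with the real field order and placeholder contents."""
    tbs = (_tlv(CTX0, _tlv(INTEGER, b"\x02")) + _tlv(INTEGER, serial.to_bytes(2, "big"))
           + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b"")
           + spki)
    return _tlv(SEQUENCE, _tlv(SEQUENCE, tbs) + _tlv(SEQUENCE, b"") + _tlv(BIT_STRING, b"\x00sig"))


def pem_wrap(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    old = make_toy_cert(make_spki(b"key-A"), 1)
    reissued_same_key = make_toy_cert(make_spki(b"key-A"), 2)
    reissued_new_key = make_toy_cert(make_spki(b"key-B"), 3)
    print("reissue kept the old key:", key_reused(old, reissued_same_key))
    print("reissue rotated the key:", not key_reused(old, reissued_new_key))
```

A new serial number, issuer signature or validity period changes the certificate but not the fingerprint above; only a fresh key pair does. Running this over the certificates collected before and after a remediation campaign separates the sites that merely reissued from those that actually rotated.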
Long Tail of Death
The problem can be worse for larger organizations.
"It's a very simple equation," Bocek noted. "The more servers that were vulnerable, the more keys and certificates you have, the less time, effort and capability you have to fix it."
As applications, virtual machines and servers are replaced, new keys will be created, so Heartbleed will bleed out in the long term -- "but that could take years," Bocek said. "It'll be a long tail of death."
Meanwhile, consumers -- who may need their memories refreshed -- need to take precautions should they run into a website compromised by Heartbleed.
"The only real thing the consumer can do is limit the risk by protecting personal digital information that sits in the cloud," said Dashlane's Schalit.
"The only thing under the consumer's control to do that is having a unique password on every website," he said. "At least then if one password is stolen, it doesn't spread to other accounts and other websites."
Bigger Problem
Heartbleed is a symptom of a larger problem, though, and that's the dependence of the infrastructure of the Internet on under-resourced open source projects.
"About 66 percent of all servers connected to the Internet use some version of the OpenSSL library, but virtually no one is maintaining it," said Pavel Krcma, CTO of Sticky Password.
"There can be problems hidden in these libraries for years, just because there are so few people taking care of these critical libraries," he told TechNewsWorld.
"More companies have to invest in developing and testing OpenSSL," added Krcma. "They need to share some of the money they make on products built on it."