HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 2 MINUTES AGO.
You are here: Home / Data Security / Is Heartbleed the Biggest Threat Ever?
Is Heartbleed the Biggest Web Security Threat Ever?
Is Heartbleed the Biggest Web Security Threat Ever?
By Barry Levine / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
APRIL
11
2014

Even as the Heartbleed bug that has infiltrated Web sites and threatened millions of users runs its course, its impact is being assessed. And, as the extent of the vulnerability increases, a question is whether Heartbleed has set a milestone in Web security threats.

On Monday, a critical vulnerability was made public in some versions of the encrypting technology OpenSSL, which is used by hundreds of thousands of Web sites. The vulnerability was apparently undetected for nearly two years, and hackers can exploit it without leaving any sign they did so.

OpenSSL uses SSL/TLS encryption for security and privacy in Web sites, e-mails, instant messaging and other applications. The vulnerability could allow a hacker to steal sensitive data, including user names, passwords, and the keys used to decode encrypted transmissions.

'Implementation Problem'

A fix has been released and is being implemented by many sites. According to The Heartbleed Bug site, the bug is not a design flaw in the SSL/TLS protocol spec, but rather is an "implementation problem, i.e., programming mistake in popular OpenSSL library that provides cryptographic services."

On Friday, Reuters news service reported on recent warnings from security experts that the bug may be greater than just Web servers. The reason is that the unpatched OpenSSL code is also used in some e-mail servers, users' computers, smartphones and firewalls. There are also reports that version 4.1.1 "Jelly Bean" of Google's open-source operating system, Android, also has the same vulnerability, which, if accurate, would magnify the problem by millions of smartphones.

Security expert Jeff Moss, for instance, told Reuters that he is waiting for an enterprise firewall patch from McAfee. Cisco, Intel and other major technology companies are reportedly reviewing their products now to see if they are affected by the vulnerability.

Given the extent of the vulnerability, one question is whether Heartbleed represents the biggest security threat yet for the Web.

'As Long as It's Fixed'

Lawrence Orans, vice president for research at industry research firm Gartner, told us that "the problem with Heartbleed is that the burden is on the consumer to change passwords on multiple Web sites." He added that "it's a bigger pain in the neck than upgrading to the next level of iOS. Most consumers won't change their passwords, but they will be at risk."

John Grady, program manager for security products at IDC, said that "any time there's a vulnerability this broad, its a huge deal because of the lack of awareness among many consumers relative to best practices for online safety." He noted that "there's always the risk that vulnerabilities like this are going to be discovered, but I don't think that this is going to open the floodgates."

On the question of whether this is the biggest threat, Gartner security analyst Avivah Litan commented to us that "it depends how you look at it." She pointed out that, "as long as it's fixed," it is a manageable issue. On the bright side, Litan said, the disclosure of the bug and the quick fix "is what open source is all about."

The NSA?

"Who knows," she said, "if a big company had discovered this kind of error, would they have [similarly] publicized it?"

Litan also said that cybercriminals apparently were equally in the dark about the existence of this flaw, because, if they had known, they would have been using it over the last two years "to grab everything in memory." But, she said, "cybercriminals have not been using this vector, as far as we've been told."

Half-jokingly, she noted that it remains to be seen if the U.S. National Security Agency has been tapping into sites over the last two years through Heartbleed.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
ISACA® offers a global community of more than 115,000 IS/IT constituents in over 180 countries. We develop and deliver industry-leading certifications, education, research and business frameworks. We equip individuals to be leaders in the fast-changing world of information systems and IT - Learn More>
MORE IN DATA SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business

NETWORK SECURITY SPOTLIGHT
The federal government has issued an advisory warning that large swaths of critical industrial-control infrastructure could be vulnerable to hacks that take advantage of the Network Time Protocol.

ENTERPRISE HARDWARE SPOTLIGHT
Remember the classic BlackBerry that took the cell phone market by storm in its heyday? Well, it’s retro time at the Canadian handset maker as it rolls out the aptly-named BlackBerry Classic.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.