NEWS ANALYSIS: Though experts are still assessing the full impact of Heartbleed, police in Canada made the first arrest related to the SSL encryption flaw.

The Heartbleed bug has dominated the security headlines for the past week as organizations around the world scramble to limit the risk. Although the impact of Heartbleed globally is still being calculated, the first arrest in the world related to the Secure Sockets Layer encryption flaw has now been made.

On April 16, the Royal Canadian Mounted Police (RCMP) announced that it had arrested a 19-year-old student in connection with attacks against the Canada Revenue Agency (CRA) that exploited the Heartbleed flaw. "The RCMP treated this breach of security as a high-priority case and mobilized the necessary resources to resolve the matter as quickly as possible," the RCMP noted in a statement.

Stephen Arthuro Solis-Reyes is charged with one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data. The police seized Solis-Reyes' computer equipment on April 16, and he is scheduled to appear in an Ottawa, Canada, courtroom on July 17.

The Heartbleed flaw itself was first publicly revealed on April 7 by the OpenSSL project. Technically, the flaw is a vulnerability in the Heartbeat keep-alive extension of the open-source OpenSSL cryptographic library. OpenSSL is widely deployed on Linux servers, Websites and technologies around the world to secure data in transit. While patches for the Heartbleed flaw did emerge quickly after the initial disclosure on April 7, there was a window of exploitability.

For the Canada Revenue Agency, the Canadian equivalent of the U.S. Internal Revenue Service (IRS), the window of exploitability was in fact a real risk. The CRA admitted on April 14 that its Website was attacked with the Heartbleed bug over a six-hour period before the site was shut down and patched.

During the six-hour attack, the information of approximately 900 Canadian taxpayers was stolen. It is not clear at this stage what the intent of the alleged attacker Solis-Reyes was in relation to the stolen data or the attack on the CRA.

The speed with which the RCMP first reported the attack on the CRA and then announced an arrest in connection with it is quite stunning. The early speculation is that Solis-Reyes was not a professional hacker and did not take the necessary steps to hide his identity or IP address, which is what enabled the RCMP to act quickly.

While the incident in Canada is the first in the world to result in an arrest, given the global impact of Heartbleed it is likely that other organizations around the world were exploited as well. Whether those exploitations will ever be discovered and publicly disclosed is something only time will tell.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
The Heartbleed bug, an OpenSSL cryptographic library flaw that allows attackers to steal sensitive information from remote servers and devices, affected nearly two-thirds of websites. Ever since the bug was made public, hardware, software and internet service providers have moved quickly to apply patches and advise customers to change passwords. But what datacentre lessons can be learnt from Heartbleed?

Heartbleed was introduced to the OpenSSL code in December 2011, but the bug was only made public on 8 April 2014 after researchers at Google and Finnish security firm Codenomicon discovered that a coding flaw could enable hackers to repeatedly read unencrypted data from the memory of systems using vulnerable versions of OpenSSL.

The bad news with the Heartbleed bug is that there is no data on the server that can be used to determine if you have or have not been compromised, said Erik Heidt, Gartner research director. This means the response has to be fast, holistic and strategic.

“Organisations that just apply the patch and do not take other remedial actions will regret it later,” Heidt warned. “Applying patches and changing passwords does not mean victory. A patch is just like a Band-Aid – it does not cure the sore.”

Application automation, datacentre orchestration and access management

One important lesson datacentre professionals could learn from the Heartbleed incident is to enable application automation in datacentres. Application automation offers a better response to security breaches across servers, the Gartner expert said, because a datacentre is home to thousands of web servers and updating them with automation is easier and quicker.

“Having a good privilege access management strategy and datacentre orchestration are other ways datacentre professionals can respond better to such crises,” Heidt added. Such an unprecedented security breach requires holistic action.
IT professionals must have good relationships with technical experts inside and outside the company to solve the problem, he further advised. Companies that had provisioned for datacentre orchestration and centralised server management, as well as having up-to-date management tools, were able to respond quickly to the Heartbleed crisis.

Datacentre disaster recovery strategy

While at a technical level Heartbleed had fewer lessons, it offered lessons on how datacentre owners should react when the news broke, some experts have said.

Another important lesson for datacentre managers is that open source isn’t necessarily risk-free. “Any datacentre operator should have been able to provide cool, calm advice to its customers, and should have had the tools in place to rapidly and effectively patch OpenSSL to get rid of the problem – and then advise customers to change their passwords,” said datacentre expert and Quocirca director Clive Longbottom. “There was far too much FUD [fear, uncertainty and doubt] around this – too much ‘advice’ to change all passwords now – which only makes the problem worse, as the changed password could be compromised,” he added.

Server virtualisation provider VMware, which has nearly 500,000 customers, started issuing Heartbleed patches this week. As many as 27 VMware products were affected by Heartbleed. “Throughout the week commencing 14 April, VMware will be releasing product updates that address the OpenSSL Heartbleed issue. VMware expects to have updated products and patches for all affected products by 19 April,” its security announcement email to users read. But some VMware users took to Twitter to complain that the provider’s security patches were slow and came late.
Each operator should have been able to rapidly evaluate the scale of the issue and advise accordingly, experts said. Such a datacentre disaster recovery strategy and its processes should already have been in place, and datacentre professionals should only have needed to scale them up to respond to the Heartbleed incident, not modify them or devise a new strategy after the incident, added Heidt.

Ethical hacking tests

A well-run professional datacentre should have consultancy services available to help its customers test their systems in advance, and it should implement training for staff to make them aware of information security threats, according to London-based datacentre provider City Lifeline.

An example is “penetration testing”, otherwise known as “ethical hacking”, where a benign expert attempts to evade the security precautions taken by the target company and gain access to confidential information. The expert reports back to the company on its success, with recommendations for improvements, said Roger Keenan, City Lifeline’s managing director.

“Although on this occasion the process would not have identified Heartbleed, it provides datacentre users with confidence that it has identified and mitigated against many other, more common, more well-known threats,” he said.

Managing customer service expectations amid the crisis

For datacentre operators, how they manage customer services and how they deal with the OpenSSL vulnerability appropriately are the big issues. “If an operator was affected and believed customers’ passwords had been put at risk, they have to clearly state that they will fix the problem and the appropriate time users must change passwords,” said Andrew Kellett, principal analyst, infrastructure and software, at Ovum. Such communication was not very clear this time around, he said.
“Some operators and big tech giants reassured customers, saying they are not at risk, but it was not clear whether there was a breach and it was fixed or whether their servers were not affected at all,” said Kellett.

“A holding page on their website could explain what it means to customers and what steps the operator is taking,” added Longbottom. If the operator is dealing with highly sensitive data, then it should suspend logins and deal with each customer separately, experts advised.

There will always be another Heartbleed, and it is likely that the Googles and Amazons will handle the problem very efficiently. It is the smaller and medium-sized datacentre providers that may take time to respond, Kellett said. His advice to CIOs: “Look towards your service level agreements and see what it says on security and check with datacentre providers that they have, if they had the problem, dealt with it.”
The average peak bandwidth of distributed denial of service (DDoS) attacks increased by 114% between the last quarter of 2013 and the first quarter of 2014, a report has revealed. Attackers chose reflection rather than infection techniques to achieve larger attacks, according to the latest global DDoS attack report by Prolexic Technologies, now part of Akamai Technologies.

“In the first quarter, DDoS attackers relied less upon traditional botnet infection in favour of reflection and amplification techniques,” said Stuart Scholly, senior vice-president and general manager of security at Akamai. “Instead of using a network of zombie computers, the newer DDoS toolkits abuse internet protocols that are available on open or vulnerable servers and devices,” he said.

This well-established trend raises concerns that the internet itself could become a ready-to-use botnet for malicious actors. Prolexic found the most abused protocols include Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS). These protocols, all based on the User Datagram Protocol (UDP), may be favoured because they allow attackers to hide their identity: the victim sees traffic from the reflecting servers, not from the source that spoofed the requests.

Amplification-based attacks are popular with attackers because they can deliver a massive flood of data at the target while requiring only a relatively small output from the source. According to Prolexic, new reflection and amplification attack tools can deliver a powerful punch.

The report said that the first quarter saw a 39% increase in average bandwidth and the largest-ever DDoS attack to cross the Prolexic DDoS mitigation network. This attack combined multiple reflection techniques with a traditional botnet-based application attack to generate peak traffic of more than 200 gigabits per second (Gbps) and 53.5 million packets per second.
This first quarter of the year also saw more than half of the DDoS attack traffic aimed at the media and entertainment industry, which was targeted by 54% of the malicious packets mitigated by Prolexic during active DDoS attacks in the first quarter.

Comparing the first quarter of the year with the same period in 2013, the report showed:

- 47% increase in total DDoS attacks
- 9% decrease in average attack bandwidth
- 68% increase in infrastructure (layer 3 & 4) attacks
- 21% decrease in application (layer 7) attacks
- 50% decrease in average attack duration: 35 v 17 hours
- 133% increase in average peak bandwidth

Comparing the first quarter of the year with the last quarter of 2013, the report showed:

- 18% increase in total DDoS attacks
- 39% increase in average attack bandwidth
- 35% increase in infrastructure (layer 3 & 4) attacks
- 36% decrease in application (layer 7) attacks
- 24% decrease in average attack duration: 23 v 17 hours
- 114% increase in average peak bandwidth

The report said innovation in the DDoS marketplace has given rise to tools that can create greater damage with fewer resources. The first quarter's high-volume, infrastructure-based attacks were made possible by the availability of easy-to-use DDoS tools from the DDoS-as-a-service marketplace. These tools are designed by malicious hackers to deliver greater power and convenience into the hands of less skilful attackers.

For example, in the first quarter, NTP reflection attacks surged, probably owing to the availability of easy-to-use DDoS attack tools that support this reflection technique. The NTP flood method went from accounting for less than 1% of all attacks in the previous quarter to reaching almost the same popularity as SYN flood attacks, a perennial favourite among DDoS attackers. Neither CHARGEN nor NTP attack vectors were detected in the first quarter of 2013, but they accounted for 23% of all infrastructure attacks mitigated by Prolexic in Q1 2014.
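Reflected traffic of the kind the report describes has a recognisable shape on the victim's side: UDP flows whose source port is the abused service (CHARGEN/19, NTP/123, DNS/53), arriving from many distinct reflectors and concentrated on one destination. The detector below is an added example, not code from the Prolexic/Akamai report; it runs over constructed NetFlow-style records and the thresholds are assumptions to be tuned per network.

```python
"""Flag UDP reflection/amplification floods in flow records (added example).

Keys on the three reflector services the report names. A group is flagged
only when it exceeds both a distinct-reflector count and a byte volume, so
a single legitimate DNS reply or NTP sync is not mistaken for an attack.
"""
from collections import defaultdict

# UDP services the report identifies as the most abused reflectors.
REFLECTOR_PORTS = {19: "CHARGEN", 123: "NTP", 53: "DNS"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.10 is the constructed victim; 198.51.100.x / 192.0.2.x are reflectors.
FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 40112, "udp", 48000),
    ("198.51.100.8", 123, "203.0.113.10", 40112, "udp", 47200),
    ("198.51.100.9", 123, "203.0.113.10", 40112, "udp", 51000),
    ("198.51.100.10", 123, "203.0.113.10", 40112, "udp", 49500),
    ("192.0.2.5", 19, "203.0.113.10", 3397, "udp", 22000),
    ("192.0.2.6", 19, "203.0.113.10", 3397, "udp", 21000),
    ("192.0.2.7", 19, "203.0.113.10", 3397, "udp", 23000),
    ("192.0.2.20", 53, "203.0.113.44", 5353, "udp", 600),      # one DNS reply: benign
    ("192.0.2.21", 443, "203.0.113.44", 51822, "tcp", 120000),  # TCP: not a reflector
]


def detect_reflection(flows, min_reflectors=3, min_bytes=100_000):
    """Return {(victim_ip, service): (reflector_count, total_bytes)} for every
    (victim, service) group that meets BOTH thresholds.

    Grouping is by destination IP and the abused service (derived from the
    UDP source port); non-UDP flows and unrelated source ports are ignored.
    """
    reflectors = defaultdict(set)   # (victim, service) -> distinct reflector IPs
    volume = defaultdict(int)       # (victim, service) -> bytes seen
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        key = (dst_ip, REFLECTOR_PORTS[src_port])
        reflectors[key].add(src_ip)
        volume[key] += nbytes
    return {
        key: (len(srcs), volume[key])
        for key, srcs in reflectors.items()
        if len(srcs) >= min_reflectors and volume[key] >= min_bytes
    }


if __name__ == "__main__":
    for (victim, service), (count, total) in detect_reflection(FLOWS).items():
        print(f"{victim}: {service} reflection from {count} hosts, {total} bytes")
```

With the default thresholds only the NTP group is flagged; the CHARGEN group has enough reflectors but too little volume, which is the kind of borderline case the second threshold exists to handle.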
When German programmer Robin Seggelmann claimed that he was "responsible for the error" that led to the flawed OpenSSL code - now better known as Heartbleed - it was a brave move, as the IT industry sneered at the "simple" mistake that had led to widespread condemnation. But it was what Seggelmann said next that signalled where the real error occurred.

"I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version," he told The Guardian newspaper.

The mantra of the open source community is that "no bug is too obscure or difficult for a million eyes" - so how did all of them miss this? Seggelmann defended the use of open-source development, claiming that the mistake highlights the need for more people to help out on such projects.

"It has been said that 90 per cent of websites are using this code but very few are contributing," Peter Pizzutillo, director of product marketing at software quality analysis firm CAST, explained. "The open source communities aren't as deep and robust as they should be, there are pockets of passionate developers out there so it is hard to fault them, there is no open testing community so the model only works if the takers are giving back on the code," he said.

And by takers, he means some of the biggest companies that are using the OpenSSL code for their own benefit - the likes of Google, Cisco, BlackBerry and Juniper Networks, for example.

The president of not-for-profit information security assurance organisation CREST, Ian Glover, told Computing that the blame lies with these big firms, and the initial developers, for a lack of testing. "I don't care if it's 'shrink-wrapped' or open source; firstly, it should have been developed correctly, and then tested by the organisation that uses it, even if it is of low value to them. If it is critical to the business then that needs even more stringent testing," he said.
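The "necessary validation" Seggelmann refers to is a bounds check on the Heartbeat record: the handler must confirm that the payload length the peer declares actually fits inside the record it received. The simulation below is an added example, not OpenSSL's code; the record layout follows RFC 6520, a constructed bytearray stands in for process memory, and the two handlers differ only in that one check.

```python
"""Heartbeat length validation: vulnerable form beside the hardened form
(added example, not OpenSSL's code).

Record layout per RFC 6520: type (1 byte), payload_length (2 bytes, big
endian), payload, then at least 16 bytes of padding. The bug was trusting
payload_length without checking it against the received record's size.
"""
import struct

PADDING = 16


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request. claimed_length lets a test construct a
    malformed record whose declared payload is longer than the real one."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([1]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def respond_unchecked(memory, record_offset, record_len):
    """Vulnerable form: copies payload_length bytes from where the record
    sits in memory, so an oversized claim reads past the record's end.
    record_len is received but, as in the flawed code, never consulted."""
    p = record_offset + 1
    payload_len = struct.unpack("!H", memory[p:p + 2])[0]
    return bytes(memory[p + 2:p + 2 + payload_len])


def respond_checked(memory, record_offset, record_len):
    """Hardened form: header + declared payload + padding must fit inside the
    received record; otherwise the record is discarded and no response sent."""
    p = record_offset + 1
    payload_len = struct.unpack("!H", memory[p:p + 2])[0]
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    return bytes(memory[p + 2:p + 2 + payload_len])


def simulate(claimed_length=None):
    """Place one heartbeat record in constructed 'heap' memory next to a
    secret and return (unchecked_response, checked_response)."""
    secret = b"SESSION_COOKIE=deadbeef"          # constructed neighbouring data
    record = build_heartbeat(b"ping", claimed_length)
    memory = bytearray(b"\x00" * 8 + record + secret + b"\x00" * 8)
    return (respond_unchecked(memory, 8, len(record)),
            respond_checked(memory, 8, len(record)))


if __name__ == "__main__":
    print("well-formed:", simulate())
    print("oversized claim:", simulate(claimed_length=40))
```

A well-formed request gets the same echo from both handlers; with an oversized declared length the unchecked handler returns bytes that were never part of the record, while the checked handler returns nothing.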
The OpenSSL Software Foundation, which funds development of OpenSSL, is underfunded, while the project itself is volunteer-run, according to Roland Dobbins, an analyst at security firm Arbor Networks, who believes it is "in desperate need of major sponsorship and attendant allocation of resources".

The funding, Pizzutillo suggested, should come from firms like Google, and the government. "The likes of Google should be contributing their share; they have a lot of commercial users, the majority of which are going to pay a penalty for it if their personal details are absorbed by those who exploit the flaw," he said.

Yahoo's servers, for example, could have been exploited for usernames, passwords, and other sensitive information, before the web giant fixed the bug across all of its properties. Some of the funding from organisations that use the OpenSSL code could cover a dedicated team of hackers to ensure that vulnerabilities like Heartbleed are found before they appear in the wild.

Pizzutillo suggested that organisations only take action in response to publicised issues and that clients only become proactive when compliance, rather than risk, becomes the driver.

But while open source code has to go through a certification process to be used by the US government, among other organisations, and third-party certification for coding is emerging, CREST's Glover encouraged firms to run their own websites from a coding perspective. "It's going to take retrospective action on websites for a long time because of bad code that's been there for many years that shouldn't have been there in the first place, and that's just dreadful," he said.

Glover said that organisations that run their own code on their websites - or at least test the code they use stringently enough - will be able to get more threat intelligence, which will serve them well in the long term.
CREST has worked alongside CESG (Communications Electronics Security Group, the UK's information assurance body) on the government's Cyber Essentials scheme, which attempts to give an independent assessment of the essential security controls that organisations should have in place to have a level of confidence that they are mitigating risks and web threats.

Despite this element of certification, Glover warned against the idea of setting up certification for organisations that are meeting coding standards. "Just because you pass your driving test, doesn't mean that you're a good driver," he said.

The ease of receiving the certification concerns Glover, but of more immediate concern to the industry will be whether Heartbleed has caught the attention of technology giants enough for them to put money back into the ecosystem.
The Heartbleed bug exposes the private encryption keys of virtual private network (VPN) servers running the OpenVPN application with a vulnerable version of OpenSSL, a Swedish VPN service warns.

Last week, developers who maintain the open-source OpenVPN software warned of the vulnerability, which has now been confirmed by VPN service provider Mullvad. “We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed bug,” said Mullvad co-founder Fredrik Strömberg in a Hacker News post.

The test server was running Ubuntu 12.04, virtualised using KVM, with OpenVPN 2.2.1 and OpenSSL 1.0.1-4ubuntu5.11. “The material we found was sufficient for us to recreate the private key and impersonate the server,” wrote Strömberg, warning that users of OpenVPN should assume others have created exploits for “nefarious purposes”.

Mullvad’s confirmation means that organisations using OpenVPN servers that rely on OpenSSL should take immediate steps to remove the vulnerability. According to the community wiki, OpenVPN is affected if it is linked against OpenSSL versions 1.0.1 to 1.0.1f, and anyone running those versions of OpenSSL should:

1. Update the OpenSSL library
2. Revoke the old private keys
3. Generate new private keys
4. Create certificates for the new private keys
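The first step in that procedure is knowing which servers fall in the affected range, and OpenSSL's letter-suffixed versioning (1.0.1, 1.0.1a ... 1.0.1f affected; 1.0.1g fixed) does not sort as a plain string. The triage helper below is an added example, not the OpenVPN project's code; the inventory of `openssl version` banners is constructed. One caveat from practice: distribution packages often backport the fix without changing the upstream banner, so a "vulnerable" result here means "confirm against the distro package version", not "confirmed exploitable".

```python
"""Triage OpenSSL banners against the affected range 1.0.1 through 1.0.1f
(added example, not from the OpenVPN project or wiki)."""
import re

# OpenSSL 1.0.x versions: major.minor.fix plus an optional patch letter.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Constructed inventory: host -> output of `openssl version` on that host.
INVENTORY = {
    "vpn-gw-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn-gw-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-gw-3": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy-1": "OpenSSL 0.9.8y 5 Feb 2013",
    "broken":   "sh: openssl: command not found",
}


def parse_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e'); unparseable -> None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def in_heartbleed_range(version):
    """True for 1.0.1 with no letter up to and including 1.0.1f.

    The empty letter sorts before 'a', so bare 1.0.1 is inside the range and
    1.0.1g (the first fixed release in that series) is outside it."""
    major, minor, fix, letter = version
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


def triage(inventory):
    """Return {host: 'vulnerable' | 'not-affected' | 'unknown'}.

    'unknown' hosts (no parseable banner) still need a manual look; silently
    treating them as safe is how a forgotten appliance keeps its old keys."""
    result = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            result[host] = "unknown"
        elif in_heartbleed_range(version):
            result[host] = "vulnerable"
        else:
            result[host] = "not-affected"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:10s} {status}")
```

Hosts reported as vulnerable are the ones that need the full four-step procedure, not just the library update, since any key that lived in a vulnerable server's memory must be treated as exposed.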