The SANS Internet Storm Center dialed down the panic on Monday, resetting the Infocon to “Green” and citing the increased awareness of the critical OpenSSL vulnerability known as Heartbleed as the reason. Still, the drumbeat of news about a serious vulnerability in the OpenSSL encryption software continued this week. Among the large-font headlines: tens of millions of Android mobile devices running version 4.1 of that mobile operating system (or “Jelly Bean”) use a vulnerable version of the OpenSSL software. Also: more infrastructure and web application players announced patches to address the Heartbleed vulnerability. They include virtualization software vendor VMWare, as well as cloud-based file sharing service Box. If history is any guide: at some point in the next week or two, the drumbeat will soften and, eventually, go silent or nearly so. But that hardly means the Heartbleed problem has gone away. In fact, if Heartbleed follows the same […]
Recent Posts
IDS And The IoT: Snort Creator Marty Roesch On Securing The Internet of Things
Martin Roesch is one of the giants of the security industry: a hacker in the truest sense of the term who, in the late 1990s created a wide range of security tools as a way to teach himself about information security. One of them, the open source SNORT intrusion detection system, turned into one of the mostly widely used and respected security tools in the world. SNORT became the foundation for Sourcefire, the company Marty helped found in 2001. And Sourcefire went on to fantastic success: first as a startup, then as a publicly traded company and, as of October of last year, as part of Cisco Systems, after the networking giant bought Roesch’s company for $2.7 billion. These days, Marty serves as a Vice President and Chief Architect of Cisco’s Security Business Group, where he’s helping shape that company’s strategy for securing the next generation of enterprise (and post-enterprise) networks. […]
Heartbleed For Poets And Other Must-Reads
It’s H-Day + 2 – two full days since we learned that one of the pillars of online security, OpenSSL, has contained a gaping security hole for the past two years that rendered its protections illusory. As I wrote over on Veracode’s blog today: this one hurts. It exposes private encryption keys, allowing encrypted SSL sessions to be revealed. Trend Micro data suggests around 5% of one million Internet top-level domains are vulnerable. IOActive notes that Heartbleed also appears to leave data such as user sessions subject to hijacking, exposes encrypted search queries and leaves passwords used to access online services subject to snooping, provided the service hasn’t updated their OpenSSL instance to the latest version. In fact, its safe to bet that the ramifications of Heartbleed will continue to be felt for months – even years to come. In the meantime, there is a lot of interesting coverage and […]
The Heartbleed OpenSSL Flaw: What You Need To Know
There’s a serious vulnerability in most versions of the OpenSSL technology that requires an immediate update to avoid exposing sensitive information and Internet traffic to snooping. In response, the SANS Internet Storm Center (ISC) has raised its InfoCon (threat) level to “Yellow,” indicating that…well…the Internet’s not as safe a place today as it was yesterday, before the vulnerability was released. Here’s what we know right now: + Researcher Neel Mehta of Google Security discovered the vulnerability, which was apparently introduced with a OpenSSL update in December, 2011, but only fixed with the release of OpenSSL 1.0.1g on Monday. + Dubbed “heartbleed” (thank the Codenomicon marketing department for that one), the vulnerability (CVE-2014-0160) is described as a TLS heartbeat read overrun. TLS stands for Transport Layer Security. According to OpenSSL.org, vulnerable versions of the OpenSSL software have version numbers ranging from 1.0.1 and 1.0.2-beta. + Codenomicon described the vulnerability as an “implementation problem” […]
Vint Cerf: CS Changes Needed To Address IoT Security, Privacy
The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist. Cerf, speaking in a public Google Hangout on Wednesday, said that he’s tremendously excited about the possibilities of an Internet of billions of connected objects, but said that securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – and one that the nation’s universities need to start addressing. “I’m very excited,” Cerf said, in response to a question from host Leo Laporte. He cited the Philips HUE lightbulb as an example of a cool IoT application. “So you’re going to be able to manage quite a wide range of appliances at home , at work and in your car. Eventually, that will include things you’re […]
