
The Blue & Gray Press | August 17, 2017


Heartbleed starts dialogue for the actual safety of online

By KRISTEN LAWRENCE


Two recent incidents seeded the public with suspicions as to how effective anti-theft measures are: the Target security breach that occurred late last year, and the University of Maryland data breach of this year.

The latest in this string of online security breaches is dubbed the Heartbleed bug, and it has the potential to cause a devastating amount of damage.

The Target security breach in 2013 exposed the credit card information of thousands of customers during the busy holiday season.

The store chain could now face class-action lawsuits from the banks that had to replace affected and potentially affected cards.

No less distressing was the breach of the University of Maryland’s systems that netted its assailants the secured records and social security numbers of over 300,000 faculty, staff and students who were signed up for identification cards with the school. The pool of people included those whose studies dated back to the 1990s.

PC World, an online news resource for technology, said the latest iteration, the Heartbleed bug, is the exploitation of a flaw in the OpenSSL key, which is part of the security certificate on popular sites such as Facebook and Yahoo.

It is used to verify that a client’s computer is not connecting with a fake website instead of the actual thing. An indication of OpenSSL functioning on a given website is a secured padlock in the address bar.

Fortunately, this exploit was discovered by way of testing via researchers, rather than implementation by criminals, but there is still the question of just how secure any information is over the internet.

The frequency of online burglary is highlighted by these two major breaches in the span of only a few months, and the thwarting of a third possible avenue of attack serves to show just how flawed online security is.

Perhaps researchers were quicker to respond to another threat due in part to a deficiency of action by Target when the first breach occurred.

According to Reuters, the popular shopping chain declined to respond when the first wave of warnings about malicious activity went out. A moment of ignorance cost Target a fair chunk of its good reputation and the upward momentum of its stock, with good reason.

In the case of the University of Maryland, the thieves in question had to jump through a number of hoops for a copy of the information they stole. “The Washington Post” reported that the information was locked behind several layers of security and was only accessible due to concentrated efforts.

Someone studied and planned for that heist for some time, which is worrying when we consider our own social security numbers and other sensitive information that we have shared with our own school.

It is fortunate that this most recent iteration of online hacking was foiled in its earliest stages, but it does not diminish the potential for another attack to occur at any moment.

Companies are just now starting to scan for weaknesses and flaws in their security programming, but we are still left to scramble and worry that the next breaking news will be of some breach that lost our vital information, if we have not already lost it before.

Companies need to step up their game, to hold themselves more accountable for the very real potential of malicious activity.

As customers of these banks and shops, and members of these schools and organizations, we need to be on the lookout and be mindful of the not-so-secure security of these places.


Comments

  1. J

    Despite its title, this article does a poor job of discussing heartbleed and the supposed dialogue it has started. The author focuses an inordinate amount of time discussing recent breaches at Target and the University of Maryland. While both events were serious, they were breaches caused by the exploitation of one or more vulnerabilities. Heartbleed is one such vulnerability and must be exploited in order to cause a security breach. Attempting to compare vulnerabilities and breaches is akin to apples and oranges. Furthermore, the small amount of information presented about heartbleed is inaccurate. Secure Sockets Layer (SSL) was a cryptographic protocol developed in order to make internet traffic more secure. It has since been superseded by Transport Layer Security (TLS). Heartbleed is not a vulnerability with the x509 certificates used by TLS/SSL. Instead, heartbleed is a coding error within OpenSSL, a cryptographic library used to implement TLS/SSL, resulting from incorrectly checking boundary limits. XKCD has an incredibly simple explanation of how heartbleed works that can be read at https://xkcd.com/1354/. There are numerous other libraries that implement TLS/SSL which remain unaffected by heartbleed. The reason heartbleed is seen as such a big issue is that OpenSSL is used in several common server implementations (mainly Apache and nginx) and the bug has been present in OpenSSL for the last two years. Usage of the heartbleed bug does not leave any logs or other identifying information, so it is nigh impossible to know if any servers using OpenSSL were exploited prior to its discovery. This is contrary to the author’s position that heartbleed was discovered in its infancy.

    Lastly, companies and organizations have been auditing their own security for some time. Most businesses are required to protect their data by law (HIPAA, PCI, Gramm-Leach-Bliley, etc.) and have been doing so for some time. If anything, it is a technological naivete on the part of individuals which results in the vast majority of security breaches. The most common examples are clicking on a phishing email, creating simple passwords, and reusing a password for multiple services. The Target breach is a prime example because it started with a phishing email to an HVAC contractor. Once the contractor’s credentials were stolen, the attackers had unfettered access into Target’s systems through a flaw in Target’s network design. While both companies may not have been following best security practices, it was the lack of human judgement over the original phishing email which allowed the attack to take place.
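The bounds-check failure the comment above describes, shown as an added illustration that is not part of the article, the comment, or OpenSSL's own code: a toy heartbeat-style handler that trusts the length a peer claims, beside the same handler with the missing check. The record layout (type byte, 16-bit claimed length, payload) follows the shape of a TLS heartbeat message; the "connection memory" array, the 'S' marker bytes and all function names are constructed for this demonstration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "connection memory" (not OpenSSL's real data structures): the
 * received heartbeat record sits at the front, and whatever else happens to be
 * adjacent in memory follows it.  Everything past the record is filled with 'S'
 * so that any bytes leaked from beyond the record are easy to count. */
#define MEM_SIZE 64
#define OUT_CAP  (MEM_SIZE - 3)   /* keeps the vulnerable copy inside conn_mem */
static unsigned char conn_mem[MEM_SIZE];

/* Record layout, the same shape as a TLS heartbeat message:
 *   byte 0    : message type
 *   bytes 1-2 : payload length claimed by the peer, big-endian
 *   bytes 3.. : payload (padding omitted here) */
static size_t build_memory(uint16_t claimed_len, size_t actual_payload_len)
{
    memset(conn_mem, 0, sizeof conn_mem);
    conn_mem[0] = 1;                                   /* heartbeat request */
    conn_mem[1] = (unsigned char)(claimed_len >> 8);
    conn_mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(conn_mem + 3, 'A', actual_payload_len);     /* bytes that really arrived */
    size_t record_len = 3 + actual_payload_len;
    memset(conn_mem + record_len, 'S', sizeof conn_mem - record_len);
    return record_len;
}

static uint16_t claimed_length(const unsigned char *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: copies as many bytes as the peer *claimed*, never asking
 * how many bytes actually arrived.  The only cap is there to keep this
 * demonstration inside conn_mem; it is not what the real fix does. */
static size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t record_len,
                                         unsigned char *out)
{
    (void)record_len;                 /* ignored: this is the bug */
    size_t n = claimed_length(rec);
    if (n > OUT_CAP) n = OUT_CAP;
    memcpy(out, rec + 3, n);
    return n;
}

/* Fixed handler: the claimed payload must fit inside the record that was
 * actually received, otherwise the request is dropped without a reply. */
static size_t heartbeat_reply_fixed(const unsigned char *rec, size_t record_len,
                                    unsigned char *out)
{
    if (record_len < 3) return 0;
    size_t n = claimed_length(rec);
    if (n + 3 > record_len) return 0;  /* the missing bounds check */
    if (n > OUT_CAP) return 0;
    memcpy(out, rec + 3, n);
    return n;
}

/* Number of reply bytes that came from beyond the received record. */
static size_t count_leaked(const unsigned char *out, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 'S') leaked++;
    return leaked;
}

/* Scenario A: a record carrying 5 real payload bytes but claiming 40. */
size_t demo_vulnerable_leak(void)
{
    unsigned char out[OUT_CAP];
    size_t record_len = build_memory(40, 5);
    size_t n = heartbeat_reply_vulnerable(conn_mem, record_len, out);
    return count_leaked(out, n);                      /* 35 bytes leaked */
}

size_t demo_fixed_leak(void)
{
    unsigned char out[OUT_CAP];
    size_t record_len = build_memory(40, 5);
    size_t n = heartbeat_reply_fixed(conn_mem, record_len, out);
    return count_leaked(out, n);                      /* 0: request dropped */
}

/* Scenario B: an honest record whose claimed and real lengths agree. */
size_t demo_fixed_reply_len_honest(void)
{
    unsigned char out[OUT_CAP];
    size_t record_len = build_memory(5, 5);
    return heartbeat_reply_fixed(conn_mem, record_len, out); /* 5 */
}

int main(void)
{
    printf("vulnerable handler leaked %zu bytes\n", demo_vulnerable_leak());
    printf("fixed handler leaked %zu bytes\n", demo_fixed_leak());
    printf("fixed handler echoed %zu bytes of an honest request\n",
           demo_fixed_reply_len_honest());
    return 0;
}
```

The difference between the two handlers is a single comparison of the claimed length against the number of bytes that actually arrived, which is why the comment's point stands: the flaw is in the library's handling of a length field, not in the certificates, and a server that runs the vulnerable version produces no log entry when it echoes adjacent memory, so patching and rotating keys is the only dependable response.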
