heartbleed

This week saw the internet, Twitterverse and my inbox explode as the full scale of the Heartbleed flaw came to light.

It was on Tuesday morning when I first became aware of the issue and since then I have heard a mixed bag of thoughts on it, and had the chance to read varying stories that offer a combination of FUD, decent analysis and advice on changing passwords prematurely.

In case you took the week off, managed to avoid all the news and have been completely unaware of the story (it can be done), then Heartbleed, also known as the OpenSSL flaw or, to be completely technical, CVE-2014-0160, affects a website’s OpenSSL library, and the major threat is that many websites use this library in their login process. This means that if the software is vulnerable, so is your login, and therefore if an attacker has exploited the flaw, they may have captured your login details.

According to a blog by Zscaler’s Michael Sutton: “Heartbleed impacts the most common implementation of SSL/TLS (OpenSSL), which is used on the majority of web servers. In fact, according to Netcraft, in April 2014, Apache and nginx, two of the most popular web servers that both include vulnerable OpenSSL implementations, account for 66 per cent of active web servers.”

Advice began to flow in, advising users to change their passwords. However, the stance we took on IT Security Guru was that this was premature if the flaw still exists, as the new password users have securely crafted and remembered could be intercepted too.

As for who is affected, the company names roll off like a who’s who in technology: Cisco, Juniper, BlackBerry, Apple, Google and Facebook. There is a full list at Mashable.

Does it seem like a big deal? That depends on who you listen to. Security expert Bruce Schneier called it a “catastrophic bug” and said “on the scale of 1 to 10, this is an 11”; TK Keanini, CTO of Lancope, said: “This is one of the most major vulnerabilities to happen this year and it will be with us for quite some time as everyone who is vulnerable will need to remediate”; while Edward Felten, a computer security expert at Princeton University, told the New York Times that “Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security.”

One of the areas that interested me was the impact upon open source software. Philip Lieberman, CEO of Lieberman Software, called it “really serious and a big blow to the credibility of open source”, while Mark Brown, director of information security at EY, said: “This vulnerability is a major blow for security on the internet and for open source development. The idea behind open source is that issues like these are resolved by the developer community at an early stage. A bug like this should never have got this far and it fundamentally undermines trust in the system.”

The story has achieved huge amounts of press attention, not just from the technical press but from national newspapers around the world. Perhaps one of the most interesting pieces was in the Sydney Morning Herald, which managed to speak to Robin Seggelmann, who was named as the man whose coding mistake left servers vulnerable.

He said the bug was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago, “so the error made its way from the development branch into the released version.”

So we know roughly how many are impacted, and there are reports that the flaw is being exploited, with national CERTs issuing advice on it, while rumours have also circulated that phishing messages referring to it have been detected. That is not really surprising while legitimate emails encouraging users to change their passwords are circulating at the same time.

Dr. Mike Lloyd, CTO of RedSeal, said that vulnerabilities “are nothing new” and while security teams everywhere are scrambling, “some scrambles are more significant than others”. He said: “All these questions are hard to answer when you’re already in crisis. What you need is automation – not just vulnerability scanning (which can find those unpatched machines), but also a pre-built map, and a way to automate and speed up the query for ‘Where are these machines suffering from Heartbleed, and what are they exposed to?’ Wise organisations plan for this – we know it’s going to happen again.”

Toyin Adelakun from Sestus advises users, if possible, not to log in to any online accounts if they are not sure whether the service provider is still vulnerable. It doesn’t help to change passwords either, because if the service provider is still vulnerable, your credentials could still be leaked. (If you feel you have to log in before receiving the all-clear, the only logical risk-containment strategy would be to change passwords frequently — perhaps after each use!) GoDaddy and BitCoin are supposedly still in the process of patching. Facebook, DropBox, Gmail and Yahoo claim to have fixed the vulnerability. Apple, Amazon, Ebay, Hotmail and LinkedIn claim not to have had the vulnerability in the first place.

For the future, a blog by Trustwave said that as this has been present for two years, it’s likely that sophisticated attackers have identified the bug and widely exploited it. “Organisations will be hard pressed, if not unable, to glean whether their SSL certificate is compromised until an attacker is caught performing a man-in-the-middle attack,” said John Miller, security research manager at Trustwave. “Every server that is or was vulnerable to the Heartbleed attack is potentially compromised. As a result, certificate owners must act to protect their users and their reputations.”

So what can you do to protect yourself? I’d suggest looking at the great website built by Codenomicon, who discovered the flaw, reading the excellent analysis by Australian researcher Troy Hunt and changing your password once you have figured out that the website has been fixed.

If you are managing servers, take the time to apply fixes and get yourself secure again. Of course, if you really want to make a difference, why not make a donation to the OpenSSL foundation and help make sure things like this do not get repeated.


Dan Raywood is editor of The IT Security Guru


With information security making headline news more than ever before, we have seen an increase in the quantity and quality of coverage for our clients. With over 1200 clippings this quarter (and counting), publications we have featured in include:

  • Reuters
  • The Guardian
  • The FT
  • BBC
  • The Daily Mail
  • The Observer
  • The Telegraph
  • The Register
  • SC Magazine

It’s safe to say it’s an exciting time to be in the industry – and we’re looking forward to what the next quarter brings!


The seventh IT Security Analyst & CISO Forum will take place in London in June. The event is available to just 10 vendors and gives you a unique opportunity to brief most of the world’s top IT Security analysts on how you differ from your competitors, your product roadmap and to explain why you’re a leader in your space.

Thirteen analysts attend the event, but you get to choose which of these you’d like to brief. The analyst meetings all happen on day one.

The second day is based around the CISO roundtable, which has grown in popularity amongst the CISO community, with many attending year after year and now bringing their CISO colleagues as they find it so fruitful. During this day, you get to join in their roundtable discussion and you choose who you’d like to sit with at the roundtable lunch.

The event is limited to just 10 IT security vendors; however, there are 2 places still available, so if you would like to attend please give Yvonne a call on 0207 183 2832.


We are delighted to report that the IT Security Guru has gotten off to a flying start. With Dan Raywood at the helm, we have had a new Guru every day sharing their opinion and insight, plenty of videos and all the latest breaking news. Twitter followers are up by 335% and content is flooding in – but the growth doesn’t stop here! We have a couple of new features coming up on the site.

A to Z of the Infosecurity community

The IT Security Guru was built to be the site for our community – and what community doesn’t have an address book? We are putting together the A to Z of who’s who in the IT security community – the major players, who their competitors are and what products they have to offer. If you would like your company featured, please email editor@itsecurityguru.org for a submission form with all the details.

Product reviews

And finally, the site wouldn’t be complete without reviews, so we have teamed up with the UK’s top IT security reviewer Dave Mitchell to provide honest, impartial reviews on IT Security Guru. The package will include a 600-1000 word review with images/logo and a pdf version that you can use for marketing purposes. We will offer these initially for a low introductory rate, so please get in touch for more details.


This month sees one of Eskenzi’s longest standing clients, Varonis Systems, achieve the most successful IPO of the year in the big data arena. So a huge congratulations to our dear friends at Varonis.

The unstructured data specialist’s shares soared after making its public trading debut, with investors snapping them up in their droves. The shares rocketed as much as 91% to $42.02 in midday trading, after its 4.8 million shares were originally priced at $22 a share.

A number of tech companies have boasted highly successful initial public offerings in recent months. Twitter Inc. shares surged 73% from their IPO price in the first day of trading, while cybersecurity firm FireEye Inc. climbed 80%.

According to data from Dealogic, Varonis’ high would place it fourth in the technology sector among one-day increases for U.S.-listed IPOs since the beginning of 2013.


The Mail on Sunday this past weekend saw an anonymous whistleblower hand a journalist a memory stick with the personal data of 2,000 Barclays customers, saying information on a further 25,000 was also available.

It has the security industry conflicted on where the responsibility ultimately lies, with many arguing that Barclays should be liable and pay large fines. However, others such as Dominique (DK) Karg, chief hacking officer for AlienVault, commend Barclays for not burying its head in the sand and actually thanking the Mail on Sunday for bringing the leak to its attention. He said:

“… it all comes down to organisations sharing this kind of intelligence openly so that others can learn from it. At this point, the damage to Barclays image is huge, but in this case, it is clearly the work of one or two people that had legitimate access to the data. What the authorities need to do is go for these guys and make an example of these malicious insiders.”


And I tend to agree. All Barclays can do now is go back and launch a full investigation and take the appropriate steps after the fact. I think the point is that people will always be the weakest link in an organisation’s security. Without a doubt, it is a slippery slope when we start losing the ability to make individuals accountable for their own actions – it’s all too easy to put blame squarely on an organisation.

- Beth

The security industry is a hot bed of acquisitions and this week saw one of Eskenzi’s clients, Imperva, acquiring not one, but three firms.

In particular, the acquisition of Incapsula sees Imperva move into a whole new sector, with the addition of DDoS mitigation technology to its suite. What makes this addition interesting is that, not only does it add a new sector of technology, but it puts Imperva up against some major firms in that space. DDoS attacks are not a new concept, and prevention by mitigating traffic is not a new technology, but what this means for Imperva customers is the capability to mitigate application-layer attacks.

As a leader in the web application firewall space, Imperva is already well versed in the application protection sector, but this move allows it more leeway in the industry in a fairly open space. The acquisition of Prolexic by Akamai, and the arrival in the UK of another Eskenzi client, DOSarrest, in the past year show that this is a moving space.

Back to acquisitions though; what I find interesting about them is that it puts money back into a pretty cash-rich market. Companies buy and sell all of the time, and from time to time there are major acquisitions which take skilled people from start-ups into IT powerhouses. Sometimes they are a great fit, sometimes the secondment is carried out and the person takes their cash and invests into or begins a new start-up in an area they’ve always wanted to work in.

What this means is that there is always movement in the IT security industry. Nothing that is static is dynamic, and this industry thrives on creativity and ideas. Look at the £5 billion acquisition of McAfee by Intel in 2010 – I am sure that there were some shaky moments, but look at what has happened since: former McAfee CTO George Kurtz has formed the “attack back” firm Crowdstrike, while former McAfee executives joined another vibrant company, FireEye, who made their own headlines this year with the acquisition of Mandiant for a billion dollars.

For Imperva, Incapsula, Tomium and Skyfence, this is likely to be an exciting time. Incapsula is a well known brand, while the other two companies will see the opportunity to work with one of the industry’s most vibrant and important companies. For Imperva, this strengthens its position with a wider offering and footprint.

On the tube on my way into work last week I noticed an advert for the government’s Cyber Streetwise Campaign. At first I had to do a double take: in amongst the adverts for Match.com and the Belgravia Hairloss Centre, it was a bit surprising to see a poster about cybercrime. But then it occurred to me that the tube, in amongst a load of consumer adverts, was the perfect location to place the poster, as it gave across a very clear message – cybercrime affects everyone.

The campaign has received a bit of a mixed reception among the security industry. While most agree it’s worthwhile, many have argued that it’s nothing new and has been done before. However, given that cybercrime is at an all-time high, I think that a bit of consumer-aimed cyber-education is a great thing.


I receive between 10 and 12 phishing emails a day at work, my personal inbox receives about 30 spam emails a day, and I’ve lost count of the number of Nigerian kings that have asked me to keep their millions safe while they try to flee their country for political reasons. Obviously all these emails get swiftly deleted and forgotten about, but I often wonder if I only know to do that because I work in security and can instantly recognise them as scams. If that’s the case, what happens to the consumers who have absolutely no knowledge of cybersecurity? Will they fall victim to one of the ever more sophisticated phishing attacks that have been hitting my inbox recently?

This is why I believe the government’s Streetwise campaign has been launched at a good time. Not only does the campaign give out good, well thought-out advice, it also teaches consumers the dangers of posting sensitive information online and how to identify suspicious emails. I am well aware that similar campaigns have been done in the past. However, let’s be honest: when a vendor launches a ‘Cyber Safe’ campaign people get cynical and just think they’re trying to sell you products, and when an independent body launches one, it will never have the funding to reach a mass consumer audience. The Streetwise project is being funded by a pretty big pot of money from the Government’s National Cyber Security Programme, meaning it has the ability to make a big impact.

Consumers need to know more about cybercrime. I obviously can’t guarantee it will make them any more cyber-savvy but at least the government is trying.

Yahoo

Yahoo has confirmed that it has been hacked by a person or group of people trying to gain unauthorised access (as if there was any other kind when hackers are involved) to mail accounts. The precise number is unknown, but apparently those that were impacted have been asked to change their password details.

Yahoo said that the information leak likely came from a third-party database that featured a list of usernames and passwords and not from a compromise of its own systems. Which raises the question: why were third-party databases holding these passwords? How can we be smarter about what sites we give our information to – often with little thought to where it’s going and what these third parties’ security is like?

Everyone talks about stronger passwords, but in this case I’m not sure a stronger password would have helped, as obviously it was stored on a database somewhere, taking all the guess-work out of the hacker’s job. One thing is for sure: I will definitely be thinking a little harder about what kind of sites I sign up to and what password I use.

The best advice in this situation is to make sure that your email password is not the same as every other password you use on the web. I did not get an alert, but I can assure you, I have changed my Yahoo password and urge everyone else to do the same to be on the safe side, especially if it is your “old faithful” that you use frequently. I’m sure we all know by now how NOT to pick a password, but in case you need some guidance about strong passwords, check this out. Possibly a little over the top, but you can get the idea.


Today is Data Privacy Day, so why not take a moment to review your online behaviour and make sure that you are happy with the amount of personal information you potentially share online or via mobile apps? This is especially worthwhile in light of the latest Snowden leaks, which revealed that the NSA uses mobile apps to spy on people. It’s a good opportunity to evaluate where you could be leaking information you might not necessarily want lurking around cyberspace for criminals to find. Think of all the different identities you have online: Facebook, LinkedIn, Twitter, Google+, Instagram, Pinterest… I could go on and on. Make sure you take a glance at your privacy settings and decide whether you really are happy to share your profile, personal details and photos with just anyone, or whether you want to limit the reach.

You may also want to take this quiz to find out your privacy IQ.

Our client, ISACA, offers some very sensible advice for protecting your privacy and security:

  • Read privacy policies. Understand what personal information websites and mobile apps are requesting and how it will be used. If there is no privacy policy, it’s a red flag—your personal data may be sold without permission.
  • Be smart about location-based services. Don’t opt-in to beacon-type mobile apps unless you trust the retailer and their security and privacy practices.
  • Don’t shop from public wi-fi hotspots. When you surf the Internet on an open hotspot, hackers can spy on your activities and steal data such as passwords and credit card information as you enter it.
  • Beware of phishing. If you receive an e-mail asking for financial information because there is a problem with your order or account, call the retailer to confirm. Don’t reply to the email and don’t provide confidential information, like your credit card number.
  • Check it out before you check out. Before you pay, confirm that the site is secure by looking for the “s” in https:// in the site’s URL and check the lower-right corner of the page for the lock symbol. Do not reply to unsolicited emails from companies you don’t recognise.
  • Safeguard and remember the password you have chosen for the extra verification services used on some websites, such as Verified by Visa.
  • Always log out of sites into which you have logged in or registered details. Simply closing your browser is not enough to ensure privacy.

Also, note that some websites will redirect you to a third-party payment service (such as WorldPay). Ensure that these sites are secure before you make your payment.

And then, heck, why not make every day after that Data Privacy Day!
