
Heartbleed-Weary Tech Firms Show OpenSSL a Little Love

By Erika Morphy
May 30, 2014 2:29 PM PT

Remember Heartbleed? Several weeks ago, the exposure of this security bug chilled the Internet, highlighting once again that even the seemingly unbreakable can be hacked. In the case of the Heartbleed vulnerability, encrypted data was at risk of theft.

Sites potentially vulnerable to Heartbleed urged users to change their passwords. They ranged from Canada's Revenue Agency to Amazon Web Services to Yahoo to Reddit.

Although angst waned following the launch of a massive initiative to patch the vulnerabilities that could permit malware attacks, Heartbleed has emerged from its bunker.

Hello Cupid

Luis Grangeia, security services manager at SysValue, this week identified a new attack vector that opens wireless routers and Android devices to infiltration. In this case, the attack is carried out via WiFi, targeting both the client and the server.

The vector, called "Cupid," is a new twist on Heartbleed. Previously it was believed Heartbleed could be exploited only over TCP connections or after the TCP handshake, Grangeia noted. Cupid essentially killed those "sacred cows."

Another lesson learned from Cupid, Grangeia said, is that "openSSL sucks."

OpenSSL Sucks

The tech industry may be inclined to agree, albeit in less blunt language, but there's an effort under way to improve OpenSSL.

The Core Infrastructure Initiative, a group of tech companies gathered together by The Linux Foundation in response to Heartbleed, this week announced funding for several open source projects to shore up security.

The group has prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding, with OpenSSL slated to receive funds for two full-time core developers.

Companies participating in the initiative include Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Rackspace, and VMware.

Too Little, Too Late?

How much this initiative will help matters remains to be seen.

"There's little doubt that additional support for OpenSSL will improve the situation, but it's hard to know whether it's too little, too late," Tim Erlin, director of IT security and risk strategy at Tripwire, told LinuxInsider.

"Additional support only improves the code going forward -- it doesn't magically patch deployed instances of the cryptography library," he continued. "This means consumer safety still depends on continued mitigation and patching efforts."

In fact, the risk from Heartbleed is still high despite the efforts of the security industry over the last month, said Lamar Bailey, director of security research at Tripwire.

"It often takes organizations a long time to apply patches because of testing and change control limitations," he told LinuxInsider. "Unfortunately for consumers, these long patch cycles mean that successful Heartbleed attacks will keep taking place for months, and perhaps even for years."

The next big Heartbleed-style attack is nearly impossible to predict, said Andrew Avanessian, VP of global professional services at Avecto.

For that reason, "IT must take a proactive stance to security in order to reduce an organization's exposure to the next attack," he told LinuxInsider.

"Defense-in-depth security strategies should include both reactive and proactive measures, including regular patching and removing elevated privileges from all users," Avanessian suggested.

"This would ensure that if an attacker managed to gain access to a user's credentials via a Heartbleed-style bug, they would be limited in the damage they could cause," he explained.

"After all diligent remediation steps have been taken, Heartbleed remains a waiting game," observed Paul Martini, CEO of Iboss Network Security.

"Having users change their passwords was a good idea, as was changing certificates," he told LinuxInsider. "However, as we have discovered, there are no foolproof methods."

Erika Morphy has been writing about technology, finance and business issues for more than 20 years. She lives in Silver Spring, Md.