Heartbleed Bug’s ‘Voluntary’ Origins

The encryption flaw that punctured the heart of the Internet this week underscores a weakness in Internet security: A good chunk of it is managed by four European coders and a former military consultant in Maryland.

Most of the 11-member team are volunteers; only one works full time. Their budget is less than $1 million a year. The Heartbleed bug, revealed Monday, was the product of a fluke introduced by a young German researcher.

via Heartbleed Bug’s ‘Voluntary’ Origins – WSJ.com.

‘Heartbleed’ computer bug threat spreads to firewalls and beyond

Hackers could crack email systems, security firewalls and possibly mobile phones through the “Heartbleed” computer bug, according to security experts who warned on Thursday that the risks extended beyond just Internet Web servers.

The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in a widely used Web encryption program known as OpenSSL opened hundreds of thousands of websites to data theft. Developers rushed out patches to fix affected web servers when they disclosed the problem, which affected companies from Amazon.com Inc and Google Inc to Yahoo Inc.

Yet pieces of vulnerable OpenSSL code can be found inside plenty of other places, including email servers, ordinary PCs, phones and even security products such as firewalls. Developers of those products are scrambling to figure out whether they are vulnerable and patch them to keep their users safe.

via ‘Heartbleed’ computer bug threat spreads to firewalls and beyond | Reuters.

Canada Revenue Agency services website shut down over security concerns

The Canada Revenue Agency has shut down public access to its electronic services website over security concerns related to the “Heartbleed Bug,” a newly discovered software flaw that has made information on many of the world’s major websites vulnerable to theft.

In a message posted on its website, the agency said that it had temporarily closed its services site “to protect the security of taxpayer information.”

Revenue Minister Kerry-Lynne Findlay said Wednesday morning that the site had been closed as a “precautionary measure.”

via Can’t file your taxes? Canada Revenue Agency services website shut down over security concerns | CTV News.

Major bug called ‘Heartbleed’ exposes Internet data

A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.

It’s unlike most of the breaches reported over the past few years, in which one Web site or another got hacked or let its guard down. The flaw this time is in code designed to keep servers secure — tens of thousands of servers on which data is stored for thousands of sites.

via Major bug called ‘Heartbleed’ exposes Internet data.

Difference Engine: End of the road for Windows XP

THIS week sees the last batch of bug fixes and security patches that Microsoft will issue for Windows XP. After April 8th, computers using the 13-year-old operating system will continue to work just fine, but all technical support for XP—whether paid or otherwise—will cease. In a change of heart, Microsoft has at least agreed to continue issuing updates for its Security Essentials malware engine, which runs on XP, until July 2015. Apart from that, users who continue to rely on the thing will be on their own—at the mercy of mischief-makers everywhere.

via Difference Engine: End of the road for Windows XP | The Economist.

InfoSec Handlers Diary Blog – OpenSSL CVE-2014-0160 Fixed

OpenSSL 1.0.1g has been released to fix “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1.”, known as the Heartbleed Bug.

via InfoSec Handlers Diary Blog – OpenSSL CVE-2014-0160 Fixed.
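The missing bounds check the diary entry quotes, shown on a plain buffer as an added example (not code from the diary or from OpenSSL itself): the pre-1.0.1g code trusted the peer's claimed payload length, the fix requires header, claimed payload and minimum padding to fit inside the record that actually arrived. The `hb_*` names, the zeroed padding and both sample records are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message inside one record:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Constructed sample records (not real captures): the first carries the four
 * payload bytes it claims, the second claims 65535 but carries the same four. */
static const unsigned char hb_benign_req[] = {
    1, 0x00, 0x04, 'p', 'i', 'n', 'g', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const unsigned char hb_oversized_req[] = {
    1, 0xff, 0xff, 'p', 'i', 'n', 'g', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static unsigned char hb_out[64];

/* What the peer claims. Before 1.0.1g this value was used directly as the copy
 * length when building the response, so a claim larger than the record made the
 * copy run past the received bytes into adjacent process memory (up to 64 KiB,
 * the maximum of the 16-bit field). */
int hb_claimed_payload_len(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return -1;
    return (rec[1] << 8) | rec[2];
}

/* The bounds check 1.0.1g added, written against a plain buffer: header,
 * claimed payload and minimum padding must all fit inside the record that
 * actually arrived. Returns the payload length, or -1 to drop the message. */
int hb_validated_payload_len(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    int claimed = hb_claimed_payload_len(rec, rec_len);
    if ((size_t)claimed + HB_HEADER_LEN + HB_MIN_PADDING > rec_len) return -1;
    return claimed;
}

/* Builds the response (type 2, echoed payload, padding) only for a validated
 * request; padding is zeroed here for determinism. Returns length or -1. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    int plen = hb_validated_payload_len(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = HB_HEADER_LEN + (size_t)plen + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = 2;
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return (int)need;
}
```

The oversized request is the shape a vulnerability scanner sends: the validated path drops it, whereas trusting `hb_claimed_payload_len` alone would have copied 65535 bytes out of a 23-byte record.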

Cyber-attacks increase leads to jobs boom

As the number and sophistication of cyber-attacks increase, so too does the demand for people who can prevent such digital incursions. Cyber-security is having a jobs boom. But there aren’t enough people with the necessary skills to become the next generation of cyber-cops. According to the most recent US Bureau of Labor statistics, demand for graduate-level information security workers will rise by 37% in the next decade, more than twice the predicted rate of increase for the overall computer industry.

via BBC News – Cyber-attacks increase leads to jobs boom.

New authenticated encryption algorithm is resistant to multiple misuse

Nippon Telegraph and Telephone Corporation, Mitsubishi Electric Corporation and the University of Fukui have jointly developed an authenticated encryption algorithm offering robust resistance to multiple misuse.

via New authenticated encryption algorithm is resistant to multiple misuse.

What doxxing is, and why it matters

The term “dox”, also spelt “doxx” and short for “[dropping] documents”, first came into vogue as a verb around a decade ago, referring to malicious hackers’ habit of collecting personal and private information, including home addresses and national identity numbers. The data are often released publicly against a person’s wishes. It is a practice frowned upon by users of Reddit, a popular online forum, and many others.

via The Economist explains: What doxxing is, and why it matters | The Economist.

ACM interview with Eugene H. Spafford

As a pioneering Internet security researcher and a well-known skeptic about achieving truly secure systems, are you optimistic about efforts to build a more secure network?

No, I’m not. I see two problems associated with this approach. First, any significant network that is developed will need to accommodate existing (legacy) systems in some manner, and be operated by some of the same people we have now — there is simply too much invested in legacy systems. This will lead to participating organizations continuing to make poor choices about their priorities for security (and privacy). Many security problems come about because of user error, misconfiguration, poor patching, indirect attacks, and a failure to properly prioritize and fund appropriate safeguards — it isn’t only the design of the networks. A new set of network protocols and connections will not address the full range of issues.

via March 11, 2014: People of ACM: Eugene H. Spafford — Association for Computing Machinery.