The latest SSL attack, in the form of Heartbleed (ref. CVE-2014-0160), has burst onto the scene in the last 24 hours with a bang. Effectively, Heartbleed is a weakness in OpenSSL that allows the theft of information that is normally protected by SSL/TLS. It allows the memory of affected systems to be read and information extracted (including passwords and other sensitive information), and it also allows the keys (both public and private) used on those systems to be compromised.
The solution is to upgrade to the latest version of OpenSSL (1.0.1g); however, that alone may not be enough. If your site was compromised before the upgrade, the attack would have left no trace, and at the same time your keys may already be compromised. So you may need to regenerate the private and public keys for these systems.
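To make the weakness and the fix concrete, here is an added simulation (not OpenSSL source and not part of the original post) of the heartbeat handling defect behind CVE-2014-0160: a request's claimed payload length was trusted without checking it against the bytes actually received, so the reply echoed back adjacent memory. The `arena` buffer, the 'S' marker bytes and the record contents are constructed for the demonstration.

```c
/* Simulation of the CVE-2014-0160 defect: a TLS heartbeat request carries a
 * 16-bit payload length that the vulnerable code trusted without comparing it
 * to the bytes actually received. Constructed example, not OpenSSL source;
 * 'arena' stands in for process memory adjacent to the record. */
#include <stdint.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding the heartbeat spec requires */

/* Record layout: [type:1][payload_len:2 big-endian][payload][padding >= 16] */
typedef struct { const uint8_t *data; size_t len; } record_t;
static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: copies payload_len bytes, never looking at rec->len. */
size_t heartbeat_reply_vulnerable(const record_t *rec, uint8_t *out, size_t cap) {
    uint16_t payload_len = read_u16(rec->data + 1);
    if (payload_len > cap) return 0;
    memcpy(out, rec->data + 3, payload_len);   /* reads past the real payload */
    return payload_len;
}

/* Fixed: silently discard any request whose claimed length does not fit
 * inside the record (the bounds check added in OpenSSL 1.0.1g). */
size_t heartbeat_reply_fixed(const record_t *rec, uint8_t *out, size_t cap) {
    if (rec->len < 1 + 2 + HB_PADDING) return 0;            /* too short */
    uint16_t payload_len = read_u16(rec->data + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->len) return 0;
    if (payload_len > cap) return 0;
    memcpy(out, rec->data + 3, payload_len);
    return payload_len;
}

/* Constructed malformed request: real payload "abc" (3 bytes) but the header
 * claims 40. Everything after the record is 'S', a marker for other memory. */
static uint8_t arena[128];
void build_malformed_record(record_t *rec) {
    memset(arena, 'S', sizeof arena);
    const uint8_t hdr[3] = { 0x01, 0x00, 40 };      /* type=request, len=40 */
    memcpy(arena, hdr, 3);
    memcpy(arena + 3, "abc", 3);
    memset(arena + 6, 0, HB_PADDING);
    rec->data = arena;
    rec->len = 3 + 3 + HB_PADDING;                  /* 22 bytes really received */
}

/* How many bytes of neighbouring 'S' memory the vulnerable path echoes back. */
size_t leaked_bytes(void) {
    record_t rec; uint8_t out[64]; size_t leaked = 0;
    build_malformed_record(&rec);
    size_t n = heartbeat_reply_vulnerable(&rec, out, sizeof out);
    for (size_t i = 0; i < n; i++) if (out[i] == 'S') leaked++;
    return leaked;   /* 21: arena bytes 22..42 beyond the record */
}
```

On the same malformed record the fixed handler returns 0 (request discarded), while a well-formed 3-byte request still gets its 3-byte echo.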
The media coverage of this is extensive, and to be fair, this is a very serious issue. However, we need to consider what the attack surface is. And in my own testing, the attack surface is low to non-existent: every single client of mine that I've tested does not have a vulnerable implementation of OpenSSL or is not using the SSL Heartbeat extension (this may be simply because I stick to 2 Linux distros alone). Is this issue being blown out of proportion? I can't talk for others, but my own experience says yes.
That's not to say you should not be vigilant; as a security professional, it's always best to err on the side of caution. Prevention is better than cure.
There are a number of tools available for testing purposes as well as online SSL checkers like those from Qualys and Comodo. Test and make sure you’re covered.
UPDATE: The guys who wrote masscan scanned the entire internet today and released some interesting numbers on vulnerable systems: approximately 600,000 out of ~28 million SSL-enabled servers. That's 2.1%, not an entirely significant number, but still a big issue depending on which sites are vulnerable.
There have been a lot of calls in the media for users of websites to change their passwords. Make sure, though, that you change your password AFTER the affected site has been fixed; otherwise you're just perpetuating the issue.
Mobile security has morphed in the last few years to become a major area of security concern. It's no longer just laptops that provide on-the-go networked computing: smartphones, tablets, ultra-portables, e-readers and other networked devices now all vie for a space in your electronic arsenal, and they all come with their own unique set of security concerns, specifically because of their mobile nature. The continual and rapid improvement in mobile device size, intelligence and computing power means that these devices can mimic the abilities of full-blown desktops and laptops, with an ease of use that, together with their mobile nature, introduces new security threats.
Security standards are nowhere more important than in this area, given the increased security requirements, the disconnected mode of use and the more volatile threat landscape. There are some basic procedures that can be followed to mitigate the increased risks from mobile devices:
- make sure you have a company-wide security policy for mobile devices
- use risk assessment regularly to pick up on changing security trends
- provide training to your users and employees, and increase security awareness
Data types on these devices that can be compromised include email, images/videos/sound bites, contact information, static data/documents, authentication information, calendaring information and others. Tailor your security policies to the type of information that is held on the mobile devices used within the organisation.
Deployment and use
- make sure mobile devices are patched regularly with the latest vendor-supplied updates
- disable or remove unnecessary features and services on mobile devices
- make use of user authentication, encryption and/or a VPN to transmit critical information
Maintain security on mobile devices
- reduce exposure of sensitive data (e.g. use password database applications, encrypt sensitive data)
- maintain physical control over mobile devices
- back up data regularly
- use non-cellular connection options only when required
- report compromised devices
- enable additional software such as tracking, anti-virus or anti-malware applications
- control use of electronic wallets
- use 2-factor authentication
Centralised security management is a good option as it provides easy control over your mobile devices. Not all devices will support this, though, so it's important to look at the enterprise capabilities of mobile devices before purchasing them. The depth of these capabilities will determine the control you have over these devices and the level of exposure they subsequently exhibit.
Areas of importance include:
- policy control
- remote password reset or data wipe
- remote locking
- network access control
- camera, microphone and removable media controls
- remote update capabilities
Policies, standards and procedures are needed to bring a certain level of security to the use of mobile devices within the modern organisation. Without these, mobile devices can become a security nightmare with data loss/compromise, identity theft and company network intrusion being real possibilities.
The Mozilla Foundation is releasing the latest and greatest version of its Web browser, Firefox 3.6.
It appears I'm not the only one who is not impressed with Google Chrome. Jim Lynch over at ExtremeTech has written a very interesting article asking the question: why do we need Chrome at all? The answer, of course, is that we don't need another browser; the current bunch do just fine.
Cuil was launched earlier this week and hailed (by its founder, no less) as having indexed more than triple the amount of information of its supposed closest rival, Google. Unfortunately, the first day saw porn results being returned for non-pornography-related queries, apparently as a result of high load on the quantum computing-based search engine.
In other news concerning Cuil, one of its new employees spills the guts on the Silicon Valley lifestyle (courtesy of TheReg) that pervades Cuil.
This blog has been a bit empty lately but never mind, Sysadmin day is here. For those actually interested, please go to:
Note carefully the Gift Idea section where you can get ideas of items to send me. Anything over R10K is acceptable.