The Heartbleed flaw may be bugging every online company at the moment, but is it all bad?
In conversation with security manager Thom Langford, he said that users may become wise to phishing attacks, while Canon’s director of information security Quentyn Taylor said on Twitter that “the SSL issue is doing wonders for awareness” as it dominates national news headlines and makes users aware not only of password security, but also of open source software and secure connections.
So could the worst thing to hit internet security, which has been described by Bruce Schneier as “catastrophic” and “on the scale of 1 to 10, this is an 11”, be turned into a positive thing? I was interested by a blog by bug bounty brokers BugCrowd, who published an “open letter to internet users and businesses” asking them to help the company test OpenSSL.
It said: “The challenge is that OpenSSL is a free, open source offering. It relies on a small team of dedicated developers that make sacrifices to maintain it in the belief that they are providing a necessary and valuable service to the global online community. While a majority of businesses around the world rely on it every day to secure the services they run internally and externally, resources are highly constrained and extensive testing has not been possible.”
It cited Steve Marquess, President of the OpenSSL Software Foundation, who said that the funding is not there for a formal security review. “We believe it is the responsibility of internet users that rely on this service to address this. That’s pretty much everyone that uses the internet, and definitely those that do business on it. If we all decide to tackle this together, we can make a real difference and help protect ourselves for the future,” it said.
BugCrowd has now launched a Crowdtilt crowd-funding campaign which will raise money that will encourage crowd-sourced security testing to root out any other vulnerabilities in OpenSSL. “With a very minor donation to the fund, everyone can play a part in making the internet safer,” it said. “We believe everyone should have the opportunity to participate, so there’s no minimum contribution, and no maximum either. Those who contribute will be credited according to the level of their contribution, and acknowledged as being a part of this historic effort.”
I asked Tom Cross, director of security research at Lancope, whether he thought this was a positive move from such a critical issue. He said that following this, the NSA stories and the Target breach, consumers are becoming more aware of the fact that computer security issues may affect them personally, even though they may not be computer savvy.
“The HeartBleed vulnerability feeds into that perspective and reinforces it. Consumers want to do the right thing and follow best practices, and they are paying closer attention to guidance from computer security professionals on what they should be doing to protect themselves,” he said.
Cross praised the concept of greater financial support for free and open source software projects for technology like OpenSSL that is relied upon t
hroughout our IT infrastructure. “It costs money to develop quality software products, even when the end result is being distributed for free on the internet. Software engineers are often paid to work on these projects through non-profit foundations, and those foundations need to have enough funding to ensure the right level of quality assurance is being provided.”
If a positive can be gleaned from this story, it is people working together voluntarily. Steve Durbin, global vice president of the Information Security Forum said that this is “something we need much more of”. He said this has raised its head and showed that still, in the security world, we’re better off sharing than not.
Speaking to IT Security Guru, Mike Janke, CEO of Silent Circle, agreed that there are many, many positives coming out of this, just as with the Snowden disclosures. “It puts a bright spot-light on many facets of security technology that we all took for granted before as being ‘secure’.
TK Keanini, CTO of Lancope, said that the issue is bad, but it was “bad enough to cause a change in human behaviour”. He said: “Unfortunately, this is a truth where the saying it has to get a lot worse before it gets better.”
Awareness is hard to drive, and as Tom Cross said, sometimes it takes a bad story to make consumers and directors alike realise that this could affect them and that they have to act upon it. I was keen to understand the positive side and if it is the industry’s best people collaborating and working towards a standard, especially one that is being deployed so widely and unpaid for, perhaps this is a time when the work of open source foundations is more recognised.