Home Opinions & Analysis The positive side of Heartbleed

The positive side of Heartbleed

April 17, 2014 | Posted by Dan Raywood

The Heartbleed flaw may be bugging every online company at the moment, but is it all bad?


In conversation with security manager Thom Langford, he said that users may become wise to phishing attacks, while Canon’s director of information security Quentyn Taylor said on Twitter that “the SSL issue is doing wonders for awareness” as it dominates national news headlines and makes users aware not only of password security, but also of open source software and secure connections.


So could the worst thing to hit internet security, which has been described by Bruce Schneier as “catastrophic” and “on the scale of 1 to 10, this is an 11”, be turned into a positive thing? I was interested by a blog by bug bounty brokers BugCrowd, who published an “open letter to internet users and businesses” asking them to help the company test OpenSSL.


It said: “The challenge is that OpenSSL is a free, open source offering. It relies on a small team of dedicated developers that make sacrifices to maintain it in the belief that they are providing a necessary and valuable service to the global online community. While a majority of businesses around the world rely on it every day to secure the services they run internally and externally, resources are highly constrained and extensive testing has not been possible.”


It cited Steve Marquess, President of the OpenSSL Software Foundation, who said that the funding is not there for a formal security review. “We believe it is the responsibility of internet users that rely on this service to address this. That’s pretty much everyone that uses the internet, and definitely those that do business on it. If we all decide to tackle this together, we can make a real difference and help protect ourselves for the future,” it said.


BugCrowd has now launched a Crowdtilt crowd-funding campaign which will raise money that will encourage crowd-sourced security testing to root out any other vulnerabilities in OpenSSL. “With a very minor donation to the fund, everyone can play a part in making the internet safer,” it said. “We believe everyone should have the opportunity to participate, so there’s no minimum contribution, and no maximum either. Those who contribute will be credited according to the level of their contribution, and acknowledged as being a part of this historic effort.”


I asked Tom Cross, director of security research at Lancope, whether he thought this was a positive move from such a critical issue. He said that following this, the NSA stories and the Target breach, consumers are becoming more aware of the fact that computer security issues may affect them personally, even though they may not be computer savvy.


“The HeartBleed vulnerability feeds into that perspective and reinforces it. Consumers want to do the right thing and follow best practices, and they are paying closer attention to guidance from computer security professionals on what they should be doing to protect themselves,” he said.


Cross praised the concept of greater financial support for free and open source software projects for technology like OpenSSL that is relied upon throughout our IT infrastructure. “It costs money to develop quality software products, even when the end result is being distributed for free on the internet. Software engineers are often paid to work on these projects through non-profit foundations, and those foundations need to have enough funding to ensure the right level of quality assurance is being provided.”


If a positive can be gleaned from this story, it is people working together voluntarily. Steve Durbin, global vice president of the Information Security Forum said that this is “something we need much more of”. He said this has raised its head and showed that still, in the security world, we’re better off sharing than not.

Speaking to IT Security Guru, Mike Janke, CEO of Silent Circle, agreed that there are many, many positives coming out of this, just as with the Snowden disclosures. “It puts a bright spot-light on many facets of security technology that we all took for granted before as being ‘secure’.


TK Keanini, CTO of Lancope, said that the issue is bad, but it was “bad enough to cause a change in human behaviour”.  He said: “Unfortunately, this is a truth where the saying it has to get a lot worse before it gets better.”


Awareness is hard to drive, and as Tom Cross said, sometimes it takes a bad story to make consumers and directors alike realise that this could affect them and that they have to act upon it. I was keen to understand the positive side and if it is the industry’s best people collaborating and working towards a standard, especially one that is being deployed so widely and unpaid for, perhaps this is a time when the work of open source foundations is more recognised.


Researchers claimed that they say Regin previously

Regin was spotted twice before yesterday’s revelations, claim researchers. Following yesterday’s announcement about the detection of the sophisticated surveillance backdoor Trojan ‘Regin’ by Symantec, researchers at both Kaspersky Lab and F-Secure have claimed that they were both aware of the threat. Kaspersky said in its research that it was contacted in spring 2012 by a researcher who mentioned Regin (…read more)

November 24, 2014

One year on: how retail hacks showed APTs in practice

It’s now almost a year since Target admitted the loss of customer data following an extremely sophisticated hack.   Involving one of Target’s suppliers, a number of point of sale devices and a large number of customer records, the breach was one of the largest in recent history. Target bounced back and dealt with the (…read more)

November 24, 2014

Sophisticated Regin backdoor Trojan spied on targets since 2008

Malware which has spied on international targets for more than six years has been detected. According to research from Symantec, “Regin” is a back door-type Trojan with a high degree of technical competence, including a powerful framework for mass surveillance. Its capabilities include several Remote Access Trojan (RAT) features, including: capturing screenshots, taking control of the (…read more)

November 23, 2014