Home Opinions & Analysis The positive side of Heartbleed

The positive side of Heartbleed

April 17, 2014 | Posted by Dan Raywood

The Heartbleed flaw may be bugging every online company at the moment, but is it all bad?

 

In conversation with security manager Thom Langford, he said that users may become wise to phishing attacks, while Canon’s director of information security Quentyn Taylor said on Twitter that “the SSL issue is doing wonders for awareness” as it dominates national news headlines and makes users aware not only of password security, but also of open source software and secure connections.

 

So could the worst thing to hit internet security, which has been described by Bruce Schneier as “catastrophic” and “on the scale of 1 to 10, this is an 11”, be turned into a positive thing? I was interested by a blog by bug bounty brokers BugCrowd, who published an “open letter to internet users and businesses” asking them to help the company test OpenSSL.

 

It said: “The challenge is that OpenSSL is a free, open source offering. It relies on a small team of dedicated developers that make sacrifices to maintain it in the belief that they are providing a necessary and valuable service to the global online community. While a majority of businesses around the world rely on it every day to secure the services they run internally and externally, resources are highly constrained and extensive testing has not been possible.”

 

It cited Steve Marquess, President of the OpenSSL Software Foundation, who said that the funding is not there for a formal security review. “We believe it is the responsibility of internet users that rely on this service to address this. That’s pretty much everyone that uses the internet, and definitely those that do business on it. If we all decide to tackle this together, we can make a real difference and help protect ourselves for the future,” it said.

 

BugCrowd has now launched a Crowdtilt crowd-funding campaign which will raise money that will encourage crowd-sourced security testing to root out any other vulnerabilities in OpenSSL. “With a very minor donation to the fund, everyone can play a part in making the internet safer,” it said. “We believe everyone should have the opportunity to participate, so there’s no minimum contribution, and no maximum either. Those who contribute will be credited according to the level of their contribution, and acknowledged as being a part of this historic effort.”

 

I asked Tom Cross, director of security research at Lancope, whether he thought this was a positive move from such a critical issue. He said that following this, the NSA stories and the Target breach, consumers are becoming more aware of the fact that computer security issues may affect them personally, even though they may not be computer savvy.

 

“The HeartBleed vulnerability feeds into that perspective and reinforces it. Consumers want to do the right thing and follow best practices, and they are paying closer attention to guidance from computer security professionals on what they should be doing to protect themselves,” he said.

 

Cross praised the concept of greater financial support for free and open source software projects for technology like OpenSSL that is relied upon throughout our IT infrastructure. “It costs money to develop quality software products, even when the end result is being distributed for free on the internet. Software engineers are often paid to work on these projects through non-profit foundations, and those foundations need to have enough funding to ensure the right level of quality assurance is being provided.”

 

If a positive can be gleaned from this story, it is people working together voluntarily. Steve Durbin, global vice president of the Information Security Forum said that this is “something we need much more of”. He said this has raised its head and showed that still, in the security world, we’re better off sharing than not.

Speaking to IT Security Guru, Mike Janke, CEO of Silent Circle, agreed that there are many, many positives coming out of this, just as with the Snowden disclosures. “It puts a bright spot-light on many facets of security technology that we all took for granted before as being ‘secure’.

 

TK Keanini, CTO of Lancope, said that the issue is bad, but it was “bad enough to cause a change in human behaviour”.  He said: “Unfortunately, this is a truth where the saying it has to get a lot worse before it gets better.”

 

Awareness is hard to drive, and as Tom Cross said, sometimes it takes a bad story to make consumers and directors alike realise that this could affect them and that they have to act upon it. I was keen to understand the positive side and if it is the industry’s best people collaborating and working towards a standard, especially one that is being deployed so widely and unpaid for, perhaps this is a time when the work of open source foundations is more recognised.

Recent

Sony Pictures – ten reasons why North Korea is not the attacker

Everyone seems to be eager to pin the blame for the Sony hack on North Korea. However, I think it’s unlikely.   Here’s ten reasons why:   1. The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect, in other words it reads to me like an (…read more)

December 18, 2014

ICANN suffers attack which hits central data system

The Internet Corporation for Assigned Names and Numbers (ICANN) has admitted that a spear phishing attack hit its centralised zone data system (CZDS).   In an update, ICANN said that the attacker obtained administrative access to all files in the CZDS, including copies of the zone files in the system, information entered by users such (…read more)

December 18, 2014

US Government points finger at North Korea for Sony hack

Sony Pictures has said that there will be no theatrical release for The Interview, as the US has claimed that North Korea was “centrally involved” in the hacking of Sony Pictures computers.   According to a statement issued to Variety, Sony Pictures said that it has decided not to move forward with the planned December 25th (…read more)

December 18, 2014