Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 29 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

The positive side of Heartbleed

by The Gurus
April 17, 2014
in Opinions & Analysis
Share on FacebookShare on Twitter

The Heartbleed flaw may be bugging every online company at the moment, but is it all bad?
 
In conversation with security manager Thom Langford, he said that users may become wise to phishing attacks, while Canon’s director of information security Quentyn Taylor said on Twitter that “the SSL issue is doing wonders for awareness” as it dominates national news headlines and makes users aware not only of password security, but also of open source software and secure connections.
 
So could the worst thing to hit internet security, which has been described by Bruce Schneier as “catastrophic” and “on the scale of 1 to 10, this is an 11”, be turned into a positive thing? I was interested by a blog by bug bounty brokers BugCrowd, who published an “open letter to internet users and businesses” asking them to help the company test OpenSSL.
 
It said: “The challenge is that OpenSSL is a free, open source offering. It relies on a small team of dedicated developers that make sacrifices to maintain it in the belief that they are providing a necessary and valuable service to the global online community. While a majority of businesses around the world rely on it every day to secure the services they run internally and externally, resources are highly constrained and extensive testing has not been possible.”
 
It cited Steve Marquess, President of the OpenSSL Software Foundation, who said that the funding is not there for a formal security review. “We believe it is the responsibility of internet users that rely on this service to address this. That’s pretty much everyone that uses the internet, and definitely those that do business on it. If we all decide to tackle this together, we can make a real difference and help protect ourselves for the future,” it said.
 
BugCrowd has now launched a Crowdtilt crowd-funding campaign which will raise money that will encourage crowd-sourced security testing to root out any other vulnerabilities in OpenSSL. “With a very minor donation to the fund, everyone can play a part in making the internet safer,” it said. “We believe everyone should have the opportunity to participate, so there’s no minimum contribution, and no maximum either. Those who contribute will be credited according to the level of their contribution, and acknowledged as being a part of this historic effort.”
 
I asked Tom Cross, director of security research at Lancope, whether he thought this was a positive move from such a critical issue. He said that following this, the NSA stories and the Target breach, consumers are becoming more aware of the fact that computer security issues may affect them personally, even though they may not be computer savvy.
 
“The HeartBleed vulnerability feeds into that perspective and reinforces it. Consumers want to do the right thing and follow best practices, and they are paying closer attention to guidance from computer security professionals on what they should be doing to protect themselves,” he said.
 
Cross praised the concept of greater financial support for free and open source software projects for technology like OpenSSL that is relied upon t
hroughout our IT infrastructure. “It costs money to develop quality software products, even when the end result is being distributed for free on the internet. Software engineers are often paid to work on these projects through non-profit foundations, and those foundations need to have enough funding to ensure the right level of quality assurance is being provided.”
 
If a positive can be gleaned from this story, it is people working together voluntarily. Steve Durbin, global vice president of the Information Security Forum said that this is “something we need much more of”. He said this has raised its head and showed that still, in the security world, we’re better off sharing than not.
Speaking to IT Security Guru, Mike Janke, CEO of Silent Circle, agreed that there are many, many positives coming out of this, just as with the Snowden disclosures. “It puts a bright spot-light on many facets of security technology that we all took for granted before as being ‘secure’.
 
TK Keanini, CTO of Lancope, said that the issue is bad, but it was “bad enough to cause a change in human behaviour”.  He said: “Unfortunately, this is a truth where the saying it has to get a lot worse before it gets better.”
 
Awareness is hard to drive, and as Tom Cross said, sometimes it takes a bad story to make consumers and directors alike realise that this could affect them and that they have to act upon it. I was keen to understand the positive side and if it is the industry’s best people collaborating and working towards a standard, especially one that is being deployed so widely and unpaid for, perhaps this is a time when the work of open source foundations is more recognised.

FacebookTweetLinkedIn
Tags: Heartbleed
ShareTweetShare
Previous Post

Microsoft slashes Windows XP custom support prices just days before axing public patches

Next Post

Student charged with Heartbleed attack

Recent News

Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023
Lupovis eliminates false positive security alerts for security analysts and MSSPs

Lupovis eliminates false positive security alerts for security analysts and MSSPs

January 26, 2023
Threat actors launch one malicious attack every minute

Threat actors launch one malicious attack every minute

January 25, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information