Tag Archives: Heartbleed

Open Source Software Does Not Solve All Of The World’s Problems

While I am not a Linux user personally, I am a big fan of it.  However, I am not delusional enough to think that just because a piece of software is open source, it is secure and bug free.

Anyone who thought that should have had those delusions ripped away when the Heartbleed bug was publicized.  For those readers not familiar with Heartbleed, it is the name given to the bug that affected the wildly popular open source software that implements SSL (the protocol behind HTTPS), which is used to secure many web sites.

It was thought that the bug affected around a half million to one million ecommerce web sites, many of which still have not been fixed 18 months later.

As popular as this software is, many, many people looked at it and even made contributions to it.  Still, this bug lived in the software from December 31, 2011 until a fix was released on April 7, 2014 (and of course released does not mean that people have integrated it into the software that used the flawed version).

To me, this proves that open source software, no matter the goals and desires of developers, may have security holes in it.

Fast forward to this week.

All versions of Linux released since kernel version 3.8 (released in early 2013, about 3 years ago) have a bug in the OS keyring, where encryption keys, security tokens and other sensitive security data are stored.

Whether hackers and foreign intelligence agents knew about this over the last few years or not is unknown, but we expect many Linux variants will release a patch this week.

More importantly, at least some versions of Android, which is based on Linux, also have this bug.  The researchers who found the bug said it affected tens of millions of Linux PCs and servers and 66% of all Android phones and tablets.

Google says that it does not think that Android devices are vulnerable to this bug being exploited by third parties and that the total number of devices impacted is significantly smaller than the researchers thought.  In this case, I trust Google researchers.  Google will have a patch available within 60 days, but getting that patch through the phone carrier release process could take a while.  I call this patch process TOTALLY BROKEN.  The only phones that we know will be patched quickly will be Google Nexus phones, because Google releases those patches directly.

So, one more time, a major and highly visible piece of open source software is found to have a significant security hole for years.  This post talks about two examples, but there are many, many others.

If open source software as popular as Linux and OpenSSL has security holes, imagine the holes that MIGHT live in other, less popular open source software.  Some open source software might only be used by tens of people and only be looked at by one person.

The moral of this story is NOT that you should not use open source software;  it is no less or more risky than closed source software.  The moral is that you should ALWAYS consider the potential risks in using software and to the maximum degree possible, test for and mitigate potential security bugs.  And be ready to deal with the new ones when they are found.

Information on the OS Keyring bug can be found here.

Information on Heartbleed can be found here.


News Bites For April 7, 2015

Researchers from the University of Virginia and Perrone Robotics recently completed testing of an anti-hacking sensor for automobiles from startup Mission Secure, Inc.  The sensor was able to detect several attempts to take over the braking, acceleration and collision avoidance systems of cars on a test track.

This article says the tests went well, but challenges remain like convincing car makers to use something they did not invent, adapting it for different cars and getting the cost down.  Hopefully, car makers will do something before there is a flashy and possibly bloody demonstration of the problem.

###############

Although people love to beat up Android phones as not very secure, Google’s just released Android security year in review says that the number of potentially harmful Android application installations was cut nearly in half from Q1 to Q4 of 2014 (see report).

Google found that less than 1% of Android devices had a potentially harmful app installed and the number went down to 0.15% for devices that only installed apps from the Google App Store.

###############

Dark Reading is reporting that 3 out of 4 Global 2000 companies are still vulnerable to the Heartbleed SSL bug, a year after its public disclosure (see article).  Security software provider Venafi found 580,000 hosts (such as web servers) that had not completely fixed the Heartbleed problem.  Gartner called these companies “lazy”, saying they patched the bug, but did not replace the old, compromised SSL keys or revoke the old certificates.  The article provides a lot of potential reasons, such as lack of knowledge and not knowing where all their keys and certificates reside.

As a reminder, Heartbleed is a bug in the very popular open source SSL encryption package OpenSSL that has a catchy name, a cute logo (a heart dripping blood) and a span of millions of affected computers.  The bug works on both clients and servers running OpenSSL, allowing an attacker to steal a server’s private keys (resulting in the ability to masquerade as the server) or steal a user’s password (resulting in the ability to, for example, empty your bank account).

Part of the problem is that whether a particular system is using OpenSSL is not obvious to the user, unlike a bug in Excel 2013, which would be visible.
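The Venafi finding above is really about remediation state, not just patch state: a host can run fixed code and still serve a certificate whose key was generated while the vulnerable code was running. The following is an added example (not from the article or from Venafi) of an inventory check that separates those cases. It assumes each inventoried host ran an affected OpenSSL release before being patched; the hostnames, versions and dates are constructed, and the affected release range (OpenSSL 1.0.1 through 1.0.1f) is a known fact not stated in the post.

```python
from datetime import date
from typing import NamedTuple, Optional

# Release date of the OpenSSL fix cited in the post (April 7, 2014).
HEARTBLEED_FIX_DATE = date(2014, 4, 7)

def openssl_is_vulnerable(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f, the affected release line."""
    if not version.startswith("1.0.1"):
        return False  # 0.9.8 and 1.0.0 never had the bug; 1.0.1g and later are fixed
    suffix = version[len("1.0.1"):]
    return suffix in ("", "a", "b", "c", "d", "e", "f")

class Host(NamedTuple):
    name: str
    openssl_version: str
    cert_not_before: date              # issuance date of the certificate currently served
    old_cert_revoked: bool             # was the pre-patch certificate revoked?
    patched_on: Optional[date] = None  # when this host was updated, if known

def remediation_state(host: Host) -> str:
    """Classify a host the way the Venafi/Gartner finding describes."""
    if openssl_is_vulnerable(host.openssl_version):
        return "UNPATCHED"
    # A key generated while the vulnerable code was running may have leaked,
    # so the certificate must be reissued after the host itself was patched
    # (or, when that date is unknown, at least after the fix was released).
    cutoff = host.patched_on or HEARTBLEED_FIX_DATE
    if host.cert_not_before < cutoff:
        return "PATCHED_KEY_NOT_ROTATED"
    if not host.old_cert_revoked:
        return "ROTATED_OLD_CERT_NOT_REVOKED"
    return "REMEDIATED"

def summarize(hosts):
    counts = {}
    for h in hosts:
        state = remediation_state(h)
        counts[state] = counts.get(state, 0) + 1
    return counts

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    Host("shop-a.example", "1.0.1e", date(2013, 6, 1), False),
    Host("shop-b.example", "1.0.1g", date(2013, 6, 1), False),
    Host("shop-c.example", "1.0.1h", date(2014, 5, 2), False, patched_on=date(2014, 6, 15)),
    Host("shop-d.example", "1.0.1g", date(2014, 4, 20), False),
    Host("shop-e.example", "1.0.1g", date(2014, 4, 20), True),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h.name:16} {h.openssl_version:8} {remediation_state(h)}")
    print(summarize(INVENTORY))
```

Note that shop-c is flagged even though its certificate postdates the fix release: it was issued before that host was actually patched, which is the case the fix date alone cannot catch.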

###############

Apparently, the U.S. Government has been tracking international phone calls way longer than Snowden told us about.  USA Today is reporting that the collection goes back as far as 1992, under President George H.W. Bush, and was approved by, at least, then Attorney General William Barr.  The data collection continued under Presidents Clinton, Bush II and Obama until it was killed in 2013 after the Snowden leaks.

The DEA was getting so much call data that they had to get the help of the DoD to program computers to analyze the data.  They claim the call traffic has led to finding some big players, but could not name any names.

The DEA used an “expansive interpretation” of administrative subpoenas that said that the data was relevant to federal drug investigations.  A former DEA official said that they knew that they were stretching the definition.

Now the DEA sends subpoenas to the phone companies to get the data.  It is reported that they send as many as a thousand subpoenas a day; however, that likely represents a much smaller percentage of the call traffic than prior to 2013.

###############
