The Internet has been abuzz for the last week or so in response to the Heartbleed vulnerability in OpenSSL. While almost all of the attention has centered on patching Web servers and advising users to change their passwords, security researchers have discovered that individual client PCs and devices are also at risk thanks to "Reverse Heartbleed."
Meldium, a cloud identity and access management service, shared details of the Reverse Heartbleed threat in a blog post. An attacker can exploit Heartbleed to expose sensitive data on vulnerable servers, but that's not the only attack possible using this flaw. The "heartbeat" message at the center of the Heartbleed attack can be initiated by either the client or the server, so a malicious server can also send malformed heartbeat packets to a vulnerable OpenSSL client and extract data from it.
“It’s the popularity and pervasiveness of the OpenSSL library that makes this vulnerability difficult to remediate fully,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While popular Web applications may be already patched, the myriad of appliances, embedded devices, and network infrastructure that may be vulnerable will take a lot longer to address. You can’t just disable the Internet for maintenance.”
Let's be clear: There is no such thing as an invulnerable application. Some have more critical vulnerabilities than others as we discovered this week with the Heartbleed bug, but any application can be exploited given a dedicated attacker. According to the HP 2013 Cyber Risk Report, though, the application itself is not to blame for most vulnerabilities—you are.
HP compiled data from 2,200 applications scanned by HP Fortify on Demand and reports that 80 percent of the vulnerabilities discovered were not the fault of the application code itself.
“Many vulnerabilities were related to server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment,” the report states.
By now you've likely heard about the Heartbleed bug, a critical vulnerability that exposes potentially millions of passwords to attack and undermines the very security of the Internet. Because the flaw exists in OpenSSL—which is an open source implementation of SSL encryption—many will question whether the nature of open source development is in some way at fault. I touched base with security experts to get their thoughts.
Closed vs. Open Source
First, let’s explain the distinction between closed source and open source. Source refers to the source code of a program—the actual text commands that make the application do whatever it does.
This Patch Tuesday has much more significance than most. With only four security bulletins from Microsoft, it's relatively tame as far as Patch Tuesdays go, but today also marks the final patches and updates from Microsoft for Windows XP.
“So this is it, the last hurrah for the once beloved XP, the last kick at the can for patching up the old boat,” says Ross Barrett, senior manager of security engineering for Rapid7. “Sure, by today’s standards it’s a leaky, indefensible liability, but… hey, do you even remember Windows 98? Or (*gasp*) ME?”
There are two bulletins rated Critical and two rated Important. All four address flaws that could enable remote code execution if successfully exploited.
With the end of Windows XP support from Microsoft imminent, perhaps you’ve finally made the (very wise) decision to stop using the venerable operating system. I commend you. However, if you’re planning to simply install a newer operating system on your existing hardware, you should reconsider.
Sure, there's a good chance that your existing hardware meets the minimum system requirements for either OS: a 1GHz or faster processor, 1GB of RAM (2GB for 64-bit), 16GB of hard drive space (20GB for 64-bit) and a DirectX 9 graphics device with WDDM 1.0 or higher.
As far as cyber criminals are concerned, tax season means open season. This time of year is a favorite for phishing scams and fraud, second only to the holidays. With a little awareness and common sense, though, you can avoid being a victim and make sure your tax refund ends up in your pocket.
Fred Touchette, senior security analyst with AppRiver, shared some thoughts about common tax season threats and how to avoid them.