Showing 161 posts tagged security
Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said that there has been an increased call for outside security audits for OpenSSL, the security system affected by Heartbleed.
“Researchers have been grumbling that OpenSSL and other highly-relied upon security libraries need to be subject to more ‘forensic audits’ by professionals to identify and patch flaws before they are exploited in the wild,” he said.
Heartbleed was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
Missed this when it went up, but posting because I think it touches on something that is important to track as things move forward: despite experts inside and outside of industry recognizing the need for more audits of critical packages like OpenSSL, will resources actually be devoted to enable such work?
Given how many web sites were vulnerable to the Heartbleed bug, Parsons says there is likely to be a great deal of reflection on how it could have been identified sooner. Some cryptographers have estimated it may have existed for years before it was discovered last week.
This past weekend, Bloomberg News published a story alleging the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data.
The NSA denies the charge, but Parsons says it raises serious questions about the Five Eyes, the surveillance partnership between Canada, the U.S., Great Britain, Australia and New Zealand, which collaborates to detect threats such as Heartbleed.
"This is supposed to be the sort of thing that they’re supposed to find and ideally report," says Parsons.
"I think over the coming months, we need to figure out if they knew and if they didn’t, why didn’t they, because this is what we pay them to do. And if they did know, then why weren’t they protecting us?"
If you’re interested in why it’s so hard to patch a huge portion of the Internet in secret, and what forced the (relatively) early public disclosure of Heartbleed, then this is a good article to read.
The internet is currently atwitter with talk about the Heartbleed bug, an encryption fault which caused a horrific ripple effect in the OpenSSL system that put your passwords on sites like RedTube and Yahoo at risk.
Chris Parsons nearly predicted the CRA’s vulnerability just before they decided to shut down their tax websites, while some of his colleagues and followers criticized the Canadian Cyber Incident Response Centre (CCIRC) for not alerting the public sooner, when it was already obvious the CRA was using a vulnerable version of SSL. Chris discussed the potential ramifications of the CRA’s Heartbleed vulnerability with me:
“A significant amount of highly sensitive tax-related personal information is passed through CRA’s online service gateways. A third-party could have, potentially, accessed logins and passwords of Canadians or the private keys of CRA’s services. The former set of information would let that party log into CRA and impersonate the person in question. The latter set of data could let the third-party decrypt previously captured client-server information and, as a result, decode not just passwords and logins but also the tax data that individuals provided to CRA.”
First time that I’ve been quoted (extensively) in Vice!