Welcome to the April 2014 Newsletter.
A vulnerability in a popular implementation of the Secure Socket Layer (SSL) technology, used to secure internet transactions, has been revealed that has sent the media and industry experts into something of a frenzy, dubbing it 'Heartbleed'. However, the reaction is not without cause, as this allows sophisticated attackers to read parts of a system's memory that may contain sensitive details.
Roland Dobbins, senior analyst at Arbor Networks' Security Engineering & Response Team (ASERT) - much as many other commentators have - describes the 'Heartbleed' security bug as extremely serious, which "highlights the manual nature of the tasks required to secure critical Internet services, such as basic encryption and privacy protection".
Most worryingly, there are no automated safeguards which can ameliorate these issues. "... what most people don't realise is that, if attackers captured packets in the past from vulnerable systems and retained those captured packets, they've the opportunity now to use analysis tools to replay those packets and decrypt the Internet traffic contained in those packets", Dobbins warns.
As ever, in the world of computing security, we are always one step away from the next potential crisis. But what should be done in response to this latest threat? Dan Miller, principal engineer, Adapt, has this advice: "The first step is to assess the risk. If an organisation suspects any of its servers is vulnerable, it should work quickly to patch or disable affected services. Working closely with a service provider or the Operating System vendor during this process is advised to mitigate risk and keep operations running smoothly."
One suspects that, for a number of organisations, Heartbleed and heartbreak may not be that far apart, if remedial action isn't taken quickly.
To make sure you get your copy of the Newsletter emailed to you personally, every time, click here to register.
Brian Wall, Editor
Follow us :