A Week in the News: Still Talking About Heartbleed

The OpenSSL Heartbleed bug that could expose passwords, communications, and encryption keys continues to dominate news headlines across the security industry

Like last week, the Heartbleed saga continues to dominate security news headlines. I could probably spend the whole recap just talking about Heartbleed, but I won’t, because I think you may also want to know about a year-long data-breach affecting the makers of a popular (and stylish) brand of external hard-drives, an odd move by Microsoft that may impact your ability to install security updates, a potential initiative from a certain search giant that may boost search optimization for websites that make a good security decision, and a look at how the end of XP support has affected the Internet.

The Heartbleed

As I said, the Heartbleed saga continues. In case you haven’t paid attention to any news source at all over the last two and a half weeks or so, Heartbleed is a crypto flaw that could have enabled anyone on the Internet to read a small block of the memory of a machine that’s protected by a cryptographic library called OpenSSL. In severe cases, that block of memory could contain sensitive information like usernames, passwords, or even private encryption keys. There isn’t enough time to re-explain this whole situation in a brief news wrap, but if you are a bit lost, read this Heartbleed walkthrough and this further analysis explaining exactly why Heartbleed is a big deal. If you’re well acquainted with what’s going on here, then read on:
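For readers who want to see the bug rather than the headline, here is an added example (not code from the original post or from OpenSSL) of the server-side bounds check that Heartbleed was missing: a TLS heartbeat message carries a claimed payload length, and the flaw was echoing that many bytes back without confirming they were actually received. The function names and sample messages are this example’s own constructions.

```python
"""Bounds check on a TLS heartbeat message (format per RFC 6520).

A heartbeat message is: 1-byte type, 2-byte big-endian payload_length,
the payload, then at least 16 bytes of padding. The Heartbleed bug was that
OpenSSL trusted payload_length without comparing it to the bytes actually
received, so it copied payload_length bytes of process memory into the reply.
A patched server silently discards any message whose claimed length does not
fit in the record. Names and constants below are this example's own.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2  # type byte plus 2-byte payload_length


def validate_heartbeat(message: bytes):
    """Return (ok, reason); ok=True means the payload may safely be echoed."""
    if len(message) < HEADER_LEN + MIN_PADDING:
        return False, "too short to hold a type, length and padding"
    msg_type = message[0]
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, f"unknown heartbeat type {msg_type}"
    (payload_length,) = struct.unpack("!H", message[1:3])
    # The check OpenSSL lacked: claimed payload plus minimum padding must
    # fit inside the bytes that were really received.
    if HEADER_LEN + payload_length + MIN_PADDING > len(message):
        present = len(message) - HEADER_LEN - MIN_PADDING
        return False, f"claimed payload {payload_length} bytes exceeds the {present} bytes present"
    return True, "ok"


def build_response(message: bytes) -> bytes:
    """Echo the payload the way a patched server does: only after validation."""
    ok, reason = validate_heartbeat(message)
    if not ok:
        raise ValueError(reason)
    (payload_length,) = struct.unpack("!H", message[1:3])
    payload = message[HEADER_LEN:HEADER_LEN + payload_length]
    # Real implementations use random padding; zeros keep this example deterministic.
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length) + payload + bytes(MIN_PADDING)


# Constructed samples (not captured traffic): a well-formed request, and one
# whose length field claims far more payload than was actually sent.
GOOD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5) + b"hello" + bytes(MIN_PADDING)
MALFORMED = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"hello" + bytes(MIN_PADDING)
```

An unpatched server would answer `MALFORMED` with 0x4000 bytes of whatever followed the five-byte payload in memory; the validated version refuses it and answers `GOOD` with exactly the five bytes it received.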

Over the weekend, Heartbleed escalated, transitioning from a serious but still hypothetical security vulnerability to one which was being actively exploited in real-world attacks and collecting real victims. A parenting website in the U.K. – called Mumsnet – was attacked by hackers exploiting Heartbleed. Those assailants made off with passwords there and reportedly used them to post messages on the site. More alarmingly, attackers also exploited Heartbleed and managed to compromise systems under the control of the Canadian Revenue Agency. Over a six-hour period, before the CRA managed to update its systems with the patched version of OpenSSL, the attackers stole the social insurance numbers of 900 citizens.

Even some 20 percent of servers or ‘exit nodes’ in the Tor anonymization network were found vulnerable, according to research examining a random sampling of Tor nodes performed by Collin Mulliner of Boston’s Northeastern University late last week. Tor has begun blocking these vulnerable nodes.

Despite these attacks, despite proofs-of-concept demonstrating that certificate theft was in fact possible, and despite wide knowledge about the need to replace potentially compromised certificates, the rush to revoke and replace certificates seems to be no real rush at all. Briefly, these certificates ensure that a website is the website you think it is. Certificates, quite literally, are trust on the Internet. For sure, there has been an explosion in certificate revocation and replacement since the Heartbleed realization, but the explosion is not nearly proportional to the scope of the bug.

LaCie’s Year-Long Leak

According to my colleague (and monthly news podcast co-host) Chris Brook, the French computer hardware company LaCie, perhaps best known for their colorful external hard drives, announced this week it fell victim to a data breach that may have put at risk the sensitive information of anyone who has purchased a product off their website during the last year. The company says that an attacker compromised their online systems with a piece of malware and then used that access to steal customer names, addresses, and email addresses, as well as payment card information and card expiration dates. So, if you bought anything directly from LaCie’s online store in the last year or so, your information may have been exposed, though you’ve probably already been informed by the company if that is the case.

A Bizarre Decision by Microsoft and a Potentially Great One by Google

In a move that befuddled me, though I am sure there is probably a good reason for it, Microsoft somewhat recently announced that it would no longer provide security updates to users running out-of-date versions of Windows 8.1. In other words, in order to receive future security updates, customers will have to have updated their machines with the most recent Windows 8.1 Update, which the company pushed out in April.

I spoke with a spokesperson from Microsoft, but that person didn’t elaborate much on why they made the decision. The good news here – as this Microsoft spokesperson was sure to point out – is that this announcement only affects the small percentage of users that don’t have the auto-update feature enabled. To be clear, we definitely recommend turning on auto-update, and I believe it is turned on by default for most commercial Windows systems. If you’re on auto-update, then you have nothing to worry about. If you install your updates manually, then you will need to install the Windows 8.1 update from April, or you won’t be able to install their monthly patches moving forward. Your choice here, but it seems like a no-brainer to me.

On the other hand, rumors are swirling around that the search giant Google may add some math to their magical search algorithm (at least I think that’s how it works) that will boost search results for websites that implement encryption. The Wall Street Journal reported this news based on something the company’s search algorithm guru, Matt Cutts, said at a conference. Google didn’t outright deny these claims, but they did say that the company has nothing to announce at the moment. Hard to know if Google is actually mulling this over, but it certainly seems to be a good idea.

XPocalypse Eventually?

Speaking of things that Microsoft is not going to support anymore, they officially – and at long last – issued the final patches for Windows XP last month. There has been a lot of talk, for years, about what the impact would be of abandoning security support for an operating system that is still used by as many as 28 percent of computer users. It’s too soon to tell what the impact of this will be, but it’s probably time to get off XP if you are still running it. I have to think we’d be talking about this a whole lot more if Heartbleed never emerged, and I bet we will be talking about it as we move further into the future. Here is a solid run-down on what the end of XP may mean going forward.

In Mobile News

Last, but certainly not least, a new report from our researcher friends at Kaspersky Lab demonstrates that business is booming for those who use malware to steal banking information from Android users. In closing: another day, another hack that compromises one of those fancy fingerprint scanners.