Heartbleed – The Conversation
2015-01-14T15:20:52Z
If you seek to ‘switch off’ encryption, you may as well switch off the whole internet
<figure><img src="https://images.theconversation.com/files/69024/original/image-20150114-3865-i5wpql.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">We don't need any more internet off-switches, thanks.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/deadhorse/367716072/sizes/z/in/photostream/">deadhorse</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span></figcaption></figure><p>Prime Minister David Cameron has <a href="http://www.bbc.co.uk/news/uk-politics-30778424">stated</a> that the UK government will look at “switching off” some forms of encryption in order to make society safer from terror attacks. This may make for a grand statement, but it is impossible to implement and <a href="http://www.theguardian.com/technology/2015/jan/13/david-cameron-encrypted-messaging-apps-ban">extremely technologically naïve</a>.</p>
<p>Encryption is a core part of the internet; its use is increasing every day – Google’s services, including search and email, use encrypted streams, as do Facebook and Twitter and many other widely used sites. Encryption makes it almost impossible for eavesdroppers to read the contents of the traffic. It is the foundation upon which all e-commerce is based.</p>
<p>It’s just impossible to ban. There is no way to define a law which constrains the use of encryption. Would it be only when used in certain applications (such as email), or by disallowing certain methods (such as the encryption program PGP)? Would using a <a href="http://practicalcryptography.com/ciphers/caesar-cipher/">Caesar code</a>, a cipher nearly 2,000 years old, be illegal?</p>
<p>Such a move would make the UK – or any country that followed suit – an unsafe place in which to do business. Free countries wouldn’t consider switching off encryption due to the insecurity it introduces for both consumers and businesses.</p>
<p>Much online content accessed in the UK is actually stored and processed outside the country. Someone who suspects that they may be monitored can set up a secure connection to a remote site in the cloud – <a href="https://www.amazon.co.uk/clouddrive">Amazon’s</a> for example – and store and process information there. How would this fall under any new law?</p>
<p>And where would the ban end? Would it include character encoding, such as the Base-64 encoding that allows for <a href="https://www.ietf.org/rfc/rfc2045.txt">email attachments</a>, or the encoding that <a href="http://unicode.org/">provides non-Roman character sets</a> for other languages? Encryption is also the basis for cryptographic signing, a <a href="https://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography">digital signature</a> used by all manner of organisations to verify that digital content – software, audio-visual media, financial products – is what it claims to be. It is the basis of trust on the internet.</p>
<p>We have a right to some privacy. Few people would accept their letters being examined or their phones being tapped – and the rights enjoyed in the days of traditional communications should be no different when applied to their modern digital equivalents.</p>
<p>We also have a right to protect ourselves. With major losses of data occurring regularly, whether from attacks or due to error, we need to protect ourselves and our data. Encryption of data when stored or communicated is one way of doing so. The tools used by the security services to hack systems and break encryption are largely the same used by criminal hackers – reducing encryption levels will increase our vulnerability to both.</p>
<h2>The trouble with cryptography</h2>
<p>Law enforcement agencies have had an easy ride with computer systems and the internet – it’s relatively easy to pull evidence from the hard drives of suspects, given the lack of security. But the increasing focus on privacy and security has put the pressure on investigators. The battle lines between the right to privacy and the need to investigate crime have been drawn.</p>
<p>The internet was not designed with security in mind, and most of the protocols in use – HTTP, Telnet, FTP, SMTP – are clear-text and insecure. Encrypted versions such as HTTPS, SSH, FTPS and authenticated mail are replacing them by adding a layer of security through Secure Sockets Layer (SSL). While not perfect, this is a vast improvement on a system where anyone can intercept a data packet and read (and change) its contents. The natural step forward is to encrypt the data where it is stored at each end, rather than only as it is transmitted – this avoids what’s called a <a href="https://www.owasp.org/index.php/Man-in-the-middle_attack">man-in-the-middle attack</a> (interception of traffic en route by a third party impersonating the recipient), and the encryption key needed to decode the message only resides with those who have rights to access it.</p>
<h2>Keeping defence on its toes</h2>
<p>Reading enemy communications provides a considerable advantage, so cryptography has become a key target for defence agencies. Conspiracy theories have blossomed around the <a href="https://theconversation.com/backdoor-discovered-in-apple-ios-devices-that-undermines-iphone-security-29601">presence of backdoors</a> in cryptography software. Defeating encryption otherwise requires finding a flaw in the methods used (such as the <a href="https://theconversation.com/heartbleed-patched-but-security-time-bomb-is-still-ticking-25582">Heartbleed bug discovered in OpenSSL</a>) or with the encryption keys (such as weak passwords).</p>
<p>There has been a long history of defence agencies trying to block and control high-grade cryptography. The US government took copies of encryption keys through its <a href="http://www.cryptomuseum.com/crypto/usa/clipper.htm">Clipper chip</a>, attempted to prevent publication of the RSA public key encryption method, and dragged Phil Zimmermann through the courts after claiming that his PGP (“pretty good privacy”) encryption software leaving the country was <a href="http://internethalloffame.org/blog/2012/12/17/how-joe-biden-accidentally-helped-us-all-e-mail-private">tantamount to illegally exporting weapons</a>.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=425&fit=crop&dpr=1 600w, https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=425&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=425&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=534&fit=crop&dpr=1 754w, https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=534&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/69025/original/image-20150114-3883-1pngvxf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=534&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Well, we’ll start with everything, and take it from there.</span>
<span class="attribution"><span class="source">imgflip</span></span>
</figcaption>
</figure>
<h2>Hand me your finger</h2>
<p>Ultimately, username and password combinations alone are too insecure, as computers are now sufficiently powerful to perform brute-force attacks by checking all possible permutations of characters. The introduction of <a href="https://theconversation.com/after-all-these-hacks-tech-firms-could-do-more-but-better-security-starts-with-you-32051">multi-factor authentication</a> improves this by requiring two or more methods such as passwords, access cards, text messages or even fingerprints.</p>
<p>But Virginia Circuit Court judge Steven C. Fucci ruled last year that <a href="http://security-today.com/articles/2014/11/03/court-rules-police-can-force-users-to-unlock-iphones-with-fingerprints.aspx">fingerprints are not protected</a> by the <a href="http://www.law.cornell.edu/wex/fifth_amendment">Fifth Amendment</a> (“no person shall be compelled in any criminal case to be a witness against himself”). This means that those using their fingerprints as access keys may have to offer them up to investigators. Unusually, the same does not apply to passwords.</p>
<p>The UK equivalent, the right to silence, also comes with <a href="http://www.legislation.gov.uk/ukpga/2000/23/section/49">encryption key-related exceptions</a>: failing to hand them over <a href="http://www.theregister.co.uk/2014/07/08/christopher_wilson_students_refusal_to_give_up_crypto_keys_jail_sentence_ripa">is an offence in itself</a>.</p>
<h2>Encryption by default</h2>
<p>Both Apple’s iOS and Google’s Android operating systems for phones and tablets now offer <a href="https://theconversation.com/better-locks-to-secure-our-data-are-the-inevitable-result-of-too-many-prying-eyes-33790">encryption by default</a>, so that data on their devices are protected straight out of the box. Now that we carry so much data with us on our phones, one might reasonably ask why this took so long.</p>
<p>Of course this <a href="https://www.techdirt.com/articles/20141019/07115528878/everybody-knows-fbi-director-james-comey-is-wrong-about-encryption-even-fbi.shtml">ratchets up the tension between privacy and police investigation</a>. With iOS 8 and Android Lollipop, there are no electronic methods to access encryption keys from existing digital forensics tool kits, nor will the users have a password to hand over, so the encryption method technically breaches the law in both the US and UK. The same battle rages over the encrypted web service Tor, which law enforcement sees as a domain where crime can go undetected, but which privacy-minded advocates see as an important bulwark against authoritarianism.</p>
<p>The technical case for switching off encryption is simply a non-starter. In fact we are moving in the opposite direction, replacing the old, open internet with one that incorporates security by design. If you wish to switch off encryption, it will unpick the stitching that holds the internet together.</p>
<p class="fine-print"><em><span>Bill Buchanan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Bill Buchanan, Head, The Cyber Academy, Edinburgh Napier University. Licensed as Creative Commons – attribution, no derivatives.</p>
2014-12-31T08:51:48Z
Highlights and lowlights of 2014, a golden year for cybercrime
<figure><img src="https://images.theconversation.com/files/67932/original/image-20141222-31539-djl6n6.jpg?ixlib=rb-1.1.0&rect=0%2C216%2C925%2C551&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A year in which security was caught napping.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/eprater/4195628360">eprater</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>Looking back, 2014 was not a good year for keeping things safe under digital lock and key. If a score was being kept, it might seem that the cybercriminals are in the lead, despite the valiant efforts – and own goals – from the cybersecurity profession worldwide.</p>
<p>Cast your mind back to <strong>March</strong>, when everyone was panicking about the <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">Heartbleed</a> bug. It stemmed from an error in code upon which the majority of the world’s secure servers relied, and experts had plenty of time to fix the issue. Sadly there was an array of conflicting information about changing passwords, leading to widespread confusion. While most IT administrators made sure this was managed in a professional manner, it created a stir that seemed to set the tone for the year.</p>
<p>In <strong>May</strong>, online auction giant <a href="https://theconversation.com/massive-ebay-hack-change-your-password-now-27052">eBay</a> admitted to having been compromised. The site said its systems, with personal details of tens of millions of users, may have been vulnerable for months. Everyone was advised, indeed forced, to change their password.</p>
<p>In the same month, iPhones were hijacked and their owners blackmailed by the cunning <a href="https://theconversation.com/explainer-is-your-iphone-at-risk-after-the-oleg-pliss-hack-27288">Oleg Pliss</a> ransomware, locking phones and threatening to delete data unless cash was paid.</p>
<p>In this case, the criminals managed to acquire a database of usernames and passwords, maybe via Heartbleed, and cracked the passwords. As it’s well known that many users reuse the same passwords for many accounts, the Oleg Pliss attackers searched for iCloud email accounts and simply stepped through their list of passwords until they were successful. Then they remotely locked the phones and demanded a ransom. What was clever about this attack is that it targeted the weak link – lax security among humans – rather than the tough target, the security of the iPhone itself.</p>
<p>Already 3-0 to the cybercriminals by half-time, it wasn’t looking too good for Team Cybersecurity. In <strong>June</strong> there was finally a score for law enforcement: <a href="https://theconversation.com/two-weeks-to-stop-gameover-zeus-what-you-need-to-know-27536">Gameover Zeus</a>, a prolific botnet, was brought down through a combined operation from the FBI, UK National Crime Agency and other international agencies. It gave security experts time to hose down their systems, upgrade security measures and re-group, knowing that it would be weeks before this botnet could rally.</p>
<p>Android, the most popular mobile phone and tablet operating system, did not have a good year. With the most <a href="https://theconversation.com/explainer-which-phone-is-most-vulnerable-to-malware-25942">mobile malware</a>, Android is seen as a system that needs to clean up its act, with vulnerabilities exploited <a href="https://theconversation.com/had-an-odd-text-on-your-android-device-time-to-watch-out-for-sms-worms-28624">through text messages</a>, and potentially revealing <a href="https://theconversation.com/naked-selfies-found-on-wiped-phones-shows-how-data-isnt-always-deleted-29119">intimate details</a> left behind on second-hand devices that had supposedly been wiped.</p>
<p>In <strong>July</strong>, the focus was back on Apple’s iOS phone operating system, in which a <a href="https://theconversation.com/backdoor-discovered-in-apple-ios-devices-that-undermines-iphone-security-29601">back door</a> was discovered, proving a major embarrassment for the company. It’s interesting that the subsequent release of iOS, version eight, brought full encryption to the phone, suggesting that Apple has tried to fill this hole – <a href="https://theconversation.com/after-all-these-hacks-tech-firms-could-do-more-but-better-security-starts-with-you-32051">much to the annoyance</a> of some national security agencies.</p>
<p><strong>September</strong> arrived with a bang, as dozens of celebrities found <a href="https://theconversation.com/three-ways-your-personal-photos-are-vulnerable-to-hackers-31134">naked pictures of themselves</a> posted online. The issues earlier in the year that proved the potential to gain access to iCloud accounts had been realised, with the images stripped not from the phones themselves but from the iCloud accounts linked to them. Apple’s response was to generate a notification following any access to an iCloud account – but that may be too little too late if an intruder has already copied your more intimate snaps.</p>
<p>Later the same month, the discovery of the <a href="https://theconversation.com/bigger-than-heartbleed-bug-in-bash-leaves-millions-of-web-servers-vulnerable-32231">Shellshock</a> bug made it 7-1. This was another issue arising from decades-old code in the <a href="http://www.gnu.org/software/bash/">Bash shell</a> software, since incorporated into millions of computers and embedded devices worldwide. It’s ironic that, after years in which Microsoft Windows was regularly compromised, 2014 was the year in which the heat was turned on open source systems like Linux.</p>
<p>As <strong>November</strong> came around we witnessed a spectacular own goal, when a particularly complex and aggressive malware, <a href="https://theconversation.com/introducing-regin-one-of-the-most-sophisticated-espionage-bugs-ever-discovered-34616">Regin</a>, was alleged to be the product of Western intelligence agency experts. Of course, nobody has come forward to take the credit – but it’s clear that there are very capable cybersecurity or cybercriminal experts out there who have the time and resources to create bespoke attacks for their own ends.</p>
<p><strong>December</strong> brings the season for joy for many – but not for <a href="http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/">Sony Pictures</a>, which suffered an attack that leaked unreleased films online, posted embarrassing internal emails for all to see, and brought the company’s internal systems to their knees. Perhaps most embarrassing is that this seems to be <a href="https://theconversation.com/credibility-at-risk-in-sony-hacking-scandal-1038">becoming a habit</a> for Sony Corporation.</p>
<p>Come <strong>Christmas Day</strong>, the servers supporting the Xbox and PlayStation online gaming platforms were <a href="http://www.bbc.co.uk/news/uk-30602609">hacked</a>.</p>
<p>All in all, such a 10-1 thrashing points to an eventful year, and unfortunately leaves no doubt that the criminals have the edge, leaving the security experts nursing their own goals and playing catch up.</p>
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Andrew Smith, Lecturer in Networking, The Open University. Licensed as Creative Commons – attribution, no derivatives.</p>
2014-10-08T05:18:02Z
iWorm hack shows Macs are vulnerable too
<figure><img src="https://images.theconversation.com/files/61060/original/4vhrykms-1412694323.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">That's one sad Mac.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/nickkellet/6839330932/">nickkellet</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>The computer operating systems and applications we use today have often evolved over many years, decades even, and contain tens or hundreds of millions of lines of code. Flaws in that code – and there will always be some – give rise to security problems that, in an internet-connected world, are an increasing problem.</p>
<p>Many are found in code written in the C++ programming language – in Microsoft Windows, in Java, in applications such as Adobe Flash or Reader, the Outlook email client, browsers such as Internet Explorer and Firefox, and increasingly Linux and OS X. Any issues found to affect Linux and other Unix-like operating systems cause problems for Apple because OS X is Unix-like in nature.</p>
<p>Apple’s decision to redevelop a new operating system for the Macintosh based on Unix was a momentous one. A <a href="http://www.computerworld.com/article/2524660/operating-systems/the-unix-family-tree.html">family of related operating systems</a>, Unix has evolved since the early 1970s and continues to be used and developed today. Technically OS X is a “Unix-like” operating system called <a href="http://support.apple.com/kb/ta25634">Darwin</a>; Linux is another Unix-like operating system. This decision meant the company could rely on the stability of Unix and focus on the user experience.</p>
<p>Will this decision return to bite Apple, however? The flaws now being discovered in Unix-like operating systems also affect OS X. Many bugs are being found that have gone unnoticed for years – the Heartbleed flaw in OpenSSL for example relates to C++ code written by Eric Young in 1998.</p>
<h2>Lair of the iWorm</h2>
<p>Last week, Dr. Web (a Russian security firm) detailed a <a href="http://www.techtimes.com/articles/17226/20141006/os-x-malware-mac-backdoor-iworm-piggybacks-reddit-to-infect-over-17000-macs-how-about-yours.htm">newly discovered piece of malware</a> for OS X, called Mac.BackDoor.iWorm. This allows hackers to take control of a computer, using it as part of a botnet (a group of perhaps thousands of compromised, remotely controlled computers) for illegal activity such as spamming or performing Distributed Denial of Service (DDoS) attacks, where a website is overloaded with requests and forced offline.</p>
<p>After Dr. Web detected more than 17,000 computers infected with the worm, Apple <a href="http://www.tuaw.com/2014/10/06/apple-updates-xprotect-malware-definitions-to-shut-down-iworm/">responded quickly</a> by adding the malware’s signature to the <a href="http://www.thesafemac.com/mmg-builtin/">XProtect</a> malware scanner built into OS X. But this will only protect against the worm if the scanner has been updated to include the latest changes.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/oOn-pu1Qn3k?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Detecting the iWorm.</span></figcaption>
</figure>
<p>Interestingly, iWorm’s creators used the popular website Reddit as an attack vector. The addresses of the hackers’ command and control servers were posted in a fake Minecraft discussion forum – iWorm would browse Reddit to find these addresses, connect and wait for instructions. Reddit closed the hackers’ user accounts and the fake forum, cutting off the iWorm’s controllers – for now. The <a href="http://www.tuaw.com/2014/10/06/apple-updates-xprotect-malware-definitions-to-shut-down-iworm/">suggestion</a> is that it spread originally through pirated software infected with malicious code downloaded from torrent sites (making it more of a Trojan than a worm).</p>
<h2>Shell Shock</h2>
<p>Another recent bug, the <a href="https://theconversation.com/bigger-than-heartbleed-bug-in-bash-leaves-millions-of-web-servers-vulnerable-32231">Shellshock vulnerability</a> found in the Bash shell program affects practically all Unix-like operating systems (including Linux and OS X) because it’s such a common program, included by default in most installations. As Linux is found in many embedded systems – network hardware such as routers and switches, microcontrollers that operate traffic lights, industrial production lines and all sorts of other uses – the number of potentially vulnerable devices is huge.</p>
<p>The bug allows an intruder to remotely run arbitrary commands. Attackers have concentrated on using Shellshock to control web servers through their CGI function, one of the oldest methods through which a program could communicate with a web server. Today CGI has been largely replaced by PHP and other high-level scripting languages, but many millions of servers retain it for compatibility.</p>
<p>Even when Shellshock is used to run commands on a remote machine, the potential for damage on a properly security-hardened server is limited, as most of the important operations require higher-level privileges – provided the server is correctly configured.</p>
<h2>Buffer overflow attack</h2>
<p>Such programming errors show how sloppy software developers have been (and often continue to be), and how long such flaws can hang around – some 23 years for Heartbleed. Many bugs are due to C++ programming errors, causing programs to act incorrectly when the data a program receives is not what it expects. A common way of exploiting this is a <a href="http://www.cse.scu.edu/%7Etschwarz/coen152_05/Lectures/BufferOverflow.html">buffer overflow</a>.</p>
<p>Programs typically allocate a certain amount of memory (a buffer) to the variables used to store and pass around data. That data is expected to arrive in a certain format and fit within the memory allocation. If it arrives larger than it should be, it can overwrite code stored in neighbouring memory areas, causing the program to become erratic, crash, or execute code contained in the data that overruns the buffer.</p>
<p>Similar but not quite the same, the <a href="http://www.theregister.co.uk/2014/04/09/heartbleed_explained/">Heartbleed flaw</a> lay in a feature of SSL called a “heartbeat”, a challenge-response between two computers designed to keep the connection open. The code required the client computer to send a string of characters, and a number giving the length of that string of characters. The server reads the number and sends back that many characters. The attack worked because the attacker could, for example, deliberately send only one character but ask for 500; the server responds with a further 499 characters drawn from memory which, on a server running SSL, may well contain sensitive data such as usernames, passwords or even credit card details.</p>
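The length-trusting bug described above, beside the bounds check that closed it, as an added illustration written for this article (it is not OpenSSL's code). The record layout follows the TLS heartbeat extension (RFC 6520); the 48-byte claim, the one-byte request and the "secret" bytes sitting next to it in memory are all constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, the payload itself, then at least 16 bytes of padding.
 * Added illustration for this article; not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type byte + 2-byte length field */
#define HB_PADDING  16

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Vulnerable handler: trusts the length field the peer sent and copies that
 * many bytes, regardless of how many bytes actually arrived in the record.
 * Returns the number of response bytes produced, or 0 if none is sent. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > out_cap)
        return 0;                      /* only the output buffer is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* reads past the record */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Hardened handler: the claimed payload plus padding must fit inside the
 * record that was actually received; otherwise the request is discarded
 * without a reply, which is how the OpenSSL fix behaves. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > rec_len)
        return 0;                      /* length field exceeds the record */
    if (HB_HEADER + payload_len + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Constructed sample (not real data): a 1-byte payload that claims to be
 * 48 bytes long, followed in memory by other data the server is holding. */
#define CLAIMED_LEN 48
static const char SECRET[] = "user=alice;pass=hunter2";
static uint8_t connection_memory[128];
static const size_t record_len = HB_HEADER + 1 + HB_PADDING;   /* 20 bytes */

static void build_sample(void)
{
    memset(connection_memory, 0, sizeof connection_memory);
    connection_memory[0] = HB_REQUEST;
    connection_memory[1] = (CLAIMED_LEN >> 8) & 0xff;
    connection_memory[2] = CLAIMED_LEN & 0xff;
    connection_memory[3] = 'A';     /* the single real payload byte */
    /* bytes 4..19 are the zero padding; the secret sits just past the record */
    memcpy(connection_memory + record_len, SECRET, sizeof SECRET - 1);
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if the handler's response to the crafted request contains the secret. */
int response_leaks_secret(hb_handler handler)
{
    uint8_t out[128];
    build_sample();
    size_t n = handler(connection_memory, record_len, out, sizeof out);
    return n > 0 && contains(out, n, SECRET);
}

/* Response length for a well-formed 5-byte "hello" request: both handlers
 * still answer it, showing that the check does not break the protocol. */
size_t valid_request_response_len(hb_handler handler)
{
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[128];
    return handler(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(heartbeat_fixed));
    return 0;
}
```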
<h2>Moving targets</h2>
<p>So after decades of vulnerabilities appearing on Microsoft Windows, now they are beginning to show up in others such as Linux and OS X. Code will always contain errors and oversights, and the apparent security of an operating system has as much to do with how many people are interested in finding flaws in it. With billions of desktop, laptop and mobile devices running some version of Windows, it’s a magnet for hackers as much as it is for security experts trying to find those vulnerabilities first.</p>
<p>Personal computers running Linux (less than 2% of all PCs) or OS X (less than 7%) are few in comparison. But two-thirds of the internet’s servers are Linux/Unix-based and perhaps this is where those with malicious intent are turning their attention. And if that happens, Mac OS X may well become collateral damage.</p>
<p>While Apple has been fast to release patches, the danger is that users do not install the updates – as is the case with many Windows users, millions of whom run old, out-of-date and vulnerable versions of Windows and other programs. In the future, Apple will need to find its own vulnerabilities, review its own code and not leave it to the security community – which becomes a race between the protectors and the exploiters.</p>
<p class="fine-print"><em><span>Bill Buchanan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Bill Buchanan, Head, Centre for Distributed Computing, Networks and Security, Edinburgh Napier University. Licensed as Creative Commons – attribution, no derivatives.</p>
2014-09-26T12:47:07Z
Bigger than Heartbleed? Bug in bash leaves millions of web servers vulnerable
<figure><img src="https://images.theconversation.com/files/60179/original/5nrvgy67-1411732288.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Better bash that bash bug, big time.</span> <span class="attribution"><a class="source" href="http://www.shutterstock.com/pic-124757866/stock-photo-server-data-on-a-monitor.html?src=78d0oghwouoUqqY7Y124Vg-1-7">isak55/Shutterstock</a></span></figcaption></figure><p>A first and quite reasonable thought readers may have will be to wonder: what is bash?</p>
<p>When you use a computer you probably interact with it through a point-and-click, visual interface such as Windows or Mac OS. More advanced users or specific tasks might require a text-only interface, using typed commands. This command line program is known as a shell, and bash is the acronym for Bourne Again SHell (a successor to the Bourne shell, written by Stephen Bourne – that’s geek humour right there), known to everyone as <a href="https://www.gnu.org/software/bash/bash.html">bash</a>.</p>
<p>So what you need to know is that a shell is essential, and that bash as the most common shell in use is installed on pretty much every machine that runs a flavour of Linux or Unix. That includes Mac OS X – which behind its shiny desktop is a Unix-based operating system too. </p>
<p>What has systems administrators hot under the collar right now is the discovery by Red Hat, a firm that produces one of the long-established distributions of Linux favoured by enterprise, of a vulnerability in bash. This bug, which is being called “<a href="https://www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock/">shellshock</a>”, allows a hacker, <a href="http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability">under specific conditions</a>, to remotely access and take control of a system running a vulnerable version of bash.</p>
<p>Potentially vulnerable computers running Linux/Unix account for around <a href="https://secure1.securityspace.com/s_survey/data/201211/index.html">two-thirds of web servers on the internet</a>. That will include a huge number of online services you use – shops, banks, social networking sites, government services. The police and military, too. </p>
<h2>Huge scope online</h2>
<p>Now you can see why everyone is panicking and claiming that this is bigger than the <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">Heartbleed</a> bug, a problem that only affected one specific technology (Secure Sockets Layer) which is not near-universal like bash. It has been classed as a maximum risk factor of 10 out of 10.</p>
<p>Red Hat has <a href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/">released a patch</a> to close the loophole and solve the problem, but it’s not perfect and still allows an attacker other vectors to exploit. Other Linux and Unix vendors will be on the case as a matter of urgency and no doubt there will be an update from Apple for its Mac OS systems very soon. It isn’t the fault of one organisation – while tempting, there is no cause to bash Apple this time.</p>
<p>This vulnerability, dating back to version 1.13 of the program, has existed <a href="http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/">for 22 years</a> and it has taken detailed analysis by security experts to find it. Now it has been made public, vendors and system administrators are scrabbling to close the hole while hackers and cybercriminals are trying to exploit it.</p>
<p>In fact, within 24 hours of the announcement, exploits were <a href="http://www.theregister.co.uk/2014/09/26/bad_guy_builds_beastly_bash_botnet/">already being reported in the wild</a>. The issue is exacerbated by the fact that shell programs such as bash are designed to be connected to remotely, through programs such as SSH or telnet. It isn’t too difficult to send commands to a remote device or to encourage users to download an application that uses the same commands.</p>
<p>But that assumes the attacker is able to bypass your perimeter protection such as a firewall and other network security policies. As a network engineer, I know that while there is a weakness on my system that must be resolved, there are other defence mechanisms already surrounding that weakness that still provide protection.</p>
<p>However, those running a web server – whose entire function is to respond to those remote calls (in this case, your web browser’s requests for pages on the site you’re browsing) – have much more of a problem. This provides a route into the system that can’t be blocked with a firewall as it would also block legitimate requests for the web server. Systems administrators are probably very busy at the moment trying to ensure that their bash environments cannot be exploited.</p>
<p>Also of concern are the tens of millions of pieces of networking hardware such as routers and switches that connect the internet’s computers together. Almost all run stripped-down versions of Linux-like operating systems optimised for networking, but <a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=35816">they also include bash</a> for network engineers to connect to and control them. These will need to be patched too.</p>
<h2>Desktop users are safe</h2>
<p>The rest of us can probably breathe easier. Attackers are more interested in compromising systems that may return financial advantage, which is unlikely to be our desktop computers.</p>
<p>My advice to Apple Mac users is to check <a href="http://support.apple.com/kb/ht1810">firewall settings</a> and take care when downloading any third-party application not available via the App Store. For Linux users the same applies – Ubuntu has a software centre, for example, where the community have checked all available applications to date. In any case, a patch will be available soon. Windows users are unaffected (and it’s not often you can say that).</p>
<p>Some are suggesting this bug is a larger problem for Apple desktop devices than it really is. Unless your machine has been set up to allow others remote access to it (it wouldn’t do so by default), has its firewall switched off and is not on a protected network (home broadband routers provide their own protection, for example), I wouldn’t worry – but install whatever recommended updates appear in the days to come.</p>
<p class="fine-print"><em><span>Andrew Smith was historically affiliated with the Linux Professional Institute.</span></em></p>
<p>Andrew Smith, Lecturer in Networking, The Open University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>The Heartbleed bug continues to pose risks for people</h1>
<p>2014-07-03</p>
<figure><img src="https://images.theconversation.com/files/52916/original/n736wm4y-1404352160.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">You could still be at risk from the Heartbleed bug.</span> <span class="attribution"><span class="source">Igor Stevanovic</span></span></figcaption></figure><p>It’s been almost three months since the <a href="http://heartbleed.com/">Heartbleed</a> bug was revealed and many thousands of computer servers still need to be fixed.</p>
<p>The Australian government’s <a href="http://www.staysmartonline.gov.au/alert_service/alerts/heartbleed_update_more_than_300,000_web_servers_are_still_vulnerable#.U7Jpp42Syrw">Stay Smart Online initiative</a> this week points to research by security expert Robert Graham who identified 600,000 vulnerable servers after the Heartbleed bug was <a href="http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities">made public in April</a>. He says <a href="http://blog.erratasec.com/2014/06/300k-vulnerable-to-heartbleed-two.html#.U7HuDvmSx8H">300,000 servers</a> still remain exposed as of late June.</p>
<p>Managing security problems in complex IT infrastructure is uncannily like managing pests on a farm. If they are handled promptly, problems are minimised.</p>
<p>But if they are neglected, the problems will grow, do more damage and take more work to rectify when they are finally dealt with.</p>
<p>The equivalent of an insect plague arrived on the paddocks of the world’s IT system administrators in April 2014 when the Heartbleed vulnerability was first revealed.</p>
<h2>The Heartbleed risk</h2>
<p>The <a href="https://theconversation.com/topics/heartbleed">Heartbleed</a> bug was <a href="https://theconversation.com/how-the-heartbleed-bug-reveals-a-flaw-in-online-security-25536">a programming mistake</a> in the <a href="http://www.openssl.org/">OpenSSL</a> security library used by a large proportion of the world’s internet software. It left much of the world’s IT infrastructure vulnerable to cybercriminals.</p>
<p>Keeping systems secure required system administrators to not only update software, but obtain new “master keys” to re-establish their corporate electronic identity. In many cases they also had to ask their users to change passwords.</p>
<p>It is likely that the global cost of dealing with Heartbleed has already run into the hundreds of millions of dollars.</p>
<p>A <a href="https://theconversation.com/six-more-bugs-found-in-popular-openssl-security-tool-27679">second round of problems</a> in the same software were identified in June 2014, again requiring considerable remedial action by vendors and system administrators. </p>
<h2>But the problem persists</h2>
<p>A few months on from Heartbleed the majority of internet-accessible systems that were vulnerable have been secured, but not all.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=398&fit=crop&dpr=1 600w, https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=398&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=398&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=500&fit=crop&dpr=1 754w, https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=500&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/52920/original/pxtwttyq-1404353763.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=500&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The 4.1.1 version of Android’s Jelly Bean operating system remains a risk.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/frikjan/7988113282">Flickr/Frikjan</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<p>For instance, many older Android smartphones have a firmware version (4.1.1) that <a href="http://www.pcmag.com/article2/0,2817,2456507,00.asp">contained the vulnerable code</a>. Protecting these phones required the firmware supplier to either patch the supplied version to fix the bug, or update to a newer version of Android.</p>
<p>While exploiting the bug on a smartphone is much harder than on a server, it remains possible. Therefore vulnerable phones should be updated to protect them.</p>
<p>Google made updates available to the manufacturers of smartphones shortly after discovering the problem but manufacturers then had to apply Google’s fixes to the specific firmware for each of their affected models, and test the fixed version.</p>
<p>Even then, updates for many phones were not made available to consumers, as phones are often sold with customised firmware from carriers.</p>
<p>The major Australian carriers – Telstra, Optus and Vodafone – provide custom firmware in phones sold from their retail outlets. Each carrier would then have had to package and test the update for the customised version for each vulnerable phone model.</p>
<p>Given the relatively limited resources at each individual carrier for such testing, it’s no surprise that this process took a long time. For instance, it took Vodafone Australia <a href="http://support.vodafone.com.au/articles/FAQ/HTC-One-X-software-update">until June 16</a> to supply fixed firmware for one model, the HTC One X.</p>
<p>Other carriers, and other phones running this Android version, may still be vulnerable. Users of Android phones should consider downloading the free <a href="https://blog.lookout.com/blog/2014/04/09/heartbleed-detector/">Lookout Heartbleed Detector</a> from the Google Play store to check.</p>
<h2>Why so slow to fix the bug?</h2>
<p>The issues illustrated by the slow rollout of Android updates are specific examples of the kinds of problems faced by both software vendors and system administrators in dealing with security vulnerabilities.</p>
<p>Fixing the problem in the software is often the easy part. Deploying the fix across the many affected systems, and testing to ensure that the fix doesn’t create additional problems, is where the real work lies, particularly when security updates are bundled with other unrelated fixes that may have side effects.</p>
<p>Information security analyst Marco Ostini, who works at the Australian Computer Emergency Response Team (<a href="https://www.auscert.org.au/">AusCERT</a>), says this leads to “<a href="http://www.itnews.com.au/News/388961,vendors-slow-to-patch-openssl-vulnerabilities.aspx">vulnerability mitigation fatigue</a>” where fixes are not being deployed on many systems.</p>
<h2>The problem with orphans</h2>
<p>The systems and software packages that aren’t being updated are “orphans” – that is, no one is taking responsibility for keeping them updated to protect against security issues.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=727&fit=crop&dpr=1 600w, https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=727&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=727&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=913&fit=crop&dpr=1 754w, https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=913&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/52930/original/dbfhwvwz-1404356759.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=913&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Heartbleed.</span>
</figcaption>
</figure>
<p>Phones running the vulnerable version of Android, 4.1.1, were actually examples of orphan devices, as most suppliers had ceased providing updates for them. Because of the scale of the security risk, an exception was made for Heartbleed. </p>
<p>Orphan servers are often operated by smaller organisations, or smaller divisions within larger ones, that lack the expertise to maintain their servers. </p>
<p>They may be running old, unsupported software that nevertheless continues to perform some useful but often relatively small task. A common example is a computer in an engineering environment such as a factory that uses vendor-specific software to control some expensive, valuable, but ageing device.</p>
<p>If the vendor has ceased to support the software, there may be no way to fix it. Even if the software is open source the individual customer will often not have the expertise to perform the fix themselves.</p>
<p>But sometimes orphan servers <em>are</em> simply the result of tired system administrators with the so-called “vulnerability mitigation fatigue”. Maintaining servers, particularly running old and relatively unusual software, is a great deal of work and the rewards are often not clear.</p>
<h2>If it ain’t broke … still fix it</h2>
<p>It’s tempting to simply say “if it ain’t broke, don’t fix it”. Unfortunately, IT security doesn’t work that way. </p>
<p>Aside from the risk of data loss from the specific system, a compromised server within a wider corporate network may leave a gap in the metaphorical fence for further attacks.</p>
<p>Therefore, managing IT infrastructure requires vigilance to ensure even lower-profile systems are kept protected, and careful design to reduce the consequences of a single system being compromised.</p>
<p>Even if the consequences to the organisation of a compromise of a particular system are not great, they still represent a safe and anonymous electronic haven from which cybercriminals can do further damage. In the farm analogy, they’re the equivalent of the neglectful neighbour’s weed-infested paddock. </p>
<p>The internet has become an essential part of our global society but it is vulnerable to criminal activity, and will ever be thus. The continuing aftermath of Heartbleed increases that vulnerability.</p>
<p>That is why we need diligence on the part of those who develop and manage IT systems to not only protect their own little patches, but to help keep the pests under control more generally.</p>
<p class="fine-print"><em><span>Robert Merkel has previously received Australian Research Council grants in the area of software testing and reliability.</span></em></p>
<p>Robert Merkel, Lecturer in Software Engineering, Monash University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Lock down cybersecurity or face another Heartbleed – or worse</h1>
<p>2014-05-05</p>
<figure><img src="https://images.theconversation.com/files/47755/original/pmqpq7fr-1399254751.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">More than 5 million Australians were victims of cybercrime in 2012 and cyber breaches are only going to get bigger and more disruptive.</span> <span class="attribution"><a class="source" href="http://www.flickr.com/photos/jimprosser/8268488048">Jim Prosser/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span></figcaption></figure><p>The recently released <a href="https://theconversation.com/topics/national-commission-of-audit">Commission of Audit</a> report recommends that the Australian government needs to become “<a href="http://theconversation.com/digital-by-default-efficient-egovernment-or-costly-flop-26182">digital by default</a>”. </p>
<p>The continued shift to digital service delivery is intended to reduce costs, improve quality of service and provide greater transparency. But it will also open up new vulnerabilities to cyber attacks that could be used to access secure and confidential data, compromise the integrity of trusted authorities and disrupt critical services. </p>
<p>In a report launched today at the <a href="http://www.cebit.com.au/cybersecurity-2014">CeBIT cybersecurity conference</a> in Sydney, we outline cybercrime trends which could feasibly shut down critical utility infrastructure such as energy grids and defraud the healthcare system to the tune of A$16 billion by 2023.</p>
<p>The recent <a href="https://theconversation.com/topics/heartbleed">Heartbleed</a> security bug is a telling example of the evolving nature of cyber threats, with the vulnerability impacting many popular websites and going undetected for almost two years.</p>
<h2>Technology trends</h2>
<p>The shift towards digital commercial services will continue to play a key role in driving the economy and society forward, as these services become increasingly embedded into business operations across a wide range of industries.</p>
<p>The healthcare industry is looking to digitisation to reduce spiralling costs while meeting changing patient needs and improving the care experience. The adoption of <a href="https://theconversation.com/topics/ehealth">electronic health records</a> will allow physicians to easily create and share medical records and other important patient data. </p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=402&fit=crop&dpr=1 600w, https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=402&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=402&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=505&fit=crop&dpr=1 754w, https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=505&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/47765/original/37jrnyzp-1399255428.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=505&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="http://www.flickr.com/photos/intelfreepress/7853146846">Intel Free Press/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>Investment in <a href="https://theconversation.com/topics/cloud-computing">cloud computing</a> will drive efficiencies and allow interoperability between provider systems. And new diagnostic and non-invasive sensor technologies will improve remote monitoring and telehealth solutions.</p>
<p>Similarly, digital infrastructure will transform the energy industry. Smart grids and smart meters will allow providers to better forecast and adjust to peak demand, driving improved pricing models and optimised production. And in-home energy management devices will connect with smart appliances and allow consumers to monitor, control and optimise consumption automatically. </p>
<p>Alongside critical industries, consumers are also becoming more digitised, with a growing number of devices connected to the network. This goes beyond personal computers, smartphones and tablets to include <a href="https://theconversation.com/topics/wearable-technology">wearable devices</a>, <a href="https://theconversation.com/detection-devices-how-a-sensor-society-quietly-takes-over-26089">sensors</a> and interactive displays such as in-home energy monitors. The number of devices connected to the internet is expected to increase to as many as 50 billion by 2020.</p>
<h2>Evolving cyber threats</h2>
<p>This increased dependence on technology, combined with the evolving complexity of cybersecurity threats, will increase our level of vulnerability – at a national, organisational and individual level.</p>
<p>The Department of Defence estimates that <a href="http://www.defence.gov.au/defencenews/stories/2013/jan/0124.htm">5.4 million Australians</a> were victims of cybercrime in 2012 and independent estimates put the cost of cybercrime in Australia as high as <a href="http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_FINAL_050912.pdf">A$2 billion per year</a>.</p>
<p>Left unchecked, these figures will continue to rise in coming years as cyber attacks become more sophisticated and harder to detect.</p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=507&fit=crop&dpr=1 600w, https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=507&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=507&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=638&fit=crop&dpr=1 754w, https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=638&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/47760/original/q3cv82p2-1399255081.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=638&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="http://www.flickr.com/photos/29487767@N02/6872259969/">Daniela Hartmann/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA</a></span>
</figcaption>
</figure>
<p>As more data and processing continues to move to public networks and the cloud, traditional network boundaries are dissolving, leading to new challenges in how we secure data and infrastructure across virtual locations.</p>
<p>The tools needed to carry out a cyber attack are becoming more widely available, opening up attack opportunities to a wide range of would-be attackers, from disgruntled corporate insiders seeking retribution, to “<a href="https://theconversation.com/lulzsec-anonymous-freedom-fighters-or-the-new-face-of-evil-2605">hacktivists</a>” promoting a cause, to corporate espionage and criminal syndicates using cyber breaches as a means for financial gain.</p>
<h2>Navigating the threat</h2>
<p>An April <a href="https://www.aspi.org.au/publications/cyber-maturity-in-the-asia-pacific-region-2014">report</a> by the Australian Strategic Policy Institute (<a href="https://www.aspi.org.au/">ASPI</a>) ranked Australia second in cybersecurity capabilities in the Asia-Pacific region. But Australia cannot remain complacent in its approach to cybersecurity. Our strategies and tools need to evolve and keep pace with rapidly advancing cyber challenges. </p>
<p>To address these emerging threats, Australia will need a change in perspective, recognising that cybersecurity is not solely a technology challenge. It is also a cultural challenge; one that extends beyond traditional information security practices.</p>
<p>Because attackers frequently exploit the weakest link, cybersecurity will need to be viewed as a shared responsibility with everyone having a role to play in ensuring the security of the entire digital ecosystem.</p>
<p>This will need:</p>
<ul>
<li>a commitment to improved education and training to make users aware of the risks and consequences of their actions</li>
<li>improved software and system design that integrates effective security as naturally and invisibly as possible</li>
<li>new technologies to prevent and respond to future cyber threats.</li>
</ul>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=425&fit=crop&dpr=1 600w, https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=425&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=425&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=534&fit=crop&dpr=1 754w, https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=534&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/47757/original/rppskjrx-1399254941.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=534&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="http://www.flickr.com/photos/mikecogh/7348035690">Michael Coghlan/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>We are working on these challenges, through improved digital identity systems that will make it easier to verify identities and establish trust in collaborative environments and through researching new <a href="http://searchsecurity.techtarget.com/definition/homomorphic-encryption">homomorphic cryptography</a> techniques that allow processing secure data without needing to decrypt it. </p>
<p>CSIRO’s research in data analytics and machine learning could also contribute to new innovations that make it easier to detect and quickly respond to network anomalies.</p>
<p>Future attacks will likely be beyond the response capabilities of any one organisation. Successfully navigating the road ahead will require a whole-of-nation effort, harnessing the full range of resources available across our economy.</p>
<p>Alongside existing national and defence-related strategies, the research community, in partnership with industry and government, has a vital role to play, through applying innovation and cutting-edge technology to the people, process and technology solutions needed going forward. </p>
<p>Through the integration of knowledge, ideas and resources, we can ensure strong cybersecurity capability is at the core of the digitally-enabled future of Australia.</p>
<p class="fine-print"><em><span>James Deverell works for CSIRO.</span></em></p>
<p>James Deverell, Director, CSIRO Futures, CSIRO. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story</h1>
<p>2014-04-30</p>
<figure><img src="https://images.theconversation.com/files/47294/original/skpc62hp-1398783384.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Saw it coming?</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/jooon/2432064925/in/photolist-mZdKrD-4GUYaT-mYec7R-n4Te9S-n4tixv-nhZwtE-n174PX-mXZ8xL-n1WHrX-naJCem-n2iyiH-n2ixxB-n2ixrV-n8Wrf5-nf92fS-naQx9D-mVbXze-nbqU4Y-n6Y57w-mZhmxe-mZt99K-mWrtUh-n6KDwn-n57ydM-nbou86-mZiFUX-mWkjCT-n5PbZ3-mY2r8H-n8xmPP-4HnUAc-n9z6j9-ndb1FH-mZTmjP-n12jH6-n292ph-mVZ9ra-n31ZjJ-mYbPKB-ni9yrn-npmjXA-mZohiR-mWkYyx-mY2ksp-mYajNF-mZhmwH-mZhmvR-mZhmtX-mZj9Pu-n89CYC">Jon Åslund</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>Here is a puzzle for you. Why did shares in Yahoo! slide by nearly 10% in the days before Heartbleed was announced and then recover after the main news items broke?</p>
<p>It has long been the case that security vulnerabilities can have a negative effect on the public’s perception of tech companies and the value of their stock. All chief executives need to understand this and take action to reduce the exposure and associated risks. </p>
<p>It happened with Sony three years ago, for example, with an <a href="http://www.bbc.co.uk/news/technology-13169518">outage on their PlayStation network</a>. This lasted more than a week, resulting in a share price drop of 8%. It affected both consumers and developers, causing major embarrassment for the company. </p>
<p>I have analysed how the recent <a href="http://www.businessinsider.com/heartbleed-bug-explainer-2014-4">Heartbleed bug</a> affected certain major tech companies. Yahoo! was widely reported to have been hit hard by Heartbleed and to have leaked user information. Amazon had more to lose than most major companies from a dip in consumer confidence related to electronic commerce. Also included in the analysis were HP, Dell, Google, AOL and Microsoft. </p>
<p>The chart below shows the stock price of these companies over the time of the Heartbleed vulnerability. You can see there are two dips, which can be explained by three main phases.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=420&fit=crop&dpr=1 600w, https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=420&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=420&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=528&fit=crop&dpr=1 754w, https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=528&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/47176/original/r42zg52x-1398701187.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=528&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The ups and downs of big tech stock during Heartbleed crisis.</span>
<span class="attribution"><span class="source">Google Finance</span></span>
</figcaption>
</figure>
<h2>Day zero minus two</h2>
<p>The first phase related to the <a href="http://blog.easydns.org/2014/04/07/urgent-security-advisory-heartbleed-openssl-vulnerability/">technical release of information</a> about the vulnerability. The first major news release was on April 7 with the stark message: <a href="http://seclists.org/fulldisclosure/2014/Apr/106">“We are doomed.”</a></p>
<p>We can see that the full dip happened that day, taking these companies’ stock prices down between 3% and 10%. But the slide had been happening for a few days, having started on the previous Thursday. This may have been due to information being disseminated to the major companies, most likely from the security authorities before the rest of the world knew about it.</p>
<p>This would have been intended to give the major companies a day or two to get their systems ready for the so-called day zero threat, when it would be open season for intruders probing systems. </p>
<p>It could be that this information was also leaked to insiders who then sold their stocks in the major IT companies, waiting for a time to repurchase them at a tidy profit. One thing that would certainly be well known to traders is that a news item can push down a company’s stock price, only for it to recover after it blows over. </p>
<h2>Day zero plus one</h2>
<p>In the next phase, from April 7 to 9, the companies’ stock prices went back up, almost to normal levels. This was the period where the key technical teams within the major IT companies were patching their systems and reporting back. The information coming back perhaps didn’t look too bad on their systems, which would have made them think they weren’t badly exposed. </p>
<p>The vulnerability was only seen as a technical flaw and nothing to alarm the business community. Few at the time were predicting the storm would hit and the impact that it would have. Traders may well have gone back into the market to repurchase stocks that they had sold in the days before. </p>
<h2>Day zero plus two</h2>
<p>The news of Heartbleed <a href="http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/">broke in a major way</a> around the world on April 9. Yahoo! and Amazon were heavily quoted in the news and were seen as being at the most risk. </p>
<p>Yahoo! stock lost 9.4%, while Amazon’s lost 8.3%. More curiously, Microsoft went down nearly 5%, even though it was not exposed to the vulnerability.</p>
<p>Two things appear to have been going on – the first could have been profit taking. Traders could bail out of a stock, wait for the news item to play through, then go back in when the stock was at its lowest and make a nice profit. The second may have been a general knee-jerk feeling that the internet was cracking, and that the roof was about to collapse. It seemed possible that user trust in online commerce could be broken. </p>
<p>When the news broke, no one really knew what was going on, even at the highest level. Some governments were advising users to change all their passwords immediately, for example, while others were saying don’t change until things had been patched. For a company such as Amazon this lack of user trust, even for a short period, can have major effects on their infrastructure.</p>
<h2>The after effects</h2>
<p>After the main news events, stock prices mostly went back to where they started. None of the major companies caused the problem, so their reputations have not been tarnished. Yahoo! is now showing a 0.0% change overall, for example. </p>
<p>Some traders may have done well from the rises and falls during the crisis. The evidence suggests that there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied. </p>
<p class="fine-print"><em><span>Bill Buchanan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Bill Buchanan, Head, Centre for Distributed Computing, Networks and Security, Edinburgh Napier University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>Let’s not panic like it’s 1999 as we clean up after Heartbleed</strong> (published 2014-04-24)</p>
<figure><img src="https://images.theconversation.com/files/46937/original/s448pv38-1398265084.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The internet didn't fall to pieces at the millennium and it won't now.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/drinksmachine/495352477/in/photolist-8eUzq1-51sByA-51ojop-7scvow-8VE6Db-8VE6CG-8VE6CY-8VE6CL-Nn4Df-4fy2jJ-GFtSi-6NUA7d-73nTXo-hRQMZx-6NQo2V-8dvaw-7LPHj-6NUyHf-6NUzqh-6ngg6-8G6BVF-kSzp6K-6BXyT-sTWWz-cA3qYs-sTDDn-bAgWD3-bPbAcx-bxqEQY-bxmDFm-bxqEMq-bxmDWN-73zxgf-51ojDi-8G9LN5-524Lqu-2vjqj5-bLk1eK-bxqHJE-bLjZpt-bxqhQ9-4mc4Bg-6DsSe8-7J55CN-8twF7P-nTcHV-6Gpiq7-6GpisY-6GpiE1-KLP2X">drinksmachine</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>Take a moment to jump back in your mental time machine to 31 December 1999. It was the biggest New Year’s Eve for a thousand years. The dawn of a new millennium. But as we prepared to party, the world was also gripped by the fear that digital infrastructure was about to come crashing down around us.</p>
<p>For all we knew, the <a href="http://news.bbc.co.uk/hi/english/static/millennium_bug/countries/default.stm">millennium bug</a> would hit at midnight, causing untold havoc on the computers upon which we had come to depend. Those of us old enough to remember may have felt a similar sense of dread over the past few weeks as we faced the implications of the Heartbleed security flaw.</p>
<p>We were caught in the hype in 1999 and let others dictate what we needed to do. That left us vulnerable to people who wanted to take advantage. We should learn our lesson from that time as we deal with <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">Heartbleed</a> and as we approach the next big security glitch. </p>
<h2>The apocalypse that wasn’t</h2>
<p>The millennium bug, also known as the Y2K bug, was a real issue, a throwback to historical programming from the 1960s and 1970s. </p>
<p>For many years, operating systems, hardware, software and many other devices made their calculations using a two-digit date. The switch from 99 to 00 as the millennium came to an end meant that some systems, such as those used by your bank, would be thrown into immediate chaos. They wouldn’t know if it was 1900 or 2000.</p>
<p>The story went that many critical systems, including air traffic control, security control systems and financial systems all used date and time to assist humanity in completing their automated tasks. If they were confused about the date, human safety and security could have been on the line.</p>
<p>The millennium bug came with considerable hype and scaremongering in the press. Some outlets discussed the potential for planes to simply fall out the sky. Whether you were around in 1999 or not, you probably know that this didn’t actually happen in the end.</p>
<p>But even though much of the hype was unwarranted, the millennium bug was a realistic concern. By 1999, the internet was popular across the world, even if it wasn’t the backbone of our very existence. Home computers were becoming a standard feature and many societies had become dependent on computer technology to support everyday experiences. Online shopping had already begun and many of us were already printing out tickets for economy airlines.</p>
<p>Cynics would say that some IT experts <a href="http://techie.com/how-the-y2k-scare-made-panic-into-profit/">profited</a> from Y2K, making a killing from the fear, hype and misunderstanding that surrounded it by selling advice and software to protect against the worst.</p>
<p>While Y2K didn’t cause total societal meltdown, there were still some problems. Some <a href="http://news.bbc.co.uk/1/hi/business/582007.stm">cash machines and card readers failed</a>, for example, and were out of action for around two days. But many of the big issues it might have caused were addressed in advance of New Year’s Eve.</p>
<h2>Learning the lesson</h2>
<p>Considering the current media coverage of <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">Heartbleed</a>, you could be forgiven for thinking that we have not learnt from history.</p>
<p>Just as in 1999, the general public was heavily implicated. Up to 60% of websites were vulnerable to the Heartbleed security flaw, but users of those sites were left with mixed messages. Should they change their passwords? Was their bank, social network or email under threat? Would they be robbed? Would their identity be stolen? Is it the end of the internet as we know it?</p>
<p>As the media spread panic, people all over the world struggled to keep up. But now that we know we should probably change our passwords to be on the safe side, how many people have actually done it? Probably only a tiny fraction. Still, the internet has not crumbled. A security meltdown has not yet been reported. </p>
<p>For both Heartbleed and the Millennium Bug the problem was real, and both caused genuine issues. But with intervention from technical experts, both were eventually resolved. While Heartbleed may linger for a little while longer, I doubt the Millennium Bug remains an issue.</p>
<p>Hopefully, Heartbleed has taught us all to be a bit more careful about our passwords and it should serve to prove that panic helps no one. On the other hand, the disasters averted in 1999 and 2014 should guide us as we start to look to 2038 – the year when the next big bug could hit our systems. </p>
<p>But maybe you should start thinking about <a href="http://2038bug.com/">2038</a>. This is the next date that could confuse our computers. It is a while yet before anyone should be concerned but it is still a mathematically likely issue. </p>
<p>In all technology reports, when you start seeing every expert saying different things, it can be difficult to know how to act. That is because collectively we do not yet know the extent of the problem. So the best thing is to stay calm, wait, and make an informed decision rather than react to the first piece of advice that comes your way.</p>
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Andrew Smith, Lecturer in Networking, The Open University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>Heartbleed patched but security time bomb is still ticking</strong> (published 2014-04-14)</p>
<figure><img src="https://images.theconversation.com/files/46375/original/483g9gnt-1397481819.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Health check failed.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/62648476@N00/4545575241/">El Payo</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>Heartbleed, the bug that has preoccupied thousands of websites and millions of users over the past week, may well have been the biggest security flaw in internet history but it is unlikely to be the last.</p>
<p>Our entire security infrastructure is a mess because both ordinary people and elite security experts often harbour fundamental misunderstandings about security, design and privacy. </p>
<p>Heartbleed is a bug in OpenSSL, a library used by programmers to <a href="http://theconversation.com/how-the-heartbleed-bug-reveals-a-flaw-in-online-security-25536">encrypt data on the web</a>. Hackers may have used the bug to find your password for Facebook, Instagram, Google, Yahoo and possibly thousands of other <a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/">websites</a>.</p>
<p>Security guru Bruce Schneier has called the situation “catastrophic” – an <a href="https://www.schneier.com/blog/archives/2014/04/heartbleed.html">11 on a scale of 1 to 10</a>. And the craziest part is, Heartbleed is so simple that you can explain how it works in a <a href="http://xkcd.com/1354/">six-panel comic strip</a>.</p>
<h2>Secure is not a fixed state</h2>
<p>One serious problem is that many people think about security as a fixed state. We categorise some things as “secure” while others are “insecure”. Money in the bank is secure. Money in the sock drawer is insecure. When you see the little padlock icon in your browser, the website is secure. If there is no padlock, it’s insecure.</p>
<p>This is nonsense. Security is a spectrum. Making data more secure is expensive and inconvenient. So we compromise. We accept some risk to avoid high costs and frustrating access policies.</p>
<p>This confusion is exacerbated by our unrealistic views about the designers and engineers who build websites. We imagine designers who logically deduce optimal designs from a comprehensive list of requirements and testers who systematically rule out every possible bug.</p>
<p>But design isn’t like the maths problems you did in school where finding the answer is simply a matter of manipulating the information given. It’s a creative process that involves improvising as <a href="http://arxiv.org/abs/1304.0116">many systems have no meaningful requirements</a> in practice.</p>
<p>A system like OpenSSL has an unknown, potentially infinite number of exploits. You can spend billions testing it and still not know for certain whether you have found them all. </p>
<h2>Expensive locks on glass doors</h2>
<p>Organisations appear to regularly spend enormous sums on fancy-sounding security technologies that are trivially easy to bypass. Take, for example, the millimetre-wave body scanners now found in many airports. These cost US$180,000 each and are used to create, save, <a href="http://www.cnet.com/uk/news/feds-admit-storing-checkpoint-body-scan-images">store</a>, and transfer naked images of you. </p>
<p>Even though they cost a fortune and significantly undermine our privacy, you can walk through a body scanner <a href="http://www.nbcdfw.com/news/local/TSA-Agent-Slips-Through-DFW-Body-Scanner-With-a-Gun-116497568.html">with a gun</a> or a third of a kilogram of <a href="https://www.schneier.com/blog/archives/2010/12/hiding_petn_fro.html">plastic explosive</a>. Or, since children are not subjected to the scanners, you could just hide something on the kid and retrieve it on the other side.</p>
<p>Online, we primarily lock our data using passwords. But passwords just <a href="http://www.wired.com/2012/11/ff-mat-honan-password-hacker/all/">don’t work very well</a>. Virtually everything that’s easy for you to remember is easy for others to guess. Everything that’s hard to remember has to be written down somewhere, and then someone else can find it. Hackers can also trick you into revealing your password or exploit password reuse to compromise your “password ecosystem”.</p>
<p>And hackers are not the only ones seeking to get their hands on your data. You may well wonder why you should bother having strong passwords when government agencies including the NSA <a href="http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption">systematically undermine encryption standards</a> to more easily access your data on <a href="http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story_1.html">Facebook and other websites</a>. Of course, hackers can exploit the same weaknesses created by the NSA. </p>
<h2>Your password future</h2>
<p>For most of us, opting out of online life because of the NSA or Heartbleed is unrealistic. However, there are some reasonable precautions you can take today. </p>
<p>First, you should get a password manager like <a href="https://lastpass.com/">LastPass</a> or <a href="https://agilebits.com/onepassword">1Password</a>. These make it more convenient to use stronger passwords, and a different password on every site. Of course, if the password manager itself is hacked, you’re toast.</p>
<p>Use your new password manager to generate unique, strong passwords and enable <a href="http://evanhahn.com/2fa/">two-factor authentication</a> wherever possible. This adds an extra layer to logging in, such as sending a code to your mobile phone.</p>
<p>In the long term, it is important to recognise that individuals, companies, the media and politicians will use fear, misinformation and bad logic to try to sell you ineffective security systems.</p>
<p>They will imply that security is a state and that everything must be secure; therefore, security systems are worth whatever money, disruption, inconvenience and downright abuse involved.</p>
<p>This is a trick to keep you from simply weighing the costs and benefits. The truth is, airports do not need body scanners to stop hijackings and your internet service provider does not need to keep a record of every website you ever visit just in case it might be relevant to some frivolous copyright infringement lawsuit at some point. The NSA does not need access to the entire world’s communications to look for terrorists and the police do not need unmanned aerial vehicles to spy on citizens. These are all bad trade-offs – they are expensive, invasive, abusive and most of all ineffective.</p>
<p>You should expect more security problems like Heartbleed in the future. Your average software developer, like your average person, does not really understand security. Smooth-talking salespeople con them into buying ineffective security systems and government agencies intentionally undermine security tools and treat privacy as the enemy. </p>
<p>For all the anxiety it has caused, Heartbleed has also spawned a public conversation about online security, encryption and how security systems are designed and tested. It reminds us that even the best system designers and security experts are human beings who make mistakes just like the rest of us. Next time you make a mistake, perhaps you can take solace in the fact that as bad as it is, you probably haven’t compromised half the internet for two years. </p>
<p class="fine-print"><em><span>Paul Ralph does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Paul Ralph, Lecturer in Information Systems, Lancaster University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>How the Heartbleed bug reveals a flaw in online security</strong> (published 2014-04-11)</p>
<figure><img src="https://images.theconversation.com/files/46184/original/kdcrqcyp-1397189103.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Does Heartbleed expose flaws in the way some security-critical software is developed?</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/kaleenxian/2912692337">Flickr/Kaleenxian</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span></figcaption></figure><p>The <a href="http://www.abc.net.au/news/2014-04-10/heartbleed-bug-password-reset-data-openssl/5379604">Heartbleed bug</a> that’s potentially exposed the personal and financial data of <a href="http://www.news.com.au/technology/heartbleed-bug-in-openssl-renders-internet-insecure/story-e6frfrnr-1226878634218">millions of people</a> stored online has also exposed a hole in the way some security software is developed and used.</p>
<p>The bug is in an extremely widespread piece of software called <a href="https://www.openssl.org/">OpenSSL</a>. OpenSSL allows programmers to write systems that send sensitive data such as financial or medical information over the internet, with confidence that anybody “listening in” will only get indecipherable gibberish.</p>
<p>It also provides a way to prove that a message came from a particular organisation’s computer, so that you can be confident you’re sending your credit card details to Amazon or Apple rather than a criminal.</p>
<h2>How was OpenSSL developed?</h2>
<p>OpenSSL is not the only tool that provides these facilities, but it is by far the most common, due to its free availability and long history.</p>
<p>OpenSSL dates from the late 1990s, and like many other crucial pieces of internet software, is developed by a loosely-organised global bunch of hobbyists, students and volunteers.</p>
<p>It is made available as <a href="https://theconversation.com/topics/open-source">open source</a> software for anyone to use for free on very liberal terms. Most of the world’s internet servers – and every Android smartphone – use a great deal of software developed in this manner, though many such developer teams include paid professionals from companies who use the software.</p>
<h2>The Heartbleed bug</h2>
<p>On New Year’s Eve 2011, German researcher and OpenSSL contributor Robin Seggelmann added <a href="https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3">code</a> implementing a new feature called “heartbeats”.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=727&fit=crop&dpr=1 600w, https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=727&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=727&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=913&fit=crop&dpr=1 754w, https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=913&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/46188/original/q32grzh4-1397189479.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=913&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Heartbleed needed a bugfix.</span>
</figcaption>
</figure>
<p>The <a href="https://tools.ietf.org/html/rfc6520">idea</a> was straightforward: if a connection between two computers stays silent for too long, it is disconnected, so periodic “heartbeat” messages can keep the connection going.</p>
<p>As well as a simple “I’m here”, messages contain an arbitrary “payload” which is sent back and forth, a little like this:</p>
<p><strong>Computer 1</strong>: “Hi, I’m still here, the payload is 5 characters long and is ‘12345’.”</p>
<p><strong>Computer 2:</strong> “Hi, great, you’re still there, and your payload was 5 characters long and was ‘12345’.”</p>
<p>Unfortunately, Seggelmann’s code didn’t check that the payload was of the indicated length, so a malicious request could request more data than was in the payload:</p>
<p><strong>Computer 1:</strong> “Hi, I’m still here, the payload is 50,000 characters long and is ‘12345’.”</p>
<p>Computer 2 would then send back a message with a payload of the requested length, the first characters of which would be the 12345 sent. The rest would be whatever happened to be in the computer’s memory next to the payload.</p>
<p>The exact contents sent back varied between systems and over time. But as well as information such as user passwords or private data, it could contain something called the private master key.</p>
<p>With access to this key, an “attacker” can electronically impersonate the organisation who rightfully owns the key, and unscramble all the private messages sent to that organisation – including old ones, if they’ve kept the previously unreadable scrambled versions.</p>
<p>Criminals could, for instance, steal the key of a major bank and then electronically impersonate it. It’s a potential field day for spies, too.</p>
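<p>The missing length check described above, shown as an added example that is not part of the original article or of OpenSSL’s own code: a toy C heartbeat handler in its unchecked form beside a checked form. The check mirrors the shape of the published fix (claimed payload length plus the mandatory minimum padding must fit within the bytes actually received); the “memory” contents, the <code>SECRET-KEY-MATERIAL</code> marker and all function names are constructed for the demonstration, and the over-read is confined to the demo’s own array so the program itself stays well defined.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian payload_length,
 * the payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16

/* Constructed stand-in for a slice of server memory (not a real capture): an
 * honest 24-byte heartbeat record (3 header bytes + "12345" + 16 padding
 * bytes) followed by unrelated bytes that merely happen to sit next to it. */
static const uint8_t MEMORY[] =
    "\x01\x00\x05" "12345" "PPPPPPPPPPPPPPPP"
    "----SECRET-KEY-MATERIAL----";
#define RECORD_LEN 24

/* Vulnerable pattern: the echoed length is taken from inside the message and
 * never compared with how many bytes actually arrived (rec_len). */
static int build_response_unchecked(const uint8_t *rec, size_t rec_len,
                                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len); /* reads past the record when payload_len is inflated */
    return (int)(3 + payload_len);
}

/* Fixed pattern, same shape as the OpenSSL fix: the claimed payload plus the
 * mandatory padding must fit inside the bytes actually received. */
static int build_response_checked(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_MIN_PAD > rec_len)
        return -1;                       /* silently discard, as the fix does */
    if (3 + payload_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return (int)(3 + payload_len);
}

/* Naive byte-string search (the data may contain NUL bytes, so no strstr). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Copies the constructed memory, rewrites the record's length field to
 * `claimed` and hands the 24-byte record to `handler`. Returns the handler's
 * result; *leaked is set when the response carries the neighbouring marker.
 * `claimed` must stay below sizeof MEMORY - 3 so the demo's over-read remains
 * inside our own array instead of invoking undefined behaviour. */
static int run_heartbeat(hb_handler handler, size_t claimed, int *leaked)
{
    uint8_t mem[sizeof MEMORY];
    uint8_t out[128];
    memcpy(mem, MEMORY, sizeof MEMORY);
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    int n = handler(mem, RECORD_LEN, out, sizeof out);
    *leaked = n > 0 && contains(out, (size_t)n, "SECRET-KEY-MATERIAL");
    return n;
}

int unchecked_demo(size_t claimed, int *leaked)
{ return run_heartbeat(build_response_unchecked, claimed, leaked); }

int checked_demo(size_t claimed, int *leaked)
{ return run_heartbeat(build_response_checked, claimed, leaked); }

int main(void)
{
    int leaked;
    int n = unchecked_demo(48, &leaked);
    printf("unchecked: %d response bytes, marker leaked: %s\n", n, leaked ? "yes" : "no");
    n = checked_demo(48, &leaked);
    printf("checked:   %d (oversized request discarded)\n", n);
    n = checked_demo(5, &leaked);
    printf("checked:   %d response bytes for an honest 5-byte payload\n", n);
    return 0;
}
```

<p>Compiled with any C99 compiler, the unchecked handler answers a request whose length field claims 48 bytes with 51 bytes that include the neighbouring marker, while the checked handler discards the same request and still answers the honest 5-byte one with an 8-byte response. The check is cheap; what Heartbleed shows is the cost of its absence.</p>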
<h2>Discovery and consequences</h2>
<p>The buggy code was incorporated into a June 2012 release of OpenSSL that was widely adopted, and there it stayed until discovered virtually simultaneously by Google’s security team, and <a href="http://www.codenomicon.com/">Codenomicon</a>, an internet security company.</p>
<p>Before <a href="http://heartbleed.com/">informing the public</a>, they informed the OpenSSL developers, who fixed the bug by adding the missing checks.</p>
<p>At this moment, there is no evidence that anybody has maliciously exploited the bug, but system administrators have acted both to prevent exploitation and to reduce the consequences if it has already been exploited.</p>
<p>The fix is simple. The task of getting it deployed to the millions of systems using OpenSSL is not.</p>
<p>System administrators across the world have been furiously installing the fix on millions of computers. They’re also scrambling to generate new master keys.</p>
<p>For most end users, the biggest nuisance will come when administrators request <a href="https://theconversation.com/explainer-should-you-change-your-password-after-heartbleed-25506">password changes</a>.</p>
<p>Most users have multiple internet accounts; many of these will be affected by the Heartbleed bug and their administrators will request their users to change passwords in case they have been stolen.</p>
<p>In addition, many embedded computers in devices such as home network routers may be vulnerable, and updating these is a time-consuming manual task.</p>
<p>Even if there hasn’t been any malicious exploitation of the bug, the costs of people’s time will likely run into the hundreds of millions of dollars.</p>
<h2>A tiny mistake but a major headache</h2>
<p>Contrary to a variety of conspiracy theories, the simplest and most likely explanation for the bug is an accidental mistake. Seggelmann denies doing anything <a href="http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html">deliberately wrong</a>.</p>
<p>Mistakes of the type that caused Heartbleed have led to security problems since the 1970s. OpenSSL is written in a programming language called <a href="http://www.howstuffworks.com/c.htm">C</a>, which also dates from the early 1970s. C is renowned for its speed and flexibility, but the trade-off is that it places all responsibility on programmers to avoid making precisely this kind of mistake.</p>
<p>There are currently two broad streams of thought in the technical community about how to reduce the likelihood of such mistakes:</p>
<ol>
<li><p>use <a href="http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html">technical measures</a>, such as alternative programming languages, that make this type of error less likely</p></li>
<li><p>tighten up the process for making changes to OpenSSL, so that they are subject to much more extensive expert scrutiny before incorporation.</p></li>
</ol>
<h2>Dealing with risk</h2>
<p>My view is that while both of these points have merit, underlying both is that the Heartbleed bug represents a massive failure of risk analysis.</p>
<p>It’s hard to be too critical of those who volunteer to build such a useful tool, but OpenSSL’s design prioritises performance over security, which probably no longer makes sense.</p>
<p>But the bigger failure in risk analysis lies with the organisations who use OpenSSL and other software like it. The development team, language choices and development process of the OpenSSL project are laid bare, in public, for anyone who cares to find out.</p>
<p>The consequences of a serious security flaw in the project are equally obvious. But a huge array of businesses, including very large IT businesses that depend on OpenSSL and have the resources to act, did not take any steps in advance to mitigate the losses.</p>
<p>They could have chosen to fund a replacement using more secure technologies, and they could have chosen to fund better auditing and testing of OpenSSL so that bugs such as this are caught before deployment.</p>
<p>They didn’t do either, so they – and now we – wear the consequences, which likely far exceed the costs of mitigation.</p>
<p>And while you shake your head at the IT geeks, I leave you with a question – how are you identifying and managing the risks that your own organisation faces?</p>
<p class="fine-print"><em><span>Robert Merkel has received funding from the Australian Research Council.</span></em></p>
<p>Robert Merkel, Lecturer in Software Engineering, Monash University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>Don’t panic about Heartbleed but have a spring clean anyway</strong> (published 2014-04-10)</p>
<figure><img src="https://images.theconversation.com/files/46125/original/s57w9hb8-1397135208.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Take a duster to your password collection. It's as good a time as any.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/rbainfo/7010382747/in/photolist-bFu3y4-ixm4T-kCCbJ-55X48y">Karen Blakeman</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span></figcaption></figure><p>The web is full of scare stories about the Heartbleed security vulnerability but panicking won’t help. Better to use this situation as an opportunity to clean up our acts. Few of us do it but we should all be in the habit of changing our passwords regularly.</p>
<p>Heartbleed is a bug in particular versions of a piece of software called OpenSSL (the 1.0.1 series up to 1.0.1f; version 1.0.1g, released on 7 April 2014, fixes it). It enables anyone who can connect to an affected server to read chunks of that server’s memory, up to 64KB per request, straight through a connection that is supposed to be secure. This is not a theoretical weakness: working exploit code was circulating publicly within a day of the announcement.</p>
<p>It has attracted attention more because of the scale of the problem than anything else. Initial figures suggest 500,000 websites could potentially be vulnerable, many of which are <a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/">household names</a>. SSL (and its successor, TLS) define the handshake by which two computers agree how they will communicate securely. There are many implementations of SSL/TLS, but OpenSSL is one of the most widely deployed, so a bug in it affects a large share of the web at once.</p>
<p>Its popularity is, in part, due to the fact that it is an <a href="https://theconversation.com/open-source-ditching-patents-and-copyright-for-the-greater-good-5302">open source initiative</a>, which means that it is maintained by a group of like-minded experts who make the underlying code (the source code) open for scrutiny. Many in the security world think this an excellent idea because, in principle, anyone can spot security flaws. In practice, open code only helps if someone with the right expertise actually reviews it, and a vulnerability buried in an extremely complex codebase can be overlooked for years, as this one was.</p>
<p>The good news about Heartbleed is that once the problem was found, it was quickly made public via channels that are specifically set up to alert the security community, such as the recently launched <a href="http://www.ukcert.org.uk/">UK CERT</a>. The bad news is that the flaw was introduced in OpenSSL 1.0.1, released in March 2012, so it had been shipping in production software for roughly two years.</p>
<p>The fact that it went unnoticed by the defenders for so long is not, in itself, the problem. The problem is that we don’t know whether criminals were aware of the vulnerability before the good guys, and whether they were exploiting it. Because the heartbeat is handled inside the encryption layer before any request reaches the website’s own software, an attack leaves nothing in ordinary web server logs, so it will take some time to determine whether any damage has actually been done, and we may never know. All we know for certain is that the vulnerability exists and that it can be exploited to grab sensitive information such as passwords. But there is already a fix, which any reputable website operator should be applying if they haven’t done so already.</p>
<p>So, why the advice from many, including me, to change your passwords? It’s not that people are suggesting there is cause for panic. This is a serious security flaw but it may have been caught in time. But in the absence of evidence, it would seem that prudent caution is a sensible approach. Since changing passwords is a simple thing to do and it’s good to regularly change them anyway, you might as well take this as a timely reminder to have a spring clean.</p>
<p>Of course, if someone is exploiting this vulnerability on a site you use then it makes no sense to change your password until the site has been upgraded to a version of OpenSSL that is no longer vulnerable: a new password sent to a still-vulnerable server can be stolen just like the old one. Patching alone is not the end of it either. The leaked memory could include the server’s private key, so a thorough operator will also replace its certificate and key and invalidate existing sessions; otherwise an attacker who already holds the key can keep impersonating the site. This is a tricky conundrum, as the majority of users will not really know how to find out whether the sites they deal with were affected, let alone whether they have completed all the necessary clean-up.</p>
<p>The best you can really do is give them a reasonable amount of time to bring in a fix for Heartbleed and then update your passwords. And of course, if you don’t know if the site was affected at all then it seems prudent to assume it was and change your password anyway.</p>
<p>It is for that reason that the blanket advice has been to revisit all of your passwords. If you have the technical savvy to be able to pick your way through the sites and determine which you really need to change then I applaud you but I suspect you probably haven’t and, in the world of online security, it is always better to be safe than sorry.</p>
<p>With any event like this, sites immediately spring up saying they can test if a website you use is vulnerable. I would exercise caution with such online checkers as there is some evidence that their results are not always accurate. Plus of course there are scammers who just love to put up sites that claim to be helping in such a situation but then ask you to supply the very sensitive information that you may be worried has been compromised.</p>
<p>Online security is an area where panic and knee-jerk reactions can sometimes do more harm than good. But if there is any doubt about whether sensitive information has been compromised, even if that doubt is simply not knowing, it is sensible to assume the worst and change your password.</p>
<p><em>The Conversation operated on a system that used OpenSSL but fixed the vulnerability at midnight on Tuesday 8 April. As a precaution, we’d recommend users change their passwords.</em></p>
<p class="fine-print"><em><span>Alan Woodward does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="fine-print">Alan Woodward, Visiting Professor, University of Surrey. Licensed as Creative Commons – attribution, no derivatives.</p>
Explainer: should you change your password after Heartbleed? (The Conversation, 2014-04-10)
<figure><img src="https://images.theconversation.com/files/46119/original/shfj39bh-1397129626.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Don't break your heart over this issue but stay secure.</span> <span class="attribution"><a class="source" href="http://commons.wikimedia.org/wiki/File:Padlocks_sign_nseoultower.jpg">Optx</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>If you’re struggling to understand the deluge of information about the <a href="http://heartbleed.com/">Heartbleed vulnerability</a>, you’re not alone. Some reports tell us to change all our online passwords immediately, others warn us that this could do more harm than good. There is a lot of misinformation out there.</p>
<p>It is essential that you do not panic but nor should you be complacent. We all need a good old fashioned mix of common sense and prudence.</p>
<h2>What is Heartbleed?</h2>
<p>On many of the servers and internet web services we use, there is a free and open source security library called <a href="https://www.openssl.org/">OpenSSL</a>. In simple terms, when you see the padlock beside the web page <a href="http://www.webopedia.com/TERM/U/URL.html">URL</a>, your browser has an encrypted SSL/TLS connection to the site, and on the server’s side that connection is very often handled by OpenSSL.</p>
<p>To date, OpenSSL has worked incredibly well; network engineers and users like you have been more than happy with the service it has provided. But Google’s security team and the Finnish firm <a href="http://www.codenomicon.com/">Codenomicon</a> independently discovered a flaw in it, now dubbed <a href="http://heartbleed.com/">Heartbleed</a>, which was announced to the world on 7 April 2014. The bug had been present in released versions since March 2012, roughly two years.</p>
<p>In plain terms, Heartbleed is a memory-disclosure vulnerability. An attacker does not get to run commands on the server or read its database directly; instead, each malformed heartbeat message returns up to 64KB of whatever happened to be in the memory of the process handling secure connections. That can include the usernames, passwords and session cookies of people using the site at the time, which is why some experts advised holding off important transactions while the situation was being resolved.</p>
<p>Heartbleed is a major concern for businesses, many of which host thousands of transactions every hour. A cybercriminal could easily write a tool that sends the malformed heartbeat many times a second, collecting a fresh slice of memory each time until it has harvested large volumes of customer data. What comes out depends on what the server process was doing at that moment, which the attacker does not control but can sample over and over.</p>
<p>It is like having someone read your mind while you are reading this article. They will not see the entire article, but for the brief moment they look inside your head, they will see the same words you have just read.</p>
<p>Server memory is reused constantly, so the freshest data is the most likely to be caught, but memory a process has finished with is not wiped, and fragments of earlier requests can linger until they are overwritten. More seriously, one thing that stays in that process for as long as it runs is the server’s private key. Researchers demonstrated within days of the disclosure that Heartbleed could be used to extract it, which is why a proper clean-up involves new certificates and keys as well as the software patch.</p>
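The heartbeat handling described in the two articles above (the “chunks of data” in one, the “server memory vulnerability” in the other), as an added example that is not code from either article or from OpenSSL itself: a self-contained C model of the RFC 6520 heartbeat message, with a responder that ignores the record length (the behaviour of OpenSSL 1.0.1 to 1.0.1f) beside one that performs the bounds check added in 1.0.1g. The arena, the probe record and the “secret” string placed near it are constructed for the example, and the function names are this example’s own, not OpenSSL’s (whose routine is <code>tls1_process_heartbeat</code>).

```c
/* Added example, not code from the articles or from OpenSSL: a model of TLS
 * Heartbeat (RFC 6520) handling as in OpenSSL 1.0.1-1.0.1f and as fixed in
 * 1.0.1g. Layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * The peer echoes the payload; the bug was trusting payload_length. */
#include <string.h>
#include <stddef.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  512

/* Toy "heap" (constructed): record parsed at the front, unrelated data nearby. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "Cookie: session=7f3a91c0; password=hunter2";

static void write_header(unsigned char *buf, unsigned char type, size_t len)
{
    buf[0] = type;
    buf[1] = (unsigned char)(len >> 8);
    buf[2] = (unsigned char)(len & 0xff);
}

/* Honest clients use declared_len == actual_len; a probe declares far more. */
size_t build_heartbeat(unsigned char *buf, size_t declared_len,
                       const unsigned char *payload, size_t actual_len)
{
    write_header(buf, HB_REQUEST, declared_len);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;     /* the real record length */
}

/* Echo logic shared by both responders: copies payload_len bytes after the header. */
static size_t echo(const unsigned char *rec, size_t payload_len,
                   unsigned char *resp, size_t resp_cap)
{
    size_t out = 1 + 2 + payload_len + HB_PADDING;
    if (rec[0] != HB_REQUEST || out > resp_cap) return 0;
    write_header(resp, HB_RESPONSE, payload_len);
    memcpy(resp + 3, rec + 3, payload_len);     /* over-reads when payload_len lies */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return out;
}

/* Vulnerable responder: rec_len is never compared with the declared length,
 * so a short record yields up to 64 KB of whatever memory follows it. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                              /* ignoring this IS the bug */
    return echo(rec, ((size_t)rec[1] << 8) | rec[2], resp, resp_cap);
}

/* Fixed responder: the checks OpenSSL 1.0.1g added. RFC 6520 section 4 says an
 * oversized payload_length must be discarded silently, hence 0, not an alert. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;            /* header + min padding */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0; /* the missing check */
    return echo(rec, payload_len, resp, resp_cap);
}

/* Stage a probe: declares 256 payload bytes, sends 4; secret sits 64 bytes in. */
static size_t stage_probe(void)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena + 64, secret, sizeof secret);
    return build_heartbeat(arena, 256, (const unsigned char *)"ping", 4);
}

/* 1 if the vulnerable responder's reply to the probe carries the secret. */
int probe_leaks_secret(void)
{
    unsigned char resp[ARENA_SIZE];
    const char *nd = "password=hunter2";
    size_t n = heartbeat_vulnerable(arena, stage_probe(), resp, sizeof resp);
    for (size_t m = strlen(nd), i = 0; i + m <= n; i++)
        if (memcmp(resp + i, nd, m) == 0) return 1;
    return 0;
}

/* Reply length from the fixed responder for the same probe: 0 (discarded). */
size_t probe_fixed_reply_len(void)
{
    unsigned char resp[ARENA_SIZE];
    return heartbeat_fixed(arena, stage_probe(), resp, sizeof resp);
}

/* Reply length from the fixed responder for an honest 4-byte heartbeat:
 * 1 + 2 + 4 + 16 = 23, so well-behaved peers are still answered. */
size_t honest_reply_len(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t n = build_heartbeat(arena, 4, (const unsigned char *)"ping", 4);
    return heartbeat_fixed(arena, n, resp, sizeof resp);
}
```

A real probe is this same record sent inside a TLS connection after the handshake, which is essentially all the public checker scripts did; the 64KB ceiling comes from the 16-bit length field. Note that the fixed path returns nothing rather than an error, so a checker cannot tell a patched server from one that never supported heartbeats by the reply alone; it has to wait for the request to time out.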
<h2>What do you need to do?</h2>
<p>For a start, don’t panic. Some are advising you should <a href="http://www.bbc.co.uk/news/technology-26954540">change all your passwords</a> but unless you know the website you are accessing uses OpenSSL, you could be creating more problems for yourself by changing your settings.</p>
<p>This is in part because you could change the password on a server that has not been <a href="http://pcsupport.about.com/od/termsp/g/patch-fix.htm">patched</a> and therefore still have an issue while it remains vulnerable. If a website is still vulnerable, your new password will still be vulnerable too.</p>
<p>Do check with the websites you use. Most sites are announcing if they have made any changes or have recognised a problem. <a href="https://ifttt.com/">IFTTT</a>, the popular social media mash up service, has already emailed its entire user base, informing them that the services they offer have been secured.</p>
<p>If you are technically inclined and would like to see for yourself, you can use many different Heartbleed <a href="http://filippo.io/Heartbleed/">checking sites</a> that check if the service you use is vulnerable. There are sites that are now listing <a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/">vulnerable web sites</a>. This is good news in some respects but it also means that the sites that are vulnerable have also been announced to potential cybercriminals. If your site is on these lists, read the advice with care, as some are saying they do not believe they have any issues.</p>
<p>If you are still unsure, change the password, but use one that you will remember so that you don’t need a prompt from the site. It should also be a password that you are willing to change in a few days’ time. But remember, you will be surprised at how many sites you use, accounts you have and passwords you may have forgotten. If you’ve forgotten the password, stay away for now.</p>
<h2>What are the professionals doing?</h2>
<p>Many services are already fixed. Networking professionals are not complacent and are very security focused. Issues such as these are rare but do make for big news stories. Many may have removed the issue before it even became news.</p>
<p>Some web services will announce if they have patched and are safe, but you needn’t necessarily worry if your favourite website doesn’t issue an announcement. It may never have been vulnerable: the older OpenSSL branches (0.9.8 and 1.0.0) did not contain the bug, and sites running on other SSL/TLS implementations, such as Microsoft’s web servers, were not affected at all.</p>
<h2>Will there be other issues?</h2>
<p>Inevitably, some sites will never be patched, because they are not primary commercial services that anyone is actively “looking after”. And there is always the potential for further issues to be found in OpenSSL or in other security software. <a href="https://www.acunetix.com/websitesecurity/sql-injection/">SQL injection</a>, for example, has been publicly documented since 1998, yet we still find servers that allow it.</p>
<p>All in all, your best course of action is to find out which websites in your digital life run on OpenSSL. The biggest sites will communicate with you, if and when they need to.</p>
<p><em>The Conversation operated on a system that used OpenSSL but fixed the vulnerability at midnight on Tuesday 8 April. As a precaution, we’d recommend users change their passwords.</em></p>
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="fine-print">Andrew Smith, Lecturer in Networking, The Open University. Licensed as Creative Commons – attribution, no derivatives.</p>