Publications
Partners
Cape Town - The Heartbleed bug does not represent a failure in the technology behind security, rather it indicates that there was a lack of implementation, a security expert has said.
Computer security professionals have been in panic over the bug which can be exploited to steal encrypted information such financial data.
"Heartbleed does not represent a failure in math behind the security. In fact, it was an implementation flaw in a part of code that had nothing to do with encryption," John Miller, Trustwave Security Research manager told News24.
The bug exploits a vulnerability in OpenSSL which is used to transmit encrypted data. Typically, access to a secure website is provided by typing in "https", but the bug allows hackers to steal data transmitted through secure channels.
"Heartbleed will stand as a reminder that security is hard and that even simple bugs can have wide ranging and unexpected consequences," said Miller.
Detection systems
In 2013, reports emerged that banks lost millions to an international card fraud syndicate.
The scam hit businesses that make use of the point of sales terminals and the Dexter malware as it is known, was used to gather customer information and sold to other criminals.
"Unfortunately, as much as we'd all like to see perfection, we're stuck in an imperfect world and must deal with such events when they occur. An organisation's response to these severe events can serve as a metric of their trustworthiness," Miller warned.
He said that automated system controls serve to slow a criminal attacking a network, but without a response, these controls don't provide much of a defence.
"Automated security controls serve to slow an attacker, detect and alert when an attack is occurring, and allow a system defender to respond. Without all three of those components, security controls don't end up providing all that much security."
Heartbleed attacks can slip through detection systems because the bug leaves no trace and only allows small bits of information to be compromised at a time.
"With a compromised SSL key, an attacker is able to impersonate the affected server nearly undetectably. Human behaviour comes into play when we consider how users establish trust in other systems," Miller said, adding that people could be duped into trusting a malicious system.
"For SSL, users rely on a chain of trust going from their software to a set of root certificate authorities. Any failure in that chain can result in users incorrectly trusting a malicious system."
- Follow Duncan on Twitter
Computer security professionals have been in panic over the bug which can be exploited to steal encrypted information such financial data.
"Heartbleed does not represent a failure in math behind the security. In fact, it was an implementation flaw in a part of code that had nothing to do with encryption," John Miller, Trustwave Security Research manager told News24.
The bug exploits a vulnerability in OpenSSL which is used to transmit encrypted data. Typically, access to a secure website is provided by typing in "https", but the bug allows hackers to steal data transmitted through secure channels.
"Heartbleed will stand as a reminder that security is hard and that even simple bugs can have wide ranging and unexpected consequences," said Miller.
Detection systems
In 2013, reports emerged that banks lost millions to an international card fraud syndicate.
The scam hit businesses that make use of the point of sales terminals and the Dexter malware as it is known, was used to gather customer information and sold to other criminals.
"Unfortunately, as much as we'd all like to see perfection, we're stuck in an imperfect world and must deal with such events when they occur. An organisation's response to these severe events can serve as a metric of their trustworthiness," Miller warned.
He said that automated system controls serve to slow a criminal attacking a network, but without a response, these controls don't provide much of a defence.
"Automated security controls serve to slow an attacker, detect and alert when an attack is occurring, and allow a system defender to respond. Without all three of those components, security controls don't end up providing all that much security."
Heartbleed attacks can slip through detection systems because the bug leaves no trace and only allows small bits of information to be compromised at a time.
"With a compromised SSL key, an attacker is able to impersonate the affected server nearly undetectably. Human behaviour comes into play when we consider how users establish trust in other systems," Miller said, adding that people could be duped into trusting a malicious system.
"For SSL, users rely on a chain of trust going from their software to a set of root certificate authorities. Any failure in that chain can result in users incorrectly trusting a malicious system."
- Follow Duncan on Twitter
