© Turkuvaz Haberleşme ve Yayıncılık 2023
Major Internet vulnerability

by Çetin Kaya Koç

Apr 12, 2014 - 12:00 am GMT+3
On April 6, a Google security engineer named Neel Mehta, well-known for his ability to discover flaws and vulnerabilities in security software packages, reported that OpenSSL, one of the most commonly deployed software packages in the world, if not the most, has a flaw. The flaw may allow an attacker to learn the passwords and keys used in the system, and it affects just about anything a typical consumer does: setting up and using a home wireless hub, connecting to an Internet banking website, or logging in to email, storage and social media accounts.

This sounds very serious, and I assure you it is. The security blogger Bruce Schneier said it very succinctly: On a scale from one to 10 in importance, this is an 11.

Now that I have your attention, let me give you the specifics. I will also explain what you need to do, or can do, as a typical Internet user. OpenSSL is a software package. It implements a protocol named secure sockets layer (SSL) that allows two computers to create an encrypted tunnel between them in order to exchange data securely, away from prying eyes. Not every secure connection uses SSL, and not even every SSL connection uses OpenSSL. There are other SSL implementations, such as GnuTLS, MatrixSSL, PolarSSL and SChannel. Some of these packages are open source, while others are commercial or proprietary.

OpenSSL is probably the most widely used software package in the world. I would guess that about half of Internet-connected devices run OpenSSL.

The project started in 1998 and is managed by a group of software developers, now located in the United Kingdom and Germany.

Being an open-source project, their principal support is through donations and their efforts are volunteer-driven.

The software is free. Anyone, any company can obtain a copy and install it on a computer, router or device. That is one reason it is so popular.

The security researchers who found the flaw in the OpenSSL package named it "the Heartbleed bug." It works like this: another computer running OpenSSL connects to your computer and tricks it into sending back some blocks of its memory. Unfortunately, those memory blocks will contain sensitive data, particularly encryption keys and passwords. The OpenSSL team fixed the software and published the new version within the same day. Does this mean the problem is over? Far from it.
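As an added illustration (not part of the column, and a simplified model rather than OpenSSL's real code), the C snippet below shows the kind of missing length check behind the bug described above, beside its fix: the handler must verify that the payload length the peer claims actually fits inside the record it received. The record layout follows the TLS heartbeat format (type byte, two-byte length, payload, padding); the "memory image" and the secret placed after the record are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520), constructed for this example:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The two handlers below are illustrative, not OpenSSL's actual code. */
#define PADDING 16
#define MEM_SIZE 128

/* Vulnerable: trusts the peer-supplied payload_length and echoes that many bytes,
 * so a length larger than the real payload copies whatever follows the record in memory. */
static int heartbeat_vulnerable(const uint8_t *mem, size_t record_len, uint8_t *out) {
    (void)record_len;                          /* the real record length is never consulted */
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    memcpy(out, mem + 3, claimed);             /* over-read: copies bytes beyond the record */
    return claimed;
}

/* Fixed: the record must be large enough to hold the claimed payload plus the minimum
 * padding; otherwise the message is silently discarded and nothing is echoed. */
static int heartbeat_fixed(const uint8_t *mem, size_t record_len, uint8_t *out) {
    if (record_len < 3) return -1;
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)1 + 2 + claimed + PADDING > record_len) return -1;   /* the missing check */
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Constructed "process memory" image: a heartbeat record carrying the 4-byte payload "ping"
 * whose header claims 64 bytes, followed by unrelated sensitive data. Returns record length. */
static size_t build_memory(uint8_t *mem) {
    const uint8_t record[23] = { 0x01, 0x00, 0x40, 'p', 'i', 'n', 'g' };  /* rest = zero padding */
    memset(mem, 0, MEM_SIZE);
    memcpy(mem, record, sizeof record);
    memcpy(mem + sizeof record, "SESSION-KEY=abc123", 18);   /* constructed secret, 18 bytes */
    return sizeof record;
}

int main(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t n = build_memory(mem);
    int leaked = heartbeat_vulnerable(mem, n, out);
    printf("vulnerable handler echoed %d bytes; bytes 20..37: %.18s\n", leaked, (const char *)(out + 20));
    printf("fixed handler result: %d (-1 = discarded)\n", heartbeat_fixed(mem, n, out));
    return 0;
}
```

The vulnerable handler returns 64 bytes, 18 of which are the constructed secret lying past the 23-byte record, while the fixed handler discards the same message and only echoes a payload whose claimed length fits.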

There are thousands, if not millions, of computers that need to update their OpenSSL software. This will be a slow process. I am guessing all major banks, e-commerce, social media, email and cloud storage servers updated their OpenSSL software in the last 72 hours.

Unfortunately, they are not the only ones that need updating. Yesterday, Cisco and Juniper, two of the major networking equipment makers in the world, announced that the flaw affects many types of networking equipment as well. Large routers that connect Internet hubs, home routers and the VPN equipment that connects company offices are all affected.

OpenSSL is used in far too many places and types of equipment, including phones. Furthermore, collaboration software is also vulnerable. The list is growing fast.

What can you do as a consumer? Rush to change your password? Unfortunately, this is not going to help. Your software or firmware needs updating, and this is not something a user is generally capable of doing. If you change your password while your software still has the Heartbleed bug, an attacker targeting you will learn your new password, too.

There is a funny t-shirt I sometimes see people wearing that reads, "I am a bomb disposal technician. If you see me running, try to keep up." This is how many security researchers feel now: just hope someone is not targeting you. The seriousness of this flaw cannot be overstated.

If your bank or email server provider updated its OpenSSL software, you are okay. It is very likely they did. This is especially true for U.S.- and Europe-based operations.

However, for other equipment where automatic software updates are either unavailable or impractical, there seems to be only one solution: throw away the equipment, go to the computer store, get a new one and make sure it has the newest, bug-fixed OpenSSL version. This will take months, if not years, to weed out.

There is an important lesson here: OpenSSL is poorly funded and staffed. Software with this kind of major security role in the world needs better funding. I am still of the opinion that the open-source model is the best. I trust it more: I can see and analyze the code, and if there is a bug, the Internet community acts quickly to fix it. However, I believe OpenSSL needs to be rewritten, as it is too old and too complicated.
Last Update: May 09, 2014 11:01 pm