HOME     MENU     SEARCH     NEWSLETTER    
NEWS & INFORMATION FOR TECHNOLOGY PURCHASERS. UPDATED 9 MINUTES AGO.
You are here: Home / Network Security / Don't Reset Passwords for Heartbleed?
Barium Ferrite (BaFe):
Higher Capacity, Superior Performance, Longer Archival Life
www.thefutureoftape.com
Resetting All Passwords Now May Be Worst Heartbleed Fix
Resetting All Passwords Now May Be Worst Heartbleed Fix
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
APRIL
12
2014


Heartbleed. It’s going to go down in history as one of the worst bugs ever. Heartbleed could give hackers access to user passwords and even trick people into using fake versions of popular Web sites.

Security engineers at Codenomicon who found the bug are reporting that the vulnerability is in the OpenSSL cryptographic software library. The weakness, they said, steals information typically protected by the SSL/TLS encryption used to secure the Internet.

But is changing all your passwords the right response? According to independent security analyst Graham Cluley, it’s not always the best move.

“The danger is that if you change your passwords before a Web site has been fixed, you might actually be exposing your credentials to greater risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL,” he wrote in a blog post. “Don’t forget -- there are an awful lot more people now testing to see how well the vulnerability can be exploited now that details are public. Sadly, mainstream media are proving to be a little guilty of parroting the advice of the likes of Tumblr.”

Back to Online Identity Basics

We caught up with Matt Willems, a labs engineer at security software firm LogRhythm, to get his take on the password issue. He told us, first of all, that Heartbleed allows attackers to see a portion of the contents of memory of the vulnerable server.

“This may be garbage or useless data, but it could be usernames and passwords of users and administrators or other sensitive data,” Willems said. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable.”

As Willems sees it, the strongest advice is to follow normal best practices for online identity information. That, he said, means changing your passwords regularly and if an online service says your information may be at risk, follow their directions.

“Service providers and anyone using OpenSSL should immediately upgrade to OpenSSL 1.0.1g. Both open source and commercial software have seen these types of vulnerabilities in the past and will continue to in the future,” Willems said. “One of the big differences is that open source software vulnerabilities tend to be discovered by a community and quickly patched while commercial software vulnerabilities are often patched behind the scenes.”

A Recipe for Disaster

We also turned to Mike Gross, global risk strategy director at IT security firm 41st Parameter, to see where he stands on the password change issue. He told us the solution is not a simple silver bullet fix or inconvenient password reset that will undoubtedly generate its own set of customer service costs and issues.

“Top global sites should be extra vigilant for an expected rush of fraud-staging activities and social engineering attempts through call centers as fraudsters take advantage of an elevated volume of password resets to fit into the 'noise of the crowd,'" Gross said. “The answer is additional layered security through a continuously refined set of 'locks' that immediately identify fraudulent access attempts, so organizations can protect their invaluable customer relationships.”

From Gross’ perspective, device intelligence coupled with a powerful risk engine is one critical component of this layered approach -- and it's already in place at several of the top global banks, e-commerce merchants, and airlines to help defend against exactly this type of widespread vulnerability.

“With the abundance of compromised data from recent breaches,” he concluded, “relying solely on usernames and passwords, accurate identity information, and basic step-up authentication to protect consumers at login or the point of transaction is a recipe for disaster without visibility into attacks across the entire online estate.”

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
Forrester study shows 187% ROI with Druva Endpoint Backup: In a commissioned study conducted by Forrester Consulting on behalf of Druva, Forrester found that the costs and benefits for a composite organization with 3,000 inSync users, based on customer interviews, are: 1) 187% return on investment, and 2) Total cost savings and benefits of $3.8 million. Click here to access the study now.
MORE IN NETWORK SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business

NETWORK SECURITY SPOTLIGHT
The FBI is pointing the finger of blame for the Sony Pictures cyberattack directly at North Korea. The hackers stole confidential data and caused the movie giant to can its new comic film, "The Interview."

ENTERPRISE HARDWARE SPOTLIGHT
Almost half of consumer, industry and life sciences manufacturers are expected to be using 3D printers within three years and now 3D printing services are aiming to help companies experiment.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.