Coding flaw in hugely popular OpenSSL cryptographic library can potentially expose passwords and banking credentials of millions of internet users as well as highly sensitive digital certificates of numerous websites
On the 8th of April, 2014, IT security experts uncovered a major bug in the hugely popular OpenSSL cryptographic library. OpenSSL is widely implemented across an array of devices including web servers, mobile phones and even smart TVs, and has so far been seen as essential to preventing eavesdropping on passwords, banking credentials, and other sensitive data. Nicolai Solling, Director of Technology Services at Help AG, an IT security firm dedicated to spreading awareness about cyber threats in the Middle East, says as much as 75% of the server infrastructure on the internet needs to be upgraded or patched to fix this massive flaw.
"The implications of this discovery are enormous given that the number of organizations that utilize OpenSSL is so vast. Though the vulnerability may be difficult for the common user to understand, it essentially means that their sensitive information such as login names and passwords for services such as e-banking or webmail could now be exposed to attackers as well as anyone who accesses the affected websites," said Nicolai.
Help AG warns that a number of enterprises in the Middle East run SSL and other crypto-services based on OpenSSL. The security expert has stressed that these organizations must validate their security stance in light of the finding and if necessary, take steps to patch their services in order to mitigate the issue and protect their users.
"The race against the clock has already begun as we are already starting to see the first set of attack frameworks emerge. With each passing day, we are sure to see more cyber criminals exploiting these vulnerabilities. The responsibility of fixing this issue lies with organizations since this is a server-side vulnerability. Unfortunately, for common users, this means that there is very little they could do to protect themselves," warned Nicolai.
The bug, which has resulted from a coding error, is officially referenced as CVE-2014-0160. It allows potential attackers to retrieve unencrypted data from the OpenSSL process simply by connecting to the vulnerable server. This data could reveal anything from authentication credentials to cryptographic material associated with a website's digital certificate. If attackers manage to uncover this information, they could gain access to data which would normally have been encrypted and protected.
Commenting on the roadmap to mitigating the issues arising out of this finding, Nicolai Solling said, "IT professionals now have their work cut out for them. As a first step, they must either patch or upgrade vulnerable servers. As we uncover more information about the bug, replacement of certificates may also be required.
"This scenario has also brought to the limelight the need for stronger authentication solutions. If authentication were based on frameworks which ensured passwords are dynamic and only usable once, even if the data was leaked the attacker could not do anything with it," concluded Nicolai.
About Help AG
Help AG is a leading IT security solutions, services and consultancy company, founded in Germany in 1995 and active in the Middle East since 2004. A winner of multiple reseller, partner and channel awards, the company was even recognized in 2013 as one of the Top 100 SME businesses by Dubai's Department of Economic Development (DED).
Focusing solely on the security aspects of Information Technology and maintaining an unprecedented 80% of staff in technical positions has enabled Help AG to stand out as the region's trusted advisor capable of delivering the most complex and innovative IT security solutions spanning Application Security, Network Security, Enterprise Mobile Security and Next Generation Modern Malware Protection. This unmatched technical expertise has enabled Help AG to establish a dedicated Security Analysis division offering customers Security Review, Penetration Testing, Configuration Architecture Review, Vulnerability Assessment and Social Engineering and Exploitation services.
As a key player in the security arena, the company remains dedicated to raising regional awareness about IT security threats and trends and regularly conducts informative vendor-agnostic events such as its flagship Security Spotlight Forum (SSF) and CIO Circle of Trust. More information is available at: http://www.helpag.com