Need help? Chat now!

Hostwinds Blog

Search results for:

Vulnerability: Come In. The Door is Open. Featured Image

Vulnerability: Come In. The Door is Open.

by: Bryon Turcotte  /  October 13, 2014

Today's world is filled with battles, attacks, threats, and vulnerabilities. Whether you flip a page, change a channel or click a mouse, you are continually reminded that you may or may not be totally protected by that large wall of safety and security you believed would keep your castle sheltered and warmed against the throws of oncoming attackers. Yes, the battle is raging, and, if we would like to admit it or not, the data and information we covet are the primary targets. Not to be a source of negative news, but the world contains those who live to exploit our vulnerabilities and gain an advantage on our security, livelihood, and peace. The simple truth is that we should not avoid thinking about these obvious insidious threats just because they are invisible and we cannot hold them in our hands.

This being an opinion piece, these statements are obviously not meant to downplay the threats that are currently stepping over physical walls and taking human lives as you continue reading. Instead, they are here to hopefully broaden one's vision of "threat_" and compare it to how we respond to those more visible threats and categorize them as truly _life threatening. Terrorism, political violence, and contagious, deadly diseases are genuine and tangible but share the same personality traits as their distant cousins – these so-called "invisible threats" infect the cyber world. Threatening and fatal, but just at a different level. As Ebola, al-Qaeda, and ISIS militants do within their realms of disease and violent extremism, recent threats like Heartbleed and Shellshock unleash a danger to its vulnerable victims in the technological world. We should not assume that the world of technology is not filled with walls, windows, and doors like those in our physical world. This assumption and denial are the first of several symptoms of serious vulnerable thinking. We also may not realize that in this invisible world, many of our "houses_" have signs posted on their doors that read: "_Come in. The door is open."

The security exploits known as Heartbleed were first made public on April 7, 2014, as a security bug in the OpenSSL cryptography library used widely in implementing the Transport Layer Security (TLS) protocol. When the existence of Heartbleed was announced, security experts noted that it might be exploited "regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client." The bug – named by an engineer at the Finnish cybersecurity company Codenomicon – comes from "improper input validation in implementing the TLS heartbeat extension." When the bug was disclosed, it was reported by security researchers around the globe that approximately half a million web servers (that were previously believed to be secure and certified by "_trusted authorities_") were said to be open and vulnerable to attack. Thus, this unexpected security "_hole_" became very real and extremely threatening in a short time.

Codenomicon immediately launched the website to educate the public about the bug, released the "bleeding heart logo_" as a quick identifier for information and continuing news regarding the issue. This hole would easily allow attackers to enter and steal private server keys, user passwords, and internet session cookies. Security experts and technology organizations from around the globe considered Heartbleed to be a "_catastrophic_" event.  Forbes magazine wrote that the Heartbleed bug  "_is the worst vulnerability found since commercial traffic began to flow on the Internet." OpenSSL was fixed on the same day of Heartbleed's disclosure, but the words warning and caution were still hanging on the lips of the global security community. After all the concern, panic, and shots of warning ringing out through the invisible world, there was still a problem. Logically, you would think most would respond to an announcement labeled catastrophic the same as anyone would to news of a lethal virus in the water supply or armed going door to door killing innocent people. But, obviously, what is not seen is not necessarily that important or real.

Governments around the world warned the public that passwords should be changed on all the websites they use. Some organizations announced that anyone wanting true privacy and security online should "stay away from the Internet entirely for the next few days while things settle." Over one month after the public disclosure and released fix of the Heartbleed bug, researchers reported that approximately 1% of the 800,000 most popular TLS-enabled websites still were running with Heartbleed vulnerabilities. Two months following the disclosure, reports indicated that over 300,000 websites remained untouched without attempting to run the needed patches to plug the hole. Considering that all the major players in the technology world, including Google, Apple, Microsoft, and other large producers, were quick to respond to this threat, a larger slice that populates ground that many of us walk through may still be vulnerable. Do most people take the necessary precautions before walking through an environment infected with a known deadly virus? Why is this scenario much different? The reality is there is no difference. Ignorance in both cases can result in catastrophe.

In the wake of Heartbleed, another security bug known as Shellshock or Bashdoor was disclosed on September 24th, 2014. Shellshock is known as a "_family_" of security bugs that exist in the Unix Bash shell, which has been widely used for some time. Web servers use bash to launch and process specific commands. A vulnerable version would allow unauthorized access to a computer system by a hacker or let an attacker execute their own commands within the open environment. After a continual evaluation of Bash source code, researchers estimate that these vulnerabilities were alive and well inside Bash for over 20 years. Soon after the bug was disclosed and reports of the vulnerability began to surface, it was confirmed that attackers began to create botnets and launch distributed denial-of-service (DDOS) attacks and vulnerability scanning on compromised computers.

Security firms around the globe reported millions of attacks and invasions related to Shellshock. It has been compared to Heartbleed and can compromise millions of computer systems, servers, and additional related devices. Reports were released regarding attacks against Akamai Technologies, the United States Department of Defense, and Yahoo, clarifying the severity of the Shellshock bug. Numerous web site and security experts, including Incapsula and CloudFlare, reported more than 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses in a 24-hour time frame previous to their probe. It is estimated that 55% of Shellshock-related attacks originated in China and the United States. It was also reported that approximately 1.5 million attacks and probes had been tracked each day directly related to this bug.

If you understand technology today and see the value of data – the precious information created by us – which is now the very fuel that runs our lives and motivates society, you must agree that threats against this data have the damaging potential of catastrophic proportions. The math of seriousness works better if you look at this than disease, violence, and terrorism activity in today's world. For example, if Ebola were left unattended and allowed to spread and roam about freely, leaving its carriers with no outside efforts to combat its progress, the acceleration and damage would be staggering. We are witnesses to the worry, stress, and paranoia that are attached to its presence. Logically, the projected implications of an uncontrolled outbreak have launched the combative effort at historic levels. Yet, with all this effort, we still see death. We still see it spread. We still see it getting into our safe places. Why? Because vulnerabilities exist and entrances are so often willingly or stupidly left open so the threat can walk in freely. As the world's political and social climate changes and generations become lost in thoughts of an unpredictable or gloomy future, we witness the daily acts of terrorism as its wolves roam to devour and destroy.

We now wake each morning with dark events of terror and violence painted into our reality through our media outlets. Why does their growth continue even while in the midst of such powerful anti-terrorist defenses? How do they break ground so easily by capturing our fears? Again, they have learned about our vulnerabilities and how to exploit them. Do the threats that walk through the technology realm function much differently? Do they have a unique purpose, course, and result? Why should we treat security threats with less effort and vigor? Do these threats have less potential to do serious harm to us economically and socially if left to roam, attack and infect without an established system of protection in place to stop them? The evidence from recent years has shown that the general public grossly assumed that cyber threats could not bring the same level of devastation to our world as disease and extremists. Unfortunately, this mindset needs to change by learning about these threats and understanding how much damage they can bring to the visible world. Threats like Heartbleed, Shellshock, the many flavors of malicious software, and other exploits are real and very dangerous. Knowing more will only help to strengthen our defenses and protect us from disaster on a unique level.

Read previously published articles regarding Heartbleed, Shellshock, and other exploits and vulnerabilities in the Hostwinds Blog Archive.

Written by Bryon Turcotte  /  October 13, 2014