
DUBAI, United Arab Emirates, 10 April, 2014: On the 8th of April, 2014, IT security experts uncovered a major bug in the hugely popular OpenSSL cryptographic library. OpenSSL is widely implemented across an array of devices including web servers, mobile phones and even smart TVs, and has so far been seen as essential to preventing eavesdropping of passwords, banking credentials, and other sensitive data. Nicolai Solling, Director of Technology Services at Help AG, an IT security firm dedicated to spreading awareness about cyber threats in the Middle East, says as much as 75% of the server infrastructure on the internet needs to be upgraded or patched to fix this massive flaw.

“The implications of this discovery are enormous given that the number of organizations that utilize OpenSSL is so vast. Though the vulnerability may be difficult for the common user to understand, it essentially means that their sensitive information such as login names and passwords for services such as e-banking or webmail could now be exposed to attackers as well as anyone who accesses the affected websites,” said Nicolai.

Help AG warns that a number of enterprises in the Middle East run SSL and other crypto-services based on OpenSSL. The security expert has stressed that these organizations must validate their security stance in light of the finding and if necessary, take steps to patch their services in order to mitigate the issue and protect their users.

“The race against the clock has already begun as we are already starting to see the first set of attack frameworks emerge. With each passing day, we are sure to see more cyber criminals exploiting these vulnerabilities. The responsibility of fixing this issue lies with organizations since this is a server-side vulnerability. Unfortunately, for common users, this means that there is very little they could do to protect themselves,” warned Nicolai.

The bug, which resulted from a coding error, is officially referenced as CVE-2014-0160. It allows potential attackers to retrieve unencrypted data from the OpenSSL process just by accessing the vulnerable server. This data could reveal anything from authentication credentials to, potentially, the cryptographic material identifying a website's digital certificate. If hackers manage to uncover this information, they could gain access to data which would normally have been encrypted and protected.

Commenting on the roadmap to mitigating the issues arising out of this finding, Nicolai Solling said, “IT professionals now have their work cut out for them. As a first step, they must either patch or upgrade vulnerable servers. As we uncover more information about the bug, replacement of certificates may also be required.

“This scenario has also brought to the limelight the need for stronger authentication solutions. If authentication were based on frameworks which ensured passwords are dynamic and only usable once, even if the data was leaked the attacker could not do anything with it,” concluded Nicolai.

 

Posted by : GoDubai Editorial Team
Posted on : Thursday, April 10, 2014  