On April 7, the IT industry was rocked by the announcement that over 60 percent of the Internet, even secure SSL connections, was vulnerable to attack due to a newly disclosed weakness codenamed Heartbleed. The weakness lives in the OpenSSL cryptographic software library, which encrypts sessions between consumer devices and websites, and specifically in its handling of the TLS “heartbeat” extension, which pings keep-alive messages back and forth between the two ends of a connection. Hence the name of the bug.
This is a critical vulnerability that is already testing the contingency plans of thousands of Linux vendors, as well as hosting companies.
Why our very own Lev Lesokhin, of course.
If you were on Twitter Tuesday (or watching the market index), you no doubt saw AP’s fake tweet regarding an explosion at the White House that wounded the president, and the market and media frenzy that followed as a result. Not only was it remarkable to see the effect one rogue tweet could have on market stability (it temporarily wiped out $136B from the S&P 500), but the whole episode also underscored how fast-paced the world of business has become.
In just over 250 days, the eyes of the world will turn to London, England, for the opening of the Summer Olympic Games. Athletes from countries around the globe are deep into training regimens in preparation for the largest stage of athleticism on the planet.
But while athletes are still only in the preparatory stages for the 2012 Olympics, a much different event of “Olympic” proportions is already well underway, and these “games” will likely extend well beyond the dimming of the Olympic torch on August 12 of next year. The event is the hacking of international and government computer systems, and while entrants from the United States may be as competitive in this event as they are in most of the events of the Summer Games, it seems that a different country leads the way in the hacking event.
McAfee recently reported that over the last five years there have been 72 targeted hacks on the International Olympic Committee as well as governments and the United Nations. And in spite of their government’s insistence that they neither sponsor nor condone the practice, McAfee notes that China is by far the clear-cut leader in the race for hacking gold.
Although much of the evidence in the hacks studied by McAfee points to Beijing-based culprits, the fact remains that, much like Olympic events, every country in the world has an entry in the hacking games.
True Spirit of Sportsmanship…NOT
Regardless of their point of origin or even their targets, the hacks on the IOC, UN and other international governments prove one thing – hacking has become a truly global sport that thrives on its intended targets acting as spectators rather than active participants. To combat hacking, organizations must get involved and make wise strategic defensive plans to combat hack attacks.
Unfortunately, too many companies take a passive approach to their defense by installing a third-party security system. Historically, security systems have been fine if you want to know when someone or something has infiltrated your perimeter, but in terms of actual proactive defensive measures they are little better than France’s “Maginot Line” which failed so miserably to prevent the Germans from invading in World War II.
Every defensive force since the beginning of time has known that if you want to keep the infiltration from happening, you first need to secure your interior – or in the technology age, your application software.
The Glory of Sport and Honor of Our Teams
As shown in the MITRE and SANS Institute report on the 25 Most Dangerous Programming Flaws released earlier this year, topping the list of flaws in application software code was the one that has been behind many of the highest-profile hacks in recent memory – SQL Injection. While some of these flaws are introduced in new code, many of the vulnerabilities we see in today’s software result from issues in pre-existing code – flaws that have lain dormant for generations of application software, only to be exploited as hackers become more aware of their existence.
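To make the flaw at the top of that list concrete, here is the same user lookup written the way it often survives in pre-existing code and the way it should be written. This is an added example, not code from the original post; the `users` table and its rows are constructed for the demonstration.

```python
"""Added example: the same lookup written two ways, so the defect the
CWE/SANS list ranks first (SQL injection) can be seen and tested.
Not code from the original post; the table and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_legacy(conn: sqlite3.Connection, name: str) -> list:
    # The pattern that lies dormant in old code: user input is concatenated
    # into the query text, so the input can change the query's structure.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds `name` as a value, never as SQL.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Row counts returned by the legacy and fixed lookups for one input."""
    conn = make_db()
    return len(find_user_legacy(conn, name)), len(find_user_fixed(conn, name))


def legacy_rejects(name: str) -> bool:
    """True if the legacy lookup cannot even handle this input (a legitimate
    name containing an apostrophe breaks the concatenated query)."""
    try:
        find_user_legacy(make_db(), name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(compare("bob"))            # (1, 1): both forms agree on a plain name
    print(compare("x' OR 'a'='a"))   # (3, 0): the legacy form returns every row
    print(legacy_rejects("O'Brien"))  # True: ordinary data breaks the legacy form
```

The fixed form answers the same questions correctly for all three inputs, which is exactly the kind of difference a structural assessment of pre-existing code is meant to surface.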
Private and public organizations can ill afford to take the time to rewrite code from scratch every time they need to create a new application, let alone when they customize one. Nevertheless, there needs to be some due diligence applied to ensure that the code upon which new software is built meets the latest standards and norms of the industry.
If organizations want to keep hackers out of their data, they need to get smarter and build an impenetrable fortress for that data – one without a vulnerable piece of application software. The only way to do that is to perform a complete assessment of the structural quality and overall health of not only newly written code, but also any pre-existing code an application is built upon, to ensure it meets current standards and keeps pace with what hackers now know.
Locating and addressing the vulnerabilities will keep organizations just a bit ahead of the hackers in the technology race and deny them the gold medal for Olympic-sized hacking.