Saturday, April 12, 2014

OpenSSL “Heartbleed” vulnerability highly likely to impact smartphone users

If you spend any amount of time on the internet, you have very likely heard about a flaw in OpenSSL, the open-source library that provides the encrypted (SSL/TLS) layer for a large share of the internet's servers. The bug, tracked as CVE-2014-0160 and nicknamed "Heartbleed," lets anyone who can connect to a vulnerable server read chunks of that server's memory, which can include private keys, session cookies, usernames, and passwords. In practice that renders the secure layer of an affected site moot.

A number of web-sites have been quietly patching their servers, while others have noted that the flaw does not affect their services. The good news is that many enterprise-level services, along with Apple, BlackBerry, and Microsoft, have said their own platforms are not affected by Heartbleed.

The bad news is that services like Yahoo! and tech sites like Ars Technica were affected by it. Both have since patched their sites, so if you have not already, now is a good time to change your password for any services you use there. If you have not been following the story closely, you should know that a fix exists (OpenSSL 1.0.1g, released April 7) and is being rolled out, but no one is sugar-coating this development: Heartbleed is catastrophic.

Even Google was touched by it. Android shipped a vulnerable version of OpenSSL, but the "heartbeat" extension was disabled in every release except Android 4.1.1, so only devices still on that version are exposed. What about the rest of the mobile landscape? How deep might the impact be? As mobile users we have a lot to be concerned about, and we need to be diligent, because the fix is entirely out of our hands.

What we know
Here is what we know: anyone who has ever downloaded an app from the App Store, Google Play, Windows Store, et al. is potentially at risk. If any app you use talks to a server over SSL/TLS to store or sync data, and that server ran a vulnerable OpenSSL, the hole has been open since the bug was introduced in OpenSSL 1.0.1 in March 2012, roughly two years.


What we don't know
What we do not know is which applications' servers were actually attacked and whether any data was stolen as a result. That data could be usernames and passwords, bank account details, or even VoIP calls placed through a messaging app. Heartbleed was a "sky's the limit" hole: a single malformed heartbeat request, a few lines of script, makes the server answer with up to 64 KB of whatever happens to be in its memory at that moment, the request can be repeated indefinitely, and nothing about it shows up in ordinary logs.
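The mechanism described above, as an added example that is not part of the original post and is not OpenSSL's own code: a simplified C model of the vulnerable heartbeat handler beside the fixed one. The `memory` buffer standing in for the server's heap, the record layout, and the planted `SECRET` string are constructed for the example; the length check in `fixed_heartbeat` is the same test the real fix added.

```c
/* Simplified model of CVE-2014-0160 ("Heartbleed"). This is an added
 * illustration, not OpenSSL's source: the record layout, the memory[]
 * buffer and SECRET are constructed for the example.
 *
 * A TLS heartbeat message is [type:1][payload_length:2][payload][padding:16].
 * The vulnerable handler trusted payload_length and copied that many bytes
 * from the incoming record into its reply, so a request that carried one
 * real byte but claimed 65535 echoed back whatever sat after the record in
 * process memory (up to 64 KB per request). The fix checks the claimed
 * length against the length of the record that actually arrived. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for the server's process memory. The received record
 * occupies the start; a "secret" that was never part of any record sits a
 * little after it, the way keys, cookies or credentials might on a real heap. */
#define MEM_SIZE 512
static unsigned char memory[MEM_SIZE];
static const char SECRET[] = "session_cookie=deadbeef";

/* Write a heartbeat request into memory whose length field claims
 * claimed_len bytes but whose real payload is the single byte 'A'.
 * Returns the true length of the record as received from the network. */
size_t build_request(uint16_t claimed_len) {
    size_t record_len = 1 + 2 + 1 + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memory[3] = 'A';
    memcpy(memory + record_len + 8, SECRET, sizeof SECRET); /* adjacent heap data */
    return record_len;
}

/* Vulnerable handler (mirrors the pre-1.0.1g logic): record_len is never
 * consulted, so the copy length comes entirely from the attacker. The clamp
 * to MEM_SIZE exists only so this model reads simulated memory instead of
 * crashing; real OpenSSL read straight off the end of the record. */
size_t vulnerable_heartbeat(size_t record_len, unsigned char *resp, size_t resp_cap) {
    const unsigned char *p = memory;
    unsigned char type;
    uint16_t payload;
    size_t n;

    (void)record_len;                             /* the bug: never checked */
    if (resp_cap < 3 + HB_PADDING) return 0;
    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);     /* attacker-controlled */
    p += 2;
    if (type != TLS1_HB_REQUEST) return 0;

    n = payload;
    if (n > resp_cap - 3 - HB_PADDING) n = resp_cap - 3 - HB_PADDING;
    if (n > MEM_SIZE - 3) n = MEM_SIZE - 3;       /* model-only clamp */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, n);                       /* over-read past the real payload */
    memset(resp + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Fixed handler: same parsing, but the claimed length must fit inside the
 * record that was actually received, otherwise the message is discarded. */
size_t fixed_heartbeat(size_t record_len, unsigned char *resp, size_t resp_cap) {
    const unsigned char *p = memory;
    unsigned char type;
    uint16_t payload;

    if (record_len < 1 + 2 + HB_PADDING) return 0;  /* too short to be valid */
    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0; /* the fix */
    if (type != TLS1_HB_REQUEST) return 0;
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return 0;

    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);                  /* bounded by record_len now */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the reply contain the secret that was never part of the request? */
int response_leaks_secret(const unsigned char *resp, size_t len) {
    size_t slen = strlen(SECRET);
    size_t i;
    if (len < slen) return 0;
    for (i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char resp[1024];
    size_t record_len = build_request(65535);   /* 1 real byte, claims 65535 */
    size_t n;

    n = vulnerable_heartbeat(record_len, resp, sizeof resp);
    printf("vulnerable: %zu-byte request -> %zu-byte reply, secret leaked: %s\n",
           record_len, n, response_leaks_secret(resp, n) ? "yes" : "no");
    n = fixed_heartbeat(record_len, resp, sizeof resp);
    printf("fixed:      %zu-byte request -> %zu-byte reply (0 = dropped)\n",
           record_len, n);
    return 0;
}
```

The point to take from the two handlers is how small the difference is: one comparison of an attacker-supplied length against the real record length. Everything else, including the reply's length field, is identical, which is also why a vulnerable server's reply looks like an ordinary heartbeat and leaves nothing unusual in its logs.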

What is also completely unknown is how big this issue will end up being in the mobile space. There are far more mobile users than traditional computer users, and little to no information is being disseminated that brings the necessary "consumer" awareness to the issue. Heartbleed is not an OS issue, or even a browser issue; it is a bug in OpenSSL's implementation of the TLS heartbeat extension, and OpenSSL sits underneath how just about everyone conducts business on the internet.

The impact
TrendMicro scanned nearly 400,000 apps in Google Play. About 7,000 apps, including 15 banking apps, 39 online payment apps, and 10 online shopping apps, were connecting to vulnerable servers. Sure, you could say that is less than 2%, but what a 2% it could be. Banks like Bank of America, USAA and Citi all had to reissue their security certificates.

The worst part of all this is that there is nothing you can do to fix the problem yourself, short of not using online banking or making internet purchases. Until a service has said it has fixed the issue on its end, you might want to contact it to be sure, or hold off on using it for a while.
See the reference link below to check whether one of the sites you visit was affected by Heartbleed. For services that have fixed the vulnerability and reissued their certificates, a change of password is all it should take. Do not change it before then: a new password typed into a still-vulnerable server can be leaked just like the old one. Until then…

sources: Forbes and TrendMicro


