|By David Tishgart||
|April 19, 2014 12:00 PM EDT||
While organizations spend the next few days and weeks patching OpenSSL vulnerabilities, the realization is setting in that we may never know the full extent of the damage caused by Heartbleed.
Although Heartbleed was only announced in early April, it has actually been present in OpenSSL versions dating back to March 2012. This means hackers have had ample time to steal certificates and other sensitive information. Making matters worse, it's nearly impossible for companies to know whether their web communications have indeed been compromised.
What exactly is being exposed?
When exploited by a hack, Heartbeat (the name of the transport layer security extension where the bug was found) dumps whatever data might reside in the memory of client/server communications in small 64k chunks. Normally this traffic is encrypted, but the bug actually compromises the secret keys, usernames and passwords that protect this data. Leaked keys can lead to insecure web certificates, which could indirectly lead an attacker to usernames and passwords, payment card details, cookies -- essentially any information submitted by other users of the service.
Should I worry about my Gazzang zNcrypt keys being exposed?
No. Gazzang zNcrypt keys are encrypted client-side, so a compromise of the zTrustee server using Heartbleed would never expose any zNcrypt keys. Furthermore, while we use SSL for data-in-transit encryption, the payload of data between client nodes and zTrustee is encrypted with strong crypto libraries like GPG underneath OpenSSL. So we're doubling up the encryption, just for instances like this.
Like many other websites, we have already patched our zTrustee SaaS servers for the Heartbleed vulnerability. We also encourage customers who haven't already done so to upgrade to the latest operating system version and deploy those OS patches as well.
How can I protect my organization against future threats like Heartbleed?
One of the reasons this bug is so widespread is because it exploited a vulnerability in the popular and highly regarded OpenSSL crypto library. In other words, it went after the very service layer that untold numbers of companies use to protect against hackers. Where many of these companies went wrong is they relied on that single layer of security to protect against a network attack.
Multi-factor authentication, which requires a second piece of information to allow access to an account, is one way users can protect email access and other sensitive account information. So in addition to upgrading, patching and maintaining the latest versions of your OS and software, another way to protect your company's data is to deploy multiple layers of cryptography.
I mentioned earlier that we use GPG in addition to SSL for data-in-transit encryption. As another example, our customers use Gazzang zNcrypt to encrypt their data and protect that data by disallowing unauthorized people and processes to access it. The encryption key is then encrypted itself and stored in the zTrustee key manager (along with the master). The data owner can then set a broad range of configurable policies governing who or what can access those keys.
The important thing to remember is that security needs to be applied in layers, and a single layer is never enough. A useful tool to check your SaaS vendors' security is Qualsys SSL Labs test.
What can I do as a consumer?
To start, here are a couple of lists spotlighting companies that use the TLS Heartbeat extension. The best advice is to change your password if a service you use is listed as vulnerable.
When you focus on a journey from up-close, you look at your own technical and cultural history and how you changed it for the benefit of the customer. This was our starting point: too many integration issues, 13 SWP days and very long cycles. It was evident that in this fast-paced industry we could no longer afford this reality. We needed something that would take us beyond reducing the development lifecycles, CI and Agile methodologies. We made a fundamental difference, even changed our culture...
Jan. 21, 2017 02:45 PM EST Reads: 1,154
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
Jan. 21, 2017 02:30 PM EST Reads: 693
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Jan. 21, 2017 01:45 PM EST Reads: 5,272
@DevOpsSummit taking place June 6-8, 2017 at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @DevOpsSummit at Cloud Expo New York Call for Papers is now open.
Jan. 21, 2017 01:45 PM EST Reads: 3,622
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Jan. 21, 2017 01:45 PM EST Reads: 5,777
SYS-CON Events announced today that Dataloop.IO, an innovator in cloud IT-monitoring whose products help organizations save time and money, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Dataloop.IO is an emerging software company on the cutting edge of major IT-infrastructure trends including cloud computing and microservices. The company, founded in the UK but now based in San Fran...
Jan. 21, 2017 01:15 PM EST Reads: 2,612
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Jan. 21, 2017 12:45 PM EST Reads: 4,379
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
Jan. 21, 2017 12:15 PM EST Reads: 3,740
In the next five to ten years, millions, if not billions of things will become smarter. This smartness goes beyond connected things in our homes like the fridge, thermostat and fancy lighting, and into heavily regulated industries including aerospace, pharmaceutical/medical devices and energy. “Smartness” will embed itself within individual products that are part of our daily lives. We will engage with smart products - learning from them, informing them, and communicating with them. Smart produc...
Jan. 21, 2017 12:15 PM EST Reads: 1,773
Providing the needed data for application development and testing is a huge headache for most organizations. The problems are often the same across companies - speed, quality, cost, and control. Provisioning data can take days or weeks, every time a refresh is required. Using dummy data leads to quality problems. Creating physical copies of large data sets and sending them to distributed teams of developers eats up expensive storage and bandwidth resources. And, all of these copies proliferating...
Jan. 21, 2017 11:45 AM EST Reads: 4,137
SYS-CON Events announced today that Catchpoint, a leading digital experience intelligence company, has been named “Silver Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Catchpoint Systems is a leading Digital Performance Analytics company that provides unparalleled insight into your customer-critical services to help you consistently deliver an amazing customer experience. Designed for digital business, C...
Jan. 21, 2017 11:45 AM EST Reads: 1,848
“DevOps is really about the business. The business is under pressure today, competitively in the marketplace to respond to the expectations of the customer. The business is driving IT and the problem is that IT isn't responding fast enough," explained Mark Levy, Senior Product Marketing Manager at Serena Software, in this SYS-CON.tv interview at DevOps Summit, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Jan. 21, 2017 11:30 AM EST Reads: 11,604
SYS-CON Events announced today that Catchpoint Systems, Inc., a provider of innovative web and infrastructure monitoring solutions, has been named “Silver Sponsor” of SYS-CON's DevOps Summit at 18th Cloud Expo New York, which will take place June 7-9, 2016, at the Javits Center in New York City, NY. Catchpoint is a leading Digital Performance Analytics company that provides unparalleled insight into customer-critical services to help consistently deliver an amazing customer experience. Designed ...
Jan. 21, 2017 11:30 AM EST Reads: 6,438
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
Jan. 21, 2017 11:30 AM EST Reads: 2,808
WebRTC sits at the intersection between VoIP and the Web. As such, it poses some interesting challenges for those developing services on top of it, but also for those who need to test and monitor these services. In his session at WebRTC Summit, Tsahi Levent-Levi, co-founder of testRTC, reviewed the various challenges posed by WebRTC when it comes to testing and monitoring and on ways to overcome them.
Jan. 21, 2017 11:15 AM EST Reads: 6,123