Welcome!

News Feed Item

i-Sprint’s Insights on ‘How to Avoid Heartbleed or Similar SSL Related Vulnerabilities’

i-Sprint Innovations (“i-Sprint”), a leading Identity, Credential and Access Management Solutions provider across Asia Pacific, provides insights on the latest disclosure of Heartbleed, an OpenSSL encryption bug, and how to avoid it and other similar SSL related vulnerabilities.

The emergence of the Heartbleed bug is yet another reminder of the security threats we continue to face. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate them.

This bug has resided in production software for more than two years and is described as "catastrophic" by leading security experts. The immediate solution is to identify affected systems, apply the fix and update the SSL certificates. Users also need to be informed to change their passwords and track misuse of the exposed information.

Even if the bug is patched today, there is no guarantee that a similar type of bug will not resurface or stay hidden in software undiscovered. Such vulnerability with similar impact could arise in the future from another SSL library or application product.

It also leads to the question of whether Secure Socket Layer (SSL) is sufficient to protect data confidentiality and the integrity of online transactions. How can enterprises manage the risk of data leakages in future through web services and convince their customers that their data is safe from eavesdroppers? Would it have been possible to have done something to mitigate the risk of such an event?

To prevent exposure of sensitive data even if SSL encryption is broken, enterprises need a strong data protection solution such as End-to-End Encryption (E2EE) to protect passwords and sensitive transaction of data. E2EE ensures that sensitive data stays encrypted even within the memory of vulnerable web or application servers. It offers protection to the Heartbleed type of bug as well as prevents insiders such as software developers or DBAs from leaking sensitive data accidentally or deliberately. In fact, both Monetary Authority of Singapore (MAS) and Hong Kong Monetary Authority (HKMA) have mandated financial institutions to adopt E2EE for protection of passwords as well as critical transaction data in the e-banking sites.

Like many financial institutions, organizations should adopt the same best practices to encrypt and send encrypted passwords and sensitive data over a communication channel in addition to the SSL protection. This can be done by using an encryption library and key data for data encryption at the point of entry (user desktop/smartphone) before submission to the server side. This data remains encrypted all the way to the web server and even the application server. The data may be decrypted at the application server, however in the case of passwords, they remain encrypted and are verified inside a Hardware Security Module (HSM). HSMs are cryptographic devices using tamper resistant hardware built to meet the FIPS standards. Thus, the passwords are encrypted from the point of entry to the point of comparison. Apart from mitigating against Heartbleed type of vulnerabilities, this ensures that nobody in the intranet has access to the password in clear during transit and storage, as well as protecting against internal fraud.

In summary, effective data protection requires a combination of layered security solutions and the right processes. Instead of relying only on SSL protection, organizations should look into implementing E2EE solutions at the application layer to protect their confidential information against the next web server vulnerability.

For questions on Heartbleed or how to be protected against it, please visit www.i-sprint.com or contact i-Sprint at [email protected].

i-Sprint’s Solutions

i-Sprint has its own unique brand of security products, intellectual properties and patents that are designed to exceed global financial services regulatory requirements. In order to capitalize the fast growing Identity, Credential and Access Management (ICAM) market, i-Sprint proactively delivers innovative product features via our product offerings in Identity Protection, Cloud Protection, Mobile Protection and Data Protection.

i-Sprint’s world leading security solutions include a proven and secure E2EE Authentication and Data Protection for convenient (Single Sign-On) and secure access to internet banking applications. i-Sprint’s solutions meets Internet Banking Security Guidelines from regulatory agencies in multiple countries; overcoming the security challenges of most internet and mobile banking solutions. i-Sprint delivers bank-grade versatile strong authentication (biometrics, multi-factor authentication and more) and token management platform to secure multiple application delivery environments (web, mobile and cloud) based on a common security platform.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
Cybersecurity is a critical component of software development in many industries including medical devices. However, code is not always written to be robust or secure from the unknown or the unexpected. This gap can make medical devices susceptible to cybersecurity attacks ranging from compromised personal health information to life-sustaining treatment. In his session at @ThingsExpo, Clark Fortney, Software Engineer at Battelle, will discuss how programming oversight using key methods can incre...
SYS-CON Events announced today that Hitachi, the leading provider the Internet of Things and Digital Transformation, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., offers an integrated portfolio of services and solutions that enable digital transformation through enhanced data management, governance, mobility and analytics. We help globa...
Did you know that you can develop for mainframes in Java? Or that the testing and deployment can be automated across mobile to mainframe? In his session at @DevOpsSummit at 20th Cloud Expo, Vaughn Marshall, Sr. Principal Product Owner at CA Technologies, will discuss and demo how increasingly teams are developing with agile methodologies using modern development environments and automating testing and deployments, mobile to mainframe.
The goal of Continuous Testing is to shift testing left to find defects earlier and release software faster. This can be achieved by integrating a set of open source functional and performance testing tools in the early stages of your software delivery lifecycle. There is one process that binds all application delivery stages together into one well-orchestrated machine: Continuous Testing. Continuous Testing is the conveyor belt between the Software Factory and production stages. Artifacts are ...
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and 21st International Cloud Expo, which will take place in November in Silicon Valley, California.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
NHK, Japan Broadcasting, will feature the upcoming @ThingsExpo Silicon Valley in a special 'Internet of Things' and smart technology documentary that will be filmed on the expo floor between November 3 to 5, 2015, in Santa Clara. NHK is the sole public TV network in Japan equivalent to the BBC in the UK and the largest in Asia with many award-winning science and technology programs. Japanese TV is producing a documentary about IoT and Smart technology and will be covering @ThingsExpo Silicon Val...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search an...
SYS-CON Events announced today that Hitachi, the leading provider the Internet of Things and Digital Transformation, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., offers an integrated portfolio of services and solutions that enable digital transformation through enhanced data management, governance, mobility and analytics. We help globa...