Click here to close now.




















Welcome!

News Feed Item

i-Sprint’s Insights on ‘How to Avoid Heartbleed or Similar SSL Related Vulnerabilities’

i-Sprint Innovations (“i-Sprint”), a leading Identity, Credential and Access Management Solutions provider across Asia Pacific, provides insights on the latest disclosure of Heartbleed, an OpenSSL encryption bug, and how to avoid it and other similar SSL related vulnerabilities.

The emergence of the Heartbleed bug is yet another reminder of the security threats we continue to face. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate them.

This bug has resided in production software for more than two years and is described as "catastrophic" by leading security experts. The immediate solution is to identify affected systems, apply the fix and update the SSL certificates. Users also need to be informed to change their passwords and track misuse of the exposed information.

Even if the bug is patched today, there is no guarantee that a similar type of bug will not resurface or stay hidden in software undiscovered. Such vulnerability with similar impact could arise in the future from another SSL library or application product.

It also leads to the question of whether Secure Socket Layer (SSL) is sufficient to protect data confidentiality and the integrity of online transactions. How can enterprises manage the risk of data leakages in future through web services and convince their customers that their data is safe from eavesdroppers? Would it have been possible to have done something to mitigate the risk of such an event?

To prevent exposure of sensitive data even if SSL encryption is broken, enterprises need a strong data protection solution such as End-to-End Encryption (E2EE) to protect passwords and sensitive transaction of data. E2EE ensures that sensitive data stays encrypted even within the memory of vulnerable web or application servers. It offers protection to the Heartbleed type of bug as well as prevents insiders such as software developers or DBAs from leaking sensitive data accidentally or deliberately. In fact, both Monetary Authority of Singapore (MAS) and Hong Kong Monetary Authority (HKMA) have mandated financial institutions to adopt E2EE for protection of passwords as well as critical transaction data in the e-banking sites.

Like many financial institutions, organizations should adopt the same best practices to encrypt and send encrypted passwords and sensitive data over a communication channel in addition to the SSL protection. This can be done by using an encryption library and key data for data encryption at the point of entry (user desktop/smartphone) before submission to the server side. This data remains encrypted all the way to the web server and even the application server. The data may be decrypted at the application server, however in the case of passwords, they remain encrypted and are verified inside a Hardware Security Module (HSM). HSMs are cryptographic devices using tamper resistant hardware built to meet the FIPS standards. Thus, the passwords are encrypted from the point of entry to the point of comparison. Apart from mitigating against Heartbleed type of vulnerabilities, this ensures that nobody in the intranet has access to the password in clear during transit and storage, as well as protecting against internal fraud.

In summary, effective data protection requires a combination of layered security solutions and the right processes. Instead of relying only on SSL protection, organizations should look into implementing E2EE solutions at the application layer to protect their confidential information against the next web server vulnerability.

For questions on Heartbleed or how to be protected against it, please visit www.i-sprint.com or contact i-Sprint at [email protected].

i-Sprint’s Solutions

i-Sprint has its own unique brand of security products, intellectual properties and patents that are designed to exceed global financial services regulatory requirements. In order to capitalize the fast growing Identity, Credential and Access Management (ICAM) market, i-Sprint proactively delivers innovative product features via our product offerings in Identity Protection, Cloud Protection, Mobile Protection and Data Protection.

i-Sprint’s world leading security solutions include a proven and secure E2EE Authentication and Data Protection for convenient (Single Sign-On) and secure access to internet banking applications. i-Sprint’s solutions meets Internet Banking Security Guidelines from regulatory agencies in multiple countries; overcoming the security challenges of most internet and mobile banking solutions. i-Sprint delivers bank-grade versatile strong authentication (biometrics, multi-factor authentication and more) and token management platform to secure multiple application delivery environments (web, mobile and cloud) based on a common security platform.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
U.S. companies are desperately trying to recruit and hire skilled software engineers and developers, but there is simply not enough quality talent to go around. Tiempo Development is a nearshore software development company. Our headquarters are in AZ, but we are a pioneer and leader in outsourcing to Mexico, based on our three software development centers there. We have a proven process and we are experts at providing our customers with powerful solutions. We transform ideas into reality.
In their Live Hack” presentation at 17th Cloud Expo, Stephen Coty and Paul Fletcher, Chief Security Evangelists at Alert Logic, will provide the audience with a chance to see a live demonstration of the common tools cyber attackers use to attack cloud and traditional IT systems. This “Live Hack” uses open source attack tools that are free and available for download by anybody. Attendees will learn where to find and how to operate these tools for the purpose of testing their own IT infrastructu...
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of I...
Organizations from small to large are increasingly adopting cloud solutions to deliver essential business services at a much lower cost. According to cyber security experts, the frequency and severity of cyber-attacks are on the rise, causing alarm to businesses and customers across a variety of industries. To defend against exploits like these, a company must adopt a comprehensive security defense strategy that is designed for their business. In 2015, organizations such as United Airlines, Sony...
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and a...
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of ...
Everyone talks about continuous integration and continuous delivery but those are just two ends of the pipeline. In the middle of DevOps is continuous testing (CT), and many organizations are struggling to implement continuous testing effectively. After all, without continuous testing there is no delivery. And Lab-As-A-Service (LaaS) enhances the CT with dynamic on-demand self-serve test topologies. CT together with LAAS make a powerful combination that perfectly serves complex software developm...
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...