”Catastrophic” is how technology experts are describing...
"Catastrophic” is how technology experts are describing the recently discovered security glitch in Secure Sockets Layer (SSL). Finnish security firm Codenomicon discovered the flaw, called the Heartbleed bug (http://heartbleed.com/), which affects OpenSSL, a cryptographic software library used to secure websites…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
using HTTPS encryption to protect data. The company said the bug allows hackers to access websites’ code, data and passwords, as well as “eavesdrop on communications.” Internet security technologist Bruce Schneier -- a board member of the Electronic Frontier Foundation (EFF) and advisory board member of the Electronic Privacy Information Center (EPIC) -- called the bug “catastrophic,” in a Wednesday blog post (http://bit.ly/1ea7ECa0). “On the scale of 1 to 10, this is an 11,” he said, saying 500,000 sites were vulnerable to the flaw. “The probability is close to one that every target has had its private keys extracted by multiple intelligence agencies,” Schneier said. “The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident.” Karl Volkman, chief technology officer of network service provider SRV Network, said “the threat that this flaw poses is tremendous,” but suggested that changing one’s passwords before major websites fix the flaw “will allow hackers to still have access to personal information.” Johns Hopkins University computer science professor and cryptographer Matthew Green said Heartbleed is “the result of a relatively mundane coding error,” in a Tuesday blog post (http://bit.ly/1oN7UvE). “And predictably, this makes it more devastating than all of those fancy attacks put together.” The FTC recently settled two complaints on mobile apps with allegedly inadequate data security, highlighting both apps’ disabled SSL certificate (CD March 31 p8).