When it comes to malware and other types of computer bugs it seems like we are falling into a problematic pattern. In fact, it has made the words “wreak havoc” almost cliché.
The pattern consists of researchers or “ethical hackers” exposing the existence of a software vulnerability—which the headlines first scream is a harbinger of online Armageddon. What then follows are explanations by true security professionals suggesting that, while problems exist, the nature of the threats are over-blown. The past two weeks saw this pattern in practice with the hysteria surround first the VENOM cyber attack vulnerability and then questioning of the validity of hacker Chris Roberts claims of being able to take navigational control of a United Airline while in-flight by hacking a plane’s entertainment system, which is now being challenged.
We close out this week with yet another example. On May 19, the Wall Street Journal ran a story about the discovery of a computer bug called LogJam. The headline read, “New Computer Bug Exposes Broad Security Flaws: Fix for LogJam bug could make more than 20,000 websites unreachable.” Yikes! The revelation that 20,000 websites could be unreachable certainly got the Internet buzzing.
At week’s end, it turns out that LogJam—which has its roots in U.S. government regulations from over 20 years ago that made exportation of strong encryption software illegal (which was subsequently lifted)—has yet to be exploited by bad guys. Plus the fix is already in.
This is not to minimize the nastiness at hand, so don’t bury your heads in the sand just yet. LogJam allows one computer to tell others that they must use weaker encryption which is an easy crack, and can also fool a website into thinking it was using strong encryption when in reality it is not. Yet, as the professionals have weighed in and patches have become available, it seems safe to say that those favorite websites that might have been unreachable will still come up when you click.
When these things happen, my inbox gets inundated with comments from the professionals and as a bit of a public service I like to share a sampling of their views.
Branden Spikes, CEO and CTO of Spikes Security (www.spikes.com) which develops technology for secure online Web browsing commented that:
“It’s a good move for browsers to raise the bar on encryption key strength as compute power increases, and hackers gain access to botnets and cryptocurrency mining devices which make key cracking a bit too trivial for comfort. I think you can probably blame this archaic support for weak keys on the U.S. cryptography export laws, which are hopefully well enough in our rear view mirror by now to move on.
What really concerns me about LogJam and vulnerabilities giving hackers access to encrypted web traffic is that it further exposes browsers to ‘watering hole’ attacks. Imagine if attackers gain credentials and access to content authoring suites at popular websites, and use this access to maliciously customize trusted content to spread malware via drive-by without any need for phishing.
It’s great that browsers are getting patched to address this, but now the burden rests with users and IT professionals to distribute the patches. I think the task of updating billions of browsers on all platforms, including those browsers nested within mobile apps and IoT devices, might be daunting and take a long time. Suffice to say if LogJam gets exploited in the wild, we’re in for quite a busy summer. Centralized and efficient control of browsers should be top of mind for network administrators.”
eCSI security expert Márton Illés, Product Evangelist at BalaBit had similar thoughts:
"The security versus usability debates continues: the LogJam bug underscores the dilemma of vendors on fixing the problem without breaking access to thousands of websites. There are some interesting lessons to be learned from this:
"How long would it take to fix a known security issue from a vulnerable site? We'd hope that after publishing Freak and Heartbleed bugs, most sites would not be vulnerable, but interestingly even top websites struggle with applying fixes for months. Site owners and companies need to understand their responsibility to patch vulnerabilities, just like they must fix other technical issues. Of course, fixing a problem that would take a site down is always more important and more visible then fixing a security problem—but this attitude creates problems when a data breach comes, always a very real but unwanted possibility.
"Security vs. usability is a debate raging on, and LogJam informs it. Security people must understand that security isn't the ultimate goal of a company, but businesses must also understand that security is essential. Implementing a new security rule that limits the usability of the system is a hard decision, but sometimes tradeoffs must be made—it's a choice to find the right balance. It is a very interesting situation when applying a security fix results in a serious usability, accessibility issue because someone else—in this case, our website owners—did not do their homework. Should we put ourselves in jeopardy because another party is too lazy?
"In one way, it's great that this increases awareness of the need to continually maintain and apply fixes. LogJam is a strong message: what if updated browsers refuse to communicate with non-updated, vulnerable sites? What would a site owner do to keep their sites updated? The separate security and availability issues become one, and one that must be addressed.”
Interestingly, there was a log jam (pardon the pun) of bad news on the security front this week. This includes the data breach at Telstra’s Asian subsidiary Pacnet (News - Alert) which saw a malicious party attain access to Pacnet’s corporate IT network, including email and other administrative systems, through a SQL vulnerability that enabled malicious software to be uploaded to the network. It also includes the domain hijacking and Web address re-directing of the St. Louis Federal Reserve.
So there is reason to be concerned but most importantly to be vigilant and keep up with fixes for known problems. The bad guys are becoming more sophisticated and audacious with their exploits but we all need to be careful in evaluating the real risks versus headline ones before we get too stressed out.
For those in the U.S. who are about to celebrate the long Memorial Day Weekend, hopefully this provides a little peace of mind.