The Heartbleed OpenSSL vulnerability dominates today's news, and is likely to do so for days (if not weeks) to come. Ars Technica describes the bug as exposing data "Russian roulette style," and the metaphor's not a bad one: a missing bounds check in source code is said to enable blind access to whatever parts of memory are handling SSL processes. Vendors and security experts are sifting through affected sites and products now and issuing fixes as they're developed.
The Sydney Morning Herald finds the software developer who cops to responsibility for the bug. He explains how the vulnerability was inadvertently introduced. (Conspiracy-mongers are undeterred from offering alternative attributions.)
It's not clear whether the vulnerability has been exploited in the wild (although a note from Deltek about a breach involving its GovWin product might give one the willies—still, no mention there of Heartbleed), but OpenSSL exploits can be difficult to detect. Experts advise taking protective steps quickly but with caution. Heartbleed is obvious phishbait (as Sophos points out); it's also a good watering-hole lure (as SANS notes).
Quartz sees the whole episode as an instance of the tragedy of the commons, where a public good is steadily eroded in the absence of clear property rights and responsibilities.
Retailers face a large Heartbleed problem, adding insult to injury as legislation in several jurisdictions begins to fix liability for data breaches squarely on them.
In non-Heartbleed news, the insurance industry (led by Lloyd's of London) continues to note critical infrastructure's cyber vulnerability.
Today's issue includes events affecting Canada, China, Germany, Norway, Russia, Turkey, United Kingdom, United States.
Sending a "Heartbleed" password reset email? Please don't include a login link! (Naked Security) With all the buzz about resetting your passwords caused by the "Heartbleed" bug, you can imagine what cybercrooks are thinking. TIME TO GO PHISHING! Fortunately, many people these days know to be careful of password reset emails, at least those that helpfully provide a link that takes you to what looks like a login screen
Heartbleed OpenSSL bug: FAQ for Mac, iPhone and iPad users (Intego: the Mac Security Blog) In the last couple of days you cannot fail to have seen the huge number of media articles about the so-called Heartbleed bug. In this article, we'll try and answer some of the common questions that users of Apple products have raised about this issue
Heartbleed: What you should know (Washington Post) Experts have discovered a major flaw in the security software used by millions of Web sites — including banks, e-mail and social media services — that exposes users' names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness. This does not mean your information has necessarily been stolen. It may mean that it's been vulnerable to theft and may remain vulnerable until a fix is applied
The Heartbleed Hit List: The Passwords You Need to Change Right Now (Mashable) An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years
How does the Heartbleed bug affect me? (Help Net Security) By now, you have surely heard about the "Heartbleed" bug discovered in OpenSSL, and you're wondering how its existence affects you. The situation is, indeed, serious. "'Catastrophic' is the right word," says Bruce Schneier, noted cryptographer and computer security and privacy specialist. "On the scale of 1 to 10, this is an 11"
Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem (Threatpost) The list of products and sites affected by the OpenSSL Heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: It's difficult to know whether an attacker has exploited the vulnerability on a given system
Heartbleed is the new security risk (FierceRetailIT) There's yet another security nightmare staring down retailers as the Heartbleed bug threatens to expose encrypted data in OpenSSL
The Internet's Telltale Heartbleed (New Yorker) The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole. So when he writes, of the "catastrophic bug" known as Heartbleed, "On the scale of 1 to 10, this is an 11," it's safe to conclude that the Internet has a serious problem. The bug, which was announced on Tuesday—complete with an explanatory Web site and a bleeding-heart logo—is a vulnerability in a widely used piece of encryption software called OpenSSL
The Heartbleed bug shows how fragile the volunteer-run internet can be (Quartz) Matthew Prince, CEO of the online security company Cloudflare, watched his company's top cryptographer turn "white as a ghost" after learning about a bug in the essential infrastructure of the internet last week. That flaw, he says now, is the worst thing to happen to the internet since it became a mass medium in the early 2000s
Has the NSA Been Using the Heartbleed Bug as an Internet Peephole? (Wired) When ex-government contractor Edward Snowden exposed the NSA's widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency's snooping. "Encryption works," the whistleblower said last June. "Properly implemented strong crypto systems are one of the few things that you can rely on"
Security Patches, Mitigations, and Software Updates
Heartbleed vendor notifications (Internet Storm Center: InfoSec Handlers Diary Blog) As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications. I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post to only provide links to vendor notifications rather than articles etc about the issue
Facebook Privacy: 4 Changes In Works (InformationWeek) Facebook plans to give users more control over sharing, including new photo privacy settings and reminders about public posts. Here's what to expect
A closer look at Microsoft's April Patch Tuesday (Help Net Security) April's Microsoft Patch Tuesday is on par with the prior releases this year. There are only four bulletins being released, two rated "Critical" and two rated "Important". Of course the long-coming, but somehow still apocalyptic, news that Windows XP is dead has overshadowed these bulletins
Cyber threat moving to critical infrastructure, study shows (ComputerWeekly) The cyber threat is moving from data breaches to global critical infrastructure, an insurance industry commissioned study shows. Technology running the world's critical infrastructure is increasingly at risk of cyber attack, according to in-depth research by Lloyd's of London insurer Aegis London
Financial malware on the rise (Gadget) According to Kaspersky Lab's Financial cyber threats in 2013 study, the number of cyber attacks involving financial malware increased to 28.4 million — 27.6% more than in 2012
Universities Ripe for Hacker Plundering (Tripwire) Universities are falling way behind in the race to secure sensitive data from the threat of compromise, and the trend is expected to continue in perpetuity because they lack the financial and technical resources required to safeguard critical systems, according to a recent study
Attitudes about best practices for physical access control (Help Net Security) An HID Global survey of 600 respondents revealed enterprise end users' perceptions about change and the importance of industry best practices, and how well today's technology and policy best practices are being implemented
Innovation, Expansion and Channel Growth Highlight First Anniversary of ThreatTrack Security (Providence Journal) In its first year as an independent company, ThreatTrack Security has successfully expanded its operations and solutions portfolio to better serve the most pressing cybersecurity needs of enterprises and government agencies. The development and recent launch of ThreatSecure™ — the industry's first solution to provide real-time detection and endpoint remediation of advanced malware threats — is the culmination of the company's strategy to empower organizations of all sizes to protect themselves from the world's most sophisticated malware
Former US Policy Chief Joins Cyber Firm's Board (DefenseNews) Endgame, the cybersecurity firm most famous for selling information about system vulnerabilities, has added former Pentagon policy chief James Miller to its advisory board, the company will announce today
Products, Services, and Solutions
Check Point Receives Internationally Recognized Common Criteria Certification (MarketWatch) Check Point® Software Technologies Ltd., the worldwide leader in securing the Internet, today announced it has achieved the distinction of Common Criteria (CC) certification for Check Point R77 and Check Point Endpoint Security. As part of Check Point's on-going certification efforts, the CC certifications for R77 and Endpoint further demonstrate the company's continued commitment to support the Government market and provide independent validation of its security solutions and capabilities
Cybersecurity Is About Attitude, Culture — Not Strictly Compliance (Wired) How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I'll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business
Compliance misconceptions, challenges and tips (Help Net Security) In this interview, Paul Koziarz, President and General Manager of Regulatory Compliance at CSI, talks about the misconceptions related to compliance, provides advice for CSOs and discusses the difference between being compliant and being secure
Metrics matter in privacy engineering (FierceGovernmentIT) As the privacy field seeks greater precision in a bid to make technical implementation of privacy controls a possibility, it should be cautious about the metrics it adopts, warns a computer scientist
UK seeks input on cybersecurity plan similar to NIST framework (Inside Cybersecurity) The British government is seeking comment on a proposed cybersecurity "scheme" that mirrors key elements of the Obama administration's recently released framework of voluntary standards. Both the British plan and U.S. framework call for a tiered system that allows businesses and organizations to determine the level of compliance appropriate for them
Best practices for secure use of Windows XP (Help Net Security) Microsoft's support for Windows XP ended yesterday, April 8, 2014. However, Gartner estimates that one-third of enterprises currently have more than 10 percent of their systems remaining on XP
Research and Development
New IDS project spots anomalous system behavior (Help Net Security) A team of researchers from Binghamton University has been working on a new intrusion detection approach based on monitoring the behavior of systems and spotting when it differs from the one that is considered normal
Caught Between The Lines: How Online Censorship Harms Corporate Security (Tripwire) National governments are increasingly powerful stakeholders on the internet, changing and filtering the digital landscape in the process. Recently we saw instances of Twitter and YouTube access blocked, performed by Turkish authorities due to circulation of a series of confidential recordings with evidence of alleged corrupt practices
The Kremlin's Digital Gulag (Moscow Times) A Moscow city lawmaker, Alexei Lisovenko, is trying to resuscitate a government push to expand Russia's "digital sovereignty." On April 3, Lisovenko appealed to State Duma Deputy Sergei Zheleznyak, asking him to pass legislation that would require all online social networks to house users' personal data on servers located on Russian soil. Lisovenko, an active member of Facebook, Twitter, and Instagram, cites former National Security Agency contractor Edward Snowden's revelations about U.S. spying as a reason for the move. "Snowden has confirmed that the largest intelligence-gathering corporation there is — the National Security Agency — is monitoring our social media accounts," Lisovenko said
Dueling dilemmas for national security reform (Politico) Congress is awash in ideas for revamping the government surveillance programs exposed by Edward Snowden. Although behind-the-scenes talks have picked up in recent days, lawmakers' appetite, the path and timing for reform remain far from clear
New law seeks to make retailers financially responsible for data breaches (Naked Security) When it comes to massive data breaches — such as the ones at Target and Neiman Marcus — in which millions of customers' credit and debit card numbers were breached, who should foot the bill? Banks and credit card companies have been stuck paying for the damages stemming from hacking of payment data in such crimes, but a new law introduced in California last week seeks to pass the buck right on back to the retailers that spawn the breaches
How the IRS is Leaving Your Financial Data Unprotected (Nextgov) The tax agency needs to better audit its own accounts, according to the Government Accountability Office. GAO officials during the past year discovered that the Internal Revenue Service was not sufficiently monitoring databases for abnormal activity that could indicate a breach. They also found poor encryption on key agency systems
Big data used to catch bulk cash smugglers (FierceBigData) Bulk cash is exactly what it sounds like: oodles of money bound, hidden and smuggled from one country to another as one of the three top preferred international money laundering schemes used by criminals. We're talking about seriously big time criminals here with really big bags of cash. This is not a small time players' game. Somehow it seems fitting that big data would be the tool most likely to find bulk cash, doesn't it? Here's how that works
Whistleblower Says He Warned University Of Maryland Before Data Breach (CBSBaltimore) A data breach drew the nation's attention to the University of Maryland. It exposed sensitive information, including Social Security numbers of hundreds of thousands of current and former students and employees, and it led to an FBI raid on the home of a software engineer in Baltimore County whose former employer contracted with the university
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Cyber Security EXPO (location and date not listed) Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing...
SOURCE (location and date not listed) The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals...
2014 Computer Security Day (Eugene, Oregon, USA, April 11, 2014) The Fourth Computer Security Day at the University of Oregon will feature a slate of distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities...
Women in Cybersecurity Conference (location and date not listed) WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring.
NSA Procurement in today's business arena (Elkridge, Maryland, USA, April 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages...
Suits and Spooks San Francisco (location and date not listed) S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss...
US News STEM Solutions: National Leadership Conference (location and date not listed) The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is...
East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy (Indianapolis, Indiana, USA, April 26-27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014 (location and date not listed) This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics...
Infosecurity Europe 2014 (location and date not listed) Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000...