Vulnerability: Come In. The Door is Open.

Today’s world is filled with battles, attacks, threats and vulnerabilities. Whether you flip a page, change a channel or click a mouse, you are continually reminded that you may or may not be totally protected by that large wall of safety and security you believed would keep your castle sheltered and warmed against the throws of oncoming attackers. Yes, the battle is raging and, whether we would like to admit it or not, the data and information we covet are the primary targets. Not to be a source of negative news, but the world contains those who live to exploit our vulnerabilities and gain an advantage over our security, livelihood and peace. The simple truth is that we should not avoid thinking about these obvious, insidious threats just because they are invisible and we cannot hold them in our hands.

This being an opinion piece, these statements are obviously not meant to downplay the threats that are currently stepping over physical walls and taking human lives as you continue reading. They are here to hopefully broaden one’s vision of “threat” and compare it to how we respond to those threats which are more visible and how we categorize them as truly life threatening. Terrorism, political violence and contagious, deadly diseases are very real and tangible but share the same personality traits as their distant cousins – these so-called “invisible threats” that infect the cyber world. Threatening and fatal, but just at a different level. As Ebola, al-Qaeda and ISIS militants do within their realms of disease and violent extremism, recent threats like Heartbleed and Shellshock pose a serious danger to their vulnerable victims in the technological world. We should not assume that the world of technology is not filled with walls, windows and doors like those which exist in our physical world. This assumption and denial is the first of several symptoms of seriously vulnerable thinking. We also may not realize that in this invisible world many of our “houses” have signs posted on their doors which read: “Come in. The door is open.”

The security bug known as Heartbleed was first made public on April 7, 2014. It affects the OpenSSL cryptography library, which is widely used in the implementation of the Transport Layer Security (TLS) protocol. When the existence of Heartbleed was announced, security experts noted that it may be exploited “regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.” The bug – named by an engineer at the Finnish cybersecurity company Codenomicon – comes from “improper input validation in the implementation of the TLS heartbeat extension.” When the bug was disclosed, security researchers around the globe reported that approximately half a million web servers (that were previously believed to be secure and certified by “trusted authorities”) were open and vulnerable to attack. In a very short period of time this unexpected security “hole” had become very real and extremely threatening.
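The “improper input validation” quoted above, as an added C example (not OpenSSL's code and not part of the original article): a heartbeat request carries a 2-byte claimed payload length, and the flawed logic echoes that many bytes without comparing the claim to the size of the record actually received. The function names, the 64-byte buffers and the sample bytes are constructed for illustration; the message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Flawed (hypothetical name): echoes `claimed` bytes without checking rec_len. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* may run past the record */
    return HB_HEADER + claimed;
}

/* Validated: discard unless header + claimed payload + padding fit the record. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len) return 0; /* the missing check */
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Constructed sample: a 21-byte record whose real payload is "hi", followed in the
   same buffer by unrelated bytes standing in for adjacent process memory.
   Returns the reply length and sets *leaked if those bytes reached the reply. */
size_t hb_demo(int checked, uint16_t claimed, int *leaked)
{
    static const char adjacent[] = "ADJACENT-SECRET";
    uint8_t mem[64] = {0}, out[64] = {0};
    size_t rec_len = HB_HEADER + 2 + HB_MIN_PAD;
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HEADER, "hi", 2);
    memcpy(mem + rec_len, adjacent, sizeof adjacent - 1);
    size_t n = checked ? hb_reply_checked(mem, rec_len, out, sizeof out)
                       : hb_reply_unchecked(mem, rec_len, out, sizeof out);
    *leaked = 0;
    for (size_t i = 0; i + sizeof adjacent - 1 <= n; i++)
        if (memcmp(out + i, adjacent, sizeof adjacent - 1) == 0) *leaked = 1;
    return n;
}

/* Exit status 0 when the validated handler discards the over-long claim. */
int main(void) { int leaked; return hb_demo(1, 40, &leaked) != 0 || leaked; }
```

The single comparison against the received record length is the whole difference: an honest request (claimed length 2) is answered identically by both handlers, while a request claiming 40 bytes is silently discarded by the validated one.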

Codenomicon immediately launched the website Heartbleed.com to educate the public about the bug and released the “bleeding heart logo” as a quick identifier for information and continuing news regarding the issue. This hole would allow attackers to enter and easily steal private server keys, user passwords and internet session cookies. Security experts and technology organizations from around the globe considered Heartbleed to be a “catastrophic” event. Forbes magazine wrote that the Heartbleed bug “is the worst vulnerability found since commercial traffic began to flow on the Internet.” OpenSSL was fixed on the same day as Heartbleed’s disclosure, but the words warning and caution were still hanging on the lips of the global security community. After all the concern, panic and shots of warning ringing out through the invisible world, there was still a problem. Logically, you would think most would respond to an announcement labeled catastrophic the same as anyone would to news of a lethal virus in the water supply or armed attackers going door to door killing innocent people. Obviously, what is not seen is not necessarily that important or real.

Governments around the world warned the public that passwords should be changed on all the websites they use. Some organizations announced that anyone wanting true privacy and security online should “stay away from the Internet entirely for the next few days while things settle.” Over one month after the public disclosure and released fix of the Heartbleed bug, researchers reported that approximately 1% of the 800,000 most popular TLS-enabled websites were still running with Heartbleed vulnerabilities. Two months following the disclosure, reports indicated that over 300,000 websites still remained untouched, with no attempt made to apply the needed patches to plug the hole. Although all the major players in the technology world, including Google, Apple, Microsoft and other large producers, were quick to respond to this threat, a larger slice of the ground that many of us walk through may still be vulnerable. Do most people take the necessary precautions before walking through an environment infected with a known deadly virus? Why is this scenario much different? The reality is there is no difference. Ignorance in both cases can result in catastrophe.

In the wake of Heartbleed, another security bug known as Shellshock or Bashdoor was disclosed on September 24, 2014. Shellshock is known as a “family” of security bugs which exist in the Unix Bash shell, which has been widely used for some time. Bash is used by web servers to launch and process specific commands. A vulnerable version would allow a hacker unauthorized access to a computer system or let an attacker execute their own commands within the open environment. After a continual evaluation of Bash source code, researchers estimate that these vulnerabilities were alive and well inside Bash for over 20 years. Soon after the bug was disclosed and reports of the vulnerability began to surface, it was confirmed that attackers had begun to create botnets of compromised computers to launch distributed denial-of-service (DDoS) attacks and vulnerability scanning.

Security firms around the globe reported millions of attacks and invasions related to Shellshock. It has been compared to Heartbleed and has the potential to compromise millions of computer systems, servers and additional related devices. Reports were released regarding attacks against Akamai Technologies, the United States Department of Defense and Yahoo, underscoring the severity of the Shellshock bug. Numerous website and security experts including Incapsula and CloudFlare reported more than 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses in a 24-hour time frame previous to their probe. It is estimated that 55% of Shellshock-related attacks originated in China and the United States. It was also reported that approximately 1.5 million attacks and probes directly related to this bug had been tracked each day.

If you have any understanding of technology today and see the value of data – the precious information created by us – which is now the very fuel that runs our lives and motivates society, you must agree that threats against this data have damaging potential of catastrophic proportions. The math of seriousness works better if you look at this compared with disease, violence and terrorism activity in today’s world. For example, if Ebola was left unattended and allowed to freely spread and roam about, leaving its carriers with no outside efforts to combat its progress, the acceleration and damage would be staggering. We are witnesses to the worry, stress and paranoia that are attached to its presence. It is logical that the projected implications of an uncontrolled outbreak have launched the combative effort at historic levels. With all this effort we still see death, we still see it spread, we still see it getting into our safe places. Why? Because vulnerabilities exist and entrances are so often willingly or stupidly left open so the threat can walk in freely. As the world’s political and social climate changes and generations become lost in thoughts of an unpredictable or gloomy future, we witness the daily acts of terrorism as its wolves roam to devour and destroy.

We now wake each morning with dark events of terror and violence painted into our reality through our media outlets. Why does their growth continue even while in the midst of such powerful anti-terrorist defenses? How do they break ground so easily by capturing our fears? Again, they have learned about our vulnerabilities and how to exploit them. Do the threats that walk through the technology realm function much differently? Do they have a unique purpose, course and result? Why should we treat security threats with less effort and vigor? Do these threats have less potential to do serious harm to us economically and socially if left to roam, attack and infect without an established system of protection in place to stop them? The evidence from recent years has shown that the general public grossly assumed that cyber threats cannot bring the same level of devastation to our world as disease and extremists. Unfortunately this mindset needs to change by learning about these threats and understanding how much damage they can bring to the visible world. Threats like Heartbleed, Shellshock, the many flavors of malicious software and other exploits are real and very dangerous. Knowing more will only help to strengthen our defenses and protect us from disaster on a completely unique level.

Read previously published articles regarding Heartbleed, Shellshock and other exploits and vulnerabilities in the Hostwinds Blog Archive.

2 Replies to “Vulnerability: Come In. The Door is Open.”

  1. That’s why it’s extremely important to keep everything on your server up-to-date. I would much rather fix a site compatibility issue than deal with hackers taking advantage of outdated and vulnerable software.
