EP019

Preemptive heartbleed

Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin

Recorded April 9 2014


Windows XP’s last patch cycle for the public came out this week. https://www.pcworld.com/article/2140806/patch-tuesday-last-call-for-windows-xp.html


News this week is dominated by a very severe vulnerability in a widely used implementation of SSL and TLS (the protocols that keep your confidential information private over things like https), called Heartbleed (https://heartbleed.com/).

Coverage for the public: https://www.reuters.com/article/2014/04/09/us-cybersecurity-internet-bug-idUSBREA3804U20140409

Best video for technical details: https://vimeo.com/91425662

EFF finds signs that some people may have been taking advantage of this over half a year before it was made public, and puts a tin-foil-hat spin on it (not unlike I did): https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

It also affects client software (i.e. the stuff you run on your home computer) if a malicious server is taking advantage of you: https://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/


Security program fundamentals include having a healthy IT environment. You need:

Inventory management (the more complete the better)

Management support (the higher up the better)

A mesh of governance that supports IT, including:

  – Policies, standards, and procedures

  – Vulnerability scanning and patch deployment automation

  – Security awareness

  – IT auditors

You may even have your industry’s regulators inquiring how you keep your customers safe, like OSFI checking in with Canada’s banks: https://business.financialpost.com/2014/04/09/heartbleed-bug-prompts-osfi-to-check-in-with-canadas-banks/
