News

 

The Hindu - Business Line

India not bitten hard by ‘Heartbleed’ bug

HYDERABAD, APRIL 14, 2014:

As the news of the deadly Heartbleed threat engulfs computer users across the globe, security experts have noticed an immediate threat to 611 websites with a .in top-level domain (TLD) or extension that comes at the end of the website’s address.

The impact of this deadly bug in India is not as huge as it was initially thought. Not that we are geared up well to face such attacks. The vulnerability is lower in India as many of the websites have not updated to the version of OpenSSL that was susceptible to the attack.

Potentially, the major application security vulnerability could impact two thirds of websites. It could result in cyber criminals accessing your user IDs and passwords. A bug in OpenSSL (the open-source cryptography library), the software that encrypts packets of information between the websites (their servers) and the users, results in the vulnerability. The hackers could peep into the conversations and steal data from the affected servers, using this backdoor.

Some security experts feel that end users could do little as the problem lies with the servers and managers of websites.

“Another possible reason for lesser impact in India is that relatively a few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability),” an executive of the Internet security solutions firm Trend Micro told Business Line.

Severe impact

If this is good news, we are in for some bad news as security experts expect a severe adverse impact on smartphones. The main reason for this apprehension is that mobile apps are also connected to online servers and services to complete a number of tasks that keep you connected with the other digital devices via the cloud. Look at this scenario. You key in your credit or debit card details when you make a purchase through a mobile app. “Your card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cyber criminals can take advantage of the Heartbleed bug to target that server and steal the card info,” Dhanya Thakkar, Managing Director, India & SEA, Trend Micro, told Business Line. The firm scanned about 3.90 lakh apps on Google Play (the Android app store) and found that about 1,300 apps connected to vulnerable servers. This includes 15 bank-related apps, 39 online payment-related and 10 shopping apps.

Venkatesh Sundar, Chief Technology Officer of Indusface, said his company found five per cent of the premium Indian transactional websites were exposed to the Heartbleed vulnerability.

“This exposure was not as bad as we thought it could be. One of the reasons for this could be the slower Internet infrastructure upgrades by these websites. Older infrastructure (older OpenSSL) was not impacted by this,” he said.

Tips to safeguard

What safeguards one must take to prevent the attack?

“You need to organise a quick security incidence response team in place. Upgrade the impacted application or software components to the latest versions available. Regenerate SSL server keys and request users to update their passwords, post the upgrade,” he said.

Some e-security firms have launched free tools to check the health of websites. On Monday, eScan has launched one such solution that tells how vulnerable the website they are viewing for the Heartbleed bug.