India not bitten hard by ‘Heartbleed’ bug

HYDERABAD, APRIL 14, 2014:

As news of the deadly Heartbleed threat engulfs computer users across the globe, security experts have noticed an immediate threat to 611 websites with a .in top-level domain (TLD), the extension that comes at the end of a website’s address.

The impact of this deadly bug in India is not as huge as was initially thought. That is not because we are well geared up to face such attacks: exposure is lower in India because many websites have not updated to the versions of OpenSSL that were susceptible to the attack.

This major security vulnerability could potentially affect two-thirds of websites, and could result in cybercriminals accessing your user IDs and passwords. The vulnerability stems from a bug in OpenSSL (the open-source cryptography library), the software that encrypts packets of information between websites (their servers) and users. Using this flaw, attackers could peep into those conversations and steal data from the affected server.
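The flaw the article describes is a missing length check in OpenSSL’s TLS heartbeat handling. The toy model below is added here as an illustration and is not code from the article or from OpenSSL; it places a handler that trusts the length a client claims beside one that applies the bounds check the fixed release introduced, and the record layout, the simulated memory and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PADDING 16  /* heartbeat messages end with at least 16 bytes of padding */

/* Constructed model of server memory: a heartbeat record as received
 * (type 0x01, claimed length 0x0030 = 48, 5-byte payload "hello",
 * 16 bytes of padding) followed by unrelated secret data that must
 * never be echoed back to a client. */
static unsigned char memory[64] =
    "\x01\x00\x30hello" "0123456789abcdef" "SECRET-SESSION-KEY";

static uint16_t claimed_length(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable shape: trusts the client's claimed length and copies that
 * many bytes, reading past the end of the real 24-byte record. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    uint16_t claimed = claimed_length(rec);
    (void)rec_len;                         /* never consulted: the bug */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

/* Hardened shape: header + claimed payload + padding must fit inside
 * the record the TLS layer actually received; otherwise drop it. */
static int heartbeat_hardened(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING) return -1;
    uint16_t claimed = claimed_length(rec);
    if (1 + 2 + (size_t)claimed + PADDING > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

int main(void) {
    unsigned char out[64];
    int n = heartbeat_vulnerable(memory, 24, out, sizeof out);
    printf("vulnerable echoed %d bytes: %.*s\n", n, n, out); /* secret leaks */
    n = heartbeat_hardened(memory, 24, out, sizeof out);
    printf("hardened result: %d (record rejected)\n", n);
    return 0;
}
```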

Some security experts feel that end-users can do little, as the problem lies with the servers and the managers of websites.

“Another possible reason for the lesser impact in India is that relatively few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability),” an executive of the Internet security solutions firm Trend Micro told Business Line.

Severe impact

If this is good news, we are in for some bad news, as security experts expect a severe adverse impact on smartphones. The main reason for this apprehension is that mobile apps are also connected to online servers and services to complete a number of tasks that keep you connected with other digital devices via the cloud. Consider this scenario: you key in your credit or debit card details when you make a purchase through a mobile app. “Your card data is stored in the server that the mobile app did the transaction with and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the Heartbleed bug to target that server and steal the card info,” Dhanya Thakkar, Managing Director, India & SEA, Trend Micro, told Business Line. The firm scanned about 3.90 lakh apps on Google Play (the Android app store) and found that about 1,300 apps connected to vulnerable servers. These include 15 banking apps, 39 online-payment apps and 10 shopping apps.

Venkatesh Sundar, Chief Technology Officer of Indusface, said his company found five percent of the premium Indian transactional websites were exposed to the Heartbleed vulnerability.

“This exposure was not as bad as we thought it could be. One of the reasons for this could be the slower Internet infrastructure upgrades by these websites. Older infrastructure (older OpenSSL) was not impacted by this,” he said.

Tips to safeguard

What safeguards must one take to prevent the attack?

“You need to organize a quick security incident response team. Upgrade the impacted application or software components to the latest versions available. Regenerate SSL server keys and request users to update their passwords, post the upgrade,” he said.

Some e-security firms have launched free tools to check the health of websites. On Monday, eScan launched one such tool, which tells users how vulnerable the website they are viewing is to the Heartbleed bug.
