Monday, April 14, 2014
HYDERABAD, APRIL 14, 2014:
As news of the Heartbleed bug spreads among computer users across the globe, security experts have identified an immediate threat to 611 websites under the .in top-level domain (TLD), the extension at the end of a website’s address.
The impact of the bug in India is not as large as initially thought, though not because Indian sites are well prepared to face such attacks: the exposure is lower because many Indian websites never upgraded to the OpenSSL versions that carry the bug (1.0.1 through 1.0.1f; the older 0.9.8 and 1.0.0 branches are not affected).
Potentially, the vulnerability could affect up to two thirds of websites, and it could let cyber criminals obtain user IDs and passwords. The fault is a bug in OpenSSL, the open-source cryptography library that encrypts the traffic between websites (their servers) and their users: its implementation of the TLS heartbeat extension failed to check that a heartbeat request really carried as much data as it claimed, so a remote attacker can make the server reply with up to 64 KB of whatever happens to be in its memory, per request and without any login. That memory can hold user IDs, passwords, session cookies and even the server’s private key. It is a programming error rather than a backdoor, and typical web-server logs record nothing of the requests, so a site cannot easily tell whether it was exploited.
Some security experts feel that end users could do little as the problem lies with the servers and managers of websites.
“Another possible reason for the lesser impact in India is that relatively few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability),” an executive of the Internet security solutions firm Trend Micro told Business Line.
If that is the good news, the bad news is that security experts expect a severe impact on smartphones. Mobile apps also talk to online servers and services to complete many of the tasks that keep you connected to other digital devices via the cloud. Consider this scenario: you key in your credit or debit card details to make a purchase through a mobile app. “Your card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cyber criminals can take advantage of the Heartbleed bug to target that server and steal the card info,” Dhanya Thakkar, Managing Director, India & SEA, Trend Micro, told Business Line. The firm scanned about 3.90 lakh (390,000) apps on Google Play, the Android app store, and found that about 1,300 of them connected to vulnerable servers, including 15 banking apps, 39 online-payment apps and 10 shopping apps.
“This exposure was not as bad as we thought it could be. One of the reasons for this could be the slower Internet infrastructure upgrades by these websites. Older infrastructure (older OpenSSL) was not impacted by this,” he said.
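The reasoning above rests on which OpenSSL builds carry the bug: 1.0.1 up to 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. The following is an added example, not from the article or from any of the firms quoted, that classifies the banner printed by `openssl version`. It carries the one caveat a practitioner needs: Linux distributions backported the fix without changing the version letter, so a build date on or after the fix date (from `openssl version -b`) downgrades a "vulnerable" verdict to "possibly_patched", and only a wire-level probe is conclusive. The banners in the test are constructed.

```python
import re

# Affected: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g / 1.0.2-beta2.
# Not affected: the 0.9.8 and 1.0.0 branches, which predate the heartbeat code.
FIX_DATE = (2014, 4, 7)  # 1.0.1g release date; distro backports began the same day

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|fips))?")
# Matches lines such as "built on: Mon Apr  7 20:33:29 UTC 2014" from `openssl version -b`
_BUILD_RE = re.compile(r"built on:\s*(?:[A-Za-z]{3}\s+)?([A-Za-z]{3})\s+(\d{1,2})\b.*?(\d{4})")
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def classify_openssl_version(banner, build_line=None):
    """Classify an `openssl version` banner as 'vulnerable', 'fixed', 'not_affected',
    'possibly_patched' (vulnerable banner but built after the fix) or 'unknown'."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, tag = m.group(4), (m.group(5) or "")
    if branch < (1, 0, 1):
        verdict = "not_affected"
    elif branch == (1, 0, 1):
        # "1.0.1" with no letter and 1.0.1a..1.0.1f are affected; 1.0.1g and later fixed
        verdict = "fixed" if letter >= "g" else "vulnerable"
    elif branch == (1, 0, 2):
        verdict = "vulnerable" if tag == "beta1" else "fixed"
    else:
        verdict = "fixed"
    if verdict == "vulnerable" and build_line:
        # Backport caveat: Debian/Ubuntu/RHEL kept the 1.0.1e banner after patching,
        # so a build date on or after FIX_DATE means the banner alone proves nothing.
        b = _BUILD_RE.search(build_line)
        if b and b.group(1).title() in _MONTHS:
            built = (int(b.group(3)), _MONTHS[b.group(1).title()], int(b.group(2)))
            if built >= FIX_DATE:
                verdict = "possibly_patched"
    return verdict


if __name__ == "__main__":
    # Constructed banners, not output captured from any real host
    print(classify_openssl_version("OpenSSL 1.0.1e 11 Feb 2013"))
    print(classify_openssl_version("OpenSSL 1.0.1e 11 Feb 2013",
                                   "built on: Mon Apr  7 20:33:29 UTC 2014"))
```

Feed it the two lines from `openssl version` and `openssl version -b` on the host in question; treat "vulnerable" and "possibly_patched" as "confirm with a heartbeat probe", never as a final answer.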
Tips to safeguard
What safeguards must one take to prevent an attack?
“You need to organise a quick security incident response team in place. Upgrade the impacted application or software components to the latest versions available. Regenerate SSL server keys and request users to update their passwords, post the upgrade,” he said. Two details matter in practice: a regenerated key is only useful once a new certificate has been issued for it and the old certificate revoked, because a private key already read out of memory stays usable until then; and password resets must wait until the server is patched, or the new passwords can be read out the same way.
Some e-security firms have launched free tools to check whether a website is affected. On Monday, eScan launched one such tool, which tells users how vulnerable the website they are viewing is to the Heartbleed bug.
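What such checking tools actually test, and why the bug leaks memory, can be shown in one self-contained model. The following is an added example, not code from the article, from eScan or from OpenSSL: it models the server-side heartbeat handler with and without the bounds check that OpenSSL 1.0.1g added, builds the same undersized heartbeat record the public probes send, and decides from the reply whether the server echoed more than it was given. The "heap tail" and the credentials in it are constructed, and no network is used; a real checker sends the probe over a TLS connection after a ClientHello that offers the heartbeat extension.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
TLS_HEARTBEAT = 24        # TLS record content type for heartbeat messages (RFC 6520)
TLS_VERSION = 0x0302      # TLS 1.1 as written on the wire
MIN_PADDING = 16          # a heartbeat message must end with at least 16 bytes of padding

# Constructed stand-in for whatever sits in the server's heap next to the record
# buffer; on a real server this is recent request data, cookies, even key material.
SAMPLE_HEAP = b"Cookie: session=9f3a7c1e; user=alice&password=hunter2"


def tls_record(body, content_type=TLS_HEARTBEAT):
    """Wrap a message in a TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", content_type, TLS_VERSION, len(body)) + body


def heartbeat(claimed_len, payload=b"", padding=b""):
    """Heartbeat message: type(1) payload_length(2) payload padding.
    A Heartbleed probe claims far more payload than it actually sends."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding


def probe_record(claimed_len=0x4000, payload=b""):
    """The classic probe: with no payload this is the bytes 18 03 02 00 03 01 40 00."""
    return tls_record(heartbeat(claimed_len, payload))


class HeartbeatServer:
    """Model of OpenSSL's tls1_process_heartbeat(). The received record sits in a
    heap buffer; `heap_tail` models the memory that happens to follow it."""

    def __init__(self, heap_tail, patched):
        self.heap_tail = heap_tail
        self.patched = patched

    def process(self, record):
        ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
        if ctype != TLS_HEARTBEAT:
            return None
        memory = record[5:5 + rec_len] + self.heap_tail  # what pointer arithmetic can reach
        if self.patched and 1 + 2 + MIN_PADDING > rec_len:
            return None  # first 1.0.1g check: a header and padding must at least fit
        hbtype = memory[0]
        payload_len = struct.unpack("!H", memory[1:3])[0]  # attacker-controlled length
        if hbtype != HB_REQUEST:
            return None
        if self.patched and 1 + 2 + payload_len + MIN_PADDING > rec_len:
            return None  # second 1.0.1g check: claimed payload must fit in the record
        # Unpatched code trusts payload_len and copies that many bytes from just
        # after the header, so the copy runs past the record into the heap tail.
        echoed = memory[3:3 + payload_len]
        reply = struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING
        return tls_record(reply)


def check_server(server, claimed_len=0x4000, payload=b"PING"):
    """Send an undersized heartbeat and classify the reply as a checker does.
    Returns (verdict, leaked_bytes); anything echoed beyond our own payload
    came from the server's memory."""
    response = server.process(probe_record(claimed_len, payload))
    if response is None:
        return "not_vulnerable", b""  # silently discarded, as the fixed code does
    ctype, _version, rec_len = struct.unpack("!BHH", response[:5])
    body = response[5:5 + rec_len]
    if ctype != TLS_HEARTBEAT or len(body) < 3 + MIN_PADDING or body[0] != HB_RESPONSE:
        return "not_vulnerable", b""
    claimed = struct.unpack("!H", body[1:3])[0]
    echoed = body[3:min(3 + claimed, len(body) - MIN_PADDING)]  # drop the reply padding
    if len(echoed) > len(payload):
        return "vulnerable", echoed[len(payload):]
    return "not_vulnerable", b""


def demo():
    """Probe an unpatched and a patched model server backed by the same heap."""
    return {
        "unpatched": check_server(HeartbeatServer(SAMPLE_HEAP, patched=False)),
        "patched": check_server(HeartbeatServer(SAMPLE_HEAP, patched=True)),
    }


if __name__ == "__main__":
    for name, (verdict, leaked) in demo().items():
        print(f"{name}: {verdict} {leaked!r}")
```

The unpatched model answers the 7-byte probe with the probe's own bytes followed by the constructed heap contents; the patched model answers nothing, yet still echoes a correctly sized heartbeat, which is exactly the distinction a scanner relies on.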