With numerous high-profile security disclosures this year (Heartbleed, POODLE and Bash), are there more vulnerabilities in today's software, or are we just paying more attention?
A Rash of Incidents
January 2014 started the year with a dose of paranoia and alarm as Target Corporation announced it had been the victim of a large-scale attack using malware written specifically to target Point of Sale (POS) systems. With millions of credit card numbers captured by thieves, the public spotlight was beginning to shine brightly on the topic of information security.
In April, the Heartbleed vulnerability was discovered in OpenSSL, the library that encrypts traffic between clients and web servers on millions of websites. The spotlight on information security grew brighter as mainstream media outlets such as the Washington Post and New York Times reported on the newly discovered flaw.
In the following months several additional high-profile disclosures were made: another Point of Sale vulnerability was found, news broke of a serious issue in the Bourne-Again Shell (Bash) used on Linux and Unix systems, and a nasty flaw in SSL 3.0 (POODLE) was discovered.
What's Going On?
Why are all of these different types of systems having issues? Why are mainstream media picking up on it?
I think there are several reasons for this. First, security is no longer something that "someone else" takes care of. As people depend on computers and connected systems for nearly everything, from their bank to their car and even their refrigerator, they are becoming more aware of the impact security has on those systems. They pay more attention to what is going on around them and are more wary of the systems they use.
Second, there really haven't been more issues than in the past; these particular vulnerabilities are simply very visible because the US media makes them visible. SSL 3.0, OpenSSL and Bash are all widely used, so when a vulnerability is found in one of them, everyone runs around screaming that the internet is going to fall apart.
The Next Step
Unfortunately, fear and hype get more page views than less sexy vulnerabilities like Microsoft's MS14-058, "Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution," or the 57 bulletins that came before it this year. Even though MS14-058 affects every Windows computer running Vista or newer and is rated "Critical," I don't recall seeing any New York Times articles about it.
If we use the US Computer Emergency Response Team's (US-CERT) alerts as an indication, 2013 was a much more vulnerable year than 2014. US-CERT issues alerts in order to "provide timely information about current security issues, vulnerabilities and exploits." US-CERT issued 26 alerts in 2013 but only 10 as of October 2014.
So what is the takeaway from all of this? As long as humans write software, there will be software bugs. You should do your best to protect your data by using strong passwords and being a smart consumer: don't click on links in email, don't give personal information to untrusted sources, and never give out your password. Also, keep your computer up to date by installing security and bug fixes soon after they are released. Companies will do their part too by patching vulnerable systems. The last bit of advice is to be wary of articles claiming that the next big vulnerability is going to kill off the internet. Bugs will be found and bugs will be fixed. Yes, data will be compromised, but this is all part of life on the digital highway. No one said it would be a smooth ride.