Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Who's to blame for 'catastrophic' Heartbleed Bug?

Ellen Messmer | April 11, 2014
German software engineer steps forward to take blame for OpenSSL mistake, but issue goes wider

So who's to blame for the Heartbleed Bug?
Seggelmann takes the blame for introducing the flaw into OpenSSL two years ago by mistake when he sought to add new features. An article quotes him as saying, he "missed validating a variable containing a length," and this oversight, "though trivial," was a simple error.

Is the mistake with this enormous consequence to the whole of Internet security an indictment of the open-source code-vetting process? Responses to that question are mixed.

"A mistake was made and quickly corrected," says Glenn Dodi, senior director, security intelligence and research labs, ThreatTrack Security. Software has bugs all the time, he points out. "Given enough time, effort and money, someone can find a vulnerability in nearly every piece of software. After all, humans are the ones who coded it."

But Dodi expressed hope that "open source technologies should be better funded. Perhaps, if this had more support than it currently does, this vulnerability could have been caught sooner."

Wayne Jackson, CEO of Sonatype, says the flaw in OpenSSL was introduced in version 1.01.1 in March of 2012. "This is not a failing of any standards body, more likely a simple coding error," Jackson says. "Among other things, this event highlights the unfortunate reality that nearly all software will be found to be defective over time. The fact that this took two years to surface is not unusual."

However, he noted the scope of the impact of the Heartbleed Bug is very wide indeed, much more than is being generally reported, he says.

"OpenSSL is embedded in a huge array of technologies — routers, wifi, hubs, firewalls, control systems," and much more, he noted. And these are not necessarily easy or often updated. "This issue will be with us for a long, long time," he adds.

Jackson also says a lesson to be drawn from the Heartbleed Bug is that "we as an industry have dramatically underinvested in software integrity and generally ignored, for a security perspective, the open source building blocks on which the Internet functions. Open source is everywhere. It is the foundation of all modern software applications."

Have cyber-criminals or government spy agencies been exploiting the Heartbleed Bug to steal data?

Of course, many are wondering if attacks are occurring to exploit the newly-disclosed vulnerabilities associated with Heartbleed Bug, since some honeypots are set up to monitor the Internet and identify live attacks. Many wonder if an intelligence agency, such as the National Security Agency, deliberately inserted the big into OpenSSL, though there is no evidence to that. Experts like Schneier say it's an important question but probably not the case with Heartbleed.

The civil liberties group Electronic Frontier Foundation said it is worrying that "blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure."

 

Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.