How Heartbleed Became the Internet’s First Security Superstar

By: Unknown - In: - 0 comments

What's This?


Heratbleed_star

Image: Mashable composite. iStock, filo, Heartbleed


Lance-ulanoff-headshot-sq

By Lance Ulanoff2014-04-14 22:05:50 UTC



For almost as long as we've had personal computers, I've been writing about their various vulnerabilities. Yet in all those years I'd never come across anything like Heartbleed — the Internet's first branded security hole.


Almost as soon as security firm Codenomicon publicized Heartbleed's existence, it was clear this was something different.


Heartbleed.com was a revelation. First of all, the OpenSSL encryption bug had its own logo: the outline of a red heart, ominously dripping blood. It's simple, powerful and most importantly memorable. Codenomicon's Heartbleed FAQ was the clearest security information page I had ever come across. It did not read as if it was written by a company that busies itself testing SSL for the Tier 1 network providers. It was smart and comprehensive, yet utterly comprehensible.


By creating a Heartbleed information destination, Codenomicon spread the news more effectively than if they had run a half dozen commercials on TV. The FAQ did a great job, but it didn't give us the story behind the story — how did Codenomicon do it, and why?



See also: The Heartbleed Hit List: The Passwords You Need to Change Right Now



As we enter week two of Heartbleed awareness, Codenomicon CMO Hope Frank took some time out of her busy schedule to answer our questions via email:


Q: Just how dangerous is Heartbleed at this point? Some say it's worse than we initially thought, others say it's being blown out of proportion.

A: It should be taken seriously. There are numerous services that have not been updated, perhaps partially because of this argument about seriousness or irrelevant topics related to the vulnerability. They key challenge currently is to help people hear about it, and convince them to react quickly. Everyone who was running an affected version of the software and hosting confidential data or devices that are part of critical infrastructure should a) build new secret keys, b) request new certificates and c) Direct everyone to change passwords.


Q: What prompted your team to look for it? Did you get a tip?

A: No. This was part of testing of new features and capabilities in our SSL/TLS fuzzing tools.


Q: Who named it? (I know the name refers to the Heartbeat portion of the code.)

A: Ossi Herrala, one of our experts working on the issue in our Oulu, Finland headquarters.


Q: Were there any rejected logos?

A: Yes.


Q: Can we see them?

A: No. Please note this was not a marketing exercise. Our key goal in all of our FAQ materials at our Heartbleed site was to communicate the significance to several actors using OpenSSL in security-critical places – before – disclosure. After OpenSSL published the vulnerability, we released the FAQ site


Q: Have you created sites devoted to other vulnerabilities or attacks?

A: No. See here for previously reported flaws.


Q: Who are your clients?

A: We produce testing tools for detection of unknown “zero-day” vulnerabilities using technique called model-based fuzzing. Our customers are tier-1 network equipment manufacturers, operators, and carriers, and infrastructure builders. Our tools are also used by security experts proving security assessment services. Another product line for us is focused on situational awareness and automated handling of Network Abuse. This is used in more than 10 national certs around the world, including CERT-FI.


Who are your competitors?

We have not run across competitors. Most of the security testing companies focus only on the web application layer. The market has been mostly "add-on" security; we are more into "build-in" security.


When were you founded?

2001.


How big is the company?

120 people world-wide.


There's no way of knowing if we'll ever see the likes of Heartbleed again. What is clear is that we haven't heard the last of this dangerous security fault.


In the meantime, Codenomicon may have created the model for all future security alerts. Let's just hope that future full-court-press branding is reserved for the truly dangerous ones.


Have something to add to this story? Share it in the comments.


Topics: Apps and Software, heartbleed, Heartbleed Bug, security, Tech




About the author

author Admin

Duis sed tellus et tortor vestibulum gravida. Praesent elementum elit at tellus. Curabitur metus ipsum, luctus eu, malesuada ut, tincidunt sed, diam. Donec quis mi sed magna hendrerit accumsan.

0 comments:

Subscribe to: Post Comments (Atom)

Copyright © 2013 Online Free Magazine and Blogger Templates

Back to Top