Heartbleed slows down the internet

News by Steve Gold

As Hearbleed slows down the internet, experts say that two-factor authentication may the way forward to protect our web sessions.

Trend Micro has warned that the Heartbleed openSSL vulnerability may be slowing down the Internet - to the extent of significantly hitting the Deep Web, including services such as TOR (The Onion Router), which is used by millions of people worldwide as a means of anonymising their web sessions. 

According to Trend Micro's VP of technology and solutions JD Sherry, the SSL exploit that the Heartbleed open-source coding error has opened up may be causing a slowdown of the Web, especially in the so-called Deep Web, where pay-for anonymous services exist.  

In parallel with this development news filtered overnight that 19-year-old Canadian Stephen Arthuro Solis-Reyes had been arrested for hacking into the website of the Canada Revenue Agency (CRA).  Solis-Reyes has been arrested in connection with hacking into the CRA's website by the Royal Canadian Mounted Police, which alleges that the teenager stole around 900 social insurance numbers. 

Mike McLaughlin, a senior penetration tester with First Base Technologies, told SCMagazineUK.com that the Heartbleed issue highlights the fact that web users - especially those in business - should really be using multiple players of security when accessing the Internet, including the use of 2FA (two-factor authentication) to better secure their sessions. 

It is, he explained, turning out to be a very expensive issue for a great many companies, as they scramble to remediate the openSSL vulnerability. 

The problem that Heartbleed highlights, he says, is that commercial enterprises have placed their faith in open source coding professionals who are not being paid for their efforts. A commercial company, he adds, would have coding professionals in place to ensure their applications are coded securely. 

"The key takeout for me is that people now need to realise how important the use of 2FA security is," he said. 

McLaughlin's comments were echoed by Andy Kemshall, technical director with tokenless 2FA specialist SecurEnvoy, who said that users of the tokenless 2FA process would not be compromised by the Heartbleed issue. 

"This is because, at best, cyber-criminals would only be able to capture single use passcodes from computer memories. But these are valid only once and would have already expired, that is, ceased to be functional," he explained. 

Tom Cross, Lancope's director of security research, is also in favour of 2FA security to counter Heartbleed security issues, saying that it would be good to see wider use of 2FA on the Web, as attacks that compromise passwords are a frequent event.

"Some 2FA technologies provide additional protection against Heartbleed - in that credentials stolen from a server cannot be replayed, and private keys stored on a smart card are not stored in client memory," he said. 

Stephen Coty, chief security evangelist for Alert Logic, agreed, saying he is a big believer in the `security in depth strategy.' 

"On top of using SSL for web browsing, for the average user I would use web reputation tools such as web of trust, Avast Browser Security and Web Reputation Plugin, that will check and verify the site you are going to for reported malicious activity and Internet reputation of the IP space its using." he said. 

"Sometimes your anti-virus solution will have a plug-in for your browser. So check the tools available in your AV suite. If you are browsing from a corporate space there are Web filters that can be used from a corporate level. There are great tools like Websense and Bluecoat that deliver daily/hourly updates to their filtration that denies traffic to environments that would be reported as malicious by scans, reputation or analysis," he added. 

Andy Davies, head of researcher with Pentura, the security consultancy, however, argued against the need for extra layers of security such a 2FA technology, saying that, once the Heartbleed vulnerability is fixed, he does not believe an additional layer of security is needed to protect users' browsing. 

"It is possible to use Heartbleed to grab a server's private encryption key, allowing an attacker to spoof a connection or create a faked, legitimate-looking Web site to collect user data," he said, adding that the user would have to be connected for a long time for an attacker to capture sufficient sensitive information. 

"And as the Heartbleed fix is being rolled out widely, there are much bigger everyday security risks for users, such as connecting to open WiFi hotspots which could be sniffing traffic," he noted.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews