The internet has become the primary medium of communication in the era of globalization, an era dominated by information and communication technologies. The internet, a network of networks, carries massive volumes of data over secure as well as insecure channels and media. The security requirement of data is determined by its value or importance. Communication between a user and a newspaper website need not be secured, but the channel has to be secure when the user enters a password for email access, or uses a credit card or internet banking for e-commerce. In the context of data security, encryption plays a very important role, and the strength of an encryption algorithm lies in the process of standardization and in key or certificate management. Vulnerabilities in standards, in widely used operating systems or in application software have a deep impact on the security of systems and of sensitive information.
The recent instances of vulnerabilities being discovered in cryptographic standards and in Internet Explorer have not just opened Pandora's Box for security firms and experts, but have also reinforced the reality that the cyber domain can be exploited by state or non-state actors. The Heartbleed bug was a serious vulnerability in OpenSSL, the widely used cryptographic library. The Secure Sockets Layer (SSL) provides communication security and privacy over the internet for applications such as the web, email (the SMTP, POP and IMAP protocols), Instant Messaging (IM) and some Virtual Private Networks (VPNs). It has been the standard technology for encrypting the link between a server and a client, used by millions of users every day on the Internet to transmit confidential information. The identified vulnerability allows the theft of information that SSL would, under normal conditions, protect during data transmission over the Internet. The stolen information could be used to compromise the secret keys of the cryptographic protocol, which are used for identification and encryption, as well as names and passwords, making eavesdropping easy for the attacker. It is worth noting that Heartbleed is not a design flaw but an implementation issue: a mistake in the programming of one of the OpenSSL libraries. OpenSSL is an open source project, and it is used in web servers such as Apache and nginx, which serve numerous websites across the globe. Given the penetration and widespread use of the technology, this leaves a vast number of websites and users vulnerable to attack. Servers still running without the security patch remain under continuous threat, a major challenge for both damage assessment and mitigation.
Another incident was the security flaw in the commonly used web browser Internet Explorer, which surfaced at the end of April. This zero-day exploit was found to affect about 55 percent of computer users, since they run versions 6 through 11 of Internet Explorer. The attack relied on a corrupted Adobe Flash file which, once exploited, could let the hackers run arbitrary code on the compromised computer. The vulnerability was reportedly being actively used by threat actors, and the campaign has been dubbed "Operation Clandestine Fox". In this case the massive user base increases the ease of attack, as every computer running one of the affected versions of Internet Explorer is vulnerable, which could lead to a breach of the network as well.
Vulnerabilities in widely used software and standards are not uncommon. They arise in the form of design flaws, bad programming or memory management, loose security controls, human error and implementation issues, and they could also be deliberate attempts by security agencies. The National Security Agency (NSA) of the U.S. has been surrounded by controversies over its interference or alleged role in the standardization of encryption protocols. For instance, the key size of the original algorithm proposed for the Data Encryption Standard (DES) was 128 bits, but it was reduced to 56 bits when DES was adopted. Moreover, many cryptanalysts have questioned the mysterious S-boxes, which were designed in close consultation with the NSA and are assumed to be the "backdoor" with which the NSA could decrypt DES-encrypted data without the key. In 2007, Bruce Schneier, a world-renowned cryptographer, raised suspicion about the involvement of the NSA in the development of the National Institute of Standards and Technology (NIST) standard Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which is used by the RSA cryptosystem, as a probable "backdoor". Instances of such vulnerabilities surfacing in the public domain raise many questions about the role of intelligence agencies in stockpiling and exploiting these vulnerabilities for espionage. The NSA was accused of having known about Heartbleed two years earlier, although the agency denied it.
In conclusion, vulnerabilities are numerous within operational software, protocols and standards; the discovered ones are reported and patched, but undiscovered ones are being exploited by attackers for information theft, network intrusion, espionage or cyber crime. Although such vulnerabilities are promptly patched by software firms, many questions remain unanswered for technology leads: Who has been exploiting the vulnerability, and for how long? Which systems were compromised by the vulnerability, especially those that make up the Critical Infrastructure? They have to ensure that patches are implemented across IT platforms, that security updates are applied thoroughly, that baselines are maintained, and that patches for identified vulnerabilities in standard software are applied to the computing base at the earliest.
There are numerous ways to mitigate the threats, and security leads have to ensure that firewalls are properly configured and that antivirus and Intrusion Detection Systems or Intrusion Prevention Systems are in place for early warning and detection. The deep penetration of standard applications leaves many systems unpatched and vulnerable to exploitation, and many of these systems run critical sectors such as energy and banking. Since Microsoft has stopped support for its widely used operating system Windows XP, the woes of the banking sector have increased manifold, as banking systems and most ATMs still run on Windows XP. The critical infrastructure sectors need to review computer security configurations on a daily basis and manage the timely upgrade of software and hardware for business continuity. Security flaws, whether discovered as zero-day exploits, left unpatched or deliberately planted, are going to challenge the security of information as it traverses the Internet.
Disclaimer: The views expressed in this article are personal.
Munish Sharma, Research Assistant, Department of Geopolitics and International Relations, Manipal University.