Newly-discovered OpenSSL bug potentially leaves over two-thirds of global web servers vulnerable to attack
Experts at Gulf Information Security Expo & Conference to deliver valuable insight on resources and latest developments in the field
Dubai, United Arab Emirates
More than 17% of the Internet's secure web servers are believed to be vulnerable to the Heartbleed security bug attack*, allowing the theft of servers' private keys and users' session cookies and passwords. To address countermeasures against this potentially devastating bug, leading experts will provide ‘Healing’ insights at the second Gulf Information Security Expo & Conference (GISEC) 2014 from 9 to 11 June at Dubai World Trade Centre (DWTC).
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows stealing information that is, under normal conditions, protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Leading information security experts, including Robert Bigman, former Chief Information Security Officer at the CIA; Mikko Hypponen, Chief Research Officer at F-Secure; Nader Henein, Advance Security Solutions, Advisory Division, Blackberry; and Nicolai Solling, Director of Technology Services at Help AG, which is currently assessing market requirements for Managed Security Services, will tackle various aspects of Heartbleed, which was publicly disclosed as recently as 7 April 2014.
“Heartbleed is exactly what happens when you stop paying attention to the details. This race to the bottom that seems to have taken over the industry with the push to consumerisation is not about sacrificing security for usability; it’s about finding a solution that does not require you to compromise on either. There is no such thing as ‘Good Enough’ when it comes to security,” said Nader Henein, Advance Security Solutions, Advisory Division, Blackberry.
Nicolai Solling, Director of Technology Services at Help AG, said: “What I can say is that organisations have been very busy making sure they are not vulnerable to cyberattacks. Immediately after news of the vulnerability broke, we sent out communications from our support help-desk and were continuously in touch with our customers in addressing the impact. In the first three days alone since it was exposed, there were over 60 cases registered, and numerous devices were patched and certificates re-issued.
“The response has been excellent and all the customers to whom we provided the service as per the contract agreements are now secured against Heartbleed. I must emphasise that it is important not only to patch the affected servers but also to reissue the certificates, since the private keys were exposed by the vulnerability,” he added.
Konstantinos Karagiannis, Director of Ethical Hacking Centre of Excellence at BT, commented: “The panic surrounding Heartbleed reminded the industry what could happen when many applications and servers around the world are vulnerable to a security flaw. Imagine what would happen if every secure communication stream in the world became vulnerable. Quantum computing has the potential to enable the first organisations that build such machines to eavesdrop on virtually any encrypted data streams at will. BT is working with partners to develop the next generation of encryption schemes that may be a requirement for true data safety in the near future.”
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
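The memory exposure described above comes down to one missing length check in the TLS heartbeat handler. The following C model is an added example, not code from OpenSSL or from anyone quoted in this release: it assumes a constructed memory image (a record followed by stand-in "adjacent memory") and shows why the patched handler must compare the peer's declared payload length against the record it actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed memory image (a teaching model, not OpenSSL's real heap layout):
 * a TLS heartbeat record as the record layer delivered it, followed by bytes
 * that stand in for unrelated process memory (keys, cookies, passwords). */
static const uint8_t ARENA[] = {
    0x01,                   /* HeartbeatMessageType: heartbeat_request       */
    0x00, 0x40,             /* declared payload_length = 64; only 4 follow   */
    'p', 'i', 'n', 'g',     /* the payload actually sent                     */
    0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding required by RFC 6520      */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* everything below is "adjacent memory" that must never be echoed      */
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S',
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S',
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S',
};
#define RECORD_LEN 23u  /* 1 + 2 + 4 + 16: bytes the record layer received */

/* Parse one heartbeat record and copy the payload that would be echoed back.
 * Returns the payload length, or -1 to discard the record. 'patched' enables
 * the check added by the OpenSSL fix: header + declared length + padding
 * must fit inside the record that was actually received. */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, uint8_t *out,
                    size_t out_cap, int patched)
{
    if (rec_len < 3 || (rec[0] != 1 && rec[0] != 2))
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (patched && 1 + 2 + payload + 16 > rec_len)
        return -1;                     /* declared length exceeds the record */
    if (payload > out_cap)
        return -1;
    memcpy(out, rec + 3, payload);     /* unpatched: trusts the peer's length */
    return (int)payload;
}

/* Would the echo reveal bytes from outside the record? 1 = yes, 0 = no. */
int echo_exposes_adjacent_memory(int patched)
{
    uint8_t out[256] = {0};
    int n = heartbeat_parse(ARENA, RECORD_LEN, out, sizeof out, patched);
    if (n < 26)
        return 0;   /* discarded, or too short to reach past the record */
    /* out[20] corresponds to ARENA[23], the first byte after the record */
    return memcmp(out + 20, "SECRET", 6) == 0;
}
```

The patched handler discards the malformed record outright, which is why patching alone stops further leakage but cannot recover keys already read, hence the advice below to reissue certificates.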
“GISEC has identified that the Heartbleed bug could have disastrous consequences if the threat is not managed properly and quickly. With several eminent authorities in the field of information security convening at GISEC, those who would like to learn more about Heartbleed can find their answers at the event, and they will gain global insight as well as grasp the regional impact and the industry’s latest response to this threat,” said Trixie LohMirmand, Senior Vice President, Dubai World Trade Centre, organisers of the exhibition and conference.
In this context, topics such as ‘Learn how we can prevent another Heartbleed’, ‘Maximising incident response speed’, ‘How to avoid the “Heartbleed” threat’ and ‘7 Ways to Stop the Heartbleed’, amongst others, will be discussed by speakers and vendors alike.
Robert Bigman’s keynote address on Day 1 of the GISEC Conference will shed light on the Heartbleed vulnerability, especially clear prevention methods the audience can use to protect their internal corporate networks, under the theme ‘Change the way you connect to the internet’. Mikko Hypponen, the man who tracked down the authors of the first PC virus ever recorded, will deliver his keynote address on Day 2 of the GISEC Conference and will discuss critical information security issues and how to achieve stronger protection. Wim Remes, Chairman of the Board of Directors at (ISC)², will focus on strategies to map out existing infrastructures in order to protect them adequately against realistic threats, among several other speakers.
The conference segment of GISEC, from 10 to 11 June, will host delegates from over 18 countries and explore global cybersecurity vulnerabilities and threats against systems, applications and personal networks. The free-to-attend security sessions, comprising vendor-run educational presentations, workshops, demonstrations, informative speeches and case studies, will give IT professionals useful insights to help defend their businesses from cyberattacks.
As the region’s only large-scale information security platform, GISEC will gather industry, government and thought leaders as well as international and regional cybersecurity experts from business verticals such as IT, oil & gas, banking & finance, government, legal, healthcare and telecoms to meet the growing requirements for information security and countermeasures in the region.
The must-attend event is set to draw 3,000 trade visitors from 51 countries and more than 100 exhibitors from the world’s leading information security companies and brands. 91% of last year’s attendees were purchasing decision makers from a wide range of industries.
Powered by GITEX TECHNOLOGY WEEK, the region’s leading Information and Communications Technology (ICT) event, GISEC is strictly a trade-only event and is open to business and trade visitors from within the industry only. GISEC is open 10am-6pm from 9-11 June. Visitor attendance is free of charge. For more information, please visit www.gisec.ae.
*Note:
- The Heartbleed bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported it to NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.
- Heartbleed bug image source: nickstech.net