Heartbleed bug not a failure of tech security

Cape Town - The Heartbleed bug does not represent a failure in the technology behind security, rather it indicates that there was a lack of implementation, a security expert has said.

Computer security professionals have been in panic over the bug which can be exploited to steal encrypted information such financial data.

"Heartbleed does not represent a failure in math behind the security. In fact, it was an implementation flaw in a part of code that had nothing to do with encryption," John Miller, Trustwave Security Research manager told News24.

The bug exploits a vulnerability in OpenSSL which is used to transmit encrypted data. Typically, access to a secure website is provided by typing in "https", but the bug allows hackers to steal data transmitted through secure channels.

"Heartbleed will stand as a reminder that security is hard and that even simple bugs can have wide ranging and unexpected consequences," said Miller.

Detection systems

In 2013, reports emerged that banks lost millions to an international card fraud syndicate.

The scam hit businesses that make use of the point of sales terminals and the Dexter malware as it is known, was used to gather customer information and sold to other criminals.

"Unfortunately, as much as we'd all like to see perfection, we're stuck in an imperfect world and must deal with such events when they occur. An organisation's response to these severe events can serve as a metric of their trustworthiness," Miller warned.

He said that automated system controls serve to slow a criminal attacking a network, but without a response, these controls don't provide much of a defence.

"Automated security controls serve to slow an attacker, detect and alert when an attack is occurring, and allow a system defender to respond. Without all three of those components, security controls don't end up providing all that much security."

Heartbleed attacks can slip through detection systems because the bug leaves no trace and only allows small bits of information to be compromised at a time.

"With a compromised SSL key, an attacker is able to impersonate the affected server nearly undetectably. Human behaviour comes into play when we consider how users establish trust in other systems," Miller said, adding that people could be duped into trusting a malicious system.

"For SSL, users rely on a chain of trust going from their software to a set of root certificate authorities. Any failure in that chain can result in users incorrectly trusting a malicious system."

 - Follow Duncan on Twitter
We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For 14 free days, you can have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today. Thereafter you will be billed R75 per month. You can cancel anytime and if you cancel within 14 days you won't be billed. 
Subscribe to News24
Voting Booth
Please select an option Oops! Something went wrong, please try again later.
Nappies, they cost too much
6% - 171 votes
Formula and food, it's getting so expensive
18% - 496 votes
Creche and school fees are a struggle every month
76% - 2143 votes
Rand - Dollar
Rand - Pound
Rand - Euro
Rand - Aus dollar
Rand - Yen
Brent Crude
Top 40
All Share
Resource 10
Industrial 25
Financial 15
All JSE data delayed by at least 15 minutes Iress logo
Editorial feedback and complaints

Contact the public editor with feedback for our journalists, complaints, queries or suggestions about articles on News24.