Heartbleed Also Affects Mobile Apps and Networking

Apr 19, 2014 7:28 AM

The recent Heartbleed vulnerability has potentially exposed millions of passwords, credit card numbers and other personal identifiers.

The flaw created an opening in OpenSSL, the most common encryption technology on the Internet. OpenSSL is designed to protect data in transit, including email, instant messaging and e-commerce transactions. The vulnerability lets hackers read server memory, which could allow hijacking of accounts or theft of the private keys used to decrypt communications.

Since Heartbleed went undetected for so long, the scope of compromised information is still unclear, but many online businesses are urging users to change their passwords as a precautionary measure.

“Today it’s Heartbleed and tomorrow it will be another data breach or vulnerability,” says Alisdair Faulkner, chief products officer, ThreatMetrix. “Passwords are a static means of security and are frankly obsolete as a stand-alone authentication solution in today’s cybersecurity landscape. Once account login information is obtained, cybercriminals have access to personal data used for committing bank fraud or falsifying credit card transactions – the possibilities are endless. Security should not just rely on point-in-time authentication solutions. Instead, continuous evaluation of trust is required based on what the user is attempting to do.”

The Heartbleed security flaw affects not only websites but also mobile applications and networking equipment, such as routers and printers, that connects homes and businesses to the Internet (also known as the Internet of Things). As more and more devices move online through the Internet of Things, hacks and cybersecurity breaches are becoming more common.

Businesses need to stay one step ahead of threats such as Heartbleed and implement preventative cybersecurity strategies in place of passwords and other forms of static authentication. Suggested strategies include:

Real-time trust analytics: Move beyond just big-data collection and improve effectiveness of controls with real-time analysis of device, location, identity and behavioral context for every authentication attempt. Real-time trust analytics offer unprecedented identity authentication policies for businesses and enterprises by comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more.

Enhanced mobile identification: Detects jailbroken devices and offers location-based authentication, protecting mobile transactions by indicating when the mobile operating system has been breached and the security of applications has been compromised.

“To protect against future attacks like Heartbleed, businesses need to move beyond legacy verification and authentication solutions and recognize the benefits of leveraging a collective approach to cybersecurity,” says Faulkner.

In addition to businesses implementing real-time trust analytics and other collective cybersecurity strategies, consumers can also take responsibility for protecting their online identities. Specifically, consumers can protect against threats such as Heartbleed by ensuring location information on social networks is encrypted, using different passwords across sites and not storing passwords on any devices.

  • Checkbit

    “Potentially”… So remember you should only be potentially worried because this article deals in potentials instead of reality. A quick search will lead you to articles which deal in the reality of the bug and not in fantasy. Oh, and here’s a bit of reality for you: OpenSSL had a patch available before the story even broke.

  • jhoger

    What does detecting jailbroken devices have to do with data security? I mean other than securing corporate profits?

  • Cheyenne Kid

    Don’t you know there are vault apps for you to use? If you are using randomly generated passwords it is impossible to remember all of them, so you use a vault to store and organize them, protected with a master password. And keep a master list in a safe or any secure location in your home you can access if needed. And use one that logs you into your sites in the app’s secure browser. I am using Dashlane myself and am very happy with it. I had an email account hijacked and told myself I am going to make it a lot more difficult to do from now on. And two-step verification is another step you can take. When you log in they send you a text which Siri or Skyki can display right on your screen for input. And if you lose your phone or it is stolen, take the master list and change your passwords as quickly as you can. If you have secured your lockscreen and used a vault, they have to crack your code or password on your lockscreen and then try to crack the password on your vault, if they can even find the app first. So you do have some time, but don’t dawdle getting it done!

  • RolfRen

    Luckily I use a password manager (Sticky Password) which helps me with struggling with creating strong and unique passwords for all the websites I have accounts for.

  • Security Maniacs

    As Cheyenne Kid said: If you use a password generator with a safe password vault, don’t be afraid. I can only recommend my password manager (Sticky Password) – more about Sticky and Heartbleed here – http://blogen.stickypassword.com/sticky-password-and-the-heartbleed-bug/