Venom, Heartbleed and Bash might sound like the line-up at a heavy metal concert, but these are actually three of the most publicised vulnerabilities to have swept the internet over the last year…
For those unfamiliar with the term, a vulnerability is a security flaw inherent in a piece of software that can leave it susceptible to attack. Just like a loophole in a legal document, it’s often identified by people probing for weaknesses; another similarity is that it can be difficult to repair the damage once it’s occurred.
So why do you need to know about vulnerabilities?
Hackers and criminals are constantly probing software looking for points of entry, while security experts and software companies try to spot and repair such weaknesses. If a vulnerability is identified by the hackers first, valuable personal information like passwords or online banking details could be stolen. Indeed, this has just happened to the US Government. Sometimes, the actions of cyber-criminals can be so harmful that a vulnerability issue becomes global news, as it did last autumn when Russian hackers known as CyberVor stole usernames and passwords from 420,000 websites worldwide and compromised over half a billion email addresses.
Most vulnerabilities are less significant, but they can still be hugely damaging. For instance, Linux and Unix distros running the Bash shell were exposed last autumn as having a critical vulnerability. This allowed attackers to execute their own code remotely, exploiting a previously unknown flaw in the way Bash handled function definitions. Earlier in 2014, a problem in OpenSSL, a widely used implementation of the secure socket layer protocols, risked exposing encrypted data like passwords on web servers around the world. Known as Heartbleed, it had been present for two years before a Google security researcher identified it. Heartbleed was particularly significant because it affected the servers hosting trusted platforms like Facebook and Gmail, whose information should always be transmitted securely.
Is there anything you can do to protect yourself?
From a personal perspective, there are various steps that can be taken to secure your data against unforeseen vulnerabilities in third-party software. Never open emails from unknown sources or click on links contained within an email body – some spam messages look surprisingly authentic nowadays. Always ensure you have effective antivirus and anti-malware software installed on home computers, with automatic updates and regular scheduled scans.
Hard-to-guess passwords can also reduce the risk of your data being compromised. It’s extremely unlikely anyone could guess your password if it comprised the registration plates of the first two cars you owned. Did you know that the odds of randomly guessing F636KGAE65JSC are 170,581,728,179,578,208,256 to one? It can be tricky to remember passwords constructed using a mixture of upper/lowercase letters, numbers and symbols, but non-words are safer than anything listed in a dictionary. Change your passwords in the event of any security breach being reported, and write down the new codes in an offline location like a diary.
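As an added illustration of the odds quoted above (example code written for this page, not code from the original post or from UK2), the following Python works out the guessing space of a password from the character classes it uses. It assumes the password was chosen uniformly at random from the smallest standard alphabet that contains all of its characters; for the plate-style example that alphabet is upper-case letters plus digits, 36 symbols, which is the model that gives 36^13 = 170,581,728,179,578,208,256 candidates. The guessing rate and dictionary size used in the comparison are constructed figures for illustration only.

```python
"""Estimate how many guesses a blind attacker needs for a given password.

Added example, not UK2's code. Model: the attacker knows which character
classes are in use and has to try every combination, so a password drawn
uniformly from an alphabet of size A with length L has A ** L candidates.
"""
import math
import string

# Standard character classes; a password "unlocks" a class by using any
# character from it. string.punctuation holds 32 printable ASCII symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digits": set(string.digits),          # 10
    "symbols": set(string.punctuation),    # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(password: str) -> int:
    """Number of equally likely candidates: the 'N to one' odds of one blind guess."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker trying every candidate at a fixed rate.

    The rate is a caller-supplied assumption: online logins permit only a few
    guesses per second, offline cracking of a leaked hash permits far more.
    """
    return keyspace(password) / guesses_per_second


def dictionary_word_keyspace(dictionary_size: int) -> int:
    """A password that is a dictionary word has only as many candidates as
    the dictionary has entries, however long the word is."""
    return dictionary_size


if __name__ == "__main__":
    # Constructed sample passwords; the first is the figure quoted in the post.
    for pw in ["F636KGAE65JSC", "password", "Tr0ub4dor&3"]:
        print(f"{pw:14} alphabet={alphabet_size(pw):3d} "
              f"keyspace={keyspace(pw):,} ({entropy_bits(pw):.1f} bits)")
    # Constructed rates: 10 guesses/s for an online login form versus
    # 1e10 guesses/s for offline cracking of a leaked fast hash.
    for rate in (10, 1e10):
        print(f"exhaust F636KGAE65JSC at {rate:g}/s: "
              f"{seconds_to_exhaust('F636KGAE65JSC', rate) / 31_557_600:.3g} years")
    print("English-word password candidates:", dictionary_word_keyspace(170_000))
```

The "to one" figure in the post is the chance of a single blind guess succeeding. The keyspace is the same whether the attacker guesses at a login form or at a leaked password hash offline, but the guessing rate differs by many orders of magnitude, which is why the post's advice to change passwords as soon as a breach is reported matters even for long random passwords.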
Site administrators should consider installing a two-step verification process, which can provide another layer of security. Online banking is a good example of this, where a user/account number is typically followed by personal information like partial dates of birth or specific characters from an additional password. It’s also possible to receive email alerts from organisations like Microsoft and US-CERT, providing updates on the latest security issues and vulnerabilities.
Finally, bear in mind that we specialise in responding to security threats and preventing unauthorised security breaches. When Heartbleed was first reported we immediately checked our servers and protected our customers against this global OpenSSL vulnerability.
Choose UK2 to host your website, and we’ll be on top of all things security.