Heartbleed, heartburn and how to deal with today’s events
Christian Karasiewicz
This blog post was contributed by Bhargav Perepa, a WebSphere IT Spec
Are you feeling mobile withdrawal symptoms? Are you living like a Neanderthal, disconnected from your mobile devices because of the disclosure of the Heartbleed vulnerability in the OpenSSL library? Rest assured, you are in very large company.
A billion smartphones were sold in 2013 according to mobilethinking.com, and smartphone users employ their devices for many reasons.
We engage in daily routine and mission critical activities (for both personal and business purposes) using mobile devices, and OpenSSL is present in many of these engagements behind the scene.
Mobile devices are uniquely positioned to be more vulnerable for a couple of reasons. One is their portability: because they are portable, they are prone to physical theft, user forgetfulness or misplacement. Another is that mobile devices have a concept known as rooting and jailbreaking. Rooting and jailbreaking both refer to acquiring administrative privileges on the device without the approval of some stakeholder (the device OS vendor, your IT department, or the applications running on it).
Consider the following wisdom from TechNet:
If a bad guy has unrestricted physical access to your mobile device, it's not your mobile device anymore (nor his if someone else steals from him).
Given how critical mobile devices are to our daily lives, we need to be extra aware of mobile vulnerabilities. The moral of the story is: do not lose your smartphone if you have rooted or jailbroken it—if you can help it!
How could Heartbleed vulnerability potentially affect the Worklight community?
Here is an update from our IBM Worklight, WebSphere development and thought leadership team members respectively (Bill Dodd, Bill J. O’Donnell and Dustin Amrhein).
For the Worklight Server: We do not use OpenSSL in IBM Worklight Server. SSL termination for the Worklight Server is handled by the application server (WebSphere, Liberty or Tomcat). WebSphere and Liberty are not affected by this vulnerability. Per our understanding, Tomcat may be using OpenSSL, depending on configuration options. Hence clients using Worklight Server on Tomcat should verify whether their Tomcat installation is vulnerable and, if so, take recommended actions.
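The verification step above is the part most Tomcat administrators have to work out for themselves, so here is a small triage script. It is an added example for this post, not code from IBM, the Worklight team or the Tomcat project. It checks the two signals a defender needs: whether the host's OpenSSL build (the text printed by `openssl version`) falls in the affected upstream range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and whether Tomcat's `server.xml` has a TLS connector running on the APR/native protocol (`org.apache.coyote.http11.Http11AprProtocol`), which is the configuration under which Tomcat hands TLS to OpenSSL instead of the Java (JSSE) stack. The version string and `server.xml` in the block are constructed samples; on a real host you would feed in the actual command output and configuration file.

```python
"""Added example: triage whether a Tomcat host could be exposed to Heartbleed.

Signal 1: is the OpenSSL build on the host in the affected upstream range?
Signal 2: does server.xml route any TLS connector through APR/native (OpenSSL)?
"""
import re
import xml.etree.ElementTree as ET

# Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g (and 1.0.2-beta2) carry the fix; 0.9.8 and 1.0.0 never had the bug.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Real Tomcat class name for the APR/native connector.
_APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def openssl_version_in_affected_range(version_line):
    """True if the `openssl version` output names an affected upstream release.

    Caveat: Linux distributions backported the fix without bumping the upstream
    letter (a patched package can still print 1.0.1e), and builds compiled with
    -DOPENSSL_NO_HEARTBEATS are not affected. Read True as "investigate further
    against your vendor's advisory", not as "confirmed vulnerable".
    """
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_line)
    major, minor, patch, letter, beta = m.groups()
    version = (int(major), int(minor), int(patch))
    if version == (1, 0, 1):
        # bare 1.0.1 (letter == "") through 1.0.1f; 1.0.1g onwards is fixed
        return letter <= "f"
    if version == (1, 0, 2):
        return beta == "1"
    return False


def tls_connectors_to_review(server_xml_text):
    """Return (port, reason) for each SSLEnabled <Connector> that may use OpenSSL.

    reason == "apr":  the APR/native protocol is named explicitly.
    reason == "auto": protocol="HTTP/1.1" lets Tomcat pick APR automatically
                      when the tcnative library is on the library path, so the
                      host must be checked for that library as well.
    Connectors on an explicit JSSE protocol (e.g. Http11NioProtocol) terminate
    TLS in Java and are skipped.
    """
    findings = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP: no TLS here at all
        protocol = conn.get("protocol", "HTTP/1.1")
        port = int(conn.get("port"))
        if protocol == _APR_PROTOCOL:
            findings.append((port, "apr"))
        elif protocol == "HTTP/1.1":
            findings.append((port, "auto"))
    return findings


# Constructed sample inputs (not from any real host).
SAMPLE_VERSION_LINE = "OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8444" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def heartbleed_triage(version_line, server_xml_text):
    """Combine both signals into one report dictionary."""
    return {
        "openssl_version_affected": openssl_version_in_affected_range(version_line),
        "connectors_to_review": tls_connectors_to_review(server_xml_text),
    }


if __name__ == "__main__":
    report = heartbleed_triage(SAMPLE_VERSION_LINE, SAMPLE_SERVER_XML)
    print("OpenSSL version in affected range:", report["openssl_version_affected"])
    for port, reason in report["connectors_to_review"]:
        print("review TLS connector on port %d (%s)" % (port, reason))
```

A host is only at risk when both signals line up: an affected OpenSSL build and a connector that actually uses it. A connector on an explicit NIO or BIO protocol never touches OpenSSL, whatever version is installed, and a host with no tcnative library will run an `"auto"` connector on JSSE. The remediation for a positive finding is the one the post already gives: apply the recommended fix (a patched OpenSSL/tcnative build, then restart Tomcat and re-issue any certificates whose private keys may have been exposed).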
For the Worklight client: Customers using Worklight client mobile applications with FIPS 140-2 capabilities enabled (for data in motion security) are at risk of the Heartbleed vulnerability. For more information, please visit IBM Security Bulletins.
Stay ahead of threats
IBM X-Force Research and Development employs security professionals to monitor and analyze a variety of security issues, including threats stemming from usage of mobile and portable technologies. It also produces the IBM X-Force Threat Intelligence Quarterly report to help clients.
IBM X-Force Threat Intelligence Quarterly - 1Q 2014 is available now and covers the topic of “Mobile threats: Perception versus reality” (page 12). As I mentioned previously, when mobile devices are stolen or forgotten or otherwise orphaned, these devices could potentially contain valuable enterprise data related to electronic protected health information (ePHI—such as lab results or other patient information in email format), personally identifiable information (PII—such as SSN) or intellectual property (such as a filed but undisclosed patent). As part of this mobile topic coverage, X-Force research uncovered no reported incidents of ePHI being lost or stolen from mobile devices (see Figure 1).
Figure 1: Public disclosures of ePHI by mobile media type, 2009 to 2013
For more insights on the most recent IT security threat landscape and to better understand the mobile threats with regard to perception versus reality, please read our latest and complete IBM X-Force report here.
Have you ever thought about the vulnerability of ePHI, PII or your enterprise’s intellectual property on your BYOD smartphone or tablet? Share your insights, tips and wisdom with me on Twitter @Bperepa.