The Next Big Thing
April has been a whirlwind of tradeshows, product announcements, and
vulnerability disclosures. The month began with the Heartbleed saga,
which indicted the open-source OpenSSL project; and in the last few days
came the announcement that the US Government has advised everyone to
stop using Microsoft Internet Explorer. So much for the claim of
"superior security" in the eternal battle of commercial vs. open source
solutions.
President & CEO
The Cloud and Open Source
This month's disclosures also brought to light one fundamental
difference between commercial and open source software: the ability to
patch vulnerabilities. For the large commercial web sites that used
OpenSSL and were vulnerable to Heartbleed, we saw remediation in hours,
or at worst days. The companies running the large sites and the
cloud-based SaaS providers demonstrated that they were capable of
patching their open source software and taking control over
The Internet of Things: Not a Good Story
Unfortunately, there are also billions of devices in the wild that use
this same vulnerable OpenSSL code, and these devices will never be
patched because there is no universal, pervasive and commercially viable
mechanism to update them.
Consider all the cell phones, and the applications on them, that use
this vulnerable library. The cell phones in most US consumers' hands
are walled gardens whose operating code is controlled by the cell phone
providers. Because of the economics of cell phones, almost all of these
devices will probably never get a patch for this vulnerability (heck,
they will not even release the latest version of Android for my
Motorola Razr Maxx HD).
In the case of routers, cable boxes, switches and other consumer
devices, these too will probably never get a patch, because there is no
ubiquitous mechanism to deliver updates, or the economics of an update are
not there for the company that built the devices or sold them to
Open Source = Profit
The beauty of open source solutions is that they provide an incredibly
lucrative opportunity for device manufacturers: the software in those
devices costs almost nothing. Since minimal cost is the goal for most
embedded devices, things like automatic updates and device support are
almost non-existent. For vulnerable devices, there are few options other
than complete replacement of the broken device (non-secure devices are
not covered under any warranty that I am familiar with on the consumer
side of the world). Heartbleed pointed out that in the world of the
cloud providers, open source works; in the world of embedded software,
however, you are on your own.
An Eternal Sea of
As we live with the sea of compromised flotsam and jetsam left on the
Internet by the Heartbleed bug, at least I can live in some comfort
that Microsoft will patch Internet Explorer and most people will get
the patch automatically. On the other hand, there is the issue of all
those hundreds of millions of XP machines running older versions that
will never get another patch from Microsoft; automatic or
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
New in Identity Week
Featured commentary on our Identity
Week blog this month includes:
- The Heartbleed Vulnerability – Now What?
Just when the general public seemed to take the Internet for granted as
a secure means to conduct financial transactions and communicate
personal data, along comes Heartbleed...
- Strategies for Victory in Cyber Warfare.
Today we live in a world where the "giants" are lined up against us.
Cyber crime, cyber sabotage and cyber espionage are a daily fact of
life. Whether we're talking about botnets, defacement of web sites,
spear-phishing or theft of intellectual property, everyone seems to be
defenseless against the relentless cyber warfare attacks targeting
everything from your Facebook page to the SCADA systems controlling
nuclear power stations...
Events / Press /
- Software aims to ramp up European sales. MicroScope.
Identity management player Lieberman Software is planning to increase
its activity across Europe, building on its recent investment in
regional offices in the UK, Germany and the Netherlands.
- Many Devices Will Never Be Patched to Fix Heartbleed Bug. MIT
Technology Review. A security bug uncovered this week affects
an estimated two-thirds of websites and has Internet users scrambling
to understand the problem and update their online passwords. But many
systems vulnerable to the flaw are out of public view and are unlikely
to get fixed.
- RSA Conference 2014 Annual Trip Report. Cyber Defense Magazine. In our
discussions, Lieberman Software's CEO described how Target's breach was
a common wake-up call for many at the conference, confirming that
even at the largest companies in the world, the basics of simply having
different random passwords on each device and server were not being done.
- Survey Suggests Trust in the Cloud is
InfoSecurity. A survey of almost 300 IT security professionals
at RSA 2014 shows that trust in cloud security has increased slightly
over the last 15 months, but not by very much. By February 2014 the
number of professionals who prefer to keep sensitive corporate data
within their own network had fallen from 86% (November 2012) to 80%.
Tech Tip of the Month
Automatically Manage Expired or Inactive User Accounts
Managing a large number of user accounts is an ongoing challenge for
Account Reset Console (ARC) provides an automated password management
system to identify accounts with expired or near-expired passwords, or
that have been inactive for a certain number of days.
To manage these accounts, ARC provides several options including
customized emails to the account owner, status reporting to Admin or
HelpDesk staff, and even automatic disabling or enabling of the account. Here's
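The same three checks the tip describes (passwords already expired, passwords about to expire, and accounts with no logon for a set number of days) can be run against Active Directory with the native RSAT cmdlets. The script below is an added example for this newsletter and is not ARC's code or output; the OU, the 90-day and 7-day thresholds, the SMTP server and the sender address are assumptions you would replace with your own. It defaults to a dry run (the `-WhatIf` form of the disable) so the report can be reviewed before anything is changed:

```powershell
# Added example, not Lieberman Software / ARC code. Requires the RSAT
# ActiveDirectory module and rights to read and disable accounts in the OU.
# $SearchBase, $InactiveDays, $WarnDays, $SmtpServer and $From are assumptions.
param(
    [string]$SearchBase   = "OU=Staff,DC=example,DC=com",   # assumed OU
    [int]   $InactiveDays = 90,                              # assumed threshold
    [int]   $WarnDays     = 7,                               # assumed warning window
    [string]$SmtpServer   = "smtp.example.com",              # assumed relay
    [string]$From         = "helpdesk@example.com",          # assumed sender
    [switch]$Disable                                         # omit for a dry run
)
Import-Module ActiveDirectory

$now    = Get-Date
# Domain-wide policy only; users under a fine-grained password policy (PSO)
# may have a different MaxPasswordAge and would need Get-ADUserResultantPasswordPolicy.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# 1. Passwords already expired (AD sets the flag; we only keep enabled accounts)
$expired = Search-ADAccount -PasswordExpired -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled }

# 2. Passwords expiring within $WarnDays, computed from pwdLastSet + MaxPasswordAge.
#    Accounts flagged PasswordNeverExpires and accounts already expired are excluded.
$nearExpiry = @()
if ($maxAge -and $maxAge -gt [TimeSpan]::Zero) {
    $nearExpiry = Get-ADUser -SearchBase $SearchBase `
        -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
        -Properties PasswordLastSet, EmailAddress |
        Where-Object {
            $_.PasswordLastSet -and
            ($_.PasswordLastSet + $maxAge) -gt $now -and
            (($_.PasswordLastSet + $maxAge) - $now).TotalDays -le $WarnDays
        }
}

# 3. No logon for $InactiveDays. Search-ADAccount uses lastLogonTimestamp, which
#    replicates lazily (up to about 14 days behind), so keep the threshold well
#    above that latency to avoid disabling someone who logged on last week.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
    -UsersOnly -SearchBase $SearchBase | Where-Object { $_.Enabled }

# Status report for admins / helpdesk: console plus a dated CSV
$report  = @()
$report += $expired    | Select-Object SamAccountName, @{n='Status';e={'PasswordExpired'}}
$report += $nearExpiry | Select-Object SamAccountName, @{n='Status';e={'PasswordExpiringSoon'}}
$report += $inactive   | Select-Object SamAccountName, @{n='Status';e={"Inactive>${InactiveDays}d"}}
$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path ".\account-status-$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation

# Warn the owners of soon-to-expire passwords (only those with a mail address on file)
foreach ($u in $nearExpiry | Where-Object { $_.EmailAddress }) {
    $expiresOn = ($u.PasswordLastSet + $maxAge).ToShortDateString()
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress `
        -Subject "Your password expires on $expiresOn" `
        -Body "Please change your password before $expiresOn to avoid a lockout."
}

# Disable inactive accounts and record why. Without -Disable this is -WhatIf only.
foreach ($acct in $inactive) {
    Disable-ADAccount -Identity $acct.SamAccountName -WhatIf:(-not $Disable)
    Set-ADUser -Identity $acct.SamAccountName `
        -Description "Disabled $($now.ToShortDateString()): no logon in $InactiveDays days" `
        -WhatIf:(-not $Disable)
}
```

Run it once without `-Disable` and read the CSV before trusting the inactivity list: service accounts and shared mailboxes that authenticate through a path that does not update `lastLogonTimestamp` will show up as inactive, and those should be excluded from the OU or filtered out before the disable step is enabled.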