Lieberman Software
  Follow us on Twitter  Follow us on LinkedIn  Blog  Lieberman Software on
                            YouTube  Google Plus
April 2014      

Top of Mind

The Next Big Thing

Philip Lieberman
President & CEO

Lieberman Software

April has been a whirlwind of tradeshows, product announcements, and vulnerability disclosures. Starting off the month we had the Heartbleed saga that indicted the open-source software project OpenSSL; and, in the last few days we received the announcement that the US Government has advised everyone to stop using Microsoft Internet Explorer. So much for the claim of “superior security” in the eternal battle of: commercial vs. open source solutions.

The Cloud and Open Source

This month’s disclosures also brought to light one fundamental difference between commercial and open source software: the ability to patch vulnerabilities. For the large commercial web sites that used OpenSSL, and were vulnerable to Heartbleed, we saw remediation in hours, or at worst days. The companies that were running the large sites and cloud based SAAS providers demonstrated that they were capable of patching their open source software and taking control over the situation.

The Internet of Things: Not a Good Story

Unfortunately, there are also billions of devices in the wild that use this same compromised OpenSSL code, but these devices will never be patched because there is no universal and pervasive mechanism that is commercially viable to update them.

Consider all the cell phones and applications on cell phones that use this compromised library. The cell phones in most US consumers hands are walled gardens whose operating code is controlled by the cell phone providers. Because of the economics of cell phones, most all of these devices will probably not get a patch for this vulnerability (heck, they will not even release the latest version of Android for my Motorola Razr Maxx HD).

In the case of routers, cable boxes, switches and other consumer devices, these too will probably never get a patch, because there is nothing ubiquitous to provide updates or the economics of an update are not there for the company that provided the devices or sold them to consumers.

Open Source = Profit

The beauty of open source solutions is that they provide an incredibly lucrative opportunity for device manufacturers to create solutions with a minimal cost for the software used in those devices. Since minimal cost is the goal for most embedded devices, things like automatic updates and device support are almost non-existent. For compromised devices, there are few options other than complete replacement of a broken device (non-secure devices are not covered under any warranty that I am familiar with on the consumer side of the world). Heartbleed pointed out that in the world of the cloud providers, open source works; however in the world of embedded software, you are on your own.

An Eternal Sea of Compromised Systems

As we live with the sea of compromised flotsam and jetsam of the Internet caused by the Heartbleed bug, at least I can live in some comfort that Microsoft will patch Internet Explorer and most people will get the patch automatically. On the other hand, there is the issue of all those billions of XP machines running older versions that will never get another patch from Microsoft; automatic or otherwise.

What do you think? Email me at:
. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

What's New in Identity Week

Featured commentary on our
Identity Week blog this month includes:
  • The Heartbleed Vulnerability – Now What? Just when the general public seemed to take the Internet for granted as a secure means to conduct financial transactions and communicate personal data, along comes Heartbleed...
  • Strategies for Victory in Cyber Warfare. Today we live in a world where the “giants” are lined up against us. Cyber Crime, Cyber Sabotage and Cyber Espionage is a daily fact of life. Whether we’re talking about botnets, defacing of web sites, spear-phishing or theft of intellectual property, everyone seems to be defenseless against the relentless cyber warfare attacks targeting everything from your Facebook page to the SCADA systems controlling nuclear power stations...

Events / Press / Analysts
  • Lieberman Software aims to ramp up European sales. MicroScope. Identity management player Lieberman Software is planning to increase its activity across Europe building on its recent investment in regional offices in the UK, Germany and the Netherlands.
  • Many Devices Will Never Be Patched to Fix Heartbleed Bug. MIT Technology Review. A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords. But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed.
  • RSA Conference 2014 Annual Trip Report. Cyber Defense Magazine. In our discussions, Lieberman Software's CEO discussed how Target's breach was also a common wake up call for many at the conference confirming that even at the largest companies in the world, the basics of simply having different random passwords on each device and server was not being done.
  • Survey Suggests Trust in the Cloud is Slowly Increasing. InfoSecurity. A survey of almost 300 IT security professionals at RSA 2014 shows that trust in cloud security has increased slightly over the last 15 months – but not by very much. By February 2014 the number of professionals who prefer to keep sensitive corporate data within their own network had fallen from 86% (November 2012) to 80%.

Tech Tip of the Month

Automatically Manage Expired or Inactive User Accounts

Managing a large number of user accounts is an ongoing challenge for most organizations.

Account Reset Console (ARC) provides an automated password management system to identify accounts with expired or near-expired passwords, or that have been inactive for a certain number of days.

To manage these accounts, ARC provides several options including customized emails to the account owner, status reporting to Admin or HelpDesk staff, and even automatic disabling or enabling of the account.

Lieberman Software Corporation respects your right to privacy, and believes any information you provide us should be protected from disclosure to others. For more information, please read our privacy policy. You are receiving this email because you have granted us permission to contact you. If you do not wish to receive email messages from Lieberman Software in the future, please click here.

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
           |    (01) 310-550-8575  |