by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : May 2014
CYBEREYE BY WILLIAM JACKSON HEARTBLEED, the OpenSSL vulnerability that potentially exposes data in otherwise secure transactions, has raised once again the ques- tion of security in open source software. Some maintain that open source, because of all the eyes looking at it, is likely to be more secure. Others say that with anyone able to tamper with it, of course it can t be trusted. The truth is that neither open source nor proprietary software is inherently more secure. A recent report by Cov- erity from security scans of 750 million lines of code on 700 open source projects found for the first time that the quality of open source surpassed pro- prietary projects, with an error density of .59 per 1,000 lines of code for open source compared to .72 for proprietary code scanned. But that is not the whole story, said Zack Samocha, Coverity s senior director of products. The quality of the code depends on the commit- ment to security, he said. "You need to be really committed and fix issues as they come." Proprietary code produced under pressure of market de- mands also can be buggy. Users should test the products they are using to make sure they do what they are supposed to do. And if you are using open source, review the code and take part in its development, said Barrett Lyon, founder and CTO of Defense.Net. "You should contribute," Lyon said. "If it s open source and it s not secure, it s partly your fault." With all of the eyes that could have looked at OpenSSL, the surprising thing is that Heartbleed escaped detec- tion for two years. How did it happen in the first place? Like many security problems, it was the result of a trade-o with performance. Earlier versions of OpenSSL had a feature called memory manage- ment security that prevented memory leaks. But Lyon, in reviewing the code, saw that in version 1.0.1 a developer disabled the feature because it hurt performance in some implementations. "It comes down to humans making mistakes," said Jona- than Rajewski, an assistant professor and director of the Leahy Center for Digital Investigation at Champlain College. "This is an ah-ha! mo- ment that we can learn from, because it will happen again." The "fix" that caused the problem is in versions 1.0.1 through 1.01f of OpenSSL. The "fix" was fixed in version 1.0.1g. One of the most serious concerns for agencies using a ected versions of OpenSSL is the possibility of digital certificates being exposed. But there are a few bright spots. Although security experts preach the gospel of the timely update, this is a situation where procrastina- tion could be a blessing. Many government administrators are conservative in their updating; a diplomatic way of saying they don t have time to keep their software up-to- date. This means that many agencies are running OpenSSL 1.0.0 versions, which are not vulnerable. Another bright spot is that there are tools to detect vulner- able software. The Nessus scan- ner from Tenable, for example, will detect it through its remote and local checks. And although exploits of the vulnerability don t leave direct footprints, there are some telltale signs. Because exposed memory is gathered in 64 kilobyte chunks, it takes a large number of re- peated log-ins to gather useful information, and this kind of anomalous behavior should be detected by logs. But there is yet another chal- lenge. Because users are being advised to replace their pass- words, a flood or reset requests could overwhelm help desks or automated reset systems. "It s going to be interesting," Lyon said. • IN THE WAKE OF HEARTBLEED, OPEN SOURCE SOFTWARE IS UNDER SCRUTINY 12 GCN MAY 2014 • GCN.COM 5 CHALLENGES FACING THE FEDERAL CISO Addressing government cyber threats today requires treating IT security as a function of an agency's primary mission rather than a back-end function, according to former Admiral Thad Allen, who leads Booz, Allen and Hamilton's justice and homeland security efforts. A recent IDC white paper sponsored by BAY, lays out the primary challenges in government information security: 1. The greatest threat is from foreign governments or other foreign entities, whose activities can range from espionage to sabotage. 2. Agencies are being hit by high-volume attacks, sometimes hundreds a day, and at the same time are being targeted by more stealthy advanced persistent threats. 3. Government must take a part in protecting private infrastructure as well as government networks and must work closely with industry. 4. Distributed denial-of- service attacks are common against agencies. 5. Authentication and access control: compliance with HSPD-12 access control requirements still is not complete. -- William Jackson