GDPR, OpenSSL, Heartbleed and a Cascade of Security Breaches

The upcoming EU General Data Protection Regulation (GDPR), which becomes enforceable in 2018, will have a significant impact on any organization that controls or processes personal data of people in the EU, wherever that organization is based, and that includes U.S. and U.K. businesses. A harbinger of things to come under GDPR is the six-figure fine recently issued to Gloucester City Council in England for a breach of existing UK data protection law.

The council failed to ensure that open source software it was using had been updated to fix the “Heartbleed” vulnerability (CVE-2014-0160), a critical flaw in OpenSSL's TLS heartbeat handling that lets an unauthenticated remote attacker read chunks of a server's process memory, which can include private keys, session cookies and credentials. Even though Heartbleed was publicly disclosed in April 2014, over three years ago, and IT staff at the council flagged the need to update the software, the fixed OpenSSL release was never applied. Gloucester City Council “did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made,” said the entity imposing the £100,000 fine, the UK's Information Commissioner's Office (ICO).

According to the ICO's penalty notice, the council's failure resulted in the following cascade of security breaches:

  • In July 2014 Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker.
  • The same attacker responded to this email by stating that he had also gained access to 16 users' mailboxes via the Heartbleed vulnerability in the SonicWall appliance (containing an affected version of OpenSSL) that was used for routing traffic to Gloucester's services.
  • The attacker was able to download over 30,000 emails from a senior officer's mailbox, containing financial and sensitive personal information on past and current employees.

“Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure that the [OpenSSL] patch was applied,” the report concludes.

Many organizations don't pay sufficient attention to the security exposures created by vulnerable open source components, and may not even be aware these exposures exist. In Black Duck's most recent analysis of more than 1,000 commercial applications, 67 percent of the applications containing open source also contained known vulnerabilities.

OpenSSL, the library in which Heartbleed was found, was among the most common high-risk components identified in the Black Duck audits. OpenSSL is embedded in hundreds of thousands of applications that need to secure communications over networks against eavesdropping, and is used by many businesses for their websites, email and chat servers, network appliances and client-side software. Besides the Gloucester City Council breach, Heartbleed was used in 2014 to steal personal taxpayer data from the Canada Revenue Agency.

Yet, years later, many companies still run a version of OpenSSL containing the Heartbleed vulnerability because they lack insight into where open source is used in their environment, leaving themselves open to data breaches and fines. Thousands of similar vulnerabilities, some less dangerous than Heartbleed and some even more so, exist in open source components in use today.
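The first step in closing that insight gap is knowing which OpenSSL builds are in the estate. The script below is an added example, not code from the original post or from Black Duck, that triages OpenSSL version banners (as a scanner, SBOM tool or `openssl version` run on a host would report them) against the upstream releases that shipped Heartbleed: 1.0.1 through 1.0.1f and 1.0.2-beta1. The hostnames and banners in the inventory are constructed for the example. The important caveat, encoded in the comments, is that a version match is a lead rather than proof: Linux distributions commonly backported the fix without changing the version string, and appliances like the one in the Gloucester case often do not expose a banner at all, so a flagged host must be confirmed with the vendor's advisory, the package changelog, or an active heartbeat probe.

```python
"""Triage OpenSSL version banners for Heartbleed (CVE-2014-0160).

Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug;
1.0.1g, 1.0.2-beta2 and later fixed it, and the 0.9.8 / 1.0.0 lines never
contained the heartbeat code at all.

Caveat: distributions frequently backport the fix without bumping the
upstream version (so a banner reading 1.0.1e may be patched), and many
appliances do not expose a banner at all. A match here is a lead for
investigation, not proof of exposure.
"""
import re
import ssl

# Matches "OpenSSL <major>.<minor>.<fix><letter>[-beta<n>]" inside a banner,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) or None if this is not an OpenSSL banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter.lower(), int(beta) if beta else None)


def is_heartbleed_vulnerable(banner):
    """True when the banner names an upstream OpenSSL release that shipped Heartbleed."""
    v = parse_openssl_version(banner)
    if v is None:
        return False  # not OpenSSL (LibreSSL, BoringSSL, ...), or no banner
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g fixed it.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return beta == 1
    return False


# Constructed inventory (hostnames and banners are made up for this example),
# in the shape a scanner or SBOM tool would report per host.
INVENTORY = [
    ("mail-gw.example.local", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("www.example.local", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-vpn.example.local", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("old-lb.example.local", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("build.example.local", "OpenSSL 1.1.0f 25 May 2017"),
]


def triage(inventory):
    """Return the hostnames whose banner points at a Heartbleed-era OpenSSL."""
    return [host for host, banner in inventory if is_heartbleed_vulnerable(banner)]


def local_python_openssl():
    """Banner of the OpenSSL the running interpreter links against."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("investigate (confirm with vendor advisory or active probe):", host)
    banner = local_python_openssl()
    print("this interpreter links", banner,
          "-> vulnerable by version" if is_heartbleed_vulnerable(banner) else "-> not vulnerable by version")
```

Run it as-is to see the two flagged hosts from the constructed inventory plus a verdict on the interpreter's own OpenSSL; in practice the inventory would be fed from a scanner export or SBOM, and every flagged host would be confirmed rather than assumed.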

The £100,000 fine imposed on Gloucester City Council should serve as a reminder to all organizations of the need to manage the security risks of open source software, which often goes unnoticed and unpatched. Far heftier fines, up to 4% of annual global revenue or €20 million, whichever is greater, will come with the GDPR when it goes into force. It will be of great importance that companies keep all software, both open source and commercial, up to date and ensure that their data, particularly sensitive personal data, remains secure.
