Software Licensing Featured Articles

Protecting Hardware from 'Heartbleed' and Other Bugs with Automatic Software, Firmware Patches

By Michael Guta, TMCnet Contributing Writer

Although the Heartbleed bug was discovered only recently, the mistake that allowed hackers to exploit this vulnerability was made by programmers on New Year's Eve of 2011. This mistake created an open door and, according to reports, everyone from the National Security Administration (NSA) to criminals took advantage of this flaw to break into personal and business systems to obtain classified information.

The bug affected virtually everyone that is online because the Open SSL is used by more than two-thirds of the Internet. This includes individuals, businesses and global enterprises such as Cisco (News - Alert) and Juniper. According to an article written by Ann Reist on the Flexera Software blog, she highlights the Hearbleed bug found in Cisco Routers and Juniper Gear and the difficulty hardware manufacturers have in fixing their system compared to online organizations such as Amazon, Yahoo and Netflix, who were able to quickly patch the whole.

According to security experts, it is more difficult for these companies because their equipment is used by organizations that don't check their network equipment as often as they should, affecting the routers, switches and firewalls.

Because these equipment are connected to the web and the risks of hackers exploiting the vulnerabilities is high, Reist suggests device manufacturers like Cisco and Juniper to implement options to automatically send patches and updates to their customers in order to avoid security breaches.

She recommends several suggestions as to how they can go about doing this. This includes:

• Using tamper-resistant licensing code to help reduce hacks for applications that sit at the operating system level
• Strengthening the protection and make changes at the machine level by investing in reverse engineering to embed software on the devices
• Simplify and expedite the process in which security patches and updates can be delivered e with an automated mechanism for all devices including mobile device management systems
• Make customers aware of the dangers of security breaches by encouraging product registration and firmware upgrade whenever they're available
• Monitor all devices for application issues and ensure only authorized personnel are using applications
• Send all updates to the right people using secure download URLs that expire

Because this process requires the collaboration of both the hardware manufacturer and the customer, she recommends practical guidance for users of this equipment when they are connected to the web. This includes fully understanding the product documentation that comes with the device and following the security recommendations to the letter as well as registering the product so the manufacturer can make the necessary fixes if there is a breach.