Morning Security Brief: Stabbing Rampage at High School, Heartbleed Bug Updates, And More
A student has been charged as an adult after stabbing 21 at a Pennsylvania high school yesterday morning. The Heartbleed flaw has experts scrambling to find a solution for both Web site owners and users. And a software engineer says he warned the University of Maryland of their security flaw four months before the school was hacked.
►Sixteen-year-old sophomore Alex Hribal has been charged with attempted homicide, aggravated assault, and weapons possession after stabbing 21 students and a security officer at a Murrysville, Pennsylvania, high school yesterday. Murrysville police chief Thomas Seefeld said a lengthy investigation will be conducted to determine exactly what happened Wednesday morning in the halls of Franklin Regional Senior High School. The investigation will consider whether bullying may have been involved. Hribal allegedly ran through the halls of the school, swinging two kitchen knives until a security officer apprehended him, according to the Pittsburgh Post-Gazette. There are at least five students in critical condition at local hospitals.
►Experts are scrambling to assess the scope of the Heartbleed bug, a significant flaw in software that was supposed to provide an extra layer of protection for approximately 66 percent of servers on the Internet, according to the Dallas Morning News. “This is one of the worst security issues we’ve seen in the last decade and will remain within the top five for many years to come,” said Adam Ely, COO of Bluebox Security. Many sites urged users to change their passwords, but security experts say this action may be useless until the flaw is fixed. Michael Coates, director of product security with Shape Security, tells Security Management that attackers exploiting the Heartbleed vulnerability will leave no trace in Web server logs and, therefore, it is impossible to determine whether a Web site has been exploited. Coates recommends that Web site owners upgrade OpenSSL as soon as possible and reissue security certificates for SSL/TLS, as a site’s private key may have been compromised. “It is prudent to assume breach and proactively reissue security certificates,” he says. He also says that site owners should implement “perfect forward secrecy,” an additional layer of security that issues random keys for each session. To check whether a Web site or server has been affected by Heartbleed, visit this site.
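The forward-secrecy recommendation above can be verified from the server side by looking at which cipher suite a server actually negotiates. The following added example (not from the brief or from any of the vendors quoted) classifies the negotiated suite reported by `openssl s_client`; the sample output blocks are constructed, and the helper names are assumptions.

```python
"""Classify a negotiated TLS cipher suite for forward secrecy.

Added example, not part of the original brief. It parses the "Cipher :" line
that `openssl s_client` prints in its SSL-Session summary and reports whether
the key exchange is ephemeral. Ephemeral Diffie-Hellman (DHE/ECDHE) derives a
fresh session key per connection, so a later private-key compromise does not
decrypt previously captured traffic; static RSA key exchange has no such property.
"""
import re
from typing import Dict, Optional, Union

# OpenSSL suite-name prefixes whose key exchange is ephemeral (forward secret).
# TLS 1.3 suites ("TLS_...") always use an ephemeral exchange.
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")

# Matches the "    Cipher    : NAME" line inside the SSL-Session block.
_CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample outputs standing in for real s_client sessions.
SAMPLE_STATIC_RSA = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
"""
SAMPLE_ECDHE = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""


def cipher_from_s_client(output: str) -> Optional[str]:
    """Return the negotiated cipher name, or None if no suite was agreed."""
    match = _CIPHER_LINE.search(output)
    if not match:
        return None
    name = match.group(1)
    # OpenSSL prints "0000" or "(NONE)" when the handshake negotiated nothing.
    return None if name in ("0000", "(NONE)") else name


def has_forward_secrecy(cipher: str) -> bool:
    """True when the suite's key exchange is ephemeral."""
    return cipher.upper().startswith(_EPHEMERAL_PREFIXES)


def check_session(output: str) -> Dict[str, Union[str, bool, None]]:
    """Summarise one s_client session: negotiated suite and PFS verdict."""
    cipher = cipher_from_s_client(output)
    return {"cipher": cipher, "forward_secrecy": bool(cipher) and has_forward_secrecy(cipher)}
```

Pipe real output in with `openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 -c 'import sys; ...'` or call `check_session` on a captured session; a suite such as `AES128-SHA` means the server still needs an ECDHE/DHE configuration.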
►Software engineer David Helkowski says he warned the University of Maryland of a huge flaw in its cybersecurity system four months before it was revealed that the personal information of hundreds of thousands of students and employees had been compromised. Helkowski, who worked for software consulting firm The Canton Group, discovered the flaw and reported it to his employer, assuming it would be addressed. However, he said the hole in security was never fixed and became worse over time, according to CBS Baltimore. He then went directly to the University of Maryland police department to take more immediate action. After meetings with the university and his employer, he assumed the flaw would be fixed, but discovered a few weeks later that nothing had changed. Helkowski then began to post anonymous online warnings, and posted University President Wallace Loh’s social security number online to bring attention to the issue. The FBI is now investigating Helkowski, who no longer works for The Canton Group.