Three weeks ago, the Badlock vulnerability was announced with the creation of a Badlock website and logo by SerNet, a German security firm. Badlock is a security bug that affects most versions of Microsoft Windows and Samba, versions 4.2 and later. It was discovered by a Samba developer who works for SerNet.
Samba is an open-source software that enables users to access shared resources such as files and print services. Widely used in corporate environments, Samba typically connects Linux and Unix servers and Windows devices on a network. Many suspect that Badlock makes it possible for a hacker to gain admin-level access on a network, but this has not been confirmed. A patch for Badlock will be available April 12.
The Badlock announcement is eerily similar to Heartbleed in 2013, the most highly publicized of the “branded” vulnerabilities. The creation of a branded website and logo makes the announcement of the vulnerability sound more like the launch of a publicity campaign than a simple disclosure of a serious problem as claimed by SerNet. It doesn’t take a public relations or marketing genius to see that names like Heartbleed and Badlock are created to generate media buzz and invite speculation about the nature of the vulnerability.
In the case of Heartbleed, a patch was deployed on the same day that the website and logo were unveiled. In the case of Badlock, there has been a three-week gap between the announcement and the fix, with little detail provided about the actual vulnerability. The early announcement of the bug and the ensuing publicity don’t just provide hackers with an extended opportunity to exploit the bug. It reeks of ulterior motive. People are accusing SerNet of trying to overhype the vulnerability and profit from what amounts to fixing their own code. In fact, the person from SerNet who registered the Badlock.org domain said in a since-deleted tweet that a “serious bug gets attention and marketing for us and our open source business is a side effect of course.”
Organizations are already concerned with a constant barrage of cyberattacks on their networks. Now you hear allegations that security firms that are trusted to protect these networks are looking for ways to manipulate disclosures and withhold information in the name of “public awareness.” Branded vulnerabilities and the questionable motives behind them further reinforce the importance of protecting yourself with a robust security strategy.
What is your patch management strategy? Who is overseeing it? Are you using network segmentation to control access to sensitive data and applications and meet compliance requirements? How are these environments being monitored? Are your firewalls, intrusion prevention system, encryption, antimalware and other software up to date? Let Atlantic-IT.net, your outsourced IT department, implement and manage your security strategy and help you distinguish between legitimate threats and media hype.