A blog on financial markets and their regulation
Heartbleed and the need for air-gapped backups in finance
April 12, 2014
Heartbleed is perhaps the most catastrophic computer security disaster ever (for those not technically inclined, the xkcd comic on it is perhaps the most readable explanation of the bug). Bruce Schneier says that “On the scale of 1 to 10, this is an 11.” Since the bug has been around for a few years and exploiting it leaves no trace on the server, the assumption has to be that passwords and private keys have been stolen from every server that was ever vulnerable. Whoever has the private key can read everything sent to or received from the server until the private key (and the SSL certificate issued for it) is changed, even after the vulnerability itself has been fixed.
Many popular email, social media and other sites are affected, and we need to change our passwords everywhere. Over the next few weeks, I intend to change every single password that I am using on the web – more than a hundred of them.
Thankfully, only a few banking sites globally seem to be affected. When I check now, none of the Indian banking sites that I use regularly are being reported as vulnerable. However, the banks have not said anything officially, and I am not sure whether they were never vulnerable or whether they fixed the vulnerability over the last few days after the bug was revealed. Even the RBI has been silent on this; if all Indian banks were safe, they should publicly say so, and if some were affected and have been fixed, they should say so too. Incidentally, many Indian banking sites do not seem to implement Perfect Forward Secrecy, and that is not good at all.
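As an added illustration (not from the post), the following toy model shows why a leaked server private key lets a passive eavesdropper decrypt recorded sessions when that key is used for RSA key transport, but not when the handshake uses ephemeral Diffie-Hellman, which is the forward secrecy the post says many banking sites lack. All numbers are constructed toy parameters and are far too small for real use.

```python
"""Toy model: static RSA key transport versus ephemeral Diffie-Hellman.
The arithmetic is deliberately tiny and insecure; the structure is the point."""
import hashlib
import secrets

# Server's long-term RSA key (constructed toy parameters, not a real key).
P, Q = 61, 53
N = P * Q                              # public modulus, 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, 2753

# Public Diffie-Hellman group shared by everyone (constructed toy group).
DH_P, DH_G = 23, 5


def session_key(shared_secret: int) -> str:
    """Stand-in for the TLS key derivation: hash the shared secret."""
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()[:16]


def rsa_key_transport():
    """TLS_RSA-style handshake: the client encrypts a random premaster secret
    to the server's long-term public key. Returns the bytes an eavesdropper
    could record and the session key both parties derive."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = pow(premaster, E, N)                 # this crosses the network
    key = session_key(pow(wire, D, N))          # server decrypts with D
    return {"rsa_ciphertext": wire}, key


def dhe_handshake():
    """DHE-style handshake: both sides pick fresh one-time exponents. The
    long-term RSA key would only sign the server's share (signature omitted,
    it does not affect key secrecy). Returns the recording plus both sides'
    derived keys so agreement can be checked."""
    a = secrets.randbelow(DH_P - 2) + 1         # client's ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1         # server's ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_key = session_key(pow(B, a, DH_P))
    server_key = session_key(pow(A, b, DH_P))
    return {"dh_A": A, "dh_B": B}, client_key, server_key


def attacker_recovers(recording: dict, leaked_d: int):
    """Later key leak (Heartbleed-style memory disclosure). With D the attacker
    decrypts any recorded RSA-transport session. For DHE the leaked key gives
    no route to the session key: only the ephemeral exponents would, and they
    were never transmitted or kept. We return None rather than model a
    discrete-log attack, which is exactly what forward secrecy relies on."""
    if "rsa_ciphertext" in recording:
        return session_key(pow(recording["rsa_ciphertext"], leaked_d, N))
    return None
```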
More importantly, I think it is only a matter of time before large financial institutions around the world suffer a catastrophic security breach. Even if the mathematics of cryptography is robust (P ≠ NP), all of that mathematics is implemented in code that often goes through only flimsy code reviews. I think it is necessary to have offline repositories of critical financial data so that one disastrous hack does not destroy the entire financial system. For example, I think every large depository, bank, mutual fund and insurance company should create a monthly backup of its entire database in a secure air-gapped location. Just connect a huge storage rack to the server (or perhaps the disaster recovery backup server), dump everything (encrypted) onto the rack, disconnect and remove the rack, and store the air-gapped rack in a secure facility. A few thousand dollars or even a few tens of thousands of dollars a month is a price that each of these institutions should be willing to pay for partial protection against the tail risk of an irrecoverable security breach.