As IT security consultants, we are constantly surveying the landscape to see what the next threat will be for our clients. What made Heartbleed so dangerous is that it existed in a piece of software that most Internet users depend on (infrastructure) and that the exploit itself yielded immediately consumable security data (payload) like certificate keys, user names and passwords, and other sensitive information. In other words, the more dependent you are on the type of infrastructure that is exploited, the larger the potential audience will be.
Most people depend on the same types of infrastructure, whether they know it or not: the operating system that runs on their desktop, laptop, tablet or smartphone, DNS servers, mail servers, browsers, and all sorts of software libraries that these and other applications and devices use all of the time.
In all likelihood, there are two vectors from which the next Heartbleed-like problem will come:
1) an exploit against a specific fundamental service or device, like DNS (which allows people to use names like www.google.com instead of IP addresses like 192.168.1.100) or a Cisco router
2) an exploit in a common software library, like OpenSSL (which many websites and services use to provide communication security and privacy), that many other systems, services and devices depend on
Obviously, the latter is much more egregious in that, like Heartbleed, the common software would be used by many different vendors, operating systems, devices and applications, which makes resolving the problem significantly more complex and unpredictable. To be specific, it’s likely to be some type of Open Source software, just like OpenSSL was.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.