Scramble to fix an enormous security flaw known as "heartbleed"
8 April 2014
A flaw in the software used by millions of web servers could have exposed anyone who visits websites hosted by them to surveillance and eavesdropping, say researchers.
The issue is in a software library used in operating systems, servers, instant messaging and email systems.
Known as OpenSSL, the library is intended to protect sensitive data as it moves back and forth.
Since attacks leave no evidence, it is difficult to know how widespread the bug was.
"If you are in need of a strong level of privacy or anonymity on the internet, you might not want to access the internet at all for the next few days while things settle," was the message on a blog posted by the Tor Project, which makes software that helps users avoid scrutiny of their browsing habits.
'Serious' vulnerability
A vast portion of the internet could be at risk because OpenSSL is used in the widely deployed Apache and Nginx server software. Statistics from net monitoring firm Netcraft indicate that 500,000 of the internet's secure servers are running versions of the vulnerable software.
"It's the most important thing I've observed in security since the discovery of SQL injection," said Ken Munro, a security expert at Pen Test Partners. SQL injection is a technique to obtain information from databases behind websites and other services by using specially crafted queries.
Many companies were scrambling to apply patches to vulnerable programs. Other companies had shut down their services while fixes were being implemented, he added. Many were concerned that, with proof-of-concept code already being shared, it would just be a matter of time until cybercriminals began exploiting the vulnerability.
Mojang, maker of the extremely well-known Minecraft game, took all its services offline while Amazon, which hosts its games, updated its systems.
Researchers from Codenomicon and Google discovered the flaw in OpenSSL.
The researchers wrote a blog post about their findings. They said that the "serious vulnerability" allowed anyone to read large amounts of memory on servers that were supposed to be protected by the flawed versions of OpenSSL. By exploiting this vulnerability, attackers could access the secret keys used to scramble data when it is passed between a server and its users.
The team that discovered the vulnerability wrote: "This allows attackers [to] eavesdrop on communications and steal data directly from the users and services, and to impersonate these services and users." They called it the "heartbleed" bug since it is found in the heartbeat extension for OpenSSL.
The bug has been present in various versions of OpenSSL that have been in circulation for over two years. The bug is not present in the latest OpenSSL version, which was released on April 7.
"Considering the long-term exposure, ease of exploitation and attacks leaving no trace, this exposure must be considered serious," wrote the researchers.
The team said that just because someone has updated OpenSSL does not mean they are secure from attacks. They said that attackers could have gained access to encryption keys, passwords or other credentials required to access servers if they had already exploited it.
Full protection may require you to update to the safer version of OpenSSL and create new encryption keys. To help people check their systems, security experts have created tools that determine whether they are running vulnerable versions of OpenSSL.