
Huge Security Bug Known As Heartbleed

Scramble to fix a massive 'Heartbleed' security flaw



8 April 2014



Researchers say that a bug in software used by millions of web servers could have allowed anyone to spy on and eavesdrop on people who visited the websites those servers host.


The bug is in a software library that is used in servers, operating systems, and email and instant messaging systems.



Called OpenSSL, the software is supposed to protect sensitive data while it moves between two locations.



Because attacks leave no trace, it is difficult to determine how widespread exploitation of the bug has been.



"If you are in need of a strong level of privacy or anonymity online, it is possible that you should not access the internet at all for the next few days as things settle down," said a blog post by the Tor Project, which makes software that helps users avoid scrutiny of their internet usage habits.



'Serious' vulnerability



A large portion of the web could be at risk because OpenSSL is used in the widely used Apache and Nginx server software. Statistics from the monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running vulnerable versions of the software.



"It's the most significant thing I've witnessed in security since the discovery of SQL injection," said Ken Munro, a security expert at Pen Test Partners. SQL injection is a method of obtaining information from the databases behind websites and services using specially crafted queries.



He noted that many companies were scrambling to patch vulnerable programs. Some had even shut down services while they worked to fix them. Many were worried that cyber thieves would soon exploit the vulnerability, as proof-of-concept code had already been shared.



Mojang, the creator of the immensely popular Minecraft game, shut down all its services while Amazon, which hosts the game, patched its systems.



Researchers at Codenomicon and Google discovered the bug in OpenSSL.



The researchers wrote a blog post about their findings. They said the "serious vulnerability" allowed anyone to read large chunks of memory on servers that were supposed to be protected by the flawed version of OpenSSL. This allows attackers to gain access to the secret keys used to scramble data passing between servers and their users.



"This allows attackers to listen in on communications, steal data directly from the services and users and to impersonate users and services," wrote the team that discovered the vulnerability. They referred to it as the "heartbleed" bug because it is found in the heartbeat extension for OpenSSL.



The bug was present in OpenSSL versions that have been in use for more than two years. The most recent version of OpenSSL, released on 7 April, is no longer prone to the bug.



The researchers wrote that, given this exposure, people should be aware of how long it has lasted, the ease of exploitation, and the fact that attacks leave no evidence.



The team stated that updating OpenSSL does not by itself mean someone is safe from attack. They warned that attackers who had already exploited the bug could have gained access to encryption keys, passwords and any other credentials required to access servers.



Full protection could require updating to the safer version of OpenSSL as well as getting new security certificates and creating new encryption keys. Security researchers have developed tools that help users determine if they are using vulnerable versions of OpenSSL.
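
The remediation steps described above (update OpenSSL, then create new keys and get new certificates) can be audited across a server inventory. The following is an added example, not part of the original article; the `Server` fields, host names, dates and fingerprints are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Server:
    name: str
    patched_on: Optional[date]  # day the fixed OpenSSL went live; None = still vulnerable
    key_created_on: date        # day the current private key was generated
    cert_issued_on: date        # issue date of the current certificate
    key_fp: str                 # fingerprint of the current public key
    exposed_key_fp: str         # fingerprint of the key served while vulnerable

def remediation_gaps(s: Server) -> List[str]:
    """Return the remediation steps still missing for one server."""
    if s.patched_on is None:
        # Nothing else counts yet: any new key would be readable from memory too.
        return ["OpenSSL not updated"]
    gaps = []
    if s.key_fp == s.exposed_key_fp:
        # A reissued certificate that wraps the old key protects nothing.
        gaps.append("private key reused from the vulnerable period")
    elif s.key_created_on < s.patched_on:
        gaps.append("new key was generated before the update")
    if s.cert_issued_on < s.patched_on:
        gaps.append("certificate predates the update")
    return gaps

def audit(inventory: List[Server]) -> Dict[str, List[str]]:
    """Map each server name to its list of outstanding gaps (empty = done)."""
    return {s.name: remediation_gaps(s) for s in inventory}

# Constructed inventory (hypothetical hosts, dates and fingerprints).
INVENTORY = [
    Server("web-1", date(2014, 4, 8), date(2014, 4, 9), date(2014, 4, 9), "bb22", "aa11"),
    Server("web-2", date(2014, 4, 8), date(2013, 1, 15), date(2014, 4, 10), "cc33", "cc33"),
    Server("mail-1", date(2014, 4, 10), date(2014, 4, 8), date(2014, 4, 8), "ee55", "dd44"),
    Server("chat-1", None, date(2013, 6, 1), date(2013, 6, 1), "ff66", "ff66"),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The `web-2` and `mail-1` cases are the ones a version check alone misses: a certificate reissued over the old key, and a key rotated while the server was still running the flawed library.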


