Notes

Scramble to Fix Huge Heartbleed Security Bug

Scramble to fix heartbleed security flaw



8 April 2014



Researchers say that a bug in the software that is used by million of web servers could have allowed anyone to monitor and eavesdrop on anyone visiting their sites.



The bug is in a library of software that is used in operating systems, servers, email and instant messaging systems.



OpenSSL is a program that protects sensitive information while it travels back-and-forth.



Since attacks leave no evidence, it is difficult to determine how the bug's spread was.



"If you require a strong level of privacy or security on the internet, you may be advised to stay off the internet entirely for the next few days as things settle down," read a blog post about the issue that was published by the Tor Project which produces software that allows users to avoid scrutiny of their internet browsing habits.



'Serious' vulnerability



A large portion of the web could be at risk because OpenSSL is commonly used in Apache and Nginx server software. Statistics from net monitoring firm Netcraft indicate that 500, 000 of the internet's secure servers are running vulnerable versions of the software.



"It's the biggest thing I've witnessed in security since the discovery of SQL injection," said Ken Munro Security expert at Pen Test Partners. SQL injection is a way to get information from databases behind web sites and services using specially designed queries.



Many companies were scrambling to apply patches to vulnerable programs, and other companies had shut down their services while fixes were being implemented, he added. Many were worried that cybercriminals will soon exploit the vulnerability, since proof of concept code was already released.



Mojang, the maker of the wildly well-known Minecraft game, shut all of its services, while Amazon, which hosts games, updated their systems.



Researchers from Codenomicon and Google discovered a flaw in OpenSSL.



Researchers wrote a blog post about their findings. They claimed that the "serious vulnerability” allowed anyone to read large chunks of memory on servers that were supposed to be protected by the flaws in the OpenSSL version. Via this route attackers could access the secrets keys used to scramble data when it is passed between a server and its users.



The vulnerability was discovered by a group who wrote: "This allows attackers [to] eavesdrop on communications, steal data directly form the services and users, and to impersonate these services and users." It is part of the Heartbeat extension for OpenSSL.



This bug was found in OpenSSL versions that have been around for more than two years. The bug is not present in the most recent OpenSSL version which was released on April 7.



Researchers wrote that they should consider the long-term risk, ease of exploitation, and attacks leaving no trace because of this exposure.
that's how to be me


Installing the latest version of OpenSSL does not guarantee that users were safe from attacks, according to the team. They said that attackers could have gained access encryption keys, passwords, or any other credentials required to access servers if they already exploited it.



For full protection, you may need to upgrade to a safer version OpenSSL and create new encryption keys. To help users check their systems, security researchers have developed tools that can assist users in determining whether they're running vulnerable versions of OpenSSL.



Global push to fix the power plant codes



4 April 2014



Target data theft impacted 70 million



10 January 2014



Bitcoin theft closes drug website



2 December 2013



Heartbleed



Codenomicon



Tor Project



Netcraft



Pen Test Partners


Homepage: https://free51.net/