Heartbleed Bug
Example: [Collected via e-mail, April 2014]
WARNING!
READ: "The biggest network security vulnerability in history was revealed
in the last 24 hours. It's called "heartbleed."
Everything you do for the next 24-48 hours will be viewable by
random 3rd parties. Encrypted connections are not secure until
this vulnerability is fixed. Billions will be affected. DO NOT LOG in to
anything. DO NOT change any passwords. DO NOT say or do anything online that
you would not want anonymous 3rd parties observing or copying.
(This came from a reliable source in my family; he said it was okay to write on
fb... or to read email from known sources as long as you observe the above
"do nots.") Don't buy anything online today! Don't log into your bank
account, etc.
Origins: In April 2014, a bug in software used by millions of web servers may have exposed anyone visiting sites they hosted to spying and eavesdropping. The bug, dubbed "heartbleed," resides in a software library called OpenSSL that is used in servers, operating systems, and email and instant messaging systems. Ironically, this software is supposed to protect sensitive data as it travels back and forth.
"Heartbleed" allows hackers to easily trick servers running OpenSSL into revealing decryption keys stored in their memory. With those keys, the ill-intentioned can eavesdrop on encrypted communications, directly steal sensitive information, and impersonate users and services.
OpenSSL is employed in the widely used Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software.
The bug gained its "heartbleed" moniker due to its occurring in the heartbeat extension for OpenSSL.
It was discovered by researchers working for Google and security firm Codenomicon. In a blog entry about their findings, the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
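As an added illustration (not code from this article or from OpenSSL itself), a simplified heartbeat handler in C showing the bounds check the 7 April 2014 fix introduced: the peer's claimed payload length must fit inside the record that actually arrived, otherwise the server would copy, and return, memory it was never sent. The message layout follows RFC 6520; the sample request bytes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Build the response to one heartbeat record. Returns the response length, or -1
 * if the record is malformed. The "1 + 2 + payload + 16 > rec_len" comparison is
 * the bounds check vulnerable OpenSSL builds lacked: without it the server copied
 * payload_length bytes from wherever the record sat in memory, regardless of how
 * few bytes the peer had actually sent. */
int heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                                   /* too short, or not a request */
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* peer-supplied length field */
    if (1 + 2 + payload + HB_PADDING > rec_len)      /* the check added by the April 2014 fix */
        return -1;                                   /* claimed length exceeds the record */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);               /* only bytes the peer really sent */
    memset(out + 3 + payload, 0, HB_PADDING);        /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}
/* Constructed sample: a request with the 3-byte payload "abc" followed by 16 bytes of padding. */
static const uint8_t sample_request[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };

/* Well-formed request: expect 22 bytes back, typed as a response, echoing "abc". */
int demo_well_formed(void)
{
    uint8_t out[64];
    int n = heartbeat_response(sample_request, sizeof sample_request, out, sizeof out);
    if (n != 22 || out[0] != HB_RESPONSE || memcmp(out + 3, "abc", 3) != 0)
        return -2;                                   /* unexpected result */
    return n;
}

/* The same 22-byte record with its length field rewritten to claim 65535 bytes:
 * the hardened parser refuses it instead of reading far past the request. */
int demo_overclaimed(void)
{
    uint8_t req[22], out[64];
    memcpy(req, sample_request, sizeof req);
    req[1] = 0xff; req[2] = 0xff;
    return heartbeat_response(req, sizeof req, out, sizeof out);
}
```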
The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL, released on 7 April 2014, is no longer vulnerable to the bug. However, protecting one's computer from this vulnerability may not be merely a matter of installing the updated version of OpenSSL, because if attackers have already exploited the weakness at an earlier date, they could have stolen encryption keys, passwords, or other credentials required to access a server.
Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help people check their systems, some security researchers have produced tools that help them work out whether they are running vulnerable versions of OpenSSL.
Unfortunately, as security experts have noted, there is not much that individual Internet users can do to protect themselves against the Heartbleed vulnerability, as resolution of the issue depends upon the operators of web sites making changes to their systems:
Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until exploitable websites upgrade their software.
"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.
Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.
"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."
Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.
That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. "There's going to be lots of chaotic mess," he said.
Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.