Forum Topic

'Heartbleed' Bug: Change ALL Of Your Passwords Warn Security Experts

'Heartbleed bug' exposes encryption keys; how to test your favourite sites for safety

Not much consumers can do to fix the problem.

Published 09 April 2014 | Brownie Marie

A flaw in the popular OpenSSL software has left millions of people vulnerable to having their banking information, tax files, emails, and other online data exposed. And there's no way to know if someone has accessed your information.

Nicknamed "Heartbleed," the "bug" is actually a weakness in OpenSSL's cryptographic software that makes SSL/TLS encryption backfire on computer users. The "https" protocol that is supposed to identify a secure website is actually a signal to hackers that the site is vulnerable to cyber attack. The hackers can then trick a computer's server into sending data stored in its memory.

Google security researcher Neel Mehta was the first to discover Heartbleed, and the weakness was confirmed by internet security firm Codenomicon. Alarmingly, researchers found that the Heartbleed flaw has been in OpenSSL for two years. It is unknown if attacks have been carried out, because exploiting the software loophole leaves no trace.

In addition to exposing users' passwords, personal files, and credit card information, hackers can also steal encryption keys, the code that translates computer-generated nonsense into usable information.

"It may even be able to use the secret key to impersonate the server, tricking users into divulging their password and other sensitive information," Vox Media wrote.

Codenomicon states that because of the widespread use of OpenSSL and the untraceability of Heartbleed, you should consider your accounts compromised.

"You are likely to be affected either directly or indirectly," their website, Heartbleed.com, states. "OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL."

To end Heartbleed's hold on the server, vendors and service providers must adopt the Fixed OpenSSL, which was released Monday.

"Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users," Codenomicon instructs. "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use."

Changing your passwords before the server has adopted Fixed OpenSSL is useless. As of today, most of the major websites, including Yahoo, Google, and Facebook, have fixed the problem. To check if a website has installed the updated OpenSSL software, visit http://filippo.io/Heartbleed/


Yahoo Among Millions of Websites Vulnerable to 'Heartbleed' OpenSSL Security Bug

A new security bug has been found in OpenSSL, the cryptographic library that secures most of the internet's websites, and Yahoo is one of the most well-known domains known to have been compromised.

Security researchers are very concerned as the bug, dubbed Heartbleed, has been around for two years and affects encryption of data sent over the internet, meaning users' passwords and other sensitive data are open to being spied on.

Other websites featured on the top 1,000 websites list compiled by Mustafa Al-Bassam (a former member of the LulzSec hacker collective who is now a computer science student) include popular websites like Imgur, Flickr, OKCupid, WeTransfer, Eventbrite, Web.de, Outbrain, Stackexchange and Kickass Torrents.

It will be difficult to discover if or when you have been compromised, as attackers are able to exploit the flaw without leaving any trace of their presence.

What is OpenSSL?

OpenSSL is the software library used in servers, operating systems, email and instant messaging systems to protect internet traffic as it travels back and forth. More than 53% of the web servers, which host more than 500 million websites, use software that relies on OpenSSL. (Source: NetCraft)

Discovered

The bug was first brought to light by security firm Codenomicon, who attempted to attack their own servers:

"We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," they wrote on an in-depth information page.

Codenomicon adds that anyone on the internet exploiting the flaw will be able to read the memory of a machine that's protected by a vulnerable version of the OpenSSL library.

Security researcher Filippo Valsorda has developed an online test that allows anyone to find out whether a server is vulnerable to being attacked, simply by entering the server's hostname.

Not a TLS/SSL flaw

A new version of OpenSSL, version 1.0.1g, is now available to download to patch the flaw, which was caused by an implementation problem in the OpenSSL cryptography library, not a design flaw in SSL/TLS, the protocols used to provide secure communication online.

"There is no flaw in the TLS protocol or the way it is designed, it's simply an implementation bug that has a catastrophic failure mode. The error is the code equivalent of a typo. But some typos are worse than others," explains Paco Hope, Principal Consultant at Cigital, a consulting firm which helps organisations to develop secure software.

"The vulnerabilities in the software you use matter just as much as vulnerabilities in code you write. Finding and fixing such bugs requires applying security throughout the software lifecycle and on all the relevant code, not exclusively at the end and not just exclusively on code you write. And if you acquire software from third parties, you care about what they integrate into the product as much as what they write for you."

Fox IT has published a list of indicators that can help companies to identify if their servers may be vulnerable. According to Fox IT, attackers can retrieve the source code of the website, usernames and passwords, as well as private SSL keys.

Nikki Howard ● 3691d0 Comments
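The articles above describe Heartbleed as an "implementation bug" rather than a protocol flaw: a server echoes back a payload whose length the peer declares, and the bug is that the declared length was never compared with the number of bytes that actually arrived. The following C snippet is an added example, not code from OpenSSL or from either article; the record layout, the names (`hb_build_response`, `demo_good`, `demo_lying`) and the two sample records are constructed for illustration. It shows the bounds check that a length-prefixed echo handler needs, and rejects a record whose length field claims far more payload than the record contains.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical heartbeat-style record (constructed for this example):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : declared payload length, big-endian
 *   bytes 3..  : payload, then at least HB_MIN_PADDING bytes of padding
 * record_len is the true size of the record as delivered by the
 * transport; it is the only trustworthy length the handler has. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Build the echo response for one record into out[].
 * Returns the number of payload bytes echoed, or -1 if the peer's
 * declared length is inconsistent with the bytes actually received
 * (or the output buffer is too small). */
int hb_build_response(const uint8_t *record, size_t record_len,
                      uint8_t *out, size_t out_cap)
{
    if (record == NULL || out == NULL || record_len < HB_HEADER_LEN) {
        return -1;
    }
    size_t declared = ((size_t)record[1] << 8) | record[2];

    /* The check Heartbleed lacked: header + declared payload + padding
     * must fit inside the record that was really received. Without it
     * the memcpy below would copy process memory beyond the record. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > record_len) {
        return -1;
    }
    if (HB_HEADER_LEN + declared > out_cap) {
        return -1;
    }
    out[0] = 2;                 /* response type */
    out[1] = record[1];         /* echo the length field */
    out[2] = record[2];
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, declared);
    return (int)declared;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t GOOD_RECORD[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes padding */
};
/* Same 23 bytes, but the length field claims 65535 bytes of payload. */
static const uint8_t LYING_RECORD[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Well-formed record: expect 4 payload bytes echoed and "ping" in out. */
int demo_good(void)
{
    uint8_t out[64];
    int n = hb_build_response(GOOD_RECORD, sizeof GOOD_RECORD, out, sizeof out);
    if (n != 4) {
        return -1;
    }
    return memcmp(out + HB_HEADER_LEN, "ping", 4) == 0 ? n : -2;
}

/* Over-declared record: expect rejection (-1) instead of a memory leak. */
int demo_lying(void)
{
    uint8_t out[64];
    return hb_build_response(LYING_RECORD, sizeof LYING_RECORD, out, sizeof out);
}

int main(void)
{
    printf("well-formed record echoed %d payload bytes\n", demo_good());
    printf("over-declared record result: %d\n", demo_lying());
    return 0;
}
```

The important design choice is that the handler derives its trust from `record_len`, the size the transport layer actually delivered, and treats the peer-supplied length field as a claim to be verified against it; the same pattern applies to any length-prefixed field in a network parser.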