
Heartbleed


NSA accused of using HeartBleed.

Tests confirm Heartbleed bug can expose server's private key.

Four researchers working separately have demonstrated that a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed until then. The findings came shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators. CloudFlare asked the security community whether the flaw in the OpenSSL cryptographic library, made public the previous week, could be used to obtain the private key behind the encrypted channel between users and websites, known as SSL/TLS (Secure Sockets Layer/Transport Layer Security).

The private key corresponds to the public key in the site's security certificate, which is what lets a client computer verify that it isn't connecting to a fake website purporting to be a legitimate one; an attacker holding the key can impersonate the site and decrypt captured traffic from connections that did not use forward secrecy. Browsers indicate a secure connection with a padlock and show a warning if the certificate is invalid. CloudFlare set up a server running the nginx-1.5.13 web server software with OpenSSL version 1.0.1f on Ubuntu 13.10 x86_64.

Heartbleed hacks hit Mumsnet and Canada's tax agency.

14 April 2014, last updated at 14:12 ET. By Leo Kelion, Technology desk editor.

A leading UK site for parents and the Canadian tax authority have both announced that they have had data stolen by hackers exploiting the Heartbleed bug. Mumsnet, which says it has 1.5 million registered members, said that it believed the cyber thieves may have obtained passwords and personal messages before it patched its site.

The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen. These are the first confirmed losses. The Mumsnet site's founder Justine Roberts told the BBC that it became apparent that user data was at risk when her own username and password were used to post a message online. She said the hackers then informed Mumsnet's administrators that the attack was linked to the Heartbleed flaw and told them the company's data was not safe.

"We have no way of knowing which Mumsnetters were affected by this."

The Internet's Telltale Heartbleed.

The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole. So when he writes, of the "catastrophic bug" known as Heartbleed, "On the scale of 1 to 10, this is an 11," it's safe to conclude that the Internet has a serious problem. The bug, which was announced on April 7th, complete with an explanatory Web site and a bleeding-heart logo, is a vulnerability in a widely used piece of encryption software called OpenSSL. Heartbleed is about as bad as a security flaw can be. It can be exploited easily by anyone on the Internet without leaving a trace in ordinary server logs, and it can be used to obtain login names, passwords, credit-card information, and even the keys that keep encrypted communications safe from eavesdroppers. The bug first appeared in OpenSSL 1.0.1, released in March 2012, so the vulnerability had been open to exploitation for more than two years.

Heartbleed bug affects gadgets everywhere (Apr. 11, 2014).

The Heartbleed Internet bug affects a lot of the gear we all use at work. Fixing it all will be a herculean task.

NEW YORK (CNNMoney) Tech giants Cisco and Juniper have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they're affected by the bug as well. That means that for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely.

And you'll probably never know if you were hacked. "That's why this is being dubbed the biggest exploit of the last 12 years."

What does exposure actually mean?

But fixing the bug on those devices won't be easy.

What is Heartbleed, anyway?

If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I log in to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple. In an attempt to take the pressure off (it is the weekend, after all) we've put together a primer that should answer all of those questions and a few more.

How it works

The problem affects a piece of software called OpenSSL, used for security on popular web servers. OpenSSL is an open-source project, meaning it was developed by talented volunteers, free of charge, to help the internet community.

Heartbleed exploits a built-in feature of OpenSSL called heartbeat, the TLS Heartbeat Extension (RFC 6520) that lets one side send a small payload and have the peer echo it back. The flaw is that vulnerable OpenSSL versions trusted the payload length the client declared without checking it against the data actually received, so a request that claims a large payload but carries a short one is answered with up to 64 KB of whatever happens to sit next to the request in the server's memory.

What should I do?

If you need the TL;DR, here it is: do not panic. The internet sure is fun!

Mashable

A week after the Heartbleed OpenSSL vulnerability wreaked havoc across the web, the conversation is shifting from reaction to reflection. The discussion is no longer about what to do now, but what can be done to prevent another Heartbleed from happening in the future. In other words, we're entering the blame-game chapter in this saga. So who is to blame for Heartbleed? If OpenSSL, the software package at the root of the vulnerability, were a piece of commercial software, we could blame the company behind the app. In fact, when Apple released an emergency patch for its own SSL/TLS bug back in February, the company was scrutinized by security experts, programmers and pundits alike. But OpenSSL isn't a commercial program.

Because OpenSSL is open source, there isn't an immediate figure or organization to blame. So if you can't blame an entity, which is the first recourse for some, is the model of open-source software itself to blame?

Linus's Law Didn't Fail

In Eric S. But we can't know that.

GovWeek: Heartbleed worldwide roundup special issue.

Heartbleed is about to get worse, and it will slow the Internet to a crawl.

Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say. Estimates of the severity of the bug's damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to steal a site's private key and then set up fake Web sites that mimic legitimate ones, complete with a certificate the browser accepts, to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug, which makes it possible to steal the private keys behind the "security certificates" that verify that a Web site is authentic, could overwhelm the systems designed to keep the Internet trustworthy: every affected site needs a new key and a reissued certificate, and the old certificate has to be revoked. Stealing the key is labor intensive.

Heartbleed bug: What you need to know (FAQ)

The Heartbleed bug, a newly discovered security vulnerability that puts users' passwords at many popular Web sites at risk, has upended the Web since it was disclosed earlier this week.

It's an extremely serious issue, and as such there's a lot of confusion about the bug and its implications as you use the Internet. CNET has compiled a list of Frequently Asked Questions to help users learn more about the bug and protect themselves. The Heartbleed situation is ongoing, and we'll update this FAQ as new issues arise. Check back for new information.

What is Heartbleed?

Heartbleed is a security vulnerability in the OpenSSL software that lets an attacker read chunks of a server's memory (up to 64 KB per request) without authenticating. That memory can hold whatever the server was handling at the time, so an attacker can steal the server's private keys, which are used to secure its encrypted communications, as well as user credentials that could give access to a company's internal systems and documents.
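The mechanism described under "How it works" and "What is Heartbleed?" above, together with the private-key recovery from the CloudFlare challenge, as one added worked example. This is not code from the page, from OpenSSL or from CloudFlare: the two handlers model the logic of OpenSSL's heartbeat processing before and after the bounds checks added in 1.0.1g, the "server memory" is a constructed buffer with a hypothetical key word planted at an offset I chose, the key is a toy with two 64-bit primes instead of two 1024-bit ones, and the little-endian word layout is my assumption, mirroring how OpenSSL's BIGNUM words lie on x86 (a detail the page does not state). The scan recovers the prime the way the challenge was solved, by testing each window of the leaked bytes as a candidate factor of the public modulus, scaled down to 8-byte windows. Because the over-read stays inside the constructed buffer, the demo itself has no undefined behaviour.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef unsigned __int128 u128;   /* toy modulus = product of two 64-bit primes (gcc/clang extension) */

/* Toy RSA key, constructed for the demo; a real key has two 1024-bit primes. */
static const uint64_t TOY_P = 2305843009213693951ULL;   /* 2^61 - 1, prime */
static const uint64_t TOY_Q = 18446744073709551557ULL;  /* 2^64 - 59, prime */
u128 toy_modulus(void) { return (u128)TOY_P * TOY_Q; }  /* the public modulus n */

/* Constructed server memory: the incoming heartbeat record sits at the front and a
 * private-key word (TOY_P, little-endian, the assumed BIGNUM word order) sits 200 bytes in. */
static unsigned char server_mem[512];

static void store_le64(unsigned char *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static uint64_t load_le64(const unsigned char *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* Write a heartbeat request carrying 'payload' but declaring whatever length the attacker chooses. */
static size_t build_request(unsigned char *rec, uint16_t claimed, const char *payload) {
    size_t real = strlen(payload);
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)claimed;
    memcpy(rec + 3, payload, real);
    memset(rec + 3 + real, 0, HB_PADDING);   /* real OpenSSL fills padding with random bytes */
    return 3 + real + HB_PADDING;
}

/* Response builder shared by both handlers: echoes 'payload' bytes starting at rec+3. */
static size_t echo(const unsigned char *rec, uint16_t payload, unsigned char *out) {
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, rec + 3, payload);       /* reads past the record when 'payload' is a lie */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler (behaviour of OpenSSL 1.0.1 through 1.0.1f): trusts the declared
 * length and never consults rec_len. Returns the response length, 0 if the record is ignored. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return echo(rec, payload, out);
}

/* Fixed handler: the record must hold at least header plus padding, and the declared
 * payload must fit inside it; anything else is discarded silently, as RFC 6520 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    return echo(rec, payload, out);
}

/* Key recovery, scaled down: slide an 8-byte window over the leaked bytes and test
 * whether the value divides the public modulus. Returns the factor found, or 0. */
uint64_t find_factor(const unsigned char *leak, size_t len, u128 n) {
    for (size_t i = 0; i + 8 <= len; i++) {
        uint64_t cand = load_le64(leak + i);
        if (cand < 3 || !(cand & 1)) continue;   /* RSA primes are large and odd */
        if (n % cand == 0) return cand;
    }
    return 0;
}

/* End-to-end demo: the attacker claims 400 payload bytes on a 5-byte heartbeat.
 * Returns the private-key prime pulled out of the response, or 0 if nothing leaked. */
uint64_t demo(int use_fixed) {
    unsigned char out[3 + 65535 + HB_PADDING];
    memset(server_mem, 0x41, sizeof server_mem);
    size_t rec_len = build_request(server_mem, 400, "hello");
    store_le64(server_mem + 200, TOY_P);
    size_t n = use_fixed ? heartbeat_fixed(server_mem, rec_len, out)
                         : heartbeat_vulnerable(server_mem, rec_len, out);
    if (n == 0) return 0;
    return find_factor(out + 3, n - 3, toy_modulus());
}

int main(void) {
    uint64_t p = demo(0);
    printf("vulnerable handler: leaked prime %llu, cofactor %llu\n",
           (unsigned long long)p, (unsigned long long)(p ? toy_modulus() / p : 0));
    printf("fixed handler: leaked prime %llu\n", (unsigned long long)demo(1));
    return 0;
}
```

Build with gcc or clang (the 128-bit integer type is a compiler extension). The single memcpy in echo is the whole bug: the vulnerable handler copies as many bytes as the attacker asked for, and in a real deployment that response goes straight back over the wire, which is why the attack leaves nothing in ordinary logs. Scaling the scan back up to real keys means 128-byte windows and a bignum modulus; the logic is otherwise the same.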

What is OpenSSL?

Let's start with SSL. OpenSSL is open-source software that implements SSL/TLS and is used across the Web.

Who discovered the bug?

Heartbleed bug fixes threaten to cause major Internet disruptions in coming weeks.

The Results of the CloudFlare Challenge.

Many Devices Will Never Be Patched to Fix Heartbleed Bug.

A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords. But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed.

OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated. Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software.

However, this is unlikely to be a priority.