NSA accused of using Heartbleed.

Tests confirm Heartbleed bug can expose server's private key.
Four researchers working separately have demonstrated that a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but until now unconfirmed.
The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators. CloudFlare asked the security community whether the flaw in the OpenSSL cryptographic library, made public last week, could be used to obtain the private key used to set up an encrypted channel between users and websites, known as SSL/TLS (Secure Sockets Layer/Transport Layer Security). The private key is paired with the site's security certificate, which verifies that a client computer isn't connecting to a fake website purporting to be a legitimate one. Browsers indicate a secure connection with a padlock and show a warning if the certificate is invalid. CloudFlare set up a server running the nginx-1.5.13 web server software with OpenSSL version 1.0.1f on Ubuntu 13.10 x86_64.

Heartbleed hacks hit Mumsnet and Canada's tax agency.
14 April 2014, last updated at 14:12 ET. By Leo Kelion, Technology desk editor.
A leading UK site for parents and the Canadian tax authority have both announced that they have had data stolen by hackers exploiting the Heartbleed bug.
Mumsnet, which says it has 1.5 million registered members, said that it believed the cyber thieves may have obtained passwords and personal messages before it patched its site. The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen. These are the first confirmed losses.

The Internet's Telltale Heartbleed.
The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole.
So when he writes, of the “catastrophic bug” known as Heartbleed, “On the scale of 1 to 10, this is an 11,” it’s safe to conclude that the Internet has a serious problem. The bug, which was announced on Tuesday—complete with an explanatory Web site and a bleeding-heart logo—is a vulnerability in a widely used piece of encryption software called OpenSSL. Heartbleed is as bad as it is possible for a security flaw to be. It can be easily exploited by anyone on the Internet without leaving a trace, and it can be used to obtain login names, passwords, credit-card information, and even the keys that keep our encrypted communications safe from eavesdroppers. The bug first appeared in OpenSSL code that was released in March, 2012—so the vulnerability has been open to exploitation for more than two years.
Heartbleed bug affects gadgets everywhere - Apr. 11, 2014.
The Heartbleed Internet bug affects a lot of the gear we all use at work.
Fixing it all will be a herculean task. NEW YORK (CNNMoney) Tech giants Cisco (CSCO, Fortune 500) and Juniper (JNPR) have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they're impacted by the bug as well.
That means that for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions on your computer or iPhone.

What is Heartbleed, anyway?
If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I log in to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple.

Mashable.
A week after the Heartbleed OpenSSL vulnerability wreaked havoc across the web, the conversation is shifting from reaction to reflection.
The discussion is no longer about what to do now, but about what can be done to prevent another Heartbleed from happening in the future. In other words, we're entering the blame-game chapter of this saga.

GovWeek: Heartbleed worldwide roundup special issue.

Heartbleed is about to get worse, and it will slow the Internet to a crawl.
Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say.
Estimates of the severity of the bug's damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious.

Heartbleed bug: What you need to know (FAQ).
The Heartbleed bug, a newly discovered security vulnerability that puts users' passwords at many popular Web sites at risk, has upended the Web since it was disclosed earlier this week.
It's an extremely serious issue, and as such there's a lot of confusion about the bug and its implications as you use the Internet. CNET has compiled a list of Frequently Asked Questions to help users learn more about the bug and protect themselves. The Heartbleed situation is ongoing, and we'll update this FAQ as new issues arise. Check back for new information.

Heartbleed bug fixes threaten to cause major Internet disruptions in coming weeks.

The Results of the CloudFlare Challenge.

Many Devices Will Never Be Patched to Fix Heartbleed Bug.
A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords.
But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed. OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated. Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software.