Scramble to fix huge security bug
#1
Scramble to fix huge 'heartbleed' security bug

The researchers who discovered the bug publicised their findings via the web

A bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.

The bug is in a software library used in servers, operating systems and email and instant messaging systems.

Called OpenSSL, the software is supposed to protect sensitive data as it travels back and forth.

It is not clear how widespread exploitation of the bug has been because attacks leave no trace.

"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," said a blog entry about the bug published by the Tor Project, which produces software that helps people avoid scrutiny of their browsing habits.

'Serious' vulnerability

A huge swathe of the web could be vulnerable because OpenSSL is used in the widely used Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software.

"It's the biggest thing I've seen in security since the discovery of SQL injection," said Ken Munro, a security expert at Pen Test Partners. SQL injection is a way to extract information from the databases behind web sites and services using specially crafted queries.

Many firms were scrambling to apply patches to vulnerable programs and others had shut down services while fixes were being worked on, he said. Many were worried that with proof of concept code already being shared it would only be a matter of time before cyber thieves started exploiting the vulnerability.

Mojang, maker of the hugely popular Minecraft game, took all its services offline while Amazon, which it uses to host games, patched its systems.

The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.

In a blog entry about their findings the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.

"This allows attackers to eavesdrop [on] communications, steal data directly from the services and users and to impersonate services and users," wrote the team that discovered the vulnerability. They called it the "heartbleed" bug because it occurs in the heartbeat extension for OpenSSL.

The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April is no longer vulnerable to the bug.

"Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," wrote the researchers.

Installing an updated version of OpenSSL did not necessarily mean people were safe from attack, said the team. If attackers have already exploited it they could have stolen encryption keys, passwords or other credentials required to access a server, they said.

Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help people check their systems some security researchers have produced tools that help people work out if they are running vulnerable versions of OpenSSL.

source
#2
Heartbleed Bug: Public urged to reset all passwords

Users are warned that the flaw may have exposed passwords and sensitive data

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".

Security advisers have given similar warnings about the Heartbleed Bug.

It follows news that a product used to safeguard data could be compromised to allow eavesdropping.

OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.

Those affected include Canada's tax collecting agency, which halted online services "to safeguard the integrity of the information we hold".

Copied keys

Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.

They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.

They nicknamed it the Heartbleed Bug because the flaw caused the "leak of memory contents" between servers and their clients.

It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail - unless the hackers published their haul online.

"If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested," said Ari Takanen, Codenomicon's chief technology officer.

"In that sense it's a good idea to change the passwords on all the updated web portals."

Other security experts have been shocked by the revelation.

"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.

The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.

However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.

The bug has been called Heartbleed to reflect data leaking from computer servers

"Our team has successfully made the appropriate corrections across the main Yahoo properties - Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr - and we are working to implement the fix across the rest of our sites right now," said a spokeswoman for the company.

New passwords

NCC Group - a cybersecurity company that advises many members of the FTSE 250 - described the situation as "grave".

"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," the company's associate director Ollie Whitehouse told the BBC.

"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information.

"As long as service providers have patched their software it would now be a prudent step for the public to update their passwords."

Several security firms and independent developers have published online tests to help the public discover if the services are still exposed.

However, there is no simple way to find out if they were vulnerable before.

Organisations that used Microsoft's Internet Information Services (IIS) web server software would not have been affected.

But Codenomicon has noted that more than 66% of the net's active sites rely on the open source alternatives Apache and Nginx, which do use OpenSSL.

Even so, some of these sites would have also employed a feature called "perfect forward secrecy" that would have limited the number of their communications that could have been hacked.

'No rush'

A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.

"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.

"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.

"But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."

source
#3
So what do you guys think? Are you changing your passwords? I am at least changing my banking information. A small chance is still a chance after all.
#4
There would be some pretty serious fundamental flaws with a service, if any passwords/hashes were leaked.
If anything, you could change your password to forcefully invalidate all previous sessions.
#5
LastPass Heartbleed checker

Check here to see if a site is vulnerable to heartbleed - LastPass Heartbleed Checker