Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."

 


'Heartbleed' bug undoes Web encryption, reveals user passwords

By exposing the contents of memory of a Web site's server, the OpenSSL Heartbleed bug lets attackers steal the most sensitive information and impersonate those servers.

A major new vulnerability in OpenSSL, the open-source software package widely used to encrypt Web communications, means that computer attackers could get access not just to people's private data but to a server's digital keys used to encrypt past and future communications.

 


'Heartbleed' bug in OpenSSL puts encrypted communications at risk

Administrators are advised to patch and revoke old private keys

Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.

The flaw, nicknamed "Heartbleed," is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.

 

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.

The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.

 


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk

      Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

 ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys — Krebs on Security


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk


Heartbleed security patches coming fast and furious

 

Summary: Fixes for the highly dangerous OpenSSL Heartbleed security hole are arriving now. Update your servers ASAP.

 

By Steven J. Vaughan-Nichols for Networking | April 8, 2014 -- 19:02 GMT (20:02 BST)

 

Make no mistake about it. The OpenSSL Heartbleed security hole is as serious for Internet security as a stage four cancer diagnosis would be for you. Worse still, OpenSSL 1.01 —  the one production version affected — had been shipping since March 12, 2012. That meant tens of millions of Web sites had been potentially vulnerable to attacks via this hole. Fortunately, OpenSSL repaired this with the release of OpenSSL 1.01g on April 7.

 

How bad is this bug? Popular sites such as Yahoo, Imgur, and OKCupid have all been hit by it. Since OpenSSL is the default secure-socket layer/Transport Layer Security (SSL/TLS) for the Apache and NGINX Web servers, some estimates claim that as many as two-thirds of all "secured" Web sites are vulnerable to Heartbleed.

 

Worse still, proof-of-concept scripts are now available for script-kiddies to try to attack secure Web sites. Is your Website vulnerable to such assault? You can check your site with the Heartbleed test.

 

 


At least the forces of good are starting to marshal to the cause...Hurrah!



Webroot SecureAnywhere Complete Beta Tester v9.0.0.65...+ VoodooShield v2.75 ...working together as the NEW perfect combination! And backed up by Macrium Reflect v6


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk

         

Heartbleed Detection Update | Qualys Technology | Qualys Community

 

 

Admins: why not review config standards as you fix Heartbleed? - F-Secure Weblog : News from the Lab

As you have to update your SSL anyway, why not make sure your configuration is up to modern standards?

There has been plenty of noise about Heartbleed, so if you're an admin, you already know what to do.

1. Find everything you have using vulnerable versions of OpenSSL
2. Update to the latest OpenSSL version
3. Create new private keys and SSL certificates as the old ones may have leaked
4. Revoke old certificates

But since you have to touch your server configuration and create new SSL certificates, we would recommend that you also go through certificate generation settings and server configuration. Heartbleed is not the only problem in SSL/TLS implementations; a poorly chosen protocol or weak cipher can be just as dangerous as the Heartbleed bug.

 

 

 

 

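An added triage helper (my own example, not code from the thread, F-Secure or OpenSSL) that applies the four remediation steps above to an inventory of `openssl version` banners, using the version range the thread states (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, the 1.0.0 and 0.9.8 branches unaffected). The hostnames, banners and the `vendor_backport` flag are constructed assumptions.

```python
import re

# Version facts as stated in the thread: 1.0.1 through 1.0.1f are vulnerable,
# 1.0.1g (7 April 2014) is fixed, and the 1.0.0 and 0.9.8 branches are unaffected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Turn an `openssl version` line such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'
    into (major, minor, fix, letter); '-fips' suffixes and build dates are ignored."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def is_heartbleed_vulnerable(banner):
    """True when the banner falls inside 1.0.1 .. 1.0.1f."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False          # 0.9.8 and 1.0.0 never carried the bug
    return letter <= "f"      # '' (plain 1.0.1) through 'f'; 'g' and later are fixed

def remediation_plan(inventory):
    """Map each host to the steps it still needs. Entries are (host, banner, vendor_backport);
    vendor_backport is a hypothetical flag for distributions that shipped the fix without
    changing the banner, so the banner alone cannot prove a host is safe. A host that ever
    ran a vulnerable build still needs new keys and a revocation: the old key may have leaked."""
    plan = {}
    for host, banner, vendor_backport in inventory:
        steps = []
        if is_heartbleed_vulnerable(banner):
            if not vendor_backport:
                steps.append("update OpenSSL")
            steps += ["generate new private key and certificate", "revoke old certificate"]
        steps.append("review protocol and cipher configuration")  # F-Secure's extra step
        plan[host] = steps
    return plan

# Constructed sample inventory: hostnames, banners and flags are made up.
SAMPLE_INVENTORY = [
    ("web1.example.test", "OpenSSL 1.0.1e-fips 11 Feb 2013", False),
    ("web2.example.test", "OpenSSL 1.0.1g 7 Apr 2014", False),
    ("mail.example.test", "OpenSSL 1.0.1 14 Mar 2012", True),
    ("legacy.example.test", "OpenSSL 0.9.8y 5 Feb 2013", False),
]

if __name__ == "__main__":
    for host, steps in remediation_plan(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(steps)}")
```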


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk

 

The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further.

Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. "On the scale of 1 to 10, this is an 11," he said in a blog post today. The bug affects how OpenSSL, the most widely used cryptographic library for Apache and nginx Web servers, handles a service of Transport Layer Security called Heartbeat—an extension added to TLS in 2012.

 Heartbleed vulnerability may have been exploited months before patch [Updated] | Ars Technica


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk

It seems as if there are Heartbleed bug updates by the hour. Here are two other interesting recent stories about the most talked about security topic of the week.

 

1. According to a CNNMoney report, Cisco and Juniper are saying that Heartbleed doesn't only affect websites, but has also affected about 24 networking devices including routers, servers, phones, and others. You can read that article here. Here is a snippet from the story:

"But fixing the bug on those devices won't be easy. Cisco and Juniper can't just press a button and immediately replace the vulnerable software running on the machines. The onus is on each person or company using those devices. And that's where the problem lies."


(Source: CNNMoney)

 

2. On the other hand, The Verge is reporting that, according to content distribution network Cloudflare, the previous thought that Heartbleed exploiters would have access to the private SSL keys may not actually be the case. Apparently, researchers at Cloudflare have been trying to do so for two weeks, but have not been successful.

"If it is possible, it is at a minimum very hard," researcher Nick Sullivan writes. "And we have reason to believe...that it may in fact be impossible." If true, it makes Heartbleed much less dangerous than many had feared, offering a saving grace for compromised sites.


(Source: The Verge)

--Yegor P--
Social Media Content Coordinator


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk

Thanks, Yegor

 

That is really interesting information...worrying...but really good to know/understand.

 

Cheers

 

 

 

Baldrick


Re: 'Heartbleed' bug in OpenSSL puts encrypted communications at risk


Thank you Yegor. That was a great article ending with a glimmer of hope.
