"Heartbleed Bug" Exposes Password Vulnerability

Posted by Kirhat | Wednesday, April 16, 2014

By this time, almost everyone must have heard something about the Heartbleed Bug. It is a serious vulnerability in the OpenSSL cryptographic software library, the encryption technology that protects much of the Internet, and it allows a malicious attacker to compromise passwords and personal data.

OpenSSL is an open-source software package that allows web users to protect the privacy of information they transmit over the internet. For instance, when you visit a secure website such as Gmail.com, you'll see a 'lock sign' next to the URL, indicating that your communications with the site are encrypted.

The weakness allows the information protected by the SSL/TLS encryption used to secure the Internet to be stolen easily. OpenSSL has had this flaw for about 2 years.

In short, the Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
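The paragraph above describes the effect (server memory read by a remote party) without the mechanism. The following is an added illustration written for this post, not OpenSSL's own code: a TLS heartbeat message (type, 2-byte payload length, payload, padding) handled once without and once with the bounds check that the fixed version enforces. The "process memory" and the cookie/password bytes next to the record are a constructed stand-in, not real data; the point is that a declared payload length longer than the record received makes the unchecked handler copy neighbouring memory into its reply, while the checked handler silently discards the message.

```python
import struct
from typing import Optional

# TLS heartbeat message layout: type (1 byte), payload_length (2 bytes, big-endian),
# payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16

# Constructed stand-in for whatever the server process happens to hold in memory
# right after the received record (session data, credentials, key material).
NEIGHBOURING_DATA = b"session_cookie=abc123; password=hunter2; ..."


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length overrides the length field so a
    test can construct a message whose declared payload size exceeds the real one."""
    length = len(payload) if claimed_length is None else claimed_length
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length)
            + payload + b"\x00" * MIN_PADDING)


class SimulatedProcessMemory:
    """A flat byte buffer standing in for the server's heap: the received TLS
    record sits at the start and unrelated process data follows it directly."""

    def __init__(self, record: bytes, neighbouring: bytes = NEIGHBOURING_DATA):
        self.buf = record + neighbouring
        self.record_length = len(record)  # what the TLS layer actually received


def respond_unchecked(mem: SimulatedProcessMemory) -> Optional[bytes]:
    """Flawed handler: trusts payload_length without comparing it to the record
    length. Python slicing stops at the end of the buffer, so the over-read here is
    bounded by the simulated memory; what matters is that it reads past the record."""
    if mem.buf[0] != HEARTBEAT_REQUEST:
        return None
    (payload_length,) = struct.unpack("!H", mem.buf[1:3])
    payload = mem.buf[3:3 + payload_length]  # copies memory beyond the record
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + b"\x00" * MIN_PADDING)


def respond_checked(mem: SimulatedProcessMemory) -> Optional[bytes]:
    """Hardened handler: the message is discarded unless header, declared payload
    and minimum padding all fit inside the record that was actually received."""
    if 1 + 2 + MIN_PADDING > mem.record_length:
        return None  # too short to carry even an empty payload
    if mem.buf[0] != HEARTBEAT_REQUEST:
        return None
    (payload_length,) = struct.unpack("!H", mem.buf[1:3])
    if 1 + 2 + payload_length + MIN_PADDING > mem.record_length:
        return None  # length field lies about the payload size: drop silently
    payload = mem.buf[3:3 + payload_length]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_length)
            + payload + b"\x00" * MIN_PADDING)


def leaked_bytes(mem: SimulatedProcessMemory, response: bytes) -> bytes:
    """Return the part of a response payload that came from beyond the record."""
    (payload_length,) = struct.unpack("!H", response[1:3])
    payload = response[3:3 + payload_length]
    in_record = max(0, mem.record_length - 3)  # payload bytes the record really held
    return payload[in_record:]


if __name__ == "__main__":
    # A 2-byte payload whose length field claims 30 bytes.
    mem = SimulatedProcessMemory(build_heartbeat(b"hi", claimed_length=30))
    reply = respond_unchecked(mem)
    print("unchecked handler leaked:", leaked_bytes(mem, reply))
    print("checked handler replies:", respond_checked(mem))
```

The check is the whole fix: the server must compare the length the client declares against the length of the record it actually received, and discard the message rather than echo it when they disagree. The leak is silent on the server side, which is why the remediation described later (rotate keys, not just upgrade) is needed: nothing in the server's own logs shows what was copied out.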

Who are and will be affected?

There are no official figures released, but one conservative report stated that of the 10,000 websites tested so far, 627 were found to be vulnerable to the bug. Yahoo sites (including email and Tumblr) were vulnerable, as was the popular dating site OkCupid.

A more realistic estimate, though, pegged the number of vulnerable servers at around 600,000. Worse, malicious "bot" software may have been attacking servers with the vulnerability for some time; in at least one case, traces of the attack have been found in audit logs dating back to November 2013. Attacks based on the exploit could date back even further.

The researchers who discovered the flaw notified the OpenSSL team and other key stakeholders several days ago. That allowed OpenSSL to announce a fixed version of the software at the same time the vulnerability was announced to the public. To address the problem, websites need to change their encryption keys and ensure they're running the latest version of OpenSSL.

Who can exploit the Heartbleed Bug?

Software to exploit the vulnerability is widely available online, and while the software isn't as user-friendly as an iPad app, anyone with basic programming skills can figure out how to use it.

Right now the bug is likely to be most valuable to intelligence agencies, which have the infrastructure and resources to intercept user traffic on a mass scale. The US National Security Agency (NSA), for instance, has secret agreements with American telecommunications providers to tap into the Internet backbone. Users might have thought that the SSL encryption on websites such as Gmail and Facebook protected them from this kind of snooping, but the Heartbleed bug could easily allow the NSA to obtain the private keys needed to unscramble these private communications.

Is there anything that you can do?

Unfortunately, there's nothing users can do to protect themselves if they visit a vulnerable website. The administrators of vulnerable websites will need to upgrade their software before users will be protected.

However, once an affected website has fixed the problem on its end, users can protect themselves by changing their passwords. Changing passwords before the site has been fixed is not advisable, because attackers would still have the means to intercept the new credentials.

What can be done for now is just to search the list of vulnerable sites online and see if your email provider is one of those mentioned. Keep in mind that many of the sites that were vulnerable yesterday have since fixed their security problem. Check your inbox — if a site you use has been made safe again, it may have emailed you to let you know.
