The HeartBleed Bug

JQPublic1

Just when we thought our anti-virus software was improving security an even more sinister flaw surfaces to put a chill on computing! Read it and weep!

April 8, 2014 8:30 PM ET

AP said:
BOSTON, April 8 (Reuters) - A newly discovered bug in widely used Web encryption technology has made data on many of the world's major websites vulnerable to theft by hackers in what experts say is one of the most serious security flaws uncovered in recent years.

The finding of the so-called "Heartbleed" vulnerability, by researchers with Google Inc and a small security firm Codenomicon, prompted the U.S. government's Department of Homeland Security to advise businesses on Tuesday to review their servers to see if they were using vulnerable versions of a type of software known as OpenSSL.

It said updates are already available to address the vulnerability in OpenSSL, which could enable remote attackers to access sensitive data including passwords and secret keys that can decode traffic as it travels across the Internet.

'Heartbleed' bug in web technology seen as major threat to user data: Thomson Reuters Business News - MSN Money
 
Granny says it was prob'ly started by some bleedin' heart lib'ral...
:eek:
Little Internet users can do to thwart 'Heartbleed' bug
9 Apr.`14 - Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until exploitable websites upgrade their software.
Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers. OpenSSL is used on about two-thirds of all web servers, but the issue has gone undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced on Monday. By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after Rapid7 released a free tool for conducting such scans. "The problem is insidious," he said. "Now it is amateur hour. Everybody is doing it."

OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators. "There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure. Representatives for Facebook Inc, Google and Yahoo Inc told Reuters that they have taken steps to mitigate the impact on users. Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords." Ty Rogers, a spokesman for online commerce giant Amazon.com Inc, said "Amazon.com is not affected." He declined to elaborate.

Kaspersky Lab's Baumgartner noted that devices besides servers could be vulnerable to attacks because they run software programs with vulnerable OpenSSL code built into them. They include versions of Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks. Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

CLEANING UP MESS
 
According to Mashable’s list of popular Heartbleed-afflicted sites, here are some of the big sites where you should change your password:

Facebook
Tumblr
Yahoo
Google
Dropbox
LastPass
OKCupid
SoundCloud

Other big sites that definitely weren’t vulnerable, according to Mashable:

LinkedIn
Amazon
Microsoft (including Hotmail and Outlook)
AOL
PayPal
Evernote

Also good news: it looks like none of the major banking sites Mashable checked were vulnerable.

Heartbleed Bug: Here Are the Passwords You Should Change - TIME
 
The Amazon shopping site is safe, but Amazon Web Services is not. If you use Amazon Web Services, you need to change your password.
 
Heartbleed Bug: Tech firms urge password reset

By Leo Kelion, Technology desk editor


How long's it been since you reset or changed yours? This isn't the only report as many online companies and organizations urge you to change them regularly.

And, please don't use “password”!

Read more @ BBC News - Heartbleed Bug: Tech firms urge password reset
 
It's spreadin' everywhere!...
:eek:
'Heartbleed' computer bug threat spreads to firewalls and beyond
10 Apr.`14 - Hackers could crack email systems, security firewalls and possibly mobile phones through the "Heartbleed" computer bug, according to security experts who warned on Thursday that the risks extended beyond just Internet Web servers.
The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in a widely used Web encryption program known as OpenSSL opened hundreds of thousands of websites to data theft. Developers rushed out patches to fix affected web servers when they disclosed the problem, which affected companies from Amazon.com Inc and Google Inc to Yahoo Inc.

Yet pieces of vulnerable OpenSSL code can be found inside plenty of other places, including email servers, ordinary PCs, phones and even security products such as firewalls. Developers of those products are scrambling to figure out whether they are vulnerable and patch them to keep their users safe. "I am waiting for a patch," said Jeff Moss, a security adviser to the U.S. Department of Homeland Security and founder of the Def Con hacking conference. Def Con's network uses an enterprise firewall from McAfee, which is owned by Intel Corp's security division. "Everybody is going through the exact same thing I'm going through, if you are going through a vendor fix," he said.

An Intel spokesman declined comment, referring Reuters to a company blog that said: "We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated." It did not say when they would be released. The Heartbleed vulnerability went undetected for about two years and can be exploited without leaving a trace, so experts and consumers fear attackers may have compromised large numbers of networks without their knowledge.

Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the Internet this week in search of vulnerable servers. "Every security person is talking about this," said Chris Morales, practice manager with the cybersecurity services firm NSS Labs. Cisco Systems Inc, the world's biggest telecommunications equipment provider, said on its website that it is reviewing dozens of products to see if they are safe. It uncovered about a dozen that are vulnerable, including a TelePresence video conferencing server and a version of the IOS software for managing routers. A company spokesman declined to comment on how those issues might affect users, saying Cisco would provide more information as it became available.

Oracle Corp has not posted such an advisory on its support site. Company spokeswoman Deborah Hellinger declined to comment on Heartbleed. Microsoft Corp, which runs a cloud computing and storage service, the Xbox platform and has hundreds of millions of Windows and Office users, said in a statement that "a few services continue to be reviewed and updated with further protections." It did not identify them. Officials with technology giants IBM and Hewlett-Packard Co could not be reached. EMC Corp and Dell said they had no immediate comment. Security experts said the vulnerable code is also found in some widely used email server software, the online browser anonymizing tool Tor and OpenVPN, as well as some online games and software that runs Internet-connected devices such as webcams and mobile phones.

Jeff Forristal, chief technology officer of Bluebox Security, said that version 4.1.1 of Google's Android operating system, known as Jelly Bean, is also vulnerable. Google officials declined comment on his finding. Other security experts said that they would avoid using any device with the vulnerable software in it, but that it would take a lot of effort for a hacker to extract useful data from a vulnerable Android phone. He said he was frustrated because people had figured out that his email and Web traffic is vulnerable and posted about it on the Internet - but he can't take steps to remedy the problem until Intel releases a patch.

'Heartbleed' computer bug threat spreads to firewalls and beyond
 
Wow, looks like this is running rampant.
 
This has nothing to do with viruses, it is an actual flaw in the way secure websites work. I would explain it, but the details get technical, and I actually have a comic that makes it simple.


heartbleed_explanation.png
 
You probably shouldn't change your passwords on all those sites yet; the best thing to do is wait until they patch the flaw and get a new certificate. Use this site to determine if you should change your password.

https://lastpass.com/heartbleed/
 
I just got an email from Pinterest that said I should change my password...even though they didn't find any problems but just in case, it was suggested to do so. And they had a link to do it. I deleted the email and went straight to Pinterest and changed my password from there. I don't trust emails from supposed sites. Too many look exactly like the site but are fake.
 
An expert on this two-year-old virus, one of the all-time worst, said today it would be too late for anyone to change their passwords....:dunno: It was on the news when I came home around 4 PM.

Maybe better be safe than sorry, though? Never hurts to err on the side of caution.
 
Correct! Heartbleed isn't a virus, worm or Trojan. It's a flaw/vulnerability. BTW, I have not had time to reply to your responses because I have been contacting various financial entities to see if they were aware of the problem and to inquire as to what they are doing about it. Without exception, all institutions that I contacted have been aware of the bug for some time and have tried to reassure me, at least verbally, that their security isn't affected. Frankly, though, I am reconsidering the use of online banking or other online transactions. Too risky.
 
NSA Said to Exploit Heartbleed Bug for Intelligence for Years
By Michael Riley Apr 11, 2014 11:00 PM CT

April 11 (Bloomberg) -- Ghostery Senior Director of Research Andy Kahl and Bloomberg’s Michael Riley discuss the NSA’s knowledge of the Heartbleed bug on Bloomberg Television's “Street Smart.” (Source: Bloomberg)

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.

Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. (CSCO) to Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

NSA Said to Exploit Heartbleed Bug for Intelligence for Years - Bloomberg
 