
BBC: Everything you need to know about Heartbleed bug

PostPosted: Wed Apr 09, 2014 4:58 pm
Author: Anthea
Why Heartbleed is the most dangerous security flaw on the web

"You might want to stay away from the internet entirely for the next few days while things settle."

Monday afternoon, the IT world got a very nasty wakeup call, an emergency security advisory from the OpenSSL project warning about an open bug called "Heartbleed." The bug could be used to pull a chunk of working memory from any server running their current software. There was an emergency patch, but until it was installed, tens of millions of servers were exposed. Anyone running a server was suddenly in crisis mode.

If the "Heartbleed" name sounds dramatic, this bug seems to live up to the hype. It’s already far worse than the GoToFail bug that embarrassed Apple earlier this year, both by the scale of computers affected and the depth of the breach. The new bug would let attackers pull the private keys to the server, letting attackers listen in on data traffic and potentially masquerade as the server. Even worse, it’s old: the bug dates back two years, and it's still unclear how long anyone's known about it.

OpenSSL isn't widely known outside of the coding world, but as many as two out of three servers on the web rely on its software. The sudden reveal means anyone involved is now scrambling for a fix. Already, Yahoo has been exposed by the bug, and experts have advised any Yahoo users to steer clear of their accounts until the company has time to update their servers. (A Yahoo representative tells The Verge the core sites are now patched, although the team is still working to implement the fix across the rest of the site.) Dozens of other smaller companies have also reportedly been affected, including Imgur, Flickr, and LastPass (although LastPass says no unencrypted data was exposed). "It is catastrophically bad, just a hugely damaging bug," says ICSI security researcher Nicholas Weaver.

Discovered by Google researcher Neel Mehta, the bug allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing — attackers don't know what usable data will be in the haul — but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.

Lots more info:

http://www.theverge.com/2014/4/8/559426 ... e-internet
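The post above describes the bug as letting an attacker pull a 64k chunk of server memory per request. The mechanism behind that is a missing bounds check: a TLS heartbeat message carries its own declared payload length, and the vulnerable code trusted that number instead of comparing it with the bytes actually received. The following is an added example written for this thread, not code from the post, The Verge, or the OpenSSL project. It validates a heartbeat message body the way the fixed code does (declared length plus mandatory padding must fit inside the record) and only echoes bytes that are really present. The message samples, the `check_heartbeat` and `safe_echo` function names, and the zero padding used for determinism are all constructed assumptions for the example.

```python
import struct

# RFC 6520 heartbeat message layout (carried in a TLS record of content type 24):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def check_heartbeat(record_body: bytes) -> dict:
    """Validate one heartbeat message body against its own declared length.

    Returns a dict with 'ok', 'type', 'declared_len', 'actual_len' and 'reason'.
    The message is rejected when the declared payload length plus the mandatory
    padding does not fit inside the bytes actually received. This is the bounds
    check that unpatched OpenSSL skipped before copying 'declared_len' bytes
    from the heap into its reply.
    """
    actual_len = len(record_body)
    result = {"ok": False, "type": None, "declared_len": None,
              "actual_len": actual_len, "reason": ""}
    if actual_len < 3:
        result["reason"] = "header truncated"
        return result
    hb_type = record_body[0]
    result["type"] = hb_type
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        result["reason"] = "unknown heartbeat type"
        return result
    (declared_len,) = struct.unpack("!H", record_body[1:3])
    result["declared_len"] = declared_len
    if 1 + 2 + declared_len + MIN_PADDING > actual_len:
        result["reason"] = "declared length exceeds record"
        return result
    result["ok"] = True
    return result


def safe_echo(record_body: bytes):
    """Build a heartbeat response, copying only the payload bytes that were received.

    Returns None for any message that fails check_heartbeat, so an oversized
    declared length never causes extra memory to be read. Padding is zeros here
    for determinism (a real stack uses random padding).
    """
    verdict = check_heartbeat(record_body)
    if not verdict["ok"] or verdict["type"] != HEARTBEAT_REQUEST:
        return None
    declared_len = verdict["declared_len"]
    payload = record_body[3:3 + declared_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared_len) + payload + b"\x00" * MIN_PADDING


# Constructed sample messages (not captured traffic):
# a well-formed request whose declared length matches the 5-byte payload ...
GOOD_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5) + b"hello" + b"\x00" * MIN_PADDING
# ... and a malformed one that declares 16384 bytes but carries only 2.
BAD_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"hi" + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    for name, msg in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        v = check_heartbeat(msg)
        print(f"{name}: ok={v['ok']} declared={v['declared_len']} actual={v['actual_len']} {v['reason']}")
        print(f"  response: {safe_echo(msg)!r}")
```

The same comparison (declared length plus padding against the record length) is what an intrusion detection signature for this bug checks on the wire, and what the server-side fix enforces before building a reply.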

Everything you need to know about Heartbleed bug

PostPosted: Thu Apr 10, 2014 5:03 pm
Author: Anthea
BBC News Technology


This week it has emerged that a major security flaw at the heart of the internet may have been exposing users' personal information and passwords to hackers for the past two years.

It is not known how widely the bug has been exploited, if at all, but what is clear is that it is one of the biggest security issues to have faced the internet to date.

Security expert Bruce Schneier described it as "catastrophic". "On the scale of 1 to 10, this is an 11."

The BBC has attempted to round up everything you need to know about Heartbleed.


PLEASE GO TO BBC LINK:

http://www.bbc.co.uk/news/technology-26969629