Heartbleed fix finds more security bugs in server code

PostAuthor: Anthea » Tue Apr 08, 2014 9:08 pm

BBC News Technology

Scramble to fix huge 'heartbleed' security bug

A bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.

The bug is in a software library used in servers, operating systems and email and instant messaging systems.

Called OpenSSL, the software is supposed to protect sensitive data as it travels back and forth.

It is not clear how widespread exploitation of the bug has been because attacks leave no trace.

"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," said a blog entry about the bug published by the Tor Project, which produces software that helps people avoid scrutiny of their browsing habits.

'Serious' vulnerability

A huge swathe of the web could be vulnerable because OpenSSL is used in the widely used Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software.

"It's the biggest thing I've seen in security since the discovery of SQL injection," said Ken Munro, a security expert at Pen Test Partners. SQL injection is a way to extract information from the databases behind web sites and services using specially crafted queries.

Many firms were scrambling to apply patches to vulnerable programs and others had shut down services while fixes were being worked on, he said. Many were worried that with proof of concept code already being shared it would only be a matter of time before cyber thieves started exploiting the vulnerability.

Mojang, maker of the hugely popular Minecraft game, took all its services offline while Amazon, which it uses to host games, patched its systems.

The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.

In a blog entry about their findings the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.

"This allows attackers to eavesdrop [on] communications, steal data directly from the services and users and to impersonate services and users," wrote the team that discovered the vulnerability. They called it the "heartbleed" bug because it occurs in the heartbeat extension for OpenSSL.

The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April is no longer vulnerable to the bug.

"Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," wrote the researchers.

Installing an updated version of OpenSSL did not necessarily mean people were safe from attack, said the team. If attackers have already exploited it they could have stolen encryption keys, passwords or other credentials required to access a server, they said.

Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help people check their systems some security researchers have produced tools that help people work out if they are running vulnerable versions of OpenSSL.

http://www.bbc.co.uk/news/technology-26935905
Last edited by Anthea on Sat Jun 07, 2014 12:59 am, edited 2 times in total.
My Name Is KURDISTAN And I Will Be FREE
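The article above says the bug sits in the heartbeat extension and lets a remote peer read server memory. The check below is an added illustration, not code from the BBC article or from OpenSSL: a hypothetical, simplified heartbeat echo handler that validates the length field the peer supplies against the bytes actually received, which is the class of check the fix added. Record layout follows RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding); the sample records are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified heartbeat handler (not OpenSSL's code).
 * The peer sends a request carrying a payload and a payload_length field
 * and expects the payload echoed back. A handler that trusts payload_length
 * without comparing it to the record it really received copies that many
 * bytes from whatever follows the record in memory; that is the defect
 * class the article describes. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3   /* type byte + 2-byte length */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Build the response for one received record.
 * Returns the response length, or -1 when the record must be discarded. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The essential check: header + declared payload + padding must fit
     * inside the bytes actually received. RFC 6520 says to discard the
     * record silently otherwise. Without this line the memcpy below would
     * read payload_len bytes past the end of rec. */
    if (HB_HEADER + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    /* Padding should be random in real code; zeros keep the example deterministic. */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed sample records: a well-formed 4-byte "ping" request, and the
 * same 23-byte record whose length field claims 0x4000 bytes of payload. */
static const uint8_t good_rec[] = {1, 0x00, 0x04, 'p','i','n','g',
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t bad_rec[]  = {1, 0x40, 0x00, 'p','i','n','g',
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

int demo_good(void) { uint8_t out[64]; return heartbeat_respond(good_rec, sizeof good_rec, out, sizeof out); }
int demo_bad(void)  { uint8_t out[64]; return heartbeat_respond(bad_rec,  sizeof bad_rec,  out, sizeof out); }
```

The well-formed record yields a 23-byte response; the record with the inflated length field is discarded instead of being echoed with extra memory attached.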
Re: WARNING: Scramble to fix huge heartbleed security bug

PostAuthor: Anthea » Tue Apr 08, 2014 9:13 pm

The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice?

We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

PLEASE FOLLOW IMPORTANT LINK TO LEARN MORE:

Q&A

http://heartbleed.com/
PostAuthor: Anthea » Sat Jun 07, 2014 12:58 am

BBC News Technology

Heartbleed fix finds more security bugs in server code

The discovery of Heartbleed prompted a global scramble to patch the bug

More security holes have been uncovered in the same software that was found to harbour the dangerous "Heartbleed" bug.

Heartbleed was found in security software used on many websites to ensure data was not spied upon as it passed back and forth.

About 500,000 websites were believed to be vulnerable to attacks that exploited the Heartbleed vulnerability.

The newly discovered bugs are not thought to be as serious as Heartbleed and are harder to exploit.

The software package harbouring all the vulnerabilities is known as OpenSSL and is used to scramble, or encrypt, data as it is swapped between users and a site.

Tech companies including Google, Facebook, Yahoo and Amazon and many others all use OpenSSL.

The fresh batch of vulnerabilities was found as a result of work done to close Heartbleed and ensure other parts of the software were secure. The discovery of Heartbleed led to many big firms pledging cash to the small organisation that developed OpenSSL to help it improve its bug finding and fixing efforts.

Updated versions of OpenSSL that have the bugs patched are now available and anyone running vulnerable versions is being urged to update as soon as possible.

"They are going to have to patch. This will take some time," Lee Weiner, a spokesman for security firm Rapid7, told Reuters.

If exploited, the bugs would let attackers run their own programs on a target server or stop it working. The most serious bug would let an attacker interpose themselves between a victim and the server they were using and spy on the data as it passed back and forth.

Writing on the blog of security firm Sophos, Chester Wisniewski said there was no need to panic about the latest bug reports.

"Patch early and patch often," he said. "You will likely see updates for many of your programs on your computer and Android smartphones being updated over the next few weeks."

http://www.bbc.co.uk/news/technology-27732266