Heartbleed Bug: A Major Vulnerability on the Web Exposed
Heartbleed Bug: A flaw in software that is used to secure Web communications exposes sensitive data.
A major new vulnerability called Heartbleed has let attackers gain access to users' passwords and fool people into using fake versions of Web sites.
The issue comes from open-source software called OpenSSL (OpenSSL 1.0.1 through 1.0.1f was affected). This software is used to encrypt Web communications for a large number of websites. Heartbleed can reveal the contents of a server’s memory, where its most sensitive data is held, including private data such as usernames, passwords, and credit card numbers. An attacker who obtains copies of a server’s digital keys can then use them to impersonate the server or to decrypt communications from the past, and potentially the future, too.
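The practical first step for an administrator reading the above is to find out which of their hosts run a build in the affected range. The following script is an added example, not code from the article, CNET, or Codenomicon: it parses the banner printed by `openssl version` and flags versions in the range the article names (1.0.1 through 1.0.1f), handling the letter suffix correctly so that plain 1.0.1 and 1.0.1a to 1.0.1f are flagged while 1.0.1g, 1.0.0x and 1.0.2 are not. The hostnames and banners in the sample inventory are constructed for the example. One caveat a practitioner should keep in mind: some Linux distributions backported the fix without changing the version string, so a match here means "investigate and confirm the package's changelog", not proof of vulnerability.

```python
import re

# Affected range as stated in the article: OpenSSL 1.0.1 through 1.0.1f.
# Banners follow the text printed by `openssl version`, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013". All sample strings below are constructed.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_heartbleed_affected(banner):
    """True when the banner's version lies in 1.0.1 .. 1.0.1f, the range the article names.

    Distributions that backported the fix keep the old version string, so treat
    True as "investigate", not as proof that the host is vulnerable.
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    # "" (plain 1.0.1) sorts before "a"; "f" is the last affected letter, so
    # "g" and later compare greater and are reported as not affected.
    return letter <= "f"


def triage(banners):
    """Map each host in an inventory to an affected / not-affected verdict."""
    return {host: is_heartbleed_affected(b) for host, b in banners.items()}


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = {
    "web-1.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example": "OpenSSL 1.0.0k 5 Feb 2013",
    "vpn.example": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        verdict = "AFFECTED: patch, then reissue keys and certificates" if affected else "not in affected range"
        print(host, verdict)
```

Because Heartbleed can expose the private key, a host that was in the affected range needs more than an upgrade: the certificate should be reissued with a new key and the old one revoked, and users should be told to change passwords, which is the same remediation the article describes.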
Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant changes at Web sites, it could require anybody who has used them to change their passwords too, because those passwords could have been intercepted. A really big problem here is that most people reuse their passwords on different websites, so if an attacker obtained someone’s password for one site, the attacker would also have that person’s password for sites that were not affected, like banking sites.
The vulnerability is officially called CVE-2014-0160 but is known informally as Heartbleed, a more glamorous name supplied by security firm Codenomicon, which along with Google researcher Neel Mehta discovered the problem.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content,” Codenomicon said. “This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users.”
To test the vulnerability, Codenomicon used Heartbleed on its own servers. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication,” the company said.
CNET’s Jason Cipriani has a live and constantly updated list of all the sites affected by the Heartbleed bug. Check out https://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/ to see which sites have been patched and which sites you should change your passwords for.
Here at Orange County Computer, we recommend having a different secure password for every site you access. Secure passwords should be at least eight characters long and have a mixture of uppercase letters, lowercase letters, numbers, and special characters like !@#. If you feel that your system or network may be at risk, or the security of your system has been compromised, contact the Cyber Security Experts at Orange County Computer® so we can minimize the damage. Call our Tech Center at (949) 699-6619 or visit us online at OrangeCountyComputer.com. We are happy to help.
Information originally obtained by CNET’s Stephen Shankland. See Stephen Shankland’s story here.