Bobby Posted April 12, 2014 Share Posted April 12, 2014 Quite personally if you take internet security seriously or perform online transactions, I'd look into this...I also recommend changing your passwords if you use any sites that were affected by this issue. http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/ A major new vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of Web sites. Some already say they've found Yahoo passwords as a result. The problem, disclosed Monday night, is in open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too. Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who's used them to change passwords too, because they could have been intercepted. That's a big problem as more and more of people's lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them."We were able to scrape a Yahoo username & password via the Heartbleed bug," tweeted Ronald Prins of security firm Fox-IT, showing a censored example. Added developer Scott Galloway, "Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail...TRIVIAL!" Yahoo said just after noon PT that it fixed the primary vulnerability on its main sites: "As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."However, Yahoo didn't offer advice to users about what they should do or what the effect on them is. Developer and cryptography consultant Filippo Valsorda published a tool that lets people check Web sites for Heartbleed vulnerability. That tool showed Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected -- but not Yahoo. Valsorda's test uses Heartbleed to detect the words "yellow submarine" in a Web server's memory after an interaction using those words. Other Web sites shown as vulnerable by Valsorda's tool include Imgur, OKCupid, and Eventbrite. Imgur and OKCupid both say they've patched the problem, and tests show Eventbrite apparently also did The vulnerability is officially called CVE-2014-0160 but is known informally as Heartbleed, a more glamorous name supplied by security firm Codenomicon, which along with Google researcher Neel Mehta discovered the problem. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content," Codenomicon said. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users." To test the vulnerability, Codenomicon used Heartbleed on its own servers. "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication," the company said.However, Adam Langley, a Google security expert who helped close the OpenSSL hole, said his testing didn't reveal information as sensitive as secret keys. "When testing the OpenSSL heartbeat fix I never got key material from servers, only old connection buffers. (That includes cookies though)," Langley said on Twitter. One of the companies affected by the vulnerability was password manager LastPass, but the company upgraded its servers as of 5:47 a.m. PT Tuesday, spokesman Joe Siegrist said. "LastPass is quite unique in that nearly all your data is also encrypted with a key that LastPass servers never get -- so this bug could not have exposed customer's encrypted data," Siegrist added. The bug afflicts version 1.0.1 and 1.0.2-beta releases of OpenSSL, server software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project's advisory on Monday night. OpenSSL has released version 1.0.1g to fix the bug, but many Web site operators will have to scramble to update the software. In addition, they'll have to revoke security certificates that now might be compromised."Heartbleed is massive. Check your OpenSSL!" tweeted Nginx in a warning Tuesday. OpenSSL is one implementation of the encryption technology variously called SSL (Secure Sockets Layer) or TLS (Transport Layer Security). It's what keeps prying eyes out of communications between a Web browser and Web server, but it's also used in other online services such as email and instant messaging, Codenomicon said. The severity of the problem is lower for Web sites and others that implemented a feature called perfect forward secrecy, which changes security keys so that past and future traffic can't be decrypted even when a particular security key is obtained. Although big Net companies are embracing perfect forward secrecy, it's far from common. LastPass has used perfect forward secrecy for the last six months, but is assuming its certificates could have been compromised before that. "This bug has been out there a long time," Siegrist said. "We have to assume our private keys were compromised, and we will be reissuing a certificate today." Link to comment
Gladz Posted April 12, 2014 Share Posted April 12, 2014 http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link Link to comment
Pyrolord Posted April 13, 2014 Share Posted April 13, 2014 I went ahead a changed my passwords as soon as patches were released. Some people need to get a life if they spend all day and night searching for ways to steal people's info. Link to comment
Rafi Posted April 14, 2014 Share Posted April 14, 2014 I went ahead a changed my passwords as soon as patches were released. Some people need to get a life if they spend all day and night searching for ways to steal people's info. They have a life. It's called theft. They are professional thieves. Once they get caught they become professional jailbait. Link to comment
Bryce Posted April 15, 2014 Share Posted April 15, 2014 I went ahead a changed my passwords as soon as patches were released. Some people need to get a life if they spend all day and night searching for ways to steal people's info. They have a life. It's called theft. They are professional thieves. Once they get caught they become professional jailbait.u mean professional bitches? Link to comment
Bobby
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now