OpenSSL

Latest

  • Google banks on its own tech to protect Chrome users from another Heartbleed

    by Steve Dent
    07.24.2014

    Last month Google said that it was tired of mashed-together bug fixes for OpenSSL and decided to create its own fork called BoringSSL. It has now implemented that variant in the latest Chromium build, the open-source software that eventually arrives in Chrome. OpenSSL is software used for secure connections -- created largely by volunteers -- and an overlooked code problem recently caused the infamous Heartbleed bug. When BoringSSL was first announced, there was some grumbling from the security community about yet another flavor of SSL. But Google said that with over 70 patches now in OpenSSL, it was becoming much too unwieldy to implement in Chrome. It added that it wasn't trying to replace OpenSSL and would continue to send any of its own bug fixes to that group. It'll likely be implemented in the next version of Chrome, but you'll be able to try the beta soon here, if you're feeling lucky. [Image credit: AP/Mark Lennihan]

  • OpenSSL bug allows hackers to see private communication

    by Jose Andrade
    06.05.2014

    The world hasn't yet recovered from the Heartbleed vulnerability in OpenSSL and now there's news of a new bug affecting the popular open-source security package. This recently announced, and already patched, exploit could allow an attacker to see and modify traffic between an OpenSSL client and an OpenSSL server. This sounds worse than it really is. The extent of the issue is extremely limited because we're talking about specific versions of OpenSSL server. Plus, you need to be using that same server software on a client application, and the attack itself is quite a complicated affair.

  • The Open Source Initiative hopes public awareness is Heartbleed's 'silver lining'

    by James Trew
    04.18.2014

    Looking for a positive take to cut through all the negative press that Heartbleed has been getting? Then the Open Source Initiative (OSI) has one. The news has been full of stories about the exploit in OpenSSL (itself, an open-source project) that has caused a wave of panic around the internet. With much of the public not understanding what open-source is (it's complex, but mostly involves freedom to redistribute, and access to the code it's built on), and the fact that all this can be caused by a few lines of edited text, the integrity of open-source software has understandably come under scrutiny. We spoke with a representative from the OSI, and they gave us the positive spin we'd all been looking for.

  • Tor's anonymity network may have to shrink to fight the Heartbleed bug

    by Jon Fingas
    04.17.2014

    Bad news if you're relying on the Tor network to evade surveillance or otherwise remain anonymous: you're not immune from the Heartbleed bug, either. Key developer Roger Dingledine warns that some Tor nodes are running encryption software that's vulnerable to the flaw, and that they may have to be kicked off the network to safeguard its privacy-minded users. If all the service's directory operators decide to boot compromised nodes, roughly an eighth of Tor's capacity could go away -- you may well notice the difference.

  • The NSA issues its own suggestions for avoiding lost Heartbleed data

    by Ben Gilbert
    04.14.2014

    The United States National Security Agency may or may not have known about the security vulnerability known as "Heartbleed," but now that it's a widely publicized issue, the agency has some safety suggestions. Sure, you've probably heard all this before, but bear with us. First and foremost, websites/web services using the affected software (OpenSSL versions 1.0.1 through 1.0.1f) are told to update, or turn off the function which enables the security flaw. Second, a variety of OSes and client/server software use the affected service, so the NSA suggests you get in touch with your software's creator directly (Google's already taken care of it in one version of Android, for instance). Finally, after you're back up on a safe version of the website/service/OS you use, it's time to dump your current password in place of a fancy new one. Like we said, nothing you haven't heard before, but here's the NSA confirming as much. Head below for the full document in all its acronym-laden glory.

  • What is Heartbleed, anyway?

    by Jose Andrade
    04.12.2014

    If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are, you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I login to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple. In an attempt to take the pressure off -- it is the weekend after all -- we've put together a primer that should answer all of those questions and a few more. Next time someone asks you about that "Heartbleed thing," just shoot them in our direction.

  • Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

    by Richard Lawler
    04.11.2014

    Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant, Ilkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog. Image credit: snoopsmaus/Flickr

  • Bloomberg: NSA used Heartbleed exploit for 'years' without alerting affected websites, the public (update: NSA response)

    by Ben Gilbert
    04.11.2014

    The United States National Security Agency reportedly used the recently uncovered "Heartbleed" security exploit to access information, Bloomberg reports. According to two unnamed sources, the NSA exploited the flawed security standard for the past two years without alerting affected companies and the public at large. It's unclear what the exploit was used to access, but the flaw affects a huge portion of the web: something like two-thirds. Major services like Google are already acting, updating services and patching the issue. For those services, we suggest updating your passwords ASAP. For the still affected sites? Sadly, your best option is to wait it out. Update: The NSA insists that it only became aware of Heartbleed at the same time as everyone else. This answer isn't going to satisfy everyone given the many contradictory claims about the agency's activities, but hey -- at least it's on top of the situation.

  • The Heartbleed bug is affecting routers, too

    by Sean Buckley
    04.10.2014

    Read our Heartbleed defense primer? Good, but the fight for your privacy isn't over just yet: you might have to replace your router, too. Cisco Systems and Juniper Networks have announced that the Heartbleed bug -- a flaw in OpenSSL that lets attackers bypass common security protocols -- has been found in their networking products. This news isn't too surprising, as any device using OpenSSL is potentially vulnerable, but checking these devices for the flaw is a laborious process. Naturally, devices that don't use the affected versions of OpenSSL (like Linksys routers) are unaffected. Both firms are investigating their product libraries to compile lists of affected devices. You can find those lists here, here (for Juniper Networks) and here (for Cisco Systems). If one of your devices is listed, sit tight and watch for updates; both companies say they're working on patches.

  • How to avoid heartburn, er, Heartbleed

    by Sean Buckley
    04.09.2014

    Don't change your password. It's strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it's applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially) but protecting yourself isn't quite as easy as changing your password. Unlike past exploits, Heartbleed isn't a database leak or a list of plaintext logins; it's a flaw in one of the web's most prevalent security protocols -- and until it's fixed, updating your login information won't do a darn thing to protect you. What, then, can you do to protect yourself? Wait, watch and verify.

  • The TUAW Daily Update Podcast for April 9, 2014

    by Steve Sande
    04.09.2014

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get some of the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the player at the top of the page. The Daily Update has been moved to a new podcast host in the past few days. Current listeners should delete the old podcast subscription and subscribe to the new feed in the iTunes Store here.

  • Google has patched most of its major services from the 'Heartbleed' security bug

    by Billy Steele
    04.09.2014

    Now that we know about the Heartbleed bug that allows access to sensitive internet data usually locked down by OpenSSL encryption, Google is of course one of the internet services hard at work applying fixes. The folks in Mountain View announced today that main services like Apps, App Engine, Gmail, Play, Search, Wallet and YouTube are already patched. There's no need to worry about Chrome or Chrome OS, as those two bits of software aren't affected by the vulnerability. Android is almost there, as all versions of the mobile operating system are immune to the security flaw save for 4.1.1. For that lone exception, Google says patching details are being sent to its partners for distribution. While the key bits have been secured, there's ongoing work to update other services like Cloud SQL, Google Compute Engine and others.

  • Why the OpenSSL Heartbleed bug doesn't affect OS X or OS X Server

    by Steve Sande
    04.09.2014

    There's been a lot of concern about the OpenSSL Heartbleed bug, which is a vulnerability that allows theft of information that's normally protected by the SSL/TLS encryption used to secure many Internet sites and services. Well, thanks to a tip from former TUAW-er Damien Barrett, those of us who run OS X and OS X Server can breathe a bit easier: "PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug." While OS X and OS X server are "immune", we still recommend that you stay safe out there. Remember to keep your eyes open for news of other security vulnerabilities, change your passwords on a regular basis, and be sure to back up your data constantly. If you want to know more about Heartbleed itself, TechCrunch posted this great video and here's a little background on why there's a logo and website to spread info about this security issue.

  • Internet security key flaw exposes a whole load of private data

    by Jon Fingas
    04.08.2014

    Most internet security holes, even the bigger ones, tend to be fairly limited in scope -- there are only so many people using the wrong software or visiting the wrong sites. Unfortunately, that's not true of the newly revealed Heartbleed Bug. The flaw, which affects some older versions of common internet encryption software, lets attackers grab both a site's secure content and the encryption keys that protect that content. As such, a successful intruder could both obtain your private information from a given site and impersonate that site until its operators catch on. Since the vulnerable code is both popular and has been in the wild for as long as two years, there's a real possibility that some of your online data is at risk.

  • Use mailsend to send email from the Terminal

    by TJ Luoma
    05.03.2010

    Update: After this article was written I learned of msmtp, which I highly recommend instead of mailsend. There are times that I want my iMac to be able to email me: when certain scripts run via cron or launchd, when certain events happen (a backup has been completed), etc. I've found that none of the included command-line programs work. The good news is that, with a UNIX foundation, it was fairly easy to find a free program which would do just that. A little searching turned up a free program called mailsend, which will work. For this example I will be using a Gmail account, which requires OpenSSL. Your mail server may not require OpenSSL support, but if it's possible, I encourage you to use it. The short version of the instructions is as follows: 1) Download and install OpenSSL to /usr/local/ssl/ 2) Download and install mailsend to somewhere in your path such as /usr/local/bin/ 3) Use mailsend -h to learn how to use it on the command line 4) (Optional) Use TextExpander 3 to fill in some of the variable fields, such as To, Subject, and Message. Read on for more of a step by step walk-through.

  • 1024-bit RSA encryption cracked by carefully starving CPU of electricity

    by Sean Hollister
    03.09.2010

    Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device's power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. That's why they're presenting a paper at the Design, Automation and Test conference this week in Europe, and that's why -- until RSA hopefully fixes the flaw -- you should keep a close eye on your server room's power supply.