heartbleed

Latest

  • Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

    by Richard Lawler, 04.11.2014

    Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers, according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant, Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog.

  • Bloomberg: NSA used Heartbleed exploit for 'years' without alerting affected websites, the public (update: NSA response)

    by Ben Gilbert, 04.11.2014

    The United States National Security Agency reportedly used the recently uncovered "Heartbleed" security exploit to access information, Bloomberg reports. According to two unnamed sources, the NSA exploited the flawed security standard for the past two years without alerting affected companies and the public at large. It's unclear what the exploit was used to access, but the flaw affects a huge portion of the web: something like two-thirds. Major services like Google are already acting, updating services and patching the issue. For those services, we suggest updating your passwords ASAP. For the still-affected sites? Sadly, your best option is to wait it out. Update: The NSA insists that it only became aware of Heartbleed at the same time as everyone else. This answer isn't going to satisfy everyone given the many contradictory claims about the agency's activities, but hey -- at least it's on top of the situation.

  • The Heartbleed bug is affecting routers, too

    by Sean Buckley, 04.10.2014

    Read our Heartbleed defense primer? Good, but the fight for your privacy isn't over just yet: you might have to replace your router, too. Cisco Systems and Juniper Networks have announced that the Heartbleed bug -- a flaw in OpenSSL that lets attackers bypass common security protocols -- has been found in their networking products. This news isn't too surprising, as any device using OpenSSL is potentially vulnerable, but checking these devices for the flaw is a laborious process. Naturally, devices that don't use the affected versions of OpenSSL (like Linksys routers) are unaffected. Both firms are investigating their product libraries to compile lists of affected devices. You can find those lists here, here (for Juniper Networks) and here (for Cisco Systems). If one of your devices is listed, sit tight and watch for updates; both companies say they're working on patches.

  • The Heartbleed bug and its effect (or lack thereof) on Battle.net

    by Olivia Grace, 04.10.2014

    The Heartbleed bug, as it's been dubbed, is certainly hot news lately, with various sites being impacted and password reset advice abounding. But Blizzard has some good news: Battle.net was unaffected. However, the advice is to change your password if you used the same one elsewhere. This is especially true if you're using the same email and password combination as you use for your Battle.net account on other sites. A big way that players get hacked, especially those without authenticators, is that their guild forums get hacked, or their email gets hacked, or their Facebook. Once those username and password combinations are known, it's possible for hackers to try them in various different places, one of which might be your Battle.net account. So be careful, mix up your passwords, and in light of these recent security issues, consider changing your passwords. It's also a good idea, again as a general rule, to get into the habit of changing your passwords fairly regularly, for everything. So now might be a great time to start, even though Battle.net is unaffected by the recent issues. Hit the break for Blizzard's full post.

  • Manage your passwords and protect yourself from Heartbleed

    by Kelly Hodgkins, 04.10.2014

    You've probably seen the news about Heartbleed, the nickname for an OpenSSL bug that exposes random chunks of memory on web servers to snooping by almost anyone, even from transactions supposedly protected in the https:// security mode. In principle, this vulnerability -- which was quietly present in the OpenSSL library for a couple of years prior to discovery/announcement -- could let malicious parties capture passwords, usernames or even the private keys that big sites use to encrypt all their conversations. While this is a very serious issue (security guru Bruce Schneier describes it thusly: "on a scale of 1 to 10, this is an 11"), not all Apache sites are affected by Heartbleed -- only those that use the 1.0.x version of OpenSSL without the patch are vulnerable. As pointed out by former TUAWer Damien Barrett, sites that run OS X Server have an older version of OpenSSL for SSL/TLS encryption (the 0.9 branch); they are not affected by this flaw. Though Heartbleed is a gaping security hole in SSL that's been open for several years, it is unlikely that you have been targeted by hackers; in fact, the nature of the bug means that data can only be collected at random, without much targeting short of picking a particular site to harvest. Still, you need to be aware of the flaw so you can protect your data going forward. Website managers have been aware of the issue for several days now and are in the process of updating their software and security certificates so they are no longer affected by this flaw. Here are some suggestions to help you keep your data safe as the Internet deals with this Heartbleed vulnerability.

    Be Careful Where You Login

    Avoid logging into websites that contain sensitive information for a few days or at least until the website has been updated with a new security certificate. Services worth their salt will have an alert telling you that their servers are now secure. You can use a couple of online tools to see if a service is still vulnerable: LastPass's screener and the original Heartbleed tester. Mashable also has a list of major sites and their Heartbleed status.

    Change Your Passwords

    As a precaution, you should change the passwords that you use to log into secure websites that were affected by this bug. It's a daunting task, but one you shouldn't start right away. Wait for websites to update their security status first and then choose strong and unique passwords for all your important sites. You also may consider changing all of your passwords just to be safe -- you should be changing them routinely anyway, so now is as good a time as any.

    Use a Password Manager

    Use a password manager if you don't already have one. If you have to change passwords, you might as well take the extra time to set up a password manager and store all your logins in a single, secure location. Many Apple owners use 1Password (review), while I personally use LastPass, which has the added benefit of scanning your stored services for the Heartbleed vulnerability. If a site is vulnerable, the tool will let you know whether you should update your passwords for those accounts at this time. LastPass users with the browser extension installed can click the LastPass icon in the browser toolbar, click the "Tools" menu, and select "Security Check". Users also can log in to their vault in their web browser and click "Security Check" in the left-hand column. If you want to know more about Heartbleed itself, TechCrunch posted this great technical video and here's a little background on why there is a logo and website to spread info about this security issue. Post updated 1pm ET 4/10.

  • How to avoid heartburn, er, Heartbleed

    by Sean Buckley, 04.09.2014

    Don't change your password. It's strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it's applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially), but protecting yourself isn't quite as easy as changing your password. Unlike past exploits, Heartbleed isn't a database leak or a list of plaintext logins; it's a flaw in one of the web's most prevalent security protocols -- and until it's fixed, updating your login information won't do a darn thing to protect you. What, then, can you do to protect yourself? Wait, watch and verify.

  • Google has patched most of its major services from the 'Heartbleed' security bug

    by Billy Steele, 04.09.2014

    Now that we know about the Heartbleed bug that allows access to sensitive internet data usually locked down by OpenSSL encryption, Google is of course one of the internet services hard at work applying fixes. The folks in Mountain View announced today that main services like Apps, App Engine, Gmail, Play, Search, Wallet and YouTube are already patched. There's no need to worry about Chrome or Chrome OS, as those two bits of software aren't affected by the vulnerability. Android is almost there, as all versions of the mobile operating system are immune to the security flaw save for 4.1.1. For that lone exception, Google says patching details are being sent to its partners for distribution. While the key bits have been secured, there's ongoing work to update other services like Cloud SQL, Google Compute Engine and others.

  • Why the OpenSSL Heartbleed bug doesn't affect OS X or OS X Server

    by Steve Sande, 04.09.2014

    There's been a lot of concern about the OpenSSL Heartbleed bug, which is a vulnerability that allows theft of information that's normally protected by the SSL/TLS encryption used to secure many Internet sites and services. Well, thanks to a tip from former TUAW-er Damien Barrett, those of us who run OS X and OS X Server can breathe a bit easier: "PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug." While OS X and OS X Server are "immune", we still recommend that you stay safe out there. Remember to keep your eyes open for news of other security vulnerabilities, change your passwords on a regular basis, and be sure to back up your data constantly. If you want to know more about Heartbleed itself, TechCrunch posted this great video and here's a little background on why there's a logo and website to spread info about this security issue.

  • Internet security key flaw exposes a whole load of private data

    by Jon Fingas, 04.08.2014

    Most internet security holes, even the bigger ones, tend to be fairly limited in scope -- there are only so many people using the wrong software or visiting the wrong sites. Unfortunately, that's not true of the newly revealed Heartbleed Bug. The flaw, which affects some older versions of common internet encryption software, lets attackers grab both a site's secure content and the encryption keys that protect that content. As such, a successful intruder could both obtain your private information from a given site and impersonate that site until its operators catch on. Since the vulnerable code is both popular and has been in the wild for as long as two years, there's a real possibility that some of your online data is at risk.