HOME     MENU     SEARCH     NEWSLETTER    
NEWS & INFORMATION FOR TECHNOLOGY PURCHASERS. UPDATED 4 MINUTES AGO.
You are here: Home / Hardware / Heartbleed Bug Breaks Web Security
Build Apps 5x Faster
For Half the Cost Enterprise Cloud Computing
On Force.com
Heartbleed Bug Breaks Internet Encryption, Steals Yahoo Passwords
Heartbleed Bug Breaks Internet Encryption, Steals Yahoo Passwords
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
APRIL
08
2014



Are you ready for the next massive vulnerability? It’s called Heartbleed and it could give hackers access to user passwords and even trick people into using fake versions of popular Web sites. Some are even reporting Yahoo passwords are being revealed.

According to the security engineers at Codenomicon who found the bug, the vulnerability is in the OpenSSL cryptographic software library. The weakness, they said, steals information typically protected by the SSL/TLS encryption used to secure the Internet.

Computer science student Mustafa Al-Bassam (formerly of the LulzSec hacker collective) has compiled a list of Web sites affected by the bug, which include Yahoo, Flickr, OKCupid, US Magazine, and Squidoo.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to the Web site dedicated to providing information about the bug. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Blind Spot Revealed

We caught up with Dwayne Melancon, chief technology officer at Tripwire, to get his take on the Heartbleed bug. He told us one of the challenges with third-party source code is that there is often the assumption that it is secure because it is “open” and easily reviewed by developers at large.

“This isn’t always the case, as Heartbleed illustrates. The issue isn’t because OpenSSL is open source,” Melancon said. “Just recently, we saw another long-present security flaw in Apple’s source code that had been there for a very long time, and it was commercially developed and tested.”

Fundamentally, he explained, security is not a simple proposition and any conventional approach to testing security can have blind spots due to flawed assumptions, insufficient expertise, or issues that arise once one piece of technology is integrated with another. He said, “This is why security teams often turn to ‘white hat’ hackers to help them test their technology for weaknesses.”

Far-and-Wide Impacts

We also turned to Ken Westin, a security researcher at Tripwire, to get his thoughts on the latest security headline. He told us OpenSSL runs on top of two of the most widely used Web servers: Apache and nginx. He pointed out that it also runs on e-mail servers and chat services, VPN and other software that use the code library.

“Many devices that use embedded Linux including routers and other devices may also be susceptible,” Westin said. “Attackers who exploit the vulnerability can monitor all data passing between a service and client, or decrypt historical encrypted data that has been collected.”

He left us with a warning: Many modern operating systems use vulnerable versions of Open SSL including Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
ISACA® offers a global community of more than 115,000 IS/IT constituents in over 180 countries. We develop and deliver industry-leading certifications, education, research and business frameworks. We equip individuals to be leaders in the fast-changing world of information systems and IT - Learn More>
MORE IN HARDWARE
Product Information and Resources for Technology You Can Use To Boost Your Business

NETWORK SECURITY SPOTLIGHT
Sony is no stranger to breaches. Sony’s PlayStation Network was hacked in 2011 and attackers obtained 77 million user accounts. The latest attack comes against Sony Pictures Entertainment.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.