
Monday, April 14, 2014

Cyber Security - Heartbleed Bug: What you need to know (FAQ) | CNET

Now is an excellent time to change your passcodes and review your security protocols...



Heartbleed bug: What you need to know (FAQ)


The security vulnerability has implications for users across the Web. Here's what the bug means for you.


The Heartbleed bug, a newly discovered security vulnerability that
puts users' passwords at many popular Web sites at risk, has upended
the Web since it was disclosed earlier this week.
It's an extremely serious issue, and as such, there's a lot of
confusion about the bug and its implications as you use the Internet. (Image: Codenomicon/CNET)




CNET has compiled a list of Frequently Asked Questions to help users learn more about the bug and protect themselves. The Heartbleed situation is ongoing, and we'll update this FAQ as new issues arise. Check back for new information.

What is Heartbleed?

Heartbleed
is a security vulnerability in the OpenSSL software library that lets an attacker
read the memory of a server running a vulnerable version. According to Netcraft, an Internet
research firm, 500,000 Web sites could be affected. That means a user's
sensitive personal data -- including usernames, passwords, and credit
card information -- is potentially at risk of being exposed.



The vulnerability also means an attacker could steal a server's
private keys, which are used to secure its encrypted communications, along with
anything else the server process happened to hold in memory.

What is OpenSSL?


Let's start with SSL. That stands for Secure Sockets Layer; its
successor protocol is Transport Layer Security, or TLS, and the two names are
often used interchangeably. It's the standard means of encrypting information
between your browser and a Web server, and it prevents someone from eavesdropping
on you as you browse the Internet. (Notice the "https" in the URL of SSL-enabled
sites like Gmail, instead of simply "http.")

OpenSSL
is a widely used open-source implementation of SSL/TLS. The
versions with the vulnerability are 1.0.1 through 1.0.1f (and the 1.0.2 beta);
the fix shipped in 1.0.1g. OpenSSL is packaged with most Linux distributions,
and Apache and Nginx, two very widely used programs for running Web sites,
rely on it for HTTPS.
Bottom line: Its use across the Web is vast.

Who discovered the bug?


Credit is given to security firm Codenomicon and Google researcher
Neel Mehta, who both found the bug independently from each other, but
on the same day.

Mehta donated the $15,000 bounty he was
awarded for helping find the bug to the Freedom of the Press
Foundation's campaign for the development of encryption tools for
journalists to use when communicating with sources. Mehta is declining
press interviews, but asked for comment, Google said, "The security of
our users' information is a top priority. We proactively look for
vulnerabilities and encourage others to report them precisely so that
we are able to fix them before they are exploited."

Why is it called Heartbleed?

According to Vocativ,
the term "Heartbleed" was coined by Ossi Herrala, a systems
administrator at Codenomicon. It's got a nicer ring to it than its
official identifier, CVE-2014-0160, the bug's entry number in the Common
Vulnerabilities and Exposures catalog.

Heartbleed is a play on words referring to the TLS
"heartbeat" extension (RFC 6520), which OpenSSL implements. The extension is
used to keep connections alive, even when no application data is being
exchanged over them. Herrala "thought it was fitting to call it Heartbleed
because it was bleeding out the important information from the memory,"
David Chartier, chief executive of Codenomicon, told Vocativ.


If the name sounds a bit too catchy for a security glitch, that's
exactly the point. The team at Codenomicon wanted something press
friendly that could spread quickly, to warn more people of the flaw.
Soon after they named the bug, they bought the domain Heartbleed.com to
educate the Web about the glitch.

Why are some sites not affected by Heartbleed?


Although OpenSSL is very popular, there are other SSL/TLS implementations.
In addition, some Web sites run an earlier, unaffected OpenSSL branch (0.9.8
or 1.0.0), and some were built with the "heartbeat" feature that was central
to the vulnerability compiled out.

While it doesn't solve the problem, what
limits the scope of the potential damage is the use of
perfect forward secrecy, or PFS: a configuration in which each connection
negotiates its own short-lived session key (via ephemeral Diffie-Hellman) and
the server's long-term private key is never used to encrypt the traffic itself.
That means that if an attacker did get the private key out of a server's memory,
the attacker still couldn't decrypt secure traffic recorded from that server in
the past. PFS does not stop an attacker holding a stolen key from impersonating
the site going forward, which is why affected sites also have to revoke and
replace their certificates. While some tech giants, like Google and Facebook,
have started to support PFS, not every company does.

How does the bug work?

A heartbeat request carries a payload and a 16-bit field stating how long that
payload is. Vulnerable OpenSSL versions trusted that field without checking it
against the size of the message actually received, so a request that claimed a
large payload was answered with up to 64 kilobytes of whatever happened to sit
next in the server's memory. The attack can be repeated over and over to harvest
lots of information. That means an attacker could get not just usernames and
passwords, but also "cookie" data that Web servers and browsers use to track
individuals and ease log-in. According to the Electronic Frontier Foundation,
doing the attack repeatedly could yield more serious information, like a
site's private SSL key, used to secure its traffic. With that key, someone
could run a fake version of a Web site and use it to steal all other
kinds of information, like credit card numbers or private messages.
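To make the mechanism concrete, here is an added illustration (written for this page, not OpenSSL's own code) of a heartbeat handler with and without the bounds check. It models the RFC 6520 record layout (type, two-byte length, payload, padding) and a constructed "heap" in which a 7-byte request claiming a 40-byte payload is followed by an unrelated secret; the handler names, the sample record and the secret string are all assumptions made up for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of TLS heartbeat handling before and after the fix.
 * Illustration written for this page, not OpenSSL source. Record layout
 * per RFC 6520: [type:1][payload_len:2 big-endian][payload][padding]. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding a response must carry */

typedef struct {
    const unsigned char *data;  /* start of the received record */
    size_t len;                 /* number of bytes actually received */
} record_t;

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler: trusts the peer-supplied payload_len and copies that
 * many bytes from the payload without comparing it with rec->len. When the
 * claim exceeds the real record, memcpy reads on into whatever sits next
 * in memory and echoes it back to the peer. */
size_t heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    if (rec->len < 3 || p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(p + 1);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;        /* guards the output buffer only */
    out[0] = HB_RESPONSE;
    out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);     /* the over-read */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the claimed payload plus header and padding must fit in
 * the bytes that actually arrived; otherwise the record is silently dropped,
 * which is what the 1.0.1g patch does. */
size_t heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    if (rec->len < (size_t)(1 + 2 + HB_PADDING) || p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(p + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->len) return 0;  /* the missing check */
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Constructed memory for the demo: a 7-byte request claiming a 40-byte
 * payload, followed directly by unrelated data the server never meant to send. */
static const char SECRET[] = "sessionid=deadbeef; password=hunter2";

static size_t run_demo(int use_fixed, unsigned char *out, size_t out_cap) {
    unsigned char heap[128];
    memset(heap, 'A', sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = 0x00;
    heap[2] = 40;                                 /* claimed payload_len */
    memcpy(heap + 3, "ping", 4);                  /* the 4 payload bytes really sent */
    memcpy(heap + 7, SECRET, sizeof SECRET - 1);  /* adjacent, unrelated memory */
    record_t rec = { heap, 7 };                   /* only 7 bytes came off the wire */
    return use_fixed ? heartbeat_fixed(&rec, out, out_cap)
                     : heartbeat_vulnerable(&rec, out, out_cap);
}

/* Length of the response each handler produces (0 = request discarded). */
size_t demo_response_len(int use_fixed) {
    unsigned char out[256];
    return run_demo(use_fixed, out, sizeof out);
}

/* 1 if the response echoes back the secret that lay beyond the record. */
int demo_leaks_secret(int use_fixed) {
    unsigned char out[256];
    size_t n = run_demo(use_fixed, out, sizeof out), m = strlen("hunter2");
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, "hunter2", m) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable: %zu-byte response, leaks secret: %s\n",
           demo_response_len(0), demo_leaks_secret(0) ? "yes" : "no");
    printf("fixed:      %zu-byte response (0 means the request was dropped)\n",
           demo_response_len(1));
    return 0;
}
```

The vulnerable handler answers the 7-byte request with a 59-byte response whose payload is "ping" followed by 36 bytes it was never meant to send; the fixed handler compares the claimed length with the bytes actually received and drops the request. In the real attack the field can claim up to 65535 bytes, which is where the "64 kilobytes per request" figure comes from.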

Should I change my passwords?


For many Web sites, yes. BUT wait until you get confirmation from
the Web site operator that the bug has been patched (and, ideally, that its
certificate has been replaced). It's a natural reaction to want to change all
of your passwords immediately, but if the Web site's bug has not been fixed
yet, making the change could be useless -- you're just potentially handing an
attacker your new password.

How do I check if a Web site has been affected -- or fixed?


A few companies and developers have created testing sites to check
which Web sites are vulnerable or safe. Two good ones are by LastPass,
a company that makes password management software, and Qualys,
a security firm. While these test sites are a good preliminary check,
proceed with caution even if a site gives you an all-clear indication.
If you're given a red flag, however, avoid the site.

CNET is keeping a running list on the status of the top 100 Web sites,
according to Alexa.com. Check back here for updates. Here's a list of
sites that were still vulnerable as of Thursday afternoon,
according to researchers at Zmap.


But the most prudent thing to do is to get confirmation from the
site through one of its official channels. Lots of companies have been
putting up blog posts and issuing statements about the health of their
sites. Or you can email a site operator or customer service person
directly.

Who was behind the bug?

According to the Guardian,
the programmer who wrote the flawed code was Robin Seggelmann, who
contributed to the OpenSSL project while working on his Ph.D. from 2008
to 2012. Adding to the drama of the situation, he submitted the code at
11:59 p.m. on New Year's Eve 2011, though he says the timing has
nothing to do with the bug. "I am responsible for the error," Seggelmann
said. "Because I wrote the code and missed the necessary validation by
an oversight."


Still, as an open-source project, it's hard to place the blame squarely on one
person. As Zulfikar Ramzan, chief technology officer of cloud security
startup Elastica, explained to The New York Times,
there's so much complex code that people had been writing, and the
particular protocol Heartbeat did not get enough scrutiny. "Heartbeat is
not the main part of SSL. It's just one additional feature within SSL,"
he said. "So it's conceivable that nobody looked at that code as
carefully because it was not part of the main line."

Should I be worried about my bank account?


Most banks don't use OpenSSL, but instead use proprietary
encryption software. If you're unsure, contact your bank directly
for confirmation that its Web site is secure. Still, John Miller,
security research manager for security and compliance firm TrustWave,
suggests keeping a close eye on financial statements for the next few
days to make sure there are no unfamiliar charges.

How do I know if anyone has used the Heartbleed vulnerability to steal my information?


Unfortunately, exploiting the bug "leaves no traces of anything
abnormal happening to the logs" of Web sites, according to Codenomicon. The
heartbeat exchange happens inside the TLS layer, before any Web request is
logged, so ordinary server logs record nothing. Network-level intrusion
detection signatures for oversized heartbeat requests were published soon
after disclosure, but they only catch attacks from the moment they are deployed.


What password managers can I try?


One thing the Heartbleed situation highlights is the value of a
good password. In the aftermath of changing your old passwords, you
might be wondering if there are other ways to make sure your accounts
are secure. Password managers try to solve that problem by helping you
generate random passwords for each account. You then control everything
through one strong master password. Having all of your accounts under
one manager may be too close for comfort for some users, but LastPass,
one of those vendors, insists it's secure, and that users don't have to
change their master passwords due to Heartbleed. It's even added a
feature that automatically checks your saved sites for Heartbleed vulnerabilities.
Other password manager options are Dashlane or 1Password.


Another suggestion is enabling two-factor authentication when it
is offered. (Gmail is one service that does so.) That means that in
addition to a password, the service asks for another piece of
identifying information, like a code that's been texted to you. That
way, even if someone steals your password, it is much harder for them
to log in as you.
