Imagine finding a faulty part used in nearly every make and model of car, but being unable to recall it. That is the simple version of the Heartbleed bug, applied to the Internet and all the data you have put out on it. In more detail: Heartbleed is a flaw in the OpenSSL open source encryption toolkit that lets anyone who can reach a vulnerable server read chunks of that server's memory (up to 64 KB per request, repeatable without limit and without any authentication). That is an incredibly big deal. For roughly the past two years, much of our private online data -- including passwords, credit card information, billing addresses and user names -- stored on some of the biggest Web sites out there could have been read by strangers with a little Web know-how.
The problem is that we don't know whether the bad guys found the fault first (the safe money is on "yes"). Due to the nature of the vulnerability, an attacker could have exploited it millions of times over the last two years against a single server, and we would have no clue: the malformed heartbeat requests are handled inside the TLS layer and leave nothing in ordinary Web server logs. As with any information breach, monitoring your online accounts, including financial statements, for suspicious activity is the only way to tell whether you are a victim.
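To make the mechanism concrete, here is an added simulation of the heartbeat exchange; it is example code written for this page, not code from OpenSSL or from the article. It models the RFC 6520 heartbeat message, a handler that behaves like OpenSSL 1.0.1 to 1.0.1f (trusting the client's length field) next to one with the 1.0.1g bounds check, and a parser that reports how much the server echoed beyond what the client sent. The "memory" beyond the request record is a constructed byte string standing in for whatever a real process would have there.

```python
import struct

# RFC 6520 heartbeat message layout: type (1 byte) | payload_length (2 bytes)
# | payload | padding (at least 16 bytes). The bug: OpenSSL 1.0.1 to 1.0.1f
# copied payload_length bytes back to the client without checking that the
# received record actually contained that many bytes.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16
MAX_CLAIMED = 0xFFFF  # two-byte length field, so at most ~64 KB per request

# Constructed stand-in for whatever sits in process memory after the heartbeat
# buffer: in a real server this is other users' cookies, passwords, or key material.
SECRET_MEMORY = b"Cookie: session=abc123; password=hunter2; " + b"\x00" * 64


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request; claimed_length need not match len(payload)."""
    assert 0 <= claimed_length <= MAX_CLAIMED
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(record: bytes) -> bytes:
    """OpenSSL <= 1.0.1f behaviour: trust the length field from the wire.
    Memory beyond the record is simulated by appending SECRET_MEMORY."""
    memory = record + SECRET_MEMORY
    hbtype, claimed = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # memcpy(bp, pl, payload) with an attacker-chosen length: reads past the record.
    # The simulated memory is finite, so the response carries what was actually read.
    echoed = memory[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING_LEN


def patched_handler(record: bytes) -> bytes:
    """OpenSSL 1.0.1g behaviour: silently discard a request whose length field
    does not fit inside the record that was actually received."""
    if len(record) < 3:
        return b""
    hbtype, claimed = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    if 3 + claimed + PADDING_LEN > len(record):
        return b""  # the added bounds check; nothing is echoed (and, as before, nothing is logged)
    echoed = record[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Return what the server echoed beyond the payload the client really sent.
    A non-empty result is the Heartbleed signature."""
    if len(response) < 3:
        return b""
    hbtype, length = struct.unpack("!BH", response[:3])
    if hbtype != HEARTBEAT_RESPONSE:
        return b""
    return response[3:3 + length][len(sent_payload):]


if __name__ == "__main__":
    probe = build_request(b"ping", 16384)  # 4 real bytes, 16 KB claimed
    for name, handler in (("vulnerable", vulnerable_handler), ("patched", patched_handler)):
        leak = leaked_bytes(handler(probe), b"ping")
        print(f"{name}: leaked {len(leak)} bytes {leak[:60]!r}")
```

Note that neither handler writes anything to a log: the only evidence of an attempt is in the network traffic itself, which is why the article can say nobody would have a clue.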
How the industry reacted:
While it's easy to advise users to keep an eye on their online accounts and data, the Heartbleed bug is present in millions of major Web sites and Web services because OpenSSL is the default SSL/TLS (Secure Sockets Layer/Transport Layer Security) library for the Apache and NGINX Web servers. Those affected include heavy hitters like Google, Yahoo, Netflix, Facebook, Instagram, Twitter and PayPal. The security industry was quick to react: shortly after Monday night's disclosure of the bug, patches for the vulnerable versions of OpenSSL started to roll out. While this doesn't reverse two years of potential access to our online data and the information that might have been swiped, it does stop the bleeding. It is now up to Web sites and service providers to patch their Web servers.
As
expected, many of the big names were quick to get their systems
patched and get the word out that it's safe to use their services. As
of midday on Wednesday, Google announced that it had updated many of
its services. "We've assessed this vulnerability and applied
patches to key Google services such as Search, Gmail, YouTube,
Wallet, Play, Apps, and App Engine," said Matthew O'Connor,
Google product manager.
"Google Chrome and Chrome OS are not affected. We are
still working to patch some other Google services."
Many others have already followed suit, including Instagram, Facebook and Yahoo. Users can also check whether a site is still vulnerable before visiting it through an online Heartbleed test site.
End user actions:
"This
is probably the worst bug discovered this year. We believed in the
security of SSL/TLS, and now discover that it comes with a hole that
allows anyone to read our personal information such as passwords,
cookies or even server's private keys," said Jiri Sejtko,
Director of the AVAST Virus Lab.
"We, as end users, simply can't do anything, but make sure we
are as secure as possible."
And that means it's time to change all your online passwords. Many sites have already acted on this advice (it is also the last of Symantec's recommendations below) and have forced password resets for their services. For those that haven't, you may be inclined to go ahead and reset your password on your own. Don't.
The issue is that many sites are still running the unpatched OpenSSL library. Changing your password on one of them changes nothing, because the new password is just as exposed as the old one. Security experts recommend avoiding sites that still run unpatched OpenSSL entirely, and changing your password only once the patch has been applied. Ideally the site should also have replaced its certificate by then, since a private key read from memory before the patch lets an attacker keep impersonating the site.
For those who may still be running vulnerable versions of the library, Symantec's Dick O'Brien recommends businesses follow these steps:
- Remember that the flaw lies in the OpenSSL library "and not a flaw with SSL/TLS nor certificates issued by Symantec [or other security firms]."
- Those running OpenSSL 1.0.1 through 1.0.1f will need to update to version 1.0.1g or recompile OpenSSL without the heartbeat extension (the -DOPENSSL_NO_HEARTBEATS build flag). The older 1.0.0 and 0.9.8 branches are not affected.
- If there's concern that Web server certificates have been compromised, contact the firm that issued the certificates for replacements, and revoke the old ones, since the private key may have been read from server memory.
- "Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory."
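The first thing a business has to do with the list above is work out which of its hosts fall in the affected range. The following is an added example for this page, not Symantec's or OpenSSL's code: it classifies the output of `openssl version -a` into affected, not affected or unknown, using the version range from the steps above and the -DOPENSSL_NO_HEARTBEATS flag, which appears on the compiler line of that output when the library was built without the extension. The banners it is fed are constructed samples.

```python
import re

# Affected releases: 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release.
# 1.0.1g is the first fixed 1.0.1 release; the 1.0.0 and 0.9.8 branches never
# contained the heartbeat code.
FIRST_FIXED_LETTER = "g"
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
NO_HEARTBEATS_FLAG = "-DOPENSSL_NO_HEARTBEATS"


def parse_version(text):
    """Return (major, minor, fix, letter, beta) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)


def version_in_affected_range(version):
    """True for 1.0.1 (no letter) through 1.0.1f and for 1.0.2-beta1."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        return letter < FIRST_FIXED_LETTER  # "" sorts before "a", so plain 1.0.1 counts
    if (major, minor, fix) == (1, 0, 2):
        return beta == "beta1"
    return False


def assess(version_a_output):
    """Classify `openssl version -a` output as 'affected', 'not affected' or 'unknown'.

    Caveat: distributions backport the fix without bumping the version letter, so
    an 'affected' verdict from the version string alone needs confirmation from the
    package changelog or a behavioural test; a 'not affected' verdict is reliable.
    """
    version = parse_version(version_a_output)
    if version is None:
        return "unknown"
    if NO_HEARTBEATS_FLAG in version_a_output:
        return "not affected"  # built without the extension, as the advice above allows
    return "affected" if version_in_affected_range(version) else "not affected"


# Constructed sample banners, one per host, as an inventory script would collect them.
SAMPLE_HOSTS = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 15:05:45 UTC 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "web-3": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O3",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "bsd-box": "LibreSSL 2.0",
}


def triage(hosts):
    """Map each host name to its verdict."""
    return {name: assess(output) for name, output in hosts.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host:8} {verdict}")
```

Run it against real output by piping `openssl version -a` from each host into assess(); hosts reported as affected go to the patch queue, and their certificates are candidates for replacement under the third step above.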