Showing posts with label Heartbleed Bug. Show all posts

Thursday, June 5, 2014

Within the Heartbleed Bug

Only a few months ago, the Heartbleed OpenSSL bug was discovered.



We are still learning about the countless encrypted transactions that left your accounts vulnerable to theft.
When two computers keep an encrypted connection open, they check on each other with a small message called a heartbeat.  A coding mistake in how that message is handled gave rise to the Heartbleed bug.

Let's say there is a banking transaction:  The client (you) sends its heartbeat to the server (your bank) and the server hands it back to you.  So if something goes wrong with the transaction, the other party will know because the heartbeats get out of sync.

It’s like a cassette tape breaking because one of the spindles stopped working correctly.

How it happened

The actual breach happened all because of the following code:
memcpy(bp, pl, payload);
To explain, memcpy is a C function that copies data, and it requires three pieces of information to do so.
The first is the destination where the data needs to be copied.  The second is the exact location of the data that needs to be copied.  The third is the amount of data the computer is going to find when it goes to make the copy.


The bp is a place on the server computer, pl is where the actual data the client sent as a heartbeat is, and payload is the number that says how big pl is.

The bp, which is where the data is going to be copied, is full of whatever data was sitting in that part of the computer's memory before, although the computer treats it as if it were empty because that data has been marked for deletion.

When memcpy takes the data from pl and puts it in bp, it covers up all the old data in bp.

Everything that used to be in bp is destroyed and filled up with the pl data.

If payload says that pl is 64 KB but it only has 0 KB, memcpy creates a 64 KB sized open space at bp that’s full of garbage data.  None of bp's old data gets overwritten because there’s nothing to replace it, since pl is actually empty.

This means whatever old data was sitting in bp prior to the heartbeat gets passed back to the client.  Sometimes the data is irrelevant, and sometimes it's your banking password.

The Heartbleed bug has been fixed, but the vulnerability has existed for a decade.  Who knows how much data was exploited?
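The length check whose absence the paragraphs above describe, as an added C example (not code from the original post or from OpenSSL). The function names and the two sample records are constructed here; the message layout (type, 2-byte length, payload, 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* RFC 6520: at least 16 bytes of padding */

/* Constructed samples: [type][2-byte payload length][payload][padding]. */
static const uint8_t HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t LYING[3]   = {HB_REQUEST, 0xFF, 0xFF}; /* claims 65535, sends 0 */
static uint8_t OUT[64];

/* Bytes an unchecked memcpy(bp, pl, payload) would read past the end of
 * the received record; 0 means the claimed length is honest. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;                       /* no length field */
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* claimed size */
    size_t actual = rec_len - 3;                     /* bytes really received */
    return payload > actual ? payload - actual : 0;
}

/* Build the echo reply; returns its length, or 0 if the record is dropped. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > rec_len) return 0;   /* the check the vulnerable code lacked */
    if (need > cap) return 0;       /* reply must also fit the output buffer */
    const uint8_t *pl = rec + 3;    /* payload as received from the peer */
    uint8_t *bp = out;              /* reply being built */
    *bp++ = HB_RESPONSE;
    *bp++ = rec[1];
    *bp++ = rec[2];
    memcpy(bp, pl, payload);        /* same call, now bounded by rec_len */
    memset(bp + payload, 0, HB_PADDING); /* zero padding to keep this short */
    return need;
}

int main(void)
{
    printf("honest: overread=%zu reply=%zu\n", hb_overread(HONEST, sizeof HONEST),
           hb_respond(HONEST, sizeof HONEST, OUT, sizeof OUT));
    printf("lying:  overread=%zu reply=%zu\n", hb_overread(LYING, sizeof LYING),
           hb_respond(LYING, sizeof LYING, OUT, sizeof OUT));
    return 0;
}
```

A non-zero hb_overread value on a received heartbeat is also a usable detection signal, since a well-behaved client never claims more payload than it sends.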



Friday, April 25, 2014

Cisco, Microsoft, VMware, and others unite!



The OpenSSL Heartbleed Bug security issue is open-source’s biggest security breach ever!

Cisco, Microsoft, VMware and other tech giants are forming a new project to fund and support critical elements of the global technology: The Core Infrastructure Initiative (CII).

The purpose of CII is to empower technology companies to help out mission-critical open-source projects that need funding.

The project will receive funds for developers so they can continue work regarding open-source management.
OpenSSL will be the first project under consideration.  In 2013, OpenSSL, which is at the heart of Web security, had only $9,000 in funding.

In past years, OpenSSL received an average of $2,000 per year in donations.  That is definitely not enough to provide adequate research for security.

The multimillion dollar project will be administered by The Linux Foundation and a full-force group made of project backers along with open-source developers and industry stakeholders.

This project will help fund fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination along with other needed support.

Open-source development has always produced high-quality and secure software.  However, the Heartbleed Bug showed that being open source doesn’t guarantee that software won’t have flaws.

This project is to make sure that open-source development doesn’t have to operate on a shoestring.
Colin Kincaid, Cisco’s VP of Product Management and Architecture, said, “Supporting dedicated open source collaborators and contributors is vital to the success and growth of innovation.”
Securing open source software is a critical issue.  It took a major security catastrophe, but now the major technology companies have realized that open-source software is a necessary part of global technology.

This is a base that must be supported and funded.  The result will be better-quality and safer software for everyone.


Monday, April 21, 2014

19 year old uses Heartbleed Bug to attack Canadian taxpayers



The Canada Revenue Agency reported that the data of 900 taxpayers was stolen by a 19-year-old using the Heartbleed Bug.

Stephen Arthuro Solis-Reyes, of London, Ontario, used the Heartbleed Bug to steal information from the Canada Revenue Agency’s website.  Solis-Reyes was arrested on Tuesday, facing one count of unauthorized use of a computer and one count of “mischief in relation to data.”

The CRA (Canada Revenue Agency) is one of the first victims to report a Heartbleed attack.

The vulnerability had been used to steal the Social Insurance Numbers of nearly 900 people.

When the attack was discovered, the agency halted online filing of tax returns.

Social Insurance Numbers are required to work or get government benefits in Canada.

Heartbleed lets attackers capture data from server memory 64KB at a time.  This puts passwords, encryption keys and other data at risk.

The Heartbleed Bug lived in the Web encryption tool OpenSSL (Secure Sockets Layer) for about two years before it was exposed last week.

The RCMP arrested Solis-Reyes after a few days of investigation.  The residence of Solis-Reyes was searched and his computer equipment was seized.

The investigation continues, and the agency said in a press release that Solis-Reyes is scheduled to appear in court in Ottawa on July 17.








Friday, April 11, 2014

What is Heartbleed and what you can do about it.



The Heartbleed Bug is a vulnerability in the OpenSSL cryptographic software library.

It allows the theft of information that is normally protected by the SSL/TLS encryption used to secure the Internet.
SSL/TLS provides communication security and privacy for email, instant messaging (IM), web, and virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software.

This compromises the secret keys used to protect encrypted traffic, as well as users' names, passwords, and private content.

 

What to do about the leak

Affected sites include: Google, Gmail, YouTube, Facebook, Tumblr, Yahoo and Dropbox.  If you use any of these sites, it is strongly recommended that you change your passwords immediately.

If you are running a vulnerable version of OpenSSL, you are at risk.  A fixed version of OpenSSL has been released and can be deployed.

If you use password protection sites that hold all your passwords in a single place like LastPass, please update your passwords there as well.

Attackers are able to eavesdrop on communications and easily steal data.  User-ids, passwords, credit-card numbers, and everything you place online is open for hackers to access.

Google told MailOnline: “The security of our users’ information is a top priority.  We fixed this bug early and Google users do not need to change their passwords.”

Some experts, however, are advising users to change their passwords on every site where they have an account.




CNet has an updated list, Heartbleed bug: Check which sites have been patched, for the 100 most popular Web sites.

When creating passwords, always use two-factor authentication.  The extra step is well worth it for the added safety.

You can also follow these steps to clear your browsers’ cache, cookies, and history:
Chrome:
  • In the browser bar, enter: chrome://settings/clearBrowserData
  • Select the items you want to clear. For example, Clear browsing history, Clear download history, Empty the cache, Delete cookies and other site and plug-in data.
Firefox:
  • From the Tools or History menu, select Clear Recent History.
  • From the Time range to clear: drop-down menu, select the desired range; to clear your entire cache, select Everything.
  • Click the down arrow next to “Details” to choose which elements of the history to clear. Click Clear Now.
Internet Explorer 9 and higher:
  • Go to Tools (via the Gear Icon) > Safety > Delete browsing history….
  • Once there, choose to delete Preserve Favorites website data, temporary Internet files, and cookies.
There is no quick fix for Heartbleed; take the time to change your passwords.  That is the best preventative measure you can take.

You can check a website here to see if they’ve patched the hole.


References:
How to protect yourself in Heartbleed’s aftershocks – ZDNet
http://www.zdnet.com/how-to-protect-yourself-in-heartbleeds-aftershocks…
How to recover from Heartbleed – ZDNet
http://www.zdnet.com/how-to-recover-from-heartbleed…
The Heartbleed Bug – Heartbleed
http://heartbleed.com/
Heartbleed was an accident: Developer confesses to causing coding error and admits its effect is ‘clearly severe’ – Mail Online
http://www.dailymail.co.uk/sciencetech/article-2602277/Heartbleed-accident-Developer-confesses-coding-error…