
Monday, June 9, 2014

More Bugs Found in OpenSSL Security Tool


There have been six more bugs found in the widely used OpenSSL security tool.

OpenSSL is a software library and toolkit that programs use to secure communications over the public Internet.

OpenSSL is used in shared consumer applications, like software in Google’s Android smartphones.

The publicity around the Heartbleed vulnerability in OpenSSL had system administrators rushing to update their systems to protect against it.

Computer administrators everywhere have frowned upon six new security issues that were recently found in the OpenSSL security library.

For example, if you see “https://” in your URL bar, it indicates that the connection is secure.

The server computer at the other end of the connection is using OpenSSL to provide security.
The two main forms of security are:
  1. It scrambles information so it is unreadable to anyone other than the intended recipient
  2. It authenticates the source of information, ensuring the sender is who they say they are

 

How to protect yourself

Most users won’t have to take any kind of action in response to the OpenSSL attack.

Non-browser client applications such as music players and chat programs will need to be immediately updated.

Distributors of Linux, which uses OpenSSL more openly, have already received issued updates.

If you haven’t already reset all your passwords due to the Heartbleed bug, it is the perfect time to do so.

Major service providers will inform you if it is necessary to reset your password.

Websites that are affected may be unavailable for a short period of time. This allows their system administrators to install the fixed versions of OpenSSL.

There will most likely be more flaws discovered in OpenSSL. Password resets and software updates are becoming more of a habit with increased Internet usage.

Delay no more, secure yourself and reset all your passwords.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

References:

Merkel, Robert
Six more bugs found in popular OpenSSL security tool – Homeland Security News Wire
http://www.homelandsecuritynewswire.com/dr20140609-six-more-bugs-found…
Published: June 9, 2014

Friday, April 25, 2014

Cisco, Microsoft, VMware, and others unite!


The OpenSSL Heartbleed Bug security issue is open-source’s biggest security breach ever!

Cisco, Microsoft, VMware and other tech giants are forming a new project to fund and support critical elements of the global technology: The Core Infrastructure Initiative (CII).

The purpose of CII is to empower technology companies to help out mission-critical open-source projects that need funding.

The project will receive funds for developers so they can continue work regarding open-source management.
OpenSSL will be the first project under consideration. In 2013, OpenSSL, which is at the heart of Web security, had only $9,000 in funding.

In the past years, OpenSSL received an average of $2,000 per year in donations. That is definitely not enough to provide adequate research for security.

The multimillion dollar project will be administered by The Linux Foundation and a full-force group made of project backers along with open-source developers and industry stakeholders.

This project will help fund fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination along with other needed support.

Open-source development has always produced high-quality and secure software. However, the Heartbleed Bug showed that being open source doesn’t guarantee that software won’t have flaws.

This project is meant to make sure that open-source development doesn’t have to operate on a shoestring.
Colin Kincaid, Cisco’s VP of Product Management and Architecture, said, “Supporting dedicated open source collaborators and contributors is vital to the success and growth of innovation.”
Securing open source software is a critical issue. It took a major security catastrophe, but now the major technology companies have realized that open-source software is a necessary part of global technology.

This is a base that must be supported and funded. The result will be better-quality, safer software for everyone.


References:
Cisco, Microsoft, VMware, and other tech giants unite behind critical open-source projects – ZDNet
http://www.zdnet.com/cisco-microsoft-vmware-and-other-tech-giants-unite-behind-critical-open-source-projects-7000028743/?s_cid=e539&ttag=e539&ftag=TRE17cfd61

Friday, April 11, 2014

What is Heartbleed and what you can do about it.


The Heartbleed Bug is a vulnerability in the OpenSSL cryptographic software library.

It allows the theft of information that is normally protected by the SSL/TLS encryption used to secure the Internet.
SSL/TLS provides communication security and privacy for email, instant messaging (IM), web, and virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software.

This compromises the secret keys that are used to verify encrypted traffic, as well as users’ names, passwords, and private content.

 

What to do about the leak

Affected sites include: Google, Gmail, YouTube, Facebook, Tumblr, Yahoo and Dropbox. If you use any of these sites, it is strongly recommended that you change your passwords immediately.

If you are running a vulnerable version of OpenSSL, you are at risk. A fixed version of OpenSSL has been released and can be deployed.

If you use password protection sites that hold all your passwords in a single place like LastPass, please update your passwords there as well.

Attackers are able to eavesdrop on communications and easily steal data. User IDs, passwords, credit card numbers, and everything you place online is open for hackers to access.

Google told MailOnline: “The security of our users’ information is a top priority. We fixed this bug early and Google users do not need to change their passwords.”

Meanwhile, some experts are advising users to change all their passwords on every site where they have an account.



CNet has an updated list, Heartbleed bug: Check which sites have been patched, for the 100 most popular Web sites.

When creating passwords, always use two-factor authentication. The extra step adds a great deal of safety and is worth it.

You can also follow these steps to clear your browsers’ cache, cookies, and history:
Chrome:
  • In the browser bar, enter: chrome://settings/clearBrowserData
  • Select the items you want to clear. For example, Clear browsing history, Clear download history, Empty the cache, Delete cookies and other site and plug-in data.
Firefox:
  • From the Tools or History menu, select Clear Recent History.
  • From the Time range to clear: On the drop-down menu, select the desired range; to clear your entire cache, select Everything.
  • Click the down arrow next to “Details” to choose which elements of the history to clear. Click Clear Now.
Internet Explorer 9 and higher:
  • Go to Tools (via the Gear Icon) > Safety > Delete browsing history….
  • Once there, choose to delete Preserve Favorites website data, temporary Internet files, and cookies.
There is no quick fix for Heartbleed; take time and change your passwords. That is the best preventative measure you can take.

You can check a website here to see if they’ve patched the hole.

If you are still unsure what to do, give us a call today! Don’t go through the weekend not knowing whether you are secure; call 619-325-0990.


References:
How to protect yourself in Heartbleed’s aftershocks – ZDNet
http://www.zdnet.com/how-to-protect-yourself-in-heartbleeds-aftershocks…
How to recover from Heartbleed – ZDNet
http://www.zdnet.com/how-to-recover-from-heartbleed…
The Heartbleed Bug – Heartbleed
http://heartbleed.com/
Heartbleed was an accident: Developer confesses to causing coding error and admits its effect is ‘clearly severe’ – Mail Online
http://www.dailymail.co.uk/sciencetech/article-2602277/Heartbleed-accident-Developer-confesses-coding-error…