Heartbleed virus



tankie
10 Apr 14, 14:56
Be careful guys


Heartbleed Bug



Virus: Heartbleed


REAL VIRUS


Example: [Collected via e-mail, April 2014]

WARNING! READ: "The biggest network security vulnerability in history was revealed in the last 24 hours. It's called "heartbleed." Everything you do for the next 24-48 hours will be viewable by random 3rd parties. Encrypted connections are not secure until this vulnerability is fixed. Billions will be affected. DO NOT LOG in to anything. DO NOT change any passwords. DO NOT say or do anything online that you would not want anonymous 3rd parties observing or copying. (This came from a reliable source in my family; he said it was okay to write on fb... or to read email from known sources as long as you observe the above "do nots.") Don't buy anything online today! Don't log into your bank account, etc.


Origins: In April 2014, a bug in software used by millions of web servers may have exposed anyone visiting sites they hosted to spying and eavesdropping. The bug, dubbed "heartbleed," resides in a software library called OpenSSL that is used in servers, operating systems, and email and instant messaging systems. Ironically, this software is supposed to protect sensitive data as it travels back and forth.

"Heartbleed" allows hackers to easily trick servers running OpenSSL into revealing decryption keys stored on their memory. With those keys, the ill-intentioned can eavesdrop on encrypted communications, directly steal sensitive information, and impersonate users and services.

OpenSSL is employed in the widely used Apache and Nginx server software.


Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software.

The bug gained its "heartbleed" moniker due to its occurring in the heartbeat extension for OpenSSL.

It was discovered by researchers working for Google and security firm Codenomicon. In a blog entry about their findings, the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.

The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April 2014 is no longer vulnerable to the bug. However, protecting one's computer from this vulnerability may not be merely a matter of installing the updated version of OpenSSL because if attackers have already exploited the weakness at an earlier date, they could have stolen encryption keys, passwords, or other credentials required to access a server.

Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help people check their systems some security researchers have produced tools that help people work out if they are running vulnerable versions of OpenSSL.

Unfortunately, as security experts have noted, there is not much that individual Internet users can do to protect themselves against the Heartbleed vulnerability, as resolution of the issue depends upon the operators of web sites making changes to their systems:
Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until exploitable websites upgrade their software.

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. "There's going to be lots of chaotic mess," he said.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.

Read more at snopes.com: Heartbleed (http://www.snopes.com/computer/virus/heartbleed.asp#zAGSkHhKB0uve8If.99)

:mad::mad::mad:
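
The clean-up order described in the article above (upgrade OpenSSL, then generate new keys, then get new certificates), shown as an added example that is not part of the original post or the quoted article. The `Server` record, its field names and the inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Server:
    name: str
    patched_on: Optional[date]   # day the fixed OpenSSL was deployed, None if not yet
    cert_issued: date            # issue (notBefore) date of the certificate served now
    key_fp_before: str           # public-key fingerprint recorded before patching
    key_fp_now: str              # public-key fingerprint served now

def remediation_gaps(s: Server) -> List[str]:
    """Return the steps still outstanding for one server, in order."""
    if s.patched_on is None:
        # Keys made on a still-vulnerable server can leak again: patch first.
        return ["upgrade OpenSSL", "generate new key", "reissue certificate"]
    if s.key_fp_now == s.key_fp_before:
        # New certificate over the old key: a stolen key still works.
        return ["generate new key", "reissue certificate"]
    if s.cert_issued < s.patched_on:
        # Key was rotated, but before the patch, so it sat in vulnerable memory.
        return ["generate new key", "reissue certificate"]
    return []

def triage(inventory: List[Server]) -> Dict[str, List[str]]:
    """Map each server name to its outstanding remediation steps."""
    return {s.name: remediation_gaps(s) for s in inventory}

# Constructed inventory; host names, dates and fingerprints are made up.
INVENTORY = [
    Server("www",  date(2014, 4, 8),  date(2014, 4, 9), "fp-1", "fp-2"),
    Server("mail", date(2014, 4, 8),  date(2014, 4, 9), "fp-3", "fp-3"),
    Server("vpn",  None,              date(2013, 6, 1), "fp-4", "fp-4"),
    Server("shop", date(2014, 4, 10), date(2014, 4, 8), "fp-5", "fp-6"),
]

if __name__ == "__main__":
    for name, gaps in triage(INVENTORY).items():
        print(f"{name}: {', '.join(gaps) or 'done'}")
```

The `mail` and `shop` rows are the cases that are easy to miss: a certificate reissued over the old key, and a key rotated before the patch went in.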

kato
10 Apr 14, 18:04
It's not a virus, it's a vulnerability.

We switched all server certificates at the place I work at today for new ones. *shrug*

tankie
11 Apr 14, 13:19
It's not a virus, it's a vulnerability.

We switched all server certificates at the place I work at today for new ones. *shrug*

Whatever it is mate, it's causing big problems. I don't use banking online anymore until the bugger is swatted, sooooooooooooooooooo to all those who want money, tuff. :tongue:

Oracle
11 Apr 14, 15:14
Bug in OpenSSL, AFAIK it's a memory handling issue. Been there for 15+ years until detected. All crackers will be busy. Switch off internet until the issue is fixed.

Oracle
11 Apr 14, 15:15
It's not a virus, it's a vulnerability.

We switched all server certificates at the place I work at today for new ones. *shrug*

All in all 17 million more need to be switched.

Doktor
15 Apr 14, 14:00
The Heartbleed Hit List: The Passwords You Need to Change Right Now (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/)

Test any site with this... not perfect, but, hey.
https://filippo.io/Heartbleed/#www.worldaffairsboard.com

tankie
15 Apr 14, 14:20
Good one Dok

tankie
17 Apr 14, 20:42
A man accused of exploiting the Heartbleed bug to steal information on hundreds of people will appear in court later.
Stephen Arthuro Solis-Reyes, 19, is the first person to be charged in connection with the major internet security flaw.
Federal police in Canada say they arrested Solis-Reyes at his home in London, Ontario.
He has been charged with mischief and the unauthorised use of a computer to steal data from the Canada Revenue Agency's (CRA) website.
Police said Solis-Reyes "extracted private information held by the CRA" by exploiting the security vulnerability.
The CRA said 900 social insurance numbers - similar to National Insurance numbers - were stolen last week.
Its website was closed for several days as a result.
Police said it took four days to track down the alleged culprit, adding that his computer equipment has been seized and the investigation is ongoing.
The so-called Heartbleed flaw in online encryption software OpenSSL allows hackers to eavesdrop on online communications, steal data, impersonate websites and unlock encrypted data.
OpenSSL is commonly used to protect passwords, credit card numbers and other data sent via the internet.
The flaw is understood to have existed for two years, but was only discovered in the past week.
More than half of websites use the software, but not all versions have the same vulnerability.