INVESTIGATORS & SECURITY CONSULTANTS

‘Heartbleed’ Bug Bypasses Web Encryption


A major new vulnerability called Heartbleed could let attackers gain access to users’ passwords and fool people into using bogus versions of Web sites. Some already say they’ve found Yahoo passwords as a result.

The problem, disclosed on 8th April, is in open-source software called OpenSSL that’s widely used to encrypt Web communications. Heartbleed can reveal the contents of a server’s memory, where the most sensitive data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server’s digital keys and then use those to impersonate servers or to decrypt communications from the past, and potentially the future, too.

Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who’s used them to change passwords too, because they could have been intercepted. That’s a big problem as more and more of people’s lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them.

Yahoo said just after noon PT that it fixed the primary vulnerability on its main sites: “As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.”

OpenSSL is one implementation of the encryption technology variously called SSL (Secure Sockets Layer) or TLS (Transport Layer Security). It’s what keeps prying eyes out of communications between a Web browser and Web server, but it’s also used in other online services such as email and instant messaging, Codenomicon said. The bug afflicts the 1.0.1 and 1.0.2-beta releases of OpenSSL, server software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project’s advisory on Monday night. OpenSSL has released version 1.0.1g to fix the bug, but many Web site operators will have to scramble to update the software. In addition, they’ll have to revoke security certificates that now might be compromised.

Developer and cryptography consultant Filippo Valsorda published a tool that lets people check websites for Heartbleed vulnerability. That tool showed Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected — but not Yahoo. Valsorda’s test uses Heartbleed to detect the words “yellow submarine” in a Web server’s memory after an interaction using those words.
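As an added illustration (not code from the article, from OpenSSL, or from Valsorda’s tool), the Python below inspects a TLS heartbeat record for the length mismatch behind the memory leak described above: the record layout follows RFC 6520, and the decisive length test mirrors the bounds check OpenSSL 1.0.1g added. The two sample records are constructed here for the demonstration.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of random padding

def check_heartbeat_record(record: bytes):
    """Classify one TLS record: ok / heartbleed / malformed / ignore.

    The decisive test is the bounds check OpenSSL 1.0.1g added: a heartbeat
    whose claimed payload length (plus header and minimum padding) does not
    fit inside the record is discarded instead of echoed."""
    if len(record) < 5:
        return "malformed", "truncated record header"
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "ignore", "not a heartbeat record"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return "malformed", "record length field disagrees with bytes present"
    if rec_len < 3:
        return "malformed", "heartbeat header truncated"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Heartbleed: the request claims more payload than it carries. A vulnerable
    # responder echoed payload_len bytes anyway, copying whatever lay beyond the
    # request in process memory into the reply.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "heartbleed", f"claims {payload_len} payload bytes, record holds {rec_len - 3}"
    return "ok", f"type {hb_type}, {payload_len}-byte payload"

def build_heartbeat(payload: bytes, claimed_len=None, padding=MIN_PADDING) -> bytes:
    """Build a TLS 1.1 heartbeat request record (constructed test input only)."""
    if claimed_len is None:
        claimed_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body

# Constructed samples: a well-formed echo of the phrase Valsorda's checker looks
# for, and a request claiming 16384 bytes while carrying the same 16.
BENIGN = build_heartbeat(b"yellow submarine")
OVERSIZED = build_heartbeat(b"yellow submarine", claimed_len=0x4000)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("oversized", OVERSIZED)):
        verdict, detail = check_heartbeat_record(rec)
        print(f"{name}: {verdict} ({detail})")
```

The same check, applied to heartbeat records seen on the wire, is how an IDS rule or a patched server tells a legitimate keep-alive from a request that would have triggered the leak.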

Should I Change My Password?

Some security experts are saying that it would be prudent to do so although there is a degree of confusion as to when and if this needs to be done.

Many of the large technology firms, including Facebook and Google, have patched the vulnerability. Confusingly, though, Google spokeswoman Dorothy Chou said specifically: “Google users do not need to change their passwords.” A source at the firm told the BBC that it patched the vulnerability ahead of the exploit being made public and did not believe that it had been widely used by hackers.

Some point out that there will be plenty of smaller sites that haven’t yet dealt with the issue, and with these a password reset could do more harm than good, revealing both old and new passwords to any would-be attacker. But now that the bug is widely known, even smaller sites will issue patches soon, so most people should probably start thinking about resetting their passwords.

“Some time over the next 48 hours would seem like sensible timing,” the University of Surrey’s computer scientist Prof Alan Woodward told the BBC. Mikko Hypponen of security firm F-Secure issued similar advice: “Take care of the passwords that are very important to you. Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely.”

See full articles at:

http://www.cnet.com/uk/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

http://www.bbc.co.uk/news/technology-26969629

Test websites for Heartbleed vulnerability at:

http://filippo.io/Heartbleed/