Saturday, April 12, 2014

Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data:

An encryption tool used by a large chunk of the Internet is flawed, potentially exposing reams of data meant to be hidden from prying eyes. The bug, nicknamed Heartbleed by researchers at Google Inc. and cybersecurity firm Codenomicon, could have affected two-thirds of active websites when it was disclosed Monday, they said. On Tuesday, website operators, including Yahoo Inc., raced to fix the problem. Several researchers said earlier that they had been able to capture Yahoo usernames and passwords. Many other major websites, such as Google, Amazon.com Inc. and eBay Inc., appeared to be safe, based on a test created by a researcher for cybersecurity company Qualys Inc.

The bug exploits a problem in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job. The limited resources behind the encryption code highlight a challenge for Web developers amid increased concern about hackers and government snoops. Websites increasingly use encryption to mask data such as usernames, passwords and credit-card numbers. That prevents a hacker lurking at a coffee shop from grabbing personal information out of the air as it travels to a wireless router. This type of encryption is called SSL, or secure sockets layer, or TLS, or transport layer security. Web servers that use the affected versions of the code store some data unprotected in memory.

Hackers can grab that data, and reconstruct information about users or keys that would allow them to monitor past or future encrypted traffic.

http://online.wsj.com/news/articles/SB10001424052702304819004579489813056799076


The National CyberThreat Level has been raised to HIGH. I can’t remember the last time that happened. 
WHAT TO DO:
· Check to see if any websites you have accounts on are vulnerable:

  "Heartbleed Hit List" (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/), a listing of some popular websites and their vulnerability status

  "Heartbleed Test" (http://filippo.io/Heartbleed/), a tool for checking the status of individual websites

· Change passwords for all online accounts and e-mail, giving first priority to critical accounts.

· Be alert for phishing scams. CIS received reports of phishing campaigns related to this vulnerability, attempting to lure victims to credential-stealing sites. If you need to change your password, type the URL of the organization in a browser and do not click on links in emails that ask you to reset your passwords.

CAPT. Lloyd Bumanglag CAP