Tech News WARNING! 'Stay Off The Internet' To Avoid Major Web Bug

Napster


Hackers may have been intercepting web passwords and browsing history for the past two years because of a bug in widely used web encryption technology.

Analysts say the Heartbleed bug is one of the most serious discovered in recent years because the compromised technology - OpenSSL - is so popular.

The popular web encryption technology is used by websites to protect sensitive data such as passwords.

Jonathan Sander, from cyber security firm Stealthbits Technologies, said: "It's like finding a faulty car part used in nearly every make and model."


Yahoo is one of the websites hit by the bug
The Tor Project, which develops online anonymity software, warned people to stay off the internet entirely for the next few days to remain safe.

A message on its website read: "If you need strong anonymity or privacy on the internet, you might want to stay away from the Internet entirely for the next few days while things settle."

Yahoo passwords were among those compromised, and the company says it has since fixed the vulnerability on its services.

A spokesman said: "As soon as we became aware of the issue, we began working to fix it."

Other websites known to have been compromised by the flaw included image-hosting site Imgur, dating service OKCupid and the FBI's website.

The bug was introduced in the 1.01 version of OpenSSL in 2012.

This means that attackers may have been exploiting the bug for two years, revealing emails, instant messages and browsing data.

Because hacking attacks using the bug leave no trace, it is difficult to calculate how many people have been affected.

Google, Microsoft, Twitter, Facebook and Dropbox are understood to be unaffected.
Looks like the horse has well and truly bolted?

For most people the following is probably all they need to do:

Check out the article at
and look for the reference to "a list compiled by a user of Github" and follow the link to see the allegedly affected sites.

There's a link to a test tool which enables you to test whether a particular site has implemented the required fix.

Delete all your cookies and browser cache.

Change passwords today then again next week (unless you don't use any affected sites).

If you intend to use an affected site use the test tool first or simply avoid buying online for a few days.

Take advantage of any extra security offered by sites you use i.e. Yahoo Mail can be set up with an extra layer so if you think your account has been compromised they'll send some authentication information by text message.

Until the next time...
 
A little bit more info...

Technology vendors have moved to allay customers' concerns about the newly discovered Heartbleed flaw in the OpenSSL implementation of the transport layer security (TLS) protocol.

The security vulnerability was discovered by researchers with a Finnish company called Codenomicon and is believed to affect millions of web servers around the world.

Though the US Computer Emergency Response Team (CERT) has published a list of all known affected companies, the full scale of the flaw remains unknown. Its potential for harm is significant as OpenSSL encryption is used by open-source web servers such as Apache and Nginx, which host 66 percent of all sites.

V3 has collected statements and guidance from key companies to help ascertain the full impact of the Heartbleed flaw.

Facebook

"We added protections for Facebook's implementations of OpenSSL before this issue was publicly disclosed, and we haven't detected any signs of suspicious activity on people's accounts. We're continuing to monitor the situation closely."

Microsoft

"Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows' implementation of SSL/TLS was also not impacted."

Google

"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine."

Google also confirmed the vulnerability affects its Cloud SQL, Compute Engine, Search Appliance and Android services, but promised patches will arrive for them in the very near future.

The Android vulnerability oddly only affects the 4.1.1 Jelly Bean version. The Cloud SQL and Google Compute Engine fixes will be slightly more complex and require separate actions from users.

As explained by Google: “We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances.

“[Google Compute Engine] customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library.”

Amazon

Amazon has warned customers that the vulnerability affects its Elastic Load Balancing, Amazon Elastic Compute Cloud (EC2), AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront services.

The Elastic Load Balancing components affected by the flaw have been updated, though Amazon recommended: “As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the Elastic Load Balancing documentation.”

The firm also recommended: “Amazon EC2 customers using OpenSSL on their own Linux images should update their images in order to protect themselves from the Heartbleed bug.”

An update is available for AWS OpsWorks and it has already successfully mitigated the issue affecting its CloudFront service.

The company’s AWS Elastic Beanstalk is the only service that remains unfixed, though Amazon confirmed: “We are working with a small number of customers to assist them in updating their SSL-enabled single-instance environments that are affected by this bug.”

Twitter

"On 7 April 2014 we were made aware of a critical vulnerability in OpenSSL (CVE-2014-0160), the security library that is widely used across the internet and at Twitter. We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation."

Cisco

The firm said: "The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. Cisco Advisory OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products was just published and already includes information on vulnerable products and others confirmed not vulnerable.

"The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco will be communicated according to the Cisco Security Vulnerability Policy."

Tumblr

"We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said.

"This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

PayPal

"Following a comprehensive review of all our services, our security teams did identify a handful of businesses that we recommend upgrade their Payflow Gateway integrations to eliminate the risk of vulnerability. The Payflow Gateway is a payment gateway for online merchants that links your website to your processing network or merchant account," said PayPal.

"We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations."

Source: IT news, reviews and analysis for UK IT professionals - V3.co.uk
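The Google Compute Engine and Amazon EC2 guidance quoted in the post above boils down to two checks an administrator can run on the instance itself: is the installed OpenSSL still in the affected range, and is any long-running process still holding the old library in memory after the package was replaced (the reason the reboot is recommended). The script below is an added example, not code from the thread or from any vendor quoted in it. It assumes a Linux host with `/proc` and an `openssl` binary on the PATH, and treats the affected range for CVE-2014-0160 as OpenSSL 1.0.1 through 1.0.1f plus 1.0.2-beta1 (1.0.1g, the 1.0.0 branch and 0.9.8 are outside it).

```shell
#!/bin/sh
# Added example (not from the thread): post-patch checks for Heartbleed
# (CVE-2014-0160) on a Linux host. Two questions are answered:
#   1. does the reported OpenSSL version fall in the affected range?
#   2. is any running process still mapping a libssl/libcrypto that was
#      replaced on disk, i.e. still executing the old code until restarted?

# Return 0 (true) when an "openssl version" string is in the affected range:
# 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1. Patch letters from
# 1.0.1g onward and the 1.0.0 / 0.9.8 branches are not affected.
# Caveat: distributions frequently backport the fix without bumping the
# upstream version string (a patched build can still report 1.0.1e), so a
# hit here means "confirm against the vendor advisory and package changelog",
# not "definitely exposed". A miss on a supported patch level is reliable.
heartbleed_version_in_range() {
    # Keep only the version token: drop an optional "OpenSSL " prefix, a
    # "-fips" build suffix, and the build date that follows the version.
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL *//' -e 's/-fips//' -e 's/[[:space:]].*$//')
    case "$ver" in
        1.0.2-beta1)      return 0 ;;
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Print "PID command" for every process whose memory map still references a
# libssl or libcrypto file marked "(deleted)": the file on disk was replaced
# by the package update but the process never restarted. Linux /proc only;
# maps of other users' processes are skipped silently unless run as root.
processes_with_stale_libssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'lib\(ssl\|crypto\)[^ ]*(deleted)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

main() {
    v=$(openssl version 2>/dev/null || echo "openssl not found")
    if heartbleed_version_in_range "$v"; then
        echo "WARNING: '$v' is in the Heartbleed range; confirm the fix via your vendor advisory"
    else
        echo "OK: '$v' is outside the affected range"
    fi
    stale=$(processes_with_stale_libssl)
    if [ -n "$stale" ]; then
        echo "Processes still using a replaced libssl/libcrypto (restart them or reboot):"
        echo "$stale"
    else
        echo "No process is mapping a deleted libssl/libcrypto"
    fi
}

main
```

Run it as root after the package update so every process's map file is readable; a non-empty second list is exactly the situation the quoted Google advice addresses with "each instance should be rebooted". The version check is deliberately conservative about backports: on Debian- or Red Hat-style systems the package changelog, not the upstream version string, is the authoritative record of whether the fix is present.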
 
Anyone using password managers? Any good free and x-cross platform?
 
Back to the OP - must be getting fixed, getting loads of certificate updates coming through!
 