Entries with tag heartbleed.

Security Researchers: Don’t Compare Every Vulnerability to Heartbleed, Shellshock

Some security researchers are criticizing the media and others in the security field for using Heartbleed or Shellshock as the point of comparison whenever a new software flaw is discovered. In early November, Microsoft patched a serious bug in SChannel (Secure Channel) that was present in every version of the Windows operating system since Windows 95. An IBM researcher reported the bug to Microsoft in May, and it was fixed only recently. According to a recent article on securitywatch.pcmag.com, a security researcher from Tripwire referenced Heartbleed and Shellshock when discussing the Microsoft patch. The article states that the need for sensationalism to get information security taken seriously indicates “a problem, and it’s not the bug itself.” Each vulnerability should be assessed on its own merits. Josh Feinblum, vice president of information security at Rapid7, noted that the SChannel vulnerability wasn’t like Heartbleed. “This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities,” he wrote. “Microsoft customers can take a deep breath before they dive head first into patching, but should make sure patching is treated at the highest priority given the potential risk if/when an exploit is successfully developed.” (PC Mag)(Rapid7 Blog)

Google Responds to Heartbleed Flaw with BoringSSL

Problems associated with the Heartbleed Internet-security vulnerability discovered earlier this year continue, with hundreds of thousands of servers still running unpatched versions of the open-source OpenSSL cryptographic library. To address these concerns, Google announced it is developing BoringSSL, a fork of OpenSSL, the open source implementation of the Secure Sockets Layer and Transport Layer Security protocols. Researchers discovered a flaw in OpenSSL that attackers could exploit to read an application’s memory, including sensitive data and private encryption keys. Google is developing BoringSSL, rather than just patching OpenSSL, because it can no longer keep track of its own growing set of patches to OpenSSL. “As Android, Chrome, and other products have started to need some subset of these patches, things have grown very complex,” said Google software engineer Adam Langley. “The effort involved in keeping all these patches straight across multiple code bases is getting to be too much.” The company is now importing changes from OpenSSL into BoringSSL. Google plans to contribute its BoringSSL code to the OpenSSL open-source project. The new SSL fork should appear in Google’s Chromium repository soon and in the Android OS after that. (eWeek)(PC World)(Naked Security)(BoringSSL)

Consortium Addresses Heartbleed Flaw and Other Open Source Software Issues

In the wake of the discovery of a serious flaw in OpenSSL, the widely used open-source implementation of the SSL/TLS Internet-security protocols, a consortium of large technology companies—including Amazon, Cisco Systems, Dell, Facebook, Fujitsu, Google, IBM, Intel, and Microsoft—is pledging funding and support for improving open source software projects. Linux Foundation executive director Jim Zemlin founded the Core Infrastructure Initiative in response to the Heartbleed vulnerability in OpenSSL, a critical open source library that many websites use. Each founding partner will donate $300,000 to the group during the next three years. The consortium will support underfunded open source software projects and design a framework for developing such software. The initial efforts will focus on OpenSSL. (Reuters)(CNET)(Core Infrastructure Initiative @ Linux Foundation)

Canadian Man First Arrested for Using Heartbleed Exploit

A Canadian man arrested 15 April 2014 is the first person known to have been arrested for using Heartbleed – a vulnerability in OpenSSL encryption – in a data breach. Stephen Arthuro Solis-Reyes, 19, of London, Ontario, has been charged with one count of Unauthorized Use of a Computer and one count of Mischief in Relation to Data after he allegedly stole 900 social insurance numbers and other data from the Canada Revenue Agency, according to the Royal Canadian Mounted Police. Computer equipment in the suspect’s home was seized. No other information was released. Those affected by the theft will be contacted by registered mail, according to the agency, which will also offer free credit protection services and additional security on their accounts. Solis-Reyes, a computer science student attending Western University, is scheduled to appear in an Ottawa court 17 July 2014. (Reuters)(The Associated Press)(PC Mag)

Serious Web Encryption Vulnerability Affects Internet Users Worldwide

A newly discovered problem in a ubiquitous Web encryption technology leaves Internet users worldwide vulnerable to hacking and is being called one of the most serious security flaws uncovered in recent years. Researchers from Google and Codenomicon, a vendor of robustness testing tools, found Heartbleed, a vulnerability that has existed for at least two years in OpenSSL, an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. An attacker could exploit the vulnerability to bypass SSL and TLS protection and access sensitive data, including passwords, that Internet users transmit. Security experts say network administrators must patch their Web and email servers to prevent these problems, and that users should change their online passwords afterward. Codenomicon CEO David Chartier said, “I don't think anyone that had been using [OpenSSL] is in a position to definitively say they weren't compromised.” (Reuters)(The Associated Press)