
Google Responds to Heartbleed Flaw with BoringSSL

Problems associated with the Heartbleed Internet-security vulnerability discovered earlier this year continue, with hundreds of thousands of servers still running unpatched versions of the open-source OpenSSL cryptographic library. To address these concerns, Google announced it is developing BoringSSL, a fork of OpenSSL, which is an open-source implementation of the Secure Sockets Layer and Transport Layer Security protocols. Researchers discovered a flaw in OpenSSL that attackers could exploit to read an application’s memory, including sensitive data and private encryption keys. Google is developing BoringSSL, rather than just patching OpenSSL, because it can no longer keep up with all the patches. “As Android, Chrome, and other products have started to need some subset of these patches, things have grown very complex,” said Google software engineer Adam Langley. “The effort involved in keeping all these patches straight across multiple code bases is getting to be too much.” The company is now importing changes from OpenSSL into BoringSSL. Google plans to contribute its BoringSSL code to the OpenSSL open-source project. The new SSL fork should appear in Google’s Chromium repository soon and in the Android OS after that. (eWeek)(PC World)(Naked Security)(BoringSSL)

Consortium Addresses Heartbleed Flaw and Other Open Source Software Issues

In the wake of the discovery of a serious flaw in the popular OpenSSL Internet-security library, a consortium of large technology companies—including Amazon, Cisco Systems, Dell, Facebook, Fujitsu, Google, IBM, Intel, and Microsoft—is pledging funding and support for improving open-source software projects. Linux Foundation executive director Jim Zemlin founded the Core Infrastructure Initiative in response to the Heartbleed vulnerability in OpenSSL, a critical open-source library that many websites use. Each founding partner will donate $300,000 to the group during the next three years. The consortium will support underfunded open-source software projects and design a framework for developing such software. The initial efforts will focus on OpenSSL. (Reuters)(CNET)(Core Infrastructure Initiative @ Linux Foundation)

Canadian Man First Arrested for Using Heartbleed Exploit

A Canadian man arrested 15 April 2014 is the first person known to have been arrested for using Heartbleed – a vulnerability in OpenSSL encryption – in a data breach. Stephen Arthuro Solis-Reyes, 19, of London, Ontario, is being charged with one count of Unauthorized Use of a Computer and one count of Mischief in Relation to Data after he allegedly stole 900 social insurance numbers and other data from the Canada Revenue Agency, according to the Royal Canadian Mounted Police. Computer equipment in the suspect’s home was seized. No other information was released. Those affected by the theft will be contacted by registered mail, according to the agency, which will also offer free credit protection services and additional security on their accounts. Solis-Reyes, a computer science student attending Western University, is scheduled to appear in an Ottawa court 17 July 2014. (Reuters)(The Associated Press)(PC Mag)

Serious Web Encryption Vulnerability Affects Internet Users Worldwide

A newly discovered problem in a ubiquitous Web encryption technology leaves Internet users worldwide vulnerable to hacking and is being called one of the most serious security flaws uncovered in recent years. Researchers from Google and Codenomicon, a vendor of robustness testing tools, found Heartbleed, a vulnerability that has existed for at least two years in OpenSSL, an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. An attacker could exploit the vulnerability to bypass SSL and TLS encryption and access sensitive data, including passwords, that Internet users transmit. Security experts say network administrators must patch their Web and email servers to prevent these problems, and that users should change their online passwords. Codenomicon CEO David Chartier said, “I don't think anyone that had been using [OpenSSL] is in a position to definitively say they weren't compromised.” (Reuters)(The Associated Press)
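As an added illustration of the defect behind the memory disclosure these reports describe (this is constructed demo code, not OpenSSL's source or code from any of the cited articles): the affected heartbeat handler copied as many bytes as the peer's length field claimed without checking that claim against the record actually received, and the fix was the single bounds check shown below. The `memory` array and its "secret" are constructed stand-ins for process memory, so the over-read stays inside the demo buffer.

```c
#include <stddef.h>
#include <string.h>

/* TLS heartbeat request body (RFC 6520): 1-byte type, 2-byte big-endian claimed
 * payload length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_PADDING 16
#define RECORD_LEN 21   /* bytes actually received: 3 header + "hi" + 16 padding */

/* Constructed stand-in for process memory: the received record fills the first
 * 21 bytes and claims 0x30 = 48 payload bytes while carrying two; the bytes
 * after it play the part of adjacent heap contents (a fake, constructed secret). */
static const unsigned char memory[64] =
    "\x01\x00\x30" "hi" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" "SECRET-KEY";

/* Pre-fix logic: the claimed length is trusted, so memcpy reads past the record. */
size_t heartbeat_echo_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled */
    if (3 + payload > out_cap) return 0;              /* guards only the output */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* the over-read */
    return 3 + payload;
}

/* Fixed logic: the claimed length must fit inside what was actually received. */
size_t heartbeat_echo_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing check */
    if (3 + payload > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* 1 if the vulnerable echo hands back bytes that were never in the record. */
int vulnerable_leaks_secret(void) {
    unsigned char out[64];
    size_t n = heartbeat_echo_vulnerable(memory, RECORD_LEN, out, sizeof out);
    return n > 27 && memcmp(out + 21, "SECRET", 6) == 0;  /* secret at offset 21 */
}

/* Fixed handler's echo length: 0 for the lying record, 5 for an honest one. */
size_t fixed_echo_len(int honest) {
    unsigned char rec[RECORD_LEN] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char out[64];
    return heartbeat_echo_fixed(honest ? rec : memory, RECORD_LEN, out, sizeof out);
}
```

The same record is handled by both functions: the vulnerable one echoes 51 bytes including the neighbouring "secret", while the fixed one discards it and only serves a request whose claimed length fits the bytes received.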
