WARNING: Massive breach of security on the internet

Doc
Posts: 12562
Joined: Sat Nov 24, 2012 6:10 pm

WARNING: Massive breach of security on the internet

Post by Doc »

This is a very big deal


http://arstechnica.com/security/2014/04 ... sdropping/
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Exploits allow attackers to obtain private keys used to decrypt sensitive data.

by Dan Goodin - Apr 7 2014, 8:10pm EST


For a more detailed analysis of this catastrophic bug, see this update, which went live about 18 hours after Ars published this initial post.

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."

The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Members of the Tor anonymity project have a brief write-up of the bug here, and this analysis provides useful technical details.

OpenSSL is by far the Internet's most popular open-source cryptographic library and TLS implementation. It is the default encryption engine for Apache and nginx, which according to Netcraft run 66 percent of websites. OpenSSL also ships in a wide variety of operating systems and applications, including the Debian Wheezy, Ubuntu, CentOS, Fedora, OpenBSD, FreeBSD, and OpenSUSE distributions of Linux. The missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension affects OpenSSL 1.0.1 through 1.0.1f.

The bug, which is officially referenced as CVE-2014-0160, makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version. Nick Sullivan, a systems engineer at CloudFlare, a content delivery network that patched the OpenSSL vulnerability last week, said his company is still evaluating the likelihood that private keys appeared in memory and were recovered by attackers who knew how to exploit the flaw before the disclosure. Based on the results of the assessment, the company may decide to replace its underlying TLS certificate or take other actions, he said.

Attacking from the outside

The researchers who discovered the vulnerability, however, were less optimistic about the risks, saying the bug makes it possible for attackers to surreptitiously bypass virtually all TLS protections and to retrieve sensitive data residing in the memory of computers or servers running OpenSSL-powered software.

"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

They called on white-hat hackers to set up "honeypots" of vulnerable TLS servers designed to entrap attackers in an attempt to see if the bug is being actively exploited in the wild. The researchers have dubbed the vulnerability Heartbleed because the underlying bug resides in the OpenSSL implementation of the TLS heartbeat extension as described in RFC 6520 of the Internet Engineering Task Force.

The OpenSSL vulnerability is the latest to threaten the HTTPS scheme that's the default and often only method for cryptographically protecting websites, e-mail, and other Internet communications from attacks that allow hackers to eavesdrop on end users or impersonate trusted websites. Last month, developers of the GnuTLS library disclosed an equally catastrophic bug that left hundreds of open-source applications open to similar attacks. And in February, Apple fixed an extremely critical vulnerability in the iOS and OS X operating systems that also made it possible for hackers to bypass HTTPS protections.

"I fancied myself as some kind of god.... It is a sort of disease when you consider yourself some kind of god, the creator of everything, but I feel comfortable about it now since I began to live it out." -- George Soros
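The missing bounds check the article above describes, as an added C example (not OpenSSL's code and not from this thread): a simplified heartbeat record parser carrying the length check that OpenSSL 1.0.1g added, beside a helper that reports how far the unpatched logic would have read past the received record. The record layout follows RFC 6520; the "ping" payload and the record builder are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16) */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
/* Bounds check as added in OpenSSL 1.0.1g: the claimed payload, plus header and
 * padding, must fit inside the record actually received. Returns the payload
 * length that may be echoed back, or -1 if the record must be silently dropped. */
int heartbeat_check_bounds(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;          /* too short */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return -1; /* the check 1.0.1f lacked */
    return (int)claimed;
}

/* Vulnerable versions (1.0.1 through 1.0.1f) trusted the 16-bit length field and
 * copied `claimed` bytes from the payload into the response. This reports how far
 * past the end of the received record that copy would have read (up to ~64 KB). */
size_t heartbeat_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t needed = HB_HEADER_LEN + claimed + HB_PADDING_LEN;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Constructed request: a 4-byte "ping" payload whose claimed length may disagree
 * with the bytes actually sent. Writes the record to `out`, returns its length. */
static size_t build_ping_request(uint8_t *out, uint16_t claimed_len) {
    out[0] = 1;                               /* heartbeat_request */
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + HB_HEADER_LEN, "ping", 4);
    memset(out + HB_HEADER_LEN + 4, 0, HB_PADDING_LEN);
    return HB_HEADER_LEN + 4 + HB_PADDING_LEN; /* 23 bytes on the wire */
}
/* Patched verdict, and the unpatched over-read, for a ping with a given claimed length. */
int patched_result(uint16_t claimed_len) {
    uint8_t buf[64];
    size_t n = build_ping_request(buf, claimed_len);
    return heartbeat_check_bounds(buf, n);
}
size_t unpatched_overread(uint16_t claimed_len) {
    uint8_t buf[64];
    size_t n = build_ping_request(buf, claimed_len);
    return heartbeat_overread_bytes(buf, n);
}
```

A claimed length equal to the real payload passes both paths; any larger claim is dropped by the patched check, while the unpatched arithmetic shows the over-read growing to just under 64 KB.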
Heracleum Persicum
Posts: 11574
Joined: Sat Dec 22, 2012 7:38 pm

Re: WARNING: Massive breach of security on the internet

Post by Heracleum Persicum »

There was never any security in the internet traffic, in that sense, no real breach
Doc
Posts: 12562
Joined: Sat Nov 24, 2012 6:10 pm

Re: WARNING: Massive breach of security on the internet

Post by Doc »

Heracleum Persicum wrote:
There was never any security in the internet traffic, in that sense, no real breach

Actually it is a breach. A very major one. Even if the internet is inherently insecure.

When it is open to anyone with the know-how for three years then all bets are off. I.e. bricks and mortar vs. online house of cards. Cash vs. credit cards.


BTW, presumably enough of the web servers have been fixed by now that it is time to change your important passwords.


http://filippo.io/Heartbleed/#onthenatureofthings.net
Doc
Posts: 12562
Joined: Sat Nov 24, 2012 6:10 pm

Re: WARNING: Massive breach of security on the internet

Post by Doc »

Just keeps getting bigger. Forget what I said about changing your important passwords. IF you have info online you don't want to share with anyone, including personal info, DO NOT ACCESS the accounts containing it for now. Wait until later, maybe weeks to months, to give a chance for the affected hardware to be changed for new fixed hardware. IF you have a router from either of the two router manufacturers, best to wait until they have been fixed and you can throw out the one you have as well.

http://online.wsj.com/news/articles/SB1 ... 51346.html
Heartbleed Bug Found in Cisco Routers, Juniper Gear
Encryption Bug Affects Equipment That Connects to the Web

By Danny Yadron
Updated April 10, 2014 6:10 p.m. ET

The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.

Cisco Systems Inc. and Juniper Networks Inc., two of the largest manufacturers of network equipment, said Thursday that some of their products contain the "Heartbleed" bug. That means hackers might be able to capture usernames, passwords and other sensitive information as they move across corporate networks, home networks and the Internet.

Many websites—including those run by Yahoo Inc., Amazon.com Inc. and Netflix Inc.—quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses.

These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.

Bruce Schneier, a cybersecurity researcher and cryptographer, said, "The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy."

However, products available at retail stores now likely were shipped before the bug was revealed on Monday. That means they may also contain the defective software, from an encryption code known as OpenSSL.

Companies often use firewalls and virtual private networks to protect their computer systems. But if the machines that run the firewalls and virtual private networks are affected by the Heartbleed bug, attackers could use them to infiltrate a network, said Matthew Green, an encryption expert at Johns Hopkins University.

"It's pretty bad," Mr. Green said. "Lots and lots of people connect to these things."

Mr. Green and others said the bug likely affects some home-networking equipment, such as wireless routers.

Cisco, in a customer bulletin updated Thursday, told clients that dozens of products are "affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve" potentially sensitive information. In the bulletin, it said 65 products were under investigation and another 16 had been confirmed vulnerable.

Cisco said it would update customers when it has software patches. Meanwhile, its security researchers offered users software that it said would detect hackers exploiting the bug. A Cisco spokesman referred a query to the bulletin on its website.

Juniper said the process of updating its equipment might be lengthy. "It doesn't sound like a flip the switch sort of thing," said Corey Olfert, a Juniper spokesman. "I don't know how quickly they can be resolved."

The company said it issued patches for some versions of its virtual private network software Tuesday. It added it is working on patches for other "affected products" but didn't elaborate.

To keep prying eyes out, websites and network equipment use encryption to turn sensitive information into a jumble of unreadable text. Since writing encryption code is complex, developers often use a free, open-source version called OpenSSL. It's a bare-bones project managed by four European coders.

The Heartbleed bug—first introduced into OpenSSL two years ago—allows hackers to grab bits of data from servers and equipment after it has been decrypted.