Hackers Attack OpenSSL with HeartBleed Bug


(Newswire.net — April 10, 2014) Orlando, FL. — This serious vulnerability in the OpenSSL cryptographic software library, now being referred to as HeartBleed, was discovered by Neel Mehta of Google Security. Once the bug was discovered, Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> worked diligently to prepare the fix.


Users are advised to upgrade their OpenSSL software to version 1.0.1g, which contains the fix. Users who are unable to upgrade immediately are advised to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. The same issue in OpenSSL 1.0.2 will be fixed in OpenSSL 1.0.2-beta2.


The security advisory for the TLS heartbeat read overrun warned that, “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.” Read the original alert here:


https://www.openssl.org/news/secadv_20140407.txt
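The "missing bounds check" the advisory refers to, as an added illustration that is not code from OpenSSL or from this article: a toy C model of a heartbeat request handler, run with and without the length check the fix introduced, over a constructed request placed inside a simulated memory arena (all function names, buffer sizes and byte values are assumptions).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16  /* RFC 6520: at least 16 bytes of padding */

/* Toy heartbeat handler (not OpenSSL's code). 'record_len' is the length the
 * record layer actually received. check_bounds == 0 trusts the peer-supplied
 * payload length (the pre-1.0.1g behaviour); check_bounds == 1 applies the
 * bounds check the fix added. Returns response bytes written, or 0 if dropped. */
size_t handle_heartbeat(const uint8_t *record, size_t record_len,
                        uint8_t *resp, int check_bounds) {
    if (record_len < 3 || record[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    /* The missing check: type + length + payload + padding must fit the record. */
    if (check_bounds && (size_t)1 + 2 + payload + PADDING > record_len) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, record + 3, payload);  /* unchecked: copies past the record */
    memset(resp + 3 + payload, 0, PADDING); /* padding (random in real TLS) */
    return 3 + payload + PADDING;
}

/* Constructed scenario: a 4-byte request claiming a 20-byte payload at the
 * start of a 64-byte arena; the arena's other bytes ('S') stand in for
 * neighbouring process memory. Returns 1 if the response echoed any 'S'. */
int demo_leak(int check_bounds) {
    uint8_t arena[64], resp[128];
    memset(arena, 'S', sizeof arena);
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 20; arena[3] = 'x';
    size_t n = handle_heartbeat(arena, 4, resp, check_bounds);
    return n > 4 && memchr(resp + 4, 'S', n - 4) != NULL;
}

/* A well-formed 20-byte request (1-byte payload + 16 bytes padding) is still
 * answered with the check on. Returns the response length (20). */
size_t demo_valid(void) {
    uint8_t rec[20] = { HB_REQUEST, 0, 1, 'x' }, resp[64];
    return handle_heartbeat(rec, sizeof rec, resp, 1);
}

int main(void) {
    printf("unchecked handler leaked neighbouring bytes: %d\n", demo_leak(0));
    printf("checked handler leaked neighbouring bytes:   %d\n", demo_leak(1));
    printf("well-formed request answered with %zu bytes\n", demo_valid());
    return 0;
}
```

The unchecked variant echoes bytes that were never part of the received record, which is exactly what the 64k figure in the advisory describes; the checked variant silently discards the malformed request while still answering a well-formed one.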


In layman's terms, the HeartBleed Bug allows hackers to easily steal protected sensitive information right through the SSL/TLS encryption that most companies use to collect consumers' payment information. All areas of the web were exposed, including web pages, email accounts, IM (instant messaging) and VPNs (virtual private networks). By taking advantage of this security breach, hackers would have the ability to eavesdrop on communications, steal information such as names, passwords, payment information and other personal content, and impersonate any of these services and users.


HeartBleed.com showed how dangerous this breach was by explaining that, “We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”


The only way this HeartBleed Bug can be stopped is to upgrade to an OpenSSL version that has been fixed. This explains why services like Yahoo keep asking for your password over and over again. I personally have noticed since Monday that PayPal makes me use a captcha after logging in, then after successfully answering the captcha, PayPal makes me login again.


Many of us are at the mercy of our system vendors (hosting companies) or whoever issued our SSL certificates. These vendors must apply the fix and then notify their users. Contact your supplier now to verify that they have upgraded their OpenSSL software to the fixed version!


A Yahoo statement updated on April 8th at 3:54PM EST read, “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now.”


###