Wednesday, April 9, 2014

Internet Data Security at Risk because of a bug called "Heartbleed"


A major security bug was recently discovered that puts millions of usernames, passwords and credit card numbers at risk from hackers. The bug has been exploited by hackers and the NSA, who snoop on everyone, for more than two years. The bug is called "CVE-2014-0160" or "Heartbleed."

This is a different kind of breach; it is not like a website getting hacked. It is a major bug: the code that is supposed to keep servers secure has a flaw, and these are servers that keep data for thousands of sites. Experts say that this is the worst bug yet, and everyone who uses the internet or does business over the internet should be worried.

It is like forgetting to lock your car or your home: you may never know if a burglar will help themselves to your stuff.

A Finnish security firm, Codenomicon, conducted a test exploiting the "Heartbleed" bug to try to steal data. Here is how it went:

"We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

The "Heartbleed" bug was discovered in software called OpenSSL. OpenSSL is used on servers to encrypt sensitive information to protect people’s privacy. More than 500,000 servers were reportedly vulnerable.

Last March, a bug was discovered in another open-source encryption library, "GnuTLS", that caused it to fail to validate certificates correctly. Now it's OpenSSL's turn.

Administrators and vendors are scrambling to patch this bug, since OpenSSL is used by millions of websites and the bug has affected almost everyone. The only way your website is not affected by this bug is if it is not using SSL or it runs an outdated version of OpenSSL, which is equally risky.
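As an added example (not part of the original post), the shell function below sorts an `openssl version` banner into the upstream release ranges for CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta through 1.0.2-beta1 are affected, 1.0.1g and later are fixed, and the older 0.9.8 and 1.0.0 branches predate the bug. The function name `heartbleed_status` and the sample banners are constructed for illustration; distributions often backport the fix without changing the version string, so an `affected` result means the package changelog still has to be checked.

```shell
#!/bin/sh
# Added example, not from the original post. heartbleed_status is a
# hypothetical helper name. It prints one of:
#   affected  banner is inside the upstream vulnerable range
#   fixed     1.0.1g or later, 1.0.2-beta2 or later
#   predates  0.9.x / 1.0.0 branches, older than the bug (outdated for other reasons)
#   unknown   not an OpenSSL banner, or a version this check does not cover
heartbleed_status() {
    # Banner looks like: "OpenSSL 1.0.1e 11 Feb 2013"
    read -r name ver _rest <<EOF
$1
EOF
    if [ "$name" != "OpenSSL" ] || [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    ver=${ver%-fips}    # FIPS builds append "-fips" to the same release
    case $ver in
        1.0.1|1.0.1[abcdef])      echo affected ;;
        1.0.2-beta|1.0.2-beta1)   echo affected ;;
        1.0.1[g-z]*)              echo fixed ;;
        1.0.2*|1.1.*|[2-9].*)     echo fixed ;;
        0.9.*|1.0.0*)             echo predates ;;
        *)                        echo unknown ;;
    esac
    return 0
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-34s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# On a real host: heartbleed_status "$(openssl version)"
```

A `fixed` or `predates` banner only describes the library the `openssl` binary reports; services linked against a different or bundled copy need to be checked separately.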

As for Amazon, they are working to patch "Heartbleed" memory-leak vulnerabilities in their Amazon Web Services hosting infrastructure.



Here are online tests that you can use:
http://possible.lv/tools/hb/
https://www.ssllabs.com/ssltest/
http://filippo.io/Heartbleed/

