Heartbleed

NSA denies Report that Agency knew and exploited Heartbleed Vulnerability

Bloomberg reported, citing two sources ‘familiar with the matter’, that the U.S. National Security Agency (NSA) knew about the critical Heartbleed flaw for at least two years, used it regularly to gather “critical intelligence” and sensitive information, and decided to keep the bug secret.

In response to that report, the NSA issued a 94-character statement today denying that it had known about the Heartbleed bug for two years and had been silently using it for surveillance. “NSA was not aware of the recently identified Heartbleed vulnerability until it was made public,” the agency said on its Twitter feed.

Heartbleed is one of the biggest Internet vulnerabilities in recent history. It left a large number of cryptographic keys and private data such as usernames, passwords and credit card numbers, from some of the most important sites and services on the Internet, open to attackers. The bug resides in the “Heartbeat” extension of OpenSSL, the widely used open source SSL/TLS library that social networks, search engines, banks and other websites use to secure connections while transmitting data. A team of researchers from Codenomicon and a Google Security researcher revealed the vulnerability this week; the vulnerable code has been in the wild since it shipped in OpenSSL 1.0.1 in March 2012.

Just after the revelation, OpenSSL released a fix in version 1.0.1g. Until then, the Heartbleed bug left websites, email, instant messaging (IM) and some virtual private networks, on about half a million of the world’s widely trusted web servers, open to attackers.

The bug was born of a mistake by German programmer Robin Seggelmann over two years ago, while he was working on the new Heartbeat feature in OpenSSL. He submitted the code with the heartbeat feature in an update on New Year’s Eve, 2011, and an “oversight” led to the error that unintentionally created the “Heartbleed” vulnerability. Yesterday he said it was entirely possible that government intelligence agencies had been making use of the flaw over the past two years.

The fix has been released, but users’ data remain exposed until each affected website deploys it. Change your password for a site only once that site has been patched: if it was vulnerable before, assume the old password may have been captured, and if you change it while the site is still vulnerable, the new password can leak in the same way.

Source: http://whogothack.blogspot.co.uk/2014/04/nsa-denies-report-that-agency-knew-and.html#.VkpDTVUrLIU

The post NSA denies Report that Agency knew and exploited Heartbleed Vulnerability appeared first on Am I Hacker Proof.

View full post on Am I Hacker Proof

How to Protect yourself from the ‘Heartbleed’ Bug

Millions of websites, users’ passwords, credit card numbers and other personal information may be at risk as a result of the Heartbleed security flaw, a vulnerability in the widely used cryptographic library OpenSSL.

A Netcraft survey says that about half a million widely trusted active websites on the Internet are vulnerable to the Heartbleed bug, which means information transmitted through hundreds of thousands of websites could be exposed despite the protection that encryption is supposed to provide.

According to Netcraft, “the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.”

Among the trusted names running OpenSSL is Yahoo!, which was affected by this critical flaw. Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services potentially hurt by Heartbleed. The bug leaked user data from Yahoo! servers, although Yahoo! has since patched its systems.

Popular sites that also support the TLS heartbeat extension, including Twitter, Facebook, GitHub, Bank of America and Dropbox, are not currently vulnerable, but it is unclear whether they were vulnerable a few days ago. Yahoo!, Flickr, Tumblr, Google, OkCupid and even the anonymous search engine DuckDuckGo were vulnerable and have now been fixed. Yahoo Inc. said that it has “successfully made appropriate corrections” to the main Yahoo properties, including Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.

The results of a Heartbleed mass-test performed around 8th April are available online; websites shown as vulnerable in that list may have been fixed since.

HOW TO CHECK IF YOUR FAVORITE WEBSITES ARE VULNERABLE

1.) First of all, check on an individual basis whether the sites you use every day are vulnerable to the Heartbleed bug using http://filippo.io/Heartbleed/, and if you’re given a red flag, avoid the site for now.

2.) LastPass also created a web app that tells you what server software and encryption a site uses, and when its SSL certificate was last updated.

3.) Provensec also created a scanner at http://provensec.com/heartbleed/

4.) GlobalSign SSL Configuration Checker.

5.) The easiest way to keep yourself safe is to use a new add-on for the Chrome browser, Chromebleed, created by security researcher Jamie Hoyle, which warns you when you visit a site that is still vulnerable.

HOW TO PROTECT YOURSELF FROM HEARTBLEED
Once a site you use has been patched against the vulnerability, change your password there immediately: if the site was vulnerable before, assume the old password may have been captured. Do not change it before the site is fixed, because a password entered on a still-vulnerable site can be leaked in the same way.

You are advised not to reuse the same password on different websites; use a separate password for each site.

If you are using public Wi-Fi at McDonald’s or any other public place, limit your Internet activity and avoid signing in to especially sensitive websites.

OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; the flaw is fixed in OpenSSL 1.0.1g (and in 1.0.2-beta2 for the 1.0.2 branch). If you haven’t yet, update every system that uses OpenSSL for TLS-encrypted communications, and restart the services that had loaded the old library. Because the bug can expose a server’s private key, a patched server should also generate a new key, reissue its certificate and revoke the old one.

And last but not least, keep an eye on every financial transaction, and use two-factor authentication where it is offered: along with the password, the account then requires a freshly generated passcode that appears only on your personal smartphone before you can get into certain sites.

Source: http://whogothack.blogspot.co.uk/2014/04/how-to-protect-yourself-from-bug.html#.VkfBllUrLIU

Billions of Smartphone Users affected by Heartbleed Vulnerability

Heartbleed has made a terrible impression worldwide, affecting millions of websites, and is also thought to put millions of smartphone and tablet users at risk.

Heartbleed is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library. It resides in OpenSSL’s implementation of the TLS/DTLS heartbeat extension and allows attackers to read portions of an affected server’s memory, potentially revealing data such as usernames, passwords and credit card numbers that the server never intended to reveal.

OpenSSL is a widely used cryptographic library that implements the SSL and TLS protocols and protects communications on the Internet. Almost every website uses either SSL or TLS, and even the Apache web server, which powers almost half of the websites on the Internet, uses OpenSSL.

It would be wrong to assume that only users visiting websites from desktop browsers are exposed to the Heartbleed bug. The 40 to 60 billion active smartphone applications may share some of those same servers, or connect to their own groups of servers, which may also be affected.

Google wrote in an update on its Online Security blog on Wednesday that Android was not vulnerable to the Heartbleed bug, except for one specific version: Android 4.1.1 Jelly Bean, which relies on the vulnerable version of OpenSSL. Google didn’t reveal how many devices are affected, but according to Google’s latest dashboard an estimated 34.4% of Android devices in use today run Android 4.1.x. Last September Google announced that it had activated one billion devices, so the number of vulnerable devices is likely to be in the millions.

So one can imagine how many smartphones and tablets were at risk. Google has released patches for Android 4.1.1, which are being distributed to Android partners.

Apple users can relax knowing that their devices running iOS and OS X are not affected by Heartbleed. “Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key web-based services were not affected,” Apple told Re/code. Instead of OpenSSL, Apple relies on its own SSL/TLS library, Secure Transport, which was hit by its own very serious bug in February that opened the possibility of man-in-the-middle (MitM) attacks, though that bug was not as dangerous as Heartbleed.

Apple users were still not completely exempt, because users of BBM for private messages on iOS might have been vulnerable to this flaw. BlackBerry confirmed that some of its products, including Secure Work Space for iOS and Android, BlackBerry Link for Windows and Mac OS, and BBM for iOS and Android, were vulnerable to the Heartbleed flaw. The number of affected users is not small, as about 80 million people use the BBM service. BlackBerry also stated that BlackBerry smartphones and tablets, BlackBerry Enterprise Server 5, BlackBerry Enterprise Service 10 and the BlackBerry Infrastructure are not affected by the flaw.

Source: http://whogothack.blogspot.co.uk/2014/04/billions-of-smartphone-users-affected.html#.VkZdNlUrLIU

Heartbleed – OpenSSL Zero-day Bug leaves Millions of websites Vulnerable

Anyone running a web server with OpenSSL 1.0.1 through 1.0.1f should update to OpenSSL 1.0.1g immediately, or as soon as possible. This afternoon an extremely critical programming flaw in OpenSSL was disclosed that apparently exposes the cryptographic keys and private data of some of the most important sites and services on the Internet.

The bug was independently discovered by security firm Codenomicon and by a Google Security engineer. The flaw is in the popular OpenSSL cryptographic software library, and it allows criminals to steal information that is normally protected by the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption used to secure the Internet. OpenSSL is an open-source implementation of the SSL and TLS protocols; its core library implements the basic cryptographic functions that enable SSL and TLS encryption. Almost every website uses either SSL or TLS, and even the Apache web server, which powers almost half of the websites on the Internet, uses OpenSSL.

The discoverers dubbed the flaw the ‘Heartbleed bug’, because the exploit rests on a bug in the implementation of OpenSSL’s TLS/DTLS heartbeat extension (RFC 6520). This critical bug, with the ID CVE-2014-0160, allows an attacker to read up to 64kB of memory from a server, or from a connected client, running a vulnerable version of OpenSSL. In practice this means an attacker can steal keys, passwords and other private information remotely.

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication.”

The vulnerability in the heartbeat part of OpenSSL’s TLS implementation has been in the wild since March 2012 and is considered even more dangerous than Apple’s recent SSL bug, which opened the possibility of man-in-the-middle (MitM) attacks. Heartbleed reveals encryption keys that can lead to further compromises, affects past traffic, and may affect as much as 66 percent of websites on the Internet (the combined share of servers running Apache and nginx). 10 of the top 1000 sites were found vulnerable to this flaw, including Yahoo Mail, LastPass and the FBI site. A proof-of-concept exploit for the flaw has been posted on GitHub, and an online test lets you check whether your web server is vulnerable.

“Bugs in single software or library come and go and are fixed by new versions,” the researchers who discovered the vulnerability wrote in a blog post published Monday. “However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously.”

A fix has been released by the OpenSSL project: anyone running OpenSSL 1.0.1 through 1.0.1f should update to OpenSSL 1.0.1g. Users running older versions (the 1.0.0 and 0.9.8 branches) are not affected, because those branches never included the heartbeat code.

Source: http://whogothack.blogspot.co.uk/2014/04/heartbleed-openssl-zero-day-bug-leaves.html#.VkUR5Pmqqko

How Heartbleed Bug Exposes Your Passwords to Hackers

Are you safe from the critical Heartbleed bug? OpenSSL is the encryption library used by millions of websites to encrypt communications and protect sensitive data such as e-mail, passwords and banking information. A tiny but critical flaw called “Heartbleed” in this widely used library opened the door for criminals to extract sensitive data from system memory.

SSL and TLS provide communication security and privacy over the Internet for applications such as websites, email, instant messaging (IM) and some virtual private networks (VPNs). Heartbleed is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library; it resides in OpenSSL’s implementation of the TLS (Transport Layer Security) and DTLS (Datagram TLS) heartbeat extension (RFC 6520).

The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon, while improving the SafeGuard feature of Codenomicon’s Defensics security testing tools, and by Neel Mehta of Google Security, who first reported it to the OpenSSL team.

Software vulnerabilities come and go, but this bug is more serious because it has left a large number of private keys and other secrets exposed to the Internet. The Heartbleed bug can reveal the contents of a server’s memory, where the most sensitive data is held, including usernames, passwords and credit card numbers. A peer sends a heartbeat request that declares a payload length larger than the payload it actually carries; the vulnerable server never checks the declared length against the record it received and echoes back that many bytes from memory. This can allow attackers to retrieve private keys and ultimately decrypt the server’s encrypted traffic, or even impersonate the server.

OpenSSL is the most widely used cryptographic library for the Apache and nginx web servers, and it implements the Transport Layer Security (TLS) extension called Heartbeat, which was added to TLS in 2012. The combined market share of just those two, Apache and nginx, among the active sites on the Internet is over 66% according to Netcraft’s April 2014 Web Server Survey. Moreover, OpenSSL is used to protect email servers (SMTP, POP and IMAP), chat servers (XMPP), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Many large consumer sites were saved by their conservative choice of SSL/TLS termination equipment and software. OpenSSL is also very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates.
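The missing length check described above, as an added example that is not code from the original post or from OpenSSL itself: a simplified C model of a heartbeat handler, with the unpatched behaviour (OpenSSL 1.0.1 through 1.0.1f) and the bounds check that 1.0.1g added side by side. The simulated heap slice, the SECRET string and the 4-byte “ping” request are constructed for the demo; the real handler lives in OpenSSL’s ssl/t1_lib.c, and the 1.0.1g fix compares the declared payload length against the length of the TLS record that actually arrived in the same way as the patched branch here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message, carried inside a TLS record:
 *   type (1 byte: 1 = request, 2 = response)
 *   payload_length (2 bytes, big-endian)
 *   payload (payload_length bytes)
 *   padding (at least 16 bytes)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     256   /* simulated heap slice around the record (demo assumption) */

/* Constructed sample data standing in for another connection's buffer
 * that happens to sit right after the received record in memory. */
static const char SECRET[] = "user=alice&pass=hunter2";

/* Write a heartbeat request at mem[0..] carrying real_len payload bytes
 * but declaring claimed_len. Returns the record's true length. */
size_t build_request(uint8_t *mem, const uint8_t *payload,
                     size_t real_len, uint16_t claimed_len)
{
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, payload, real_len);
    memset(mem + 3 + real_len, 0xAA, HB_PADDING);   /* stands in for random padding */
    return 1 + 2 + real_len + HB_PADDING;
}

/* Server-side handler. patched == 0 mirrors OpenSSL 1.0.1 through 1.0.1f:
 * the declared payload length is trusted. patched == 1 adds the bounds
 * check introduced in 1.0.1g. Returns the response length, 0 if the
 * record was discarded, -1 if the demo output buffer is too small. */
int process_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int patched)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The fix: header + declared payload + minimum padding must fit inside
     * the record that actually arrived, otherwise drop it silently. */
    if (patched && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;

    if ((size_t)3 + payload > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Unpatched: copies 'payload' bytes starting at the record's payload,
     * reading past the real record into whatever follows it in memory. */
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Lay out a record followed by SECRET in a simulated heap slice, send a
 * 4-byte "ping" that declares claimed_len, and return the handler's result. */
int run_scenario(int patched, uint16_t claimed_len, uint8_t *resp, size_t resp_cap)
{
    uint8_t mem[MEM_SIZE];
    const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    if ((size_t)3 + claimed_len > sizeof mem)
        return -1;                                 /* keep the demo itself in bounds */
    memset(mem, 0, sizeof mem);
    size_t rec_len = build_request(mem, ping, sizeof ping, claimed_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);  /* adjacent "other" data */
    return process_heartbeat(mem, rec_len, resp, resp_cap, patched);
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Response length for the scenario (7 = honest echo, 0 = discarded). */
int response_len(int patched, uint16_t claimed_len)
{
    uint8_t resp[MEM_SIZE];
    return run_scenario(patched, claimed_len, resp, sizeof resp);
}

/* 1 if a heartbeat declaring claimed_len makes the handler echo SECRET. */
int leaks_secret(int patched, uint16_t claimed_len)
{
    uint8_t resp[MEM_SIZE];
    int n = run_scenario(patched, claimed_len, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, SECRET);
}

int main(void)
{
    printf("honest request (4),  unpatched: %d bytes back, leak=%d\n",
           response_len(0, 4), leaks_secret(0, 4));
    printf("lying request (64),  unpatched: %d bytes back, leak=%d\n",
           response_len(0, 64), leaks_secret(0, 64));
    printf("lying request (64),  patched:   %d bytes back, leak=%d\n",
           response_len(1, 64), leaks_secret(1, 64));
    return 0;
}
```

The 16-bit length field is why the figure quoted everywhere is 64kB: a single request can declare up to 65535 bytes, and the unpatched server copies that many bytes from wherever the record landed on the heap, with no authentication and nothing logged.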

Security researcher Robert Graham scanned the Internet and found more than 600,000 servers vulnerable to the Heartbleed flaw, including Yahoo.com, imgur.com, flickr.com and hidemyass.com.

Because of the Heartbleed bug, the Canada Revenue Agency was forced to shut down its electronic tax collection service yesterday, and the world’s biggest audio platform, SoundCloud, logged out all of its users while fixing the flaw.

Source: http://whogothack.blogspot.co.uk/2014/04/how-heartbleed-bug-exposes-your.html#.VkPBe_mqqko

German Developer responsible for HeartBleed Bug in OpenSSL

We have already read many articles on Heartbleed, one of the biggest Internet threats, which was recently found by a team of security engineers at Codenomicon while improving the SafeGuard feature of Codenomicon’s Defensics security testing tools. The story has taken media attention across the world, as the bug opened the door for criminals to extract sensitive data from server memory and almost every major site was affected by it.

UNINTENTIONAL BIRTH OF HEARTBLEED

More than two years ago, German programmer Robin Seggelmann introduced a new feature called “Heartbeat” into OpenSSL, the widely used open source encryption library that social networks, search engines, banks and other websites use to secure connections while transmitting data. Introducing the heartbeat feature cost him dearly, because that is where the critical bug resides. Dr. Seggelmann was trying to improve OpenSSL and, while submitting the update enabling the heartbeat feature, an “oversight” led to an error that unintentionally created the “Heartbleed” vulnerability, according to The Guardian.

Heartbleed is the encryption flaw that left a large number of cryptographic keys and private data such as usernames, passwords and credit card numbers, from the most important sites and services on the Internet, open to attackers, forcing some security researchers to warn Internet users against using even their everyday sites for a few days until the problem is fully solved. The developer is responsible for what may be the biggest Internet vulnerability in recent history, but it was a single programming error in the new feature: he didn’t notice the missing validation, and unfortunately the code reviewer missed it as well before it went into the released version.

“I am responsible for the error,” Robin Seggelmann told the Guardian, “because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

Robin Seggelmann submitted the OpenSSL code with the heartbeat feature in an update on New Year’s Eve, 2011, which means the flaw went unnoticed for more than two years.

Dr Seggelmann said it was easy to assume that the bug had been inserted intentionally, especially after the various revelations by Edward Snowden about the surveillance activities of the US National Security Agency (NSA) and other countries’ intelligence agencies. “But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

While denying that he inserted the code intentionally, he said it was entirely possible that government intelligence agencies had been making use of the flaw over the past two years. “It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate,” he told The Sydney Morning Herald.

Source: http://whogothack.blogspot.co.uk/2014/04/german-developer-responsible-for.html#.VkPBfvmqqko

Hacker arrested by Canadian Police for exploiting HeartBleed Bug

A 19-year-old man has been arrested and charged by Canadian police for allegedly exploiting the Heartbleed bug to steal personal data from the Canada Revenue Agency’s website.

Stephen Arthuro Solis-Reyes, who allegedly grabbed 900 social insurance numbers (SINs) over a period of six hours, is the first person apprehended in relation to the bug in OpenSSL.

Solis-Reyes, of London, Ontario, is a student at Western University and was detained by the London Police Service and the Royal Canadian Mounted Police National Division Integrated Technological Crime Unit.

In a statement, Assistant Commissioner Gilles Michaud of the RCMP, said:
The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.

He is scheduled to appear in court in Ottawa on 17 July 2014.

Canada’s tax agency was one of the first major organizations to be impacted by the Heartbleed flaw and subsequently had to remove public access to its online services for four days in order to protect taxpayer information.

It’s unclear what Solis-Reyes’s motivations were. But it’s important to remember that while security researchers and other interested parties may consider testing for Heartbleed or other vulnerabilities to be ethical and useful, the law may not agree.

Such activity may not be regulated in every nation, but some countries certainly do prohibit the testing of security on third-party websites without permission.

Furthermore, it should be obvious that actually exploiting any discovered vulnerabilities in order to gain unauthorized access to networks and data is a bad idea at all times. More so if the organization in question is your national tax office.

If you do have legitimate concerns about a website’s security, the correct course of action would be to notify the owners and engage in responsible disclosure in a manner that doesn’t place other people’s data at jeopardy.

Source: http://whogothack.blogspot.co.uk/2014/04/hacker-arrested-by-canadan-police-for.html#.VjacTfmqqko

VPN is Still Vulnerable to Heartbleed

Researchers earlier this month estimated that Heartbleed affected two-thirds of all web servers. Researchers at Sucuri reported on Friday that just 2 percent of the top 1 million websites on the Internet remain vulnerable and that all of the top 1,000 sites have been patched against the OpenSSL vulnerability. But Mandiant is tracking a worrying new attack vector: VPN user sessions.

Also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker “leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment,” culminating in the hijacking of “multiple active user sessions.” Mandiant said the attacker exploited the OpenSSL vulnerability in the client’s SSL VPN concentrator to take over sessions that were already authenticated.

This is just the latest in an escalating series of attacks leveraging Heartbleed, a flaw in OpenSSL’s heartbeat functionality which, if enabled, lets a remote client or server read up to 64KB of the peer’s memory in plaintext per malformed heartbeat request, without authenticating and without leaving a trace in application logs. Already there have been reports of attackers using Heartbleed to steal user names, session IDs, credentials and other data in plaintext. Late last week came the first reports of researchers piecing together enough leaked memory to successfully reconstruct a server’s private SSL key.

Mandiant said the attacker was able to steal active user session tokens from the concentrator’s memory and replay them, bypassing both the organization’s multifactor authentication and the VPN client software used to validate the authenticity of systems connecting to network resources.

Mandiant recommended that all organizations running remote-access software or appliances found vulnerable to Heartbleed both upgrade with available patches immediately and review their VPN logs to see whether an attack has already occurred.
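One way to do that log review, as an added example that is neither Mandiant’s tooling nor code from the original post: replay VPN session records and flag any session whose source address changes more than once within a few minutes, the back-and-forth pattern that appears when an attacker replays a stolen session token from another address while the real user is still connected. The log format, the 300-second window and the sample lines below are constructed assumptions; adapt the sscanf pattern to your concentrator’s export.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS    64
#define FLAP_WINDOW_SEC 300   /* two address changes this close together = flapping (assumption) */

typedef struct {
    char id[32];
    char last_src[48];
    long last_change;  /* epoch seconds of the previous address change, -1 if none */
    int  changes;      /* number of source-address changes seen */
    int  flapping;     /* set once two changes fall within FLAP_WINDOW_SEC */
} session_t;

/* Constructed sample VPN session log. The format (ISO-8601 UTC timestamp,
 * session id, user, source address) is an assumption for the demo. */
static const char *const SAMPLE_LOG[] = {
    "2014-04-08T14:00:01Z session=7f3a user=alice src=198.51.100.23",
    "2014-04-08T14:00:40Z session=9c10 user=bob src=198.51.100.77",
    "2014-04-08T14:01:05Z session=7f3a user=alice src=203.0.113.5",
    "2014-04-08T14:01:30Z session=7f3a user=alice src=198.51.100.23",
    "2014-04-08T14:02:10Z session=7f3a user=alice src=203.0.113.5",
    "2014-04-08T18:30:00Z session=9c10 user=bob src=198.51.100.90",
    NULL
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), so timestamps compare correctly across month ends. */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* "YYYY-MM-DDTHH:MM:SSZ" -> seconds since the epoch, or -1 on parse failure. */
long parse_ts(const char *ts)
{
    int y, mo, d, h, mi, s;
    if (sscanf(ts, "%d-%d-%dT%d:%d:%dZ", &y, &mo, &d, &h, &mi, &s) != 6)
        return -1;
    return days_from_civil(y, mo, d) * 86400L + h * 3600L + mi * 60L + s;
}

static session_t *find_session(session_t *sessions, int n, const char *id)
{
    for (int i = 0; i < n; i++)
        if (strcmp(sessions[i].id, id) == 0)
            return &sessions[i];
    return NULL;
}

/* Replay the log, tracking the source address of each session. Returns the
 * number of distinct sessions written into sessions[] (at most max). */
int analyze_log(const char *const *lines, session_t *sessions, int max)
{
    int n = 0;
    for (; *lines; lines++) {
        char ts[32], id[32], user[32], src[48];
        if (sscanf(*lines, "%31s session=%31s user=%31s src=%47s",
                   ts, id, user, src) != 4)
            continue;                         /* skip malformed lines */
        long t = parse_ts(ts);
        if (t < 0)
            continue;
        session_t *s = find_session(sessions, n, id);
        if (!s) {
            if (n == max)
                break;
            s = &sessions[n++];
            memset(s, 0, sizeof *s);
            snprintf(s->id, sizeof s->id, "%s", id);
            snprintf(s->last_src, sizeof s->last_src, "%s", src);
            s->last_change = -1;
            continue;
        }
        if (strcmp(s->last_src, src) != 0) {
            /* One change can be legitimate roaming; a second change shortly
             * after the first is the pattern of a replayed session token. */
            if (s->last_change >= 0 && t - s->last_change <= FLAP_WINDOW_SEC)
                s->flapping = 1;
            s->changes++;
            s->last_change = t;
            snprintf(s->last_src, sizeof s->last_src, "%s", src);
        }
    }
    return n;
}

/* Convenience wrappers over the constructed sample log. */
int sample_session_count(void)
{
    session_t s[MAX_SESSIONS];
    return analyze_log(SAMPLE_LOG, s, MAX_SESSIONS);
}

int sample_changes(const char *id)
{
    session_t s[MAX_SESSIONS];
    int n = analyze_log(SAMPLE_LOG, s, MAX_SESSIONS);
    session_t *f = find_session(s, n, id);
    return f ? f->changes : -1;
}

int sample_flapping(const char *id)
{
    session_t s[MAX_SESSIONS];
    int n = analyze_log(SAMPLE_LOG, s, MAX_SESSIONS);
    session_t *f = find_session(s, n, id);
    return f ? f->flapping : -1;
}

int main(void)
{
    session_t sessions[MAX_SESSIONS];
    int n = analyze_log(SAMPLE_LOG, sessions, MAX_SESSIONS);
    for (int i = 0; i < n; i++)
        printf("session %s: %d address change(s)%s\n", sessions[i].id,
               sessions[i].changes,
               sessions[i].flapping ? "  <-- flapping, investigate" : "");
    return 0;
}
```

A single address change can be legitimate roaming (a laptop moving from Wi-Fi to a hotspot), so the flapping flag only fires on the second change within the window; review those sessions first, and pair the VPN log with IDS alerts for oversized heartbeat responses from the same source address to confirm.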

Source: http://whogothack.blogspot.co.uk/2014/04/vpn-is-still-vulnerable-to-heartbleed.html#.VjPpg_mqqko

‘Oversight’ caused the HeartBleed error, says its developer

Robin Seggelmann, a programmer based in Germany, submitted the code in an update at 11:59pm on New Year’s Eve, 2011. It was supposed to enable a function called “Heartbeat” in OpenSSL, the software package used by nearly half of all web servers to enable secure connections. He says the “Heartbleed” vulnerability in the open-source code used by thousands of websites was an “oversight”, but that its discovery validates the methods used.

His update did enable Heartbeat, but an “oversight” led to an error with major ramifications: it accidentally created the “Heartbleed” vulnerability, which has been described as a “catastrophic” flaw that laid the contents of thousands of web servers open to hackers. Seggelmann worked on the OpenSSL project during his PhD studies, from 2008 to 2012, but is no longer involved with the project.

The flaw has also been found in Cisco and Juniper networking gear, which could mean that attackers can capture sensitive data such as passwords passing over the Internet.

He said that the mistake has nothing to do with its festive datestamp. “The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.

“I am responsible for the error,” he continued, “because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

Source: http://whogothack.blogspot.co.uk/2014/04/oversight-causes-error-heartbleed-says.html#.VjKYL_mqqko

Google kept the Heartbleed Bug hidden from Government

Although the Heartbleed bug has arguably been over-rated, thousands of websites were vulnerable to the exploit. It may be the most famous exploit discovered to date, but the researchers who found it did not reveal it to the world at once.

In the days after the bug’s discovery, various companies have been working on patches, as it is a serious bug that should be fixed before sites are exploited. Hundreds of websites, including those of big companies, were vulnerable, and those companies have warned their customers about possible exploitation; Oracle, we have heard, is working on its own Heartbleed fixes.

According to a report published by the Sydney Morning Herald, the NSA was accused of having known about the Heartbleed bug for a long time without disclosing it.

After the Bloomberg article was published last week, NSA spokeswoman Vanee Vines told Time magazine that “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong.”

Google security researcher Neel Mehta discovered the Heartbleed bug on or before March 21, SMH reported, and by that evening the company had created a patch for the vulnerability. According to the report, Google did not notify the US government before the flaw was made public.

“Eliminating the vulnerabilities — ‘patching’ them — strengthens the security of US government, critical infrastructure, and other computer systems,” the group urged President Barack Obama.

The most interesting point is that Google discovered the Heartbleed vulnerability on March 21 and had its own systems patched by that evening.

Source: http://whogothack.blogspot.co.uk/2014/04/google-kept-heartbleed-bug-hidden-from.html#.ViqI-_mqqko
