Heartbleed Bug – Critical Security Vulnerability Alert for OpenSSL
ALERT from http://www.codenomicon.com/: The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
What leaks in practice?
From Codenomicon: We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
How to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
READ THE ENTIRE ALERT FROM CODENOMICON – http://heartbleed.com/
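The alert says the fix "has to be deployed", and in practice two things go wrong at that step: the installed OpenSSL is older than the version the vendor advisory names as fixed, or the package was upgraded but long-running daemons still have the old libssl/libcrypto mapped in memory and were never restarted. The following is an added example written for this page, not code from Codenomicon or the OpenSSL project. It assumes a Linux host (the /proc/<pid>/maps layout, where a library overwritten on disk is shown with a "(deleted)" suffix) and a local `openssl` binary; `FIXED_VERSION` is a placeholder to be filled in from your vendor's advisory, since the alert above gives no version numbers and this example assumes none.

```python
"""Post-deployment checks for an OpenSSL upgrade (added example, not from the alert above).

  1. Is the OpenSSL build on this host at or above the version the vendor advisory calls fixed?
  2. Which processes still map the *old* libssl/libcrypto and therefore need a restart?
Assumes Linux /proc and a local `openssl` binary; FIXED_VERSION is a placeholder.
"""
import glob
import re
import subprocess

# Placeholder: copy the fixed version from your OS vendor's or OpenSSL's advisory.
FIXED_VERSION = "X.Y.Zp"

# Matches both the `openssl version` banner ("OpenSSL 1.2.3d 1 Jan 2014") and a bare "1.2.3d".
# Pre-release tags such as "-beta1" are not modelled; the tuple sorts the letter as a patch level.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.2.3d ...' into (1, 2, 3, 'd'); '' sorts below 'a', so 1.2.3 < 1.2.3a."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_at_least(installed_banner, fixed_version):
    """True when the installed build is the fixed version or newer (plain tuple comparison)."""
    return parse_openssl_version(installed_banner) >= parse_openssl_version(fixed_version)


def installed_openssl_banner():
    """Ask the local openssl binary for its version (runs a real command)."""
    return subprocess.check_output(["openssl", "version"], text=True).strip()


# A mapped file that was replaced on disk appears as "<path> (deleted)" in /proc/<pid>/maps.
_STALE_RE = re.compile(r"(\S*lib(?:ssl|crypto)\S*)\s+\(deleted\)")


def stale_crypto_mappings(maps_text):
    """Return the libssl/libcrypto paths a process still maps after the file was replaced.

    `maps_text` is the contents of one /proc/<pid>/maps file. Constructed sample line:
      7f3a0000 r-xp 00000000 08:01 12345  /usr/lib/libssl.so.1.0.0 (deleted)
    Each library is reported once even though it has several mapped segments.
    """
    found = []
    for line in maps_text.splitlines():
        m = _STALE_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def processes_needing_restart():
    """Scan every /proc/<pid>/maps; returns {pid: [stale libraries]} for processes to restart."""
    result = {}
    for maps_path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(maps_path.split("/")[2])
        try:
            with open(maps_path) as f:
                stale = stale_crypto_mappings(f.read())
        except OSError:  # process exited or we lack permission; skip it
            continue
        if stale:
            result[pid] = stale
    return result


if __name__ == "__main__":
    try:
        banner = installed_openssl_banner()
        print("installed:", banner)
        if FIXED_VERSION.startswith("X"):
            print("set FIXED_VERSION from your vendor advisory before comparing")
        else:
            print("at or above fixed version:", is_at_least(banner, FIXED_VERSION))
    except FileNotFoundError:
        print("no openssl binary on PATH; skipping version check")
    for pid, libs in sorted(processes_needing_restart().items()):
        print("pid %d still maps old %s; restart it" % (pid, ", ".join(libs)))
```

Run it as root after the package upgrade: a process listed in the second part of the output is still executing the pre-fix library code regardless of what `openssl version` reports, which is why the version check alone is not enough.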
The problem, disclosed Monday night, is in open-source software called OpenSSL that’s widely used to encrypt Web communications. Heartbleed can reveal the contents of a server’s memory, where the most sensitive data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server’s digital keys and then use those to impersonate servers or to decrypt communications from the past or potentially the future, too.
Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who’s used them to change passwords too, because they could have been intercepted. That’s a big problem as more and more of people’s lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them….
….The vulnerability is officially called CVE-2014-0160 but is known informally as Heartbleed, a more glamorous name supplied by security firm Codenomicon, which along with Google researcher Neel Mehta discovered the problem.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content,” Codenomicon said. “This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users.”
To test the vulnerability, Codenomicon used Heartbleed on its own servers. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication,” the company said.
What to do?
“There is an important reason why you might not want to rush out and change all your passwords on all your services right this minute, and it’s a sort-of Catch-22.
If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed.
And it’s fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up.
We suggest you wait until you know that a site is not vulnerable, for example because it makes a clear statement to that effect, or use a public testing service that connects to a website to estimate whether it’s safe or not first.
→ Note that remotely testing a website for “heartbleed” (or testing an email server, or any application that accepts TLS or HTTPS connections) can’t give a complete answer. The servers operated by a company that uses Microsoft IIS, for example, won’t be vulnerable. But if the company also outsources the operation of mirror servers to a third party, those mirrors might be affected. So you could be at risk some of the time, but not all of it, depending on which server is chosen each time you visit.
In short: by all means get ready to change all your passwords.
But avoid changing them until you have a good reason to think that the services protected by those passwords do not have the heartbleed vulnerability.
Also, consider adopting Two Factor Authentication (2FA) wherever you can.”