Heart bleed bug
What is heart bleed attack?
Heartbleed is a flaw in Open SSL, the open-source encryption standard used by majority of sites on the web that need to transmit data users want to keep secure. It basically gives you a "secure line" for data transfer. Encryption works by making it so that data being sent looks like nonsense to third parties.
Occasionally,
one computer might want to check that there's still a computer at the
end of its secure connection, so it will send out what's known as a
"heartbeat" a small packet of data that asks for a response.
Due
to a programming error in the implementation of Open SSL, the
researchers found that it was possible to send a well-disguised packet
of data that looked like one of these heartbeats to trick the computer
at the other end of a connection into sending over data stored in its
memory.
How was it detected?
The flaw was first reported to the team behind Open SSL by Google Security researcher Neel Mehta, and independently found by security firm Codenomicon.
According to the researchers who discovered the flaw, the code has been in Open SSL for approximately two years, and utilizing it doesn't leave a trace.
How is it harmful?
With encryption keys, hackers can intercept encrypted data moving to and from a site's servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.
Web servers can keep a lot of information in their active memory,
including user names, passwords, and even the content that user have
uploaded to a service. According to Vox.com's Timothy Lee, even credit card numbers could be pulled out of the data in memory on the servers that power some services.
But
worse even than that, the flaw has made it possible for hackers to
steal encryption keys, the codes used to turn gibberish encrypted data
into readable information.
With encryption keys, hackers can intercept encrypted data moving to and from a site's servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.
What should I do now to protect myself?
You should change passwords immediately, especially for services where privacy or security are major concerns. Log out of all websites.
Which website passwords I have to change?
Which websites I don't need to worry about?
What steps are taken to fix it?
Undoing the damage that has potentially already been done won't be easy. Websites are patching the hole, but the job won't be complete until all websites purge all the old keys they've been using to encrypt data.
That means hackers and and potential government spies who were secretly aware of this flaw would have got access to special keys they can use repeatedly until a website revokes them. And there's where it gets complicated.
Thus web service providers are working over securing the channel and rectifying flaws occurred earlier.
So, yet another security issue has been found to show the threat of growing internet services over security of users. " How much ever secure a system is developed, a system to break that security is developed ... "
No comments:
Post a Comment