
A widespread “catastrophic” software flaw that could expose website user details to hackers has been discovered.

The flaw, dubbed “Heartbleed”, could reveal anything which is currently being processed by a web server – including usernames, passwords and cryptographic keys being used inside the site. Those at risk include Deutsche Bank, Yahoo and its subsidiary sites Flickr and Tumblr, photo-sharing site Imgur, and the FBI.

About half a million sites worldwide are reckoned to be insecure. “Catastrophic is the right word,” commented Bruce Schneier, an independent security expert. “On the scale of 1 to 10, this is an 11.”

But suggestions by Yahoo and the BBC that people should change their passwords at once – the typical reaction to a security breach – could make the problem worse if the web server hasn’t been updated to fix the flaw, says Mark Schloesser, a security researcher with Rapid7, based in Atlanta, Georgia.

Doing so “could even increase the chance of somebody getting the new password through the vulnerability,” Schloesser said, because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker.

The bug exists in a piece of open source software called OpenSSL, which is meant to encrypt communications between a user’s computer and a web server. But security researchers have no way to prove whether or not the flaw, which has existed since at least March 2012, has been exploited.

The bug’s age, and its presence in software which anyone can update, has led to speculation that it could have been inserted and then exploited by government spy agencies such as the US’s National Security Agency, which is known to have programs aiming to collect user data. “My guess is accident, but I have no proof,” Schneier commented.

Tumblr, which is affected, issued a warning to its users on Tuesday night. Although the firm said it had “no evidence of any breach”, and has now fixed the issue on its servers, it recommends users take action.

Users can check whether a specific site remains vulnerable to Heartbleed with a tool put together by developer Filippo Valsorda.

The Heartbleed vulnerability is only found in a few recent releases of OpenSSL, a software library that lets web servers initiate secure conversations.

In affected versions, it lets attackers potentially read content out from the active memory of a web server.
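To make that memory disclosure concrete, here is an added, self-contained C model of the bug class (written for this page, not OpenSSL's own code and not part of the Guardian article): OpenSSL's TLS heartbeat handling trusted a length field in the incoming record, and the vulnerable handler below copies that many bytes without checking them against what was actually received, while the fixed handler applies the bounds check the patch introduced. The record layout, the in-process `memory` buffer and the secret placed next to it are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory": the heartbeat record sits at the front, an
 * unrelated secret (think: a session cookie) sits in the bytes behind it. */
static unsigned char memory[96];
static const char secret[] = "session-cookie=ABC123";

/* Record layout: 1-byte type, 2-byte claimed payload length, payload, 16
 * bytes of padding. Returns the record's true length as received. */
static size_t build_record(uint16_t claimed_len, const char *payload, size_t real_len) {
    size_t rec_len = 1 + 2 + real_len + 16;
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                   /* heartbeat request */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, real_len);
    memcpy(memory + rec_len, secret, sizeof secret); /* neighbouring data */
    return rec_len;
}

/* Vulnerable: the claimed length is trusted, so a claim larger than the
 * record copies neighbouring memory into the response. */
static size_t handle_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                   /* never checked: the bug */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Fixed: drop any record whose claimed length does not fit in the bytes
 * actually received (the bounds check the OpenSSL patch added). */
static size_t handle_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + 16 > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* 1 if the handler's response contains the secret, 0 otherwise. */
static int leaks_secret(size_t (*handler)(const unsigned char *, size_t, unsigned char *)) {
    unsigned char out[96] = {0};
    size_t n = handler(memory, build_record(60, "ping", 4), out); /* claims 60, sends 4 */
    for (size_t i = 0; i + strlen(secret) <= n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0) return 1;
    return 0;
}

int main(void) { printf("vulnerable:%d fixed:%d\n", leaks_secret(handle_vulnerable), leaks_secret(handle_fixed)); return 0; }
```

The same missing check is why updating OpenSSL alone is not enough: anything already read out of memory, including private keys, stays compromised, which is the reason the remediation below also calls for new keys and certificates.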

“Risk to users exists until organisations have updated OpenSSL, acquired a new certificate, generated and deployed new SSL keys, and revoked old keys and certs,” says Trey Ford, global security strategist at Rapid7. “Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website.”

Yahoo was one of the sites worst affected by Heartbleed, but the firm has now fixed its main properties, including subsidiaries Flickr and Tumblr, and says it is “working to implement the fix across the rest of our sites”.

“We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data,” a Yahoo spokesperson added.

In summary: if an affected website has already applied the fix, change your password there; if it has not, wait until it does.

-Culled from the Guardian
