Heartbleed
According to ZDNet, German programmer Dr. Robin Seggelmann added a new "feature" and forgot to validate a variable containing a length. The code reviewer, Dr. Stephen Henson, "apparently also didn't notice the missing validation," said Seggelmann, "so the error made its way from the development branch into the released version." Then, for about two years, the defective code was used, at one time or another, by almost every Internet user in the world.
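The missing length validation described above is the whole bug: the handler trusts a length field supplied by the peer and copies that many bytes without checking it against the amount of data actually received. The following is an added, simplified model written for this page; it is not OpenSSL's code. The record layout (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding), the `hb_*` names, the arena size and the "secret" string are all constructed assumptions. The unchecked handler shows the defective pattern, the checked handler shows the fix: reject any record whose claimed payload length does not fit inside the record that arrived.

```c
/* Added example, not OpenSSL's code. Simplified heartbeat record model:
 * type (1) | payload_length (2, big-endian) | payload | 16 bytes padding.
 * All names, sizes and sample data here are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR     3       /* type + 2-byte length */
#define HB_PADDING 16      /* minimum trailing padding */
#define HB_MAX_OUT 65536   /* 64k: the most a 16-bit length can ask for */

/* Simulated process memory (constructed): the received record sits at the
 * start, followed by unrelated data that a correct handler must never echo. */
static uint8_t g_arena[256];
static const char *SECRET = "session-cookie=EXAMPLE_SECRET";

/* Build a record in the arena with a CLAIMED payload length (what the peer
 * wrote in the header) and the payload actually sent, then put the secret
 * right after the record. Returns the true length of the received record. */
size_t hb_build_record(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(g_arena, 0, sizeof g_arena);
    g_arena[0] = 1;                               /* heartbeat_request */
    g_arena[1] = (uint8_t)(claimed_len >> 8);
    g_arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(g_arena + HB_HDR, payload, plen);
    size_t rec_len = HB_HDR + plen + HB_PADDING;
    memcpy(g_arena + rec_len, SECRET, strlen(SECRET));
    return rec_len;
}

/* Defective pattern: the copy length comes from the peer-controlled header and
 * is never compared with the length of the record that was actually received.
 * Returns bytes written to out, or -1. */
int hb_respond_unchecked(uint8_t *out, size_t out_cap) {
    size_t claimed = ((size_t)g_arena[1] << 8) | g_arena[2];
    if (HB_HDR + claimed + HB_PADDING > out_cap) return -1; /* only out is sized */
    if (HB_HDR + claimed > sizeof g_arena) return -1; /* demo guard: keep the read inside the arena */
    out[0] = 2;                                   /* heartbeat_response */
    out[1] = g_arena[1];
    out[2] = g_arena[2];
    memcpy(out + HB_HDR, g_arena + HB_HDR, claimed); /* reads past the record */
    return (int)(HB_HDR + claimed);
}

/* Hardened handler: validate the claimed length against rec_len, the number
 * of bytes really received, before copying anything. Returns bytes written
 * to out, or -1 if the record is rejected. */
int hb_respond_checked(size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return -1; /* cannot even hold header + padding */
    size_t claimed = ((size_t)g_arena[1] << 8) | g_arena[2];
    if (HB_HDR + claimed + HB_PADDING > rec_len) return -1; /* the missing check */
    if (HB_HDR + claimed > out_cap) return -1;
    out[0] = 2;
    out[1] = g_arena[1];
    out[2] = g_arena[2];
    memcpy(out + HB_HDR, g_arena + HB_HDR, claimed); /* now provably inside the record */
    return (int)(HB_HDR + claimed);
}

/* Detection helper for the demo: does the response echo the secret? */
int hb_response_leaks_secret(const uint8_t *out, int n) {
    if (n <= 0) return 0;
    size_t slen = strlen(SECRET);
    for (size_t i = HB_HDR; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    static uint8_t out[HB_MAX_OUT];
    /* A malformed request: 5-byte payload, but the header claims 100 bytes. */
    size_t rec_len = hb_build_record(100, "hello");
    int n = hb_respond_unchecked(out, sizeof out);
    printf("unchecked: %d bytes, leaks secret: %d\n", n, hb_response_leaks_secret(out, n));
    n = hb_respond_checked(rec_len, out, sizeof out);
    printf("checked:   %d (negative means rejected)\n", n);
    /* A well-formed request is still answered by the hardened handler. */
    rec_len = hb_build_record(5, "hello");
    n = hb_respond_checked(rec_len, out, sizeof out);
    printf("checked, valid record: %d bytes\n", n);
    return 0;
}
```

The point to take away is that the input's own length field is untrusted data; the only trustworthy bound is how many bytes the transport actually delivered, and every copy must be checked against that.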
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
On 8th April, the day Microsoft ended support for Windows XP, a major vulnerability was found in the open-source OpenSSL library. Thousands of websites using OpenSSL, including Facebook, Google and Yahoo, are affected because of a simple OpenSSL programming mistake. The blunder let attackers pull down 64k chunks of "secure" server memory. Of course, an attacker would then have to sift through this captured memory for social security numbers, credit-card numbers and names, but that's trivial.
Half a million sites are vulnerable. Test websites' vulnerability here.
The bug has been patched. After you patch your systems, you have to generate a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.
CloudFlare announced a challenge to steal the private keys from a server using the Heartbleed bug, and after several hours hackers extracted them. The controversial part is that the server was rebooted during the challenge. The two winners were Fedor Indutny and Ilkka Mattila. Indutny, who succeeded first, made 2.5 million Heartbleed requests over the course of the day, and Mattila made 100,000. CloudFlare rebooted the server at one point during the test, which they say may have contributed to the successful attempt.
To be on the safer side, if you have an account on a website using OpenSSL, change your password, and if a website asks you to change your password, do it!
Check for more info about the challenge
If you have an account on Yahoo, change your password NOW!! Even though Google says it has patched the vulnerability, you can't take the risk, so it's better to change your Google account password; the same applies to Facebook.
Snapshot :-
nice post, thanks for sharing....