The Heartbleed bug is a serious vulnerability in the
popular OpenSSL cryptographic software library. This weakness allows stealing
the information protected. It allows anyone on the internet to read the memory
of the systems protected by the vulnerable versions of the OpenSSL software. [heartbleed]
This compromises the secret keys used to identify the
service providers and to encrypt the traffic, the names and passwords of the
users and the actual content. This allows attackers to eavesdrop on
communications, steal data directly from the services and the users and to
impersonate services and users. [heartbleed]
It is a software flaw in OpenSSL, which is an open
source implementation of the Secure Socket Layer / Transport Layer Security (SSL
/ TLS) encryption protocol. It was found in early April 2014, and it affects
major websites, such as Dropbox, Yahoo, Google and other sites that could store
private data like banking details, credit accounts, email addresses and so on. [dummies]
Neel Mehta of Google’s security team reported Heartbleed
on April 1, 2014. [wikipedia]
The Heartbleed bug is not a virus. It allows attackers to send
a heartbeat request to a vulnerable server. It is classified as a buffer
over-read, a situation where software allows more data to be read than should
be allowed. [wikipedia]
A buffer over-read occurs when a computer program, while reading
data from a buffer, overruns the buffer’s boundary and reads adjacent memory.
This is a special case of violation of memory safety. [wikipedia]
Buffer over-reads can happen in the
programming languages C and C++, because they do not provide built-in
protection against accessing data in any part of virtual memory. Bounds
checking prevents them. [wikipedia]
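The over-read and the bounds check described above, as an added example in C that is not part of the original post and is not OpenSSL's code. It is a simplified heartbeat handler: the names `echo_unchecked`, `echo_checked` and `extra_bytes`, the 3-byte record layout and the sample bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3 /* simplified record: 1 type byte + 2-byte big-endian payload length */

/* Unchecked: echoes as many bytes as the request claims to carry. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                      /* flaw: the received size is never consulted */
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Bounds-checked: drops any request whose claimed length exceeds what arrived. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER || claimed > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Constructed sample: a 7-byte request ("ping" claiming 20 bytes) followed in the
   same array by unrelated data, standing in for adjacent process memory. */
static const uint8_t memory[] = {
    0x01, 0x00, 0x14, 'p', 'i', 'n', 'g',
    'S','E','C','R','E','T','-','K','E','Y','-','1','2','3','4','5'
};
#define REQ_LEN 7

/* Bytes returned beyond the 4 payload bytes that were actually sent. */
size_t extra_bytes(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t out[64];
    size_t n = handler(memory, REQ_LEN, out, sizeof out);
    return n > 4 ? n - 4 : 0;
}

int main(void)
{
    printf("unchecked: %zu extra bytes\n", extra_bytes(echo_unchecked));
    printf("checked:   %zu extra bytes\n", extra_bytes(echo_checked));
    return 0;
}
```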
Heartbleed affects much more than web servers:
basically any website that requires you to log in with a username and password
is potentially vulnerable. These websites typically have an address that
begins with HTTPS – the ‘S’ stands for ‘Secure’. [dummies]
Android Jelly Bean [4.1.1] is vulnerable to the Heartbleed
bug. This means sensitive data on Android smartphones and tablets may be at
risk. Google is releasing a fix, but not all devices are compatible with the
fix. [dummies]
What do we need to do to protect ourselves?
- stay informed
- update your mobile devices
- change your passwords after the fix is installed
- watch for suspicious activity
- look out for scams and copycats
Now is a good time to start using a password manager,
especially if you’re going to change some user logins. A password manager makes
it easy to generate randomized passwords using a combination of letters,
numbers, and special characters. It also relieves you of having to memorize
every one of those overly complex codes. There are many options out there for
password managers, but some of our favorites include LastPass, Dashlane, and
KeePass. [pcworld]