Heartbleed bug a critical internet illness

2014-04-11 18:22
(Duncan Alfreds, News24)


San Francisco - The "Heartbleed" flaw in internet security is as critical as the name implies and more widespread than first believed.

Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website operators and bank officials to internet surfers and workers who telecommute being told their data could be in danger.

"Heartbleed is a catastrophic bug in OpenSSL," well-known computer security specialist Bruce Schneier said.

OpenSSL is a commonly used software platform for encrypted transactions at "https" websites that internet users have been taught to trust.

The Heartbleed flaw lets hackers snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.

"This is going to be a pretty devastating bug," Trustwave security research manager John Miller told AFP.

"Even after the majority of it is fixed on the internet, there will be internal services vulnerable."

Threat widens

The Heartbleed flaw can be found in virtual private network (VPN) software commonly used by workers on the go to securely link with company computer networks.

Computer networking titans Cisco and Juniper put out advisories on Thursday that some of their data-handling gear is susceptible to the bug.

"An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server," California-based Cisco said in an advisory note.

"The disclosed portions of memory could contain sensitive information."

Canada's tax agency shuttered its website on Wednesday after warning that encrypted taxpayer data could be vulnerable.

OpenSSL is commonly used to protect passwords, credit card numbers and other data sent via the internet.

Webmasters have been scrambling to update to safe versions of OpenSSL. The vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

The Tor Project, devoted to letting people use the internet anonymously, advised those in need of privacy to stay offline until the Heartbleed threat is ameliorated.

Crown jewels at risk

Information considered at risk includes source code, passwords, and "keys" that could be used to impersonate websites or unlock encrypted data.

"These are the crown jewels, the encryption keys themselves," said a website devoted to details of the vulnerability.

"Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."

The flaw in OpenSSL allows a hacker to read the memory of a machine running the software, but no more than 64 kilobytes of data at a time, according to security specialists.

However, hackers could repeatedly grab packets of memory to ramp up the odds of stealing valuable data.

"We don't know how actively Heartbleed was exploited before publication of the vulnerability," Trustwave's Miller told AFP.

"Since Monday, when they published, it has been used a lot. People have been executing the attack all over the internet."

OpenSSL is used by more than half of websites, but not all versions have the vulnerability, according to heartbleed.com.

The group behind open-source OpenSSL is urging users to upgrade to an improved version of the software and gave credit for finding the bug to Neel Mehta of Google Security.

Major websites and services were given advance word of the Heartbleed flaw to allow time for patches to be put in place before the flaw was made public.

Miller and other security specialists said Heartbleed appeared to be the result of a mistake in writing the OpenSSL code.

Software patches and updates were being rushed out, but it was expected to take time for websites, businesses, router makers and others on the growing list of those at risk to replace software keys used to prevent impersonation or safeguard encrypted data.

Websites need to change credentials used to verify authenticity in order to prevent hackers who may have looted the data from impersonating legitimate online venues and tricking visitors into entering valuable personal information.

Internet users were advised to change passwords to online accounts or services, but only after checking to make sure the Heartbleed flaw has been fixed and new certificates of online identity installed.

While Heartbleed has shaken trust in the internet, it may well wind up providing insight into which websites or services deserve to be trusted.

"I don't think it's a matter of losing faith," Miller said.

"It is really going to be an individual measure of how organizations respond; and we can start to judge their security postures."
