Saturday, April 12, 2014

WHAT IS HEARTBLEED BUG AND HOW CAN YOU PROTECT YOURSELF?








The Heartbleed Bug is a serious
vulnerability in the popular OpenSSL cryptographic software library. This
weakness allows stealing the information protected, under normal conditions, by
the SSL/TLS (Secure Socket Layer/transport layer
security) encryption used to secure the
Internet. SSL/TLS provides communication security and privacy over the Internet
for applications such as web, email, instant messaging (IM) and some virtual
private networks (VPNs).


The Heartbleed bug allows anyone on the Internet to read the
memory of the systems protected by the vulnerable versions of the OpenSSL
software. This compromises the secret keys used to identify the service
providers and to encrypt the traffic, the names and passwords of the users and
the actual content. This allows attackers to eavesdrop on communications, steal
data directly from the services and users and to impersonate services and
users. 


What leaks in practice?


“We have tested some of our own services from attacker's
perspective. We attacked ourselves from outside, without leaving a trace.
Without using any privileged information or credentials we were able to steal
from ourselves the secret keys used for our X.509 certificates, user names and
passwords, instant messages, emails and business critical documents and
communication.” – Codenomicon


What can
you do?


Though users don’t have much power over the Heart Bleed
virus — website administrators and creators have to update their OpenSSL
software — there are ways to defend important passwords on Gmail, Facebook,
Yahoo! and other sites


However, if a major website is still vulnerable to the Heart
Bleed bug, changing a password won’t matter; the website would have to update
their software first. To defend against this, an
online tool called the Heartbleed test was created to
test if a website has been compromised by the virus. Simply type the web
address of the website into the box, and it will let you know whether it is
safe. Sites like Facebook, Gmail, Amazon, Yahoo!, Twitter and others have
already updated their software.


The flaw was discovered by security firm Codenomicon and Neel Mehta, a Google
security researcher. They said that even if you don’t frequently use the
internet, you are most likely affected by the bug.




at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How to configure a custom URL to access Azure WebApp

By default, all users access Azure web applications via their HTML5 compactible browser using Microsoft URL which is the same for all custom...