The Heartbleed bug is affecting routers, too
By Sean Buckley From engadget
Read our Heartbleed defense primer? Good, but the fight for your privacy isn’t over just yet: you might have to replace your router, too.
Cisco Systems and Juniper Networks have announced that the Heartbleed bug — a flaw in OpenSSL that lets attackers bypass common security protocols — has been found in their networking products.
This news isn’t too surprising, as any device using OpenSSL is potentially vulnerable, but checking these devices for the flaw is a laborious process. Naturally, devices that don’t use the affected versions of OpenSSL (like Linksys routers) are unaffected. Both firms are investigating their product libraries to compile lists of affected devices.
You can find those lists on the story link. If one of your devices is listed, sit tight and watch for updates; both companies say they’re working on patches.
For more on this story go to:
http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/?ncid=rss_truncated
Related story:
The programmer behind Heartbleed speaks out: It was an accident
By Pete Pachal From Mashable
The Internet bug known as Heartbleed was introduced to the world on New Year’s Eve in December 2011. Now, one of the people involved is sharing his side of the story.
Programmer Robin Seggelmann says he wrote the code for the part of OpenSSL that led to Heartbleed. But it was an accident. He submitted the code to the OpenSSL project and other members reviewed it. Seggelmann later added another piece of code for a new feature, which the members then added. It was this added feature that introduced the bug.
Seggelmann told the Sydney Morning Herald that the actual error was “trivial,” but that its impact was clearly severe. Since he and the reviewers missed the flaw, it eventually made its way to the official release, which went live on Dec. 31, 2011, according to logs.
Heartbleed is a vulnerability in the encryption that many sites use to ensure that your communications can’t be intercepted. Theoretically, up to two-thirds of the Internet traffic was exposed for more than two years. Engineers at security firm Codenomicon discovered the flaw last week, and it was publicly announced on April 7.
As the name suggests, OpenSSL is open-source, which makes it attractive to many services, big and small, as an easily implemented security tool. Although anyone can contribute to OpenSSL — either by contributing code or reviewing it to spot vulnerabilities like Heartbleed — few actually do. Although anyone can contribute to OpenSSL — either by contributing code or reviewing it to spot vulnerabilities like Heartbleed — few actually do.
“It would be better if more people helped improving it,” Seggelmann told Mashable via email. “It doesn’t really matter if companies benefitting from it provided some support, or if people do it in their spare time. However, if everybody just keeps using it and thinks somebody else will eventually take care of it, it won’t work. The more people look at it, the less likely errors like this occur.”
While standards exist for reviewing code, they are difficult to enforce for open-source software. To improve the process, Seggelman suggests having more peer review, although that would require more people contributing time.
“If more people participated in improving OpenSSL, it could be required to have multiple independent reviews for each submission or people could specialize in reviewing specific parts of the software,” he said.
For now, most sites affected have patched the bug. But the emergence of Heartbleed puts a spotlight on where certain responsibilities lie with open-source software. As tools like OpenSSL become widespread, it can lead to a disparity between the number of services that use them and the number that actually contribute. As Heartbleed confirms, nothing is truly free.
For more on this story go to:
Related story:
Apple Says iPhones, iPads, Macs and iCloud are not affected by the Heartbleed Bug
By Julie Bort From Business Insider
You do not have to worry about the scary Heartbleed security flaw when using Apple’s cloud, iCloud.
Apple has confirmed that all of its devices and web services are safe from the bug and that its devices never used the problematic software at all, a spokesperson told Re/Code’s Mike Isaac:
“Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected.”
It was unlikely that Apple’s devices, iOS and Mac, would be affected by the bug in the first place. The problem mostly affects security software used by many websites, known as OpenSSL, as opposed to the operating system software used by a Mac or iOS.
UPDATED: However, Google has admitted that one popular version of Android is affected. Android 4.1.1, known as Jelly Bean. It says it is working with phone makers now to patch devices using Jelly Bean.
The safely of iCloud.com has also been verified by others. This page on Github is the best public list of sites that have been tested and iCloud.com was found to be ok.
The Github page also lists dozens of other websites that were impacted. If you use any of them, you should …
1. Check and see if the site has been fixed either by installing the Chromebleed add-on for the Chrome browser, or by visiting the Heartbleed test website and typing in the URL.
2. If the site is fixed, change your password.
3. If the site isn’t fixed yet, avoid making any financial transactions with it, like sending your credit card number.
For more on this story go to: http://www.businessinsider.com/icloud-mac-ios-not-hurt-by-heartbleed-2014-4#ixzz2ygVCdiKb
Related story:
Cloudflare Challenge proves ‘worst case scenario’ for Heartbleed is actually possible
By Richard Lawler From engadget
Many already thought that the “Heartbleed” security flaw in OpenSSL could be used to steal SSL keys from a server, but now there’s proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he’d done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge.
Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, but wait until affected services announce they’ve not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones.
Image credit: snoopsmaus/Flickr
For more on this story go to: http://www.engadget.com/2014/04/11/heartbleed-openssl-cloudflare-challenge/?ncid=rss_truncated
NSA denies report it exploited Heartbleed for years
By Brett Molina, USA TODAY
The Heartbleed security flaw that exposes a vulnerability in encryption has reportedly extended its reach well beyond Web services.
According to Bloomberg, citing “two people familiar with the matter,” the National Security Agency knew about Heartbleed for at least two years and used the hole in encryption technology to gather intelligence.
However, the agency strongly denied the substance of Bloomberg’s report.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” the agency said in a statement. “Reports that say otherwise are wrong.”
This follows a separate Bloomberg report the security flaw impacts Android smartphones and tablets that run the 4.1.1 version of the Google operating system.
In a statement on Google’s online security blog, the company says patching information has been submitted to partners.
Meanwhile, The Wall Street Journal reports some network products created by Cisco and Juniper contain the flaw. The vulnerability affects products such as routers and firewalls.
In an update published Thursday, Cisco says multiple products incorporate OpenSSL, a variation of the Secure Sockets Layer (SSL) protocol used to encrypt sensitive data.
A spokesperson for Juniper tells the Journal updating equipment to patch up the security hole could take some time.
Heartbleed is a flaw that would allow anyone to read the memory of servers running OpenSSL, which leaves information such as usernames, passwords and credit card data exposed.
“This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” says Codenomicon, a security firm that helped uncover Heartbleed and established a website to inform others.
Web services have scrambled since the revelation of Heartbleed to fix the bug. Several companies including Facebook, Google and Yahoo have confirmed they are clear. Most recently, Apple confirmed to Re/code its services like iOS and Mac OS X were not impacted.
The Department of Homeland Security has joined the chorus of impacted services urging consumers to change their passwords on updated sites. In a statement, the agency notes no attacks or incidents tied to Heartbleed have been confirmed.
“We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary,” says the department in a statement.
Tech site Mashable has compiled a list of sites and services to determine whether passwords should be updated immediately at: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
For more on this story go to: http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/
See also iNews Cayman story published April 10 2014 “Here’s how to protect yourself from the massive security flaw that’s taken over the Internet” at: http://www.ieyenews.com/wordpress/heres-how-to-protect-yourself-from-the-massive-security-flaw-thats-taken-over-the-internet/
EDITOR: iNews Cayman was informed by our webhost Rackspace Cloud that we had been vulnerable to the HJeartbleed bug attack and we have taken appropriate action to patch the hole in the security flaw.
