Heartbleed bug found in OpenSSL software prompts tech companies to urge passwords reset
Several technology companies are urging people to change all of their passwords after the discovery of a major security flaw.
Computer security specialists say a bug dubbed Heartbleed has been discovered in online data-scrambling software and hackers can use it to their advantage.
The Yahoo blogging platform, Tumblr, has advised the public to "change passwords everywhere - especially on high-security services like email, file storage and banking".
Cyber-defence specialists at Fox-IT say the bug found in OpenSSL encryption software lets attackers illicitly retrieve passwords and other information from working memory on computer servers.
OpenSSL is used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
"There is no limit on the number of attacks that can be performed," Fox-IT said in a blog post that listed steps business IT handlers can take to thwart incursions.
Information considered at risk includes source codes, credit card numbers, passwords and "keys" that could be used to impersonate websites or unlock encrypted data.
"These are the crown jewels, the encryption keys themselves," said a heartbleed.com website devoted to details of the vulnerability.
"Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."
Josh Taylor from ZDNet Australia says changing passwords will not make any difference unless the server or companies who have been exploited have fixed the problem.
"A lot of the big companies have now patched the exploit, but others haven't. So changing your password is pointless if the hole is still there," he said.
"The problem is that lots of these companies don't know they have been exploited. It's best just to assume that you have been.
"This bug has been sitting on a whole bunch of servers for many years and has only now been discovered."
Websites take action
Security researchers have reported being able to dig out Yahoo password information by taking advantage of the bug.
Yahoo has released a statement saying it has fixed the problem at its main online properties.
Facebook also says it has taken steps to mitigate any impact to users.
Some experts have called on internet firms to revoke the certificates and keys used to encrypt internet traffic with web browsers including Firefox, Internet Explorer and Google Chrome.
"There is nothing users can do to fix their computers," Mikko Hypponen, chief research officer with security software maker F-Secure of Helsinki, said.
"They have to rely on the administrators of the websites they use."
Fox-IT estimates the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.
OpenSSL is used by more than half of all websites, but not all versions have the vulnerability, according to heartbleed.com.
The US Department of Homeland Security has advised businesses to review servers to see if they are using vulnerable versions of OpenSSL.
alleyrose- Super Moderator