The big story in security news right now is Heartbleed — a serious bug in the software responsible for encrypting traffic on the Internet, called OpenSSL.
OpenSSL is open source software used by websites, including Google, Gmail, Facebook, Yahoo and many thousands more, to encrypt all of our data. But the Heartbleed bug, just recently discovered by two researchers, left the door wide open to data attacks on vulnerable web servers.
We also found out that the Heartbleed bug is in a version of the OpenSSL software that’s two years old — so this vulnerability could have been attacked for a very long time by someone with the resources to exploit it.
The internet has been plastered with news about the OpenSSL heartbeat or “Heartbleed” vulnerability (CVE-2014-0160), which some have said could affect up to two-thirds of the internet. Everything from servers to routers to smartphones could be tricked into giving up encrypted data in plain text.
Sophos security experts helped us to understand Heartbleed and what it means, how to protect yourself, and why we should all be thankful for open source software, even if it’s not perfect.
Note to Sophos Customers: To get the most current information on how this bug affects our products, please see the knowledgebase article in the Support section of our website.
Internet skips a Heartbeat
Chester Wisniewski, Sophos senior security advisor, let us in on what Heartbleed is and why it’s so important for security on the Internet.
Chet explained that OpenSSL sends a small packet of data back and forth between web servers to make sure the connection is still working, what’s called a TLS Heartbeat.
Only now it turns out that servers could be tricked into sending system-stored data in response to a Heartbeat ping — data which could include passwords and encryption keys.
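The heartbeat mechanism described above is simple: a peer sends a message carrying a type byte, a two-byte payload length, the payload itself and at least 16 bytes of padding (RFC 6520), and the other side echoes the payload back. The bug was that OpenSSL trusted the length field in the incoming message instead of checking it against how many bytes had actually arrived, so it copied whatever sat in memory after the short request into the reply. The following is an added illustration, not OpenSSL's code or anything from the Sophos articles: a minimal heartbeat responder in C that performs the bounds check the vulnerable versions lacked, with a small request builder so it can be exercised on constructed input. The function names and the zeroed padding are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_PADDING      16      /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_MESSAGE  16384   /* RFC 6520: a HeartbeatMessage must not exceed 2^14 bytes */

/* Build a heartbeat request record (constructed test input). claimed_len is written
 * into the length field; payload is the data actually placed after it, so a caller
 * can deliberately make the two disagree to test the responder. Returns bytes written. */
size_t build_request(const char *payload, uint16_t claimed_len, uint8_t *buf, size_t cap)
{
    size_t actual = strlen(payload);
    size_t total = 1 + 2 + actual + HB_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return total;
}

/* Answer a heartbeat request. Returns the response length, or -1 if the request must
 * be dropped. Only bytes that really arrived in rec[0..rec_len) are ever read. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    /* Must at least hold type + length + padding. */
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* This is the check that was missing in the affected OpenSSL releases: the claimed
     * payload plus header and padding must fit inside the record actually received. */
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > HB_MAX_MESSAGE) return -1;   /* protocol-level size limit */
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* echo only validated bytes */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* RFC says random; zero here for determinism */
    return (int)resp_len;
}

int main(void)
{
    uint8_t req[64], resp[64];

    /* Honest request: length field matches the 5-byte payload. */
    size_t n = build_request("hello", 5, req, sizeof req);
    printf("well-formed request: response length %d\n",
           heartbeat_respond(req, n, resp, sizeof resp));

    /* Inconsistent request: length field claims far more than was sent. */
    n = build_request("hello", 65535, req, sizeof req);
    printf("oversized length field: response length %d (dropped)\n",
           heartbeat_respond(req, n, resp, sizeof resp));
    return 0;
}
```

The important line is the comparison of the claimed length against `rec_len`: a responder that skips it will happily read past the end of the record, which is exactly why the replies to malformed heartbeats could carry unrelated memory contents such as keys or passwords. The RFC's 2^14 limit is a separate sanity check and, on its own, would not have prevented the over-read.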
In an opinion column published on CNN.com, Chet described how two-thirds of all websites were vulnerable to Heartbleed.
Fortunately, most major Web services have already applied fixes to the affected Web servers and services. The bad news is that smaller websites as well as many companies' products that rely on OpenSSL may linger for many more years without a fix.
Chet told BuzzFeed that an even bigger concern is who might have known about the Heartbleed bug before the rest of us caught on — and the most likely organization to know would be the U.S. National Security Agency (NSA), which has the means and an interest in finding such vulnerabilities.
“That’s exactly what the leaked NSA programs are supposed to do: Find the flaws, exploit them and never tell anyone,” Chet said.
According to Chet, the “open” part of OpenSSL means this vital security software is maintained by volunteer researchers, not commercial interests.
And that means we should be focusing our attention on supporting the open parts of the Internet that we rely on for freedom of communication.
All of us have come to rely on the Internet socially, politically and economically. The billions of dollars a year being made by the tech giants would not be possible without the millions of donated hours that maintain free and open software like OpenSSL, Linux, Apache Web server, and Postfix mail server.
Sophos Security Chet Chat #142: Heartbleed explained, Patches assessed, Apple chastised
In this episode of the weekly Chet Chat podcast, Sophos experts Chester Wisniewski and Paul Ducklin dive into the Heartbleed bug and tell us what it all means.
Plus, they share their expertise on all the other big stories of the week, including the end of XP support, Apple’s patching issues, and a whole lot more.
Learn more about OpenSSL Heartbleed
Paul Ducklin, Sophos senior security analyst and writer for Naked Security, proved his chops as an encryption expert this week with his excellent coverage of the OpenSSL Heartbleed bug.
Read his articles to get all the information you need to understand and counter this bug.
60 Second Security: Heartbleed, Google Play, and XP
Paul Ducklin runs down the news of the week in just about a minute, including quick summaries of Heartbleed, a Google Play scam, and XP’s last security patch.
- Google takes down fake anti-virus app that duped 10,000 users on Play Store
- Patch Tuesday April 2014 – XP’s last breath
- Patch Tuesday for April 2014 – it’s Goodbye, Farewell and Amen for Windows XP