Sunday, 06 April 2014 00:00

The Heartbleed Bug is a very serious vulnerability in the OpenSSL cryptographic software library. It's bad enough that OpenSSL is constantly under threat, but this particular weakness is a huge risk. It enables an attacker to steal much more than just the information it's supposed to protect. Under normal conditions, SSL/TLS encryption is what is used to secure our communications across the Internet. SSL/TLS is what provides security and privacy over the Internet for applications such as web servers, email servers, instant messaging (IM) and all our communication over the Internet, even WiFi access points, networking hardware and the virtual private networks (VPNs) corporations depend upon.

The Heartbleed bug undoes all that security and allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of the OpenSSL software. This goes much farther than just compromising the secret keys that are used to identify all our service providers and to encrypt their traffic. It also exposes the names and passwords of users and the actual content, and can even expose the source code of the applications themselves. This allows attackers to do much more than just eavesdrop on our communications or steal data directly out of these services and their users; it can also be used to impersonate services and users. It has not yet been stated anywhere else, but it is quite likely one of the tricks the NSA has been using to decrypt the communications we believed to be secure, and even worse, it leaves no trace, so regardless of how your logging was set up, nobody would ever know.

The only good news in all of this so far is that, as of now, older systems are not affected, so older hardware, applications and servers get a pass this time. That means many large consumer sites have been saved by their more conservative choice of running older SSL/TLS termination equipment and software across their services. Sadly, the smaller and more progressive companies and services, or those who upgraded to the latest and greatest hoping for the best encryption, will be affected the most. Those running OpenSSL 0.9.8 up through the OpenSSL 1.0.0 branch are NOT vulnerable. However, the whole OpenSSL 1.0.1 branch up to 1.0.1f is vulnerable; only those running 1.0.1g are NOT vulnerable. If you have been running 1.0.1 at all, you should err on the safe side and assume your OpenSSL secret keys are no longer secret, so it is time to revoke your certificates and get new ones reissued after you've upgraded OpenSSL. There is no safe way around it, because if you are hoping to find evidence in your logs, you won't.
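The version ranges above turn into a simple triage check. This is an added example, not code from the original post: it parses the banner printed by `openssl version` (the hostnames and banners below are constructed sample data) and classifies each host using only the branches the post names; anything newer than 1.0.1 is reported as unknown rather than guessed.

```python
import re

# Matches the first line of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# The letter group stops at '-' so suffixes like "1.0.1e-fips" still parse.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_status(banner):
    """Classify a banner by upstream version number alone.

    Ranges as stated in the post: 0.9.8 through the 1.0.0 branch were never
    affected; 1.0.1 up to and including 1.0.1f is vulnerable; 1.0.1g is fixed.
    Caveat: distributions that backport the fix (see the Red Hat and CentOS
    advisories linked below) keep the old upstream number, so a patched
    1.0.1e is reported as vulnerable here; confirm with the package manager.
    """
    major, minor, fix, letter = parse_openssl_version(banner)
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "not_vulnerable"
    if branch == (1, 0, 1):
        # Patch letters sort lexically: "" < "a" < ... < "f" < "g".
        return "vulnerable" if letter < "g" else "not_vulnerable"
    return "unknown"  # newer branch than the post covers; check vendor advisories


def triage(inventory):
    """Map {hostname: banner} to {hostname: status} for a fleet of hosts."""
    return {host: heartbleed_status(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01.example.test": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy-vpn.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-26s %s" % (host, status))
```

Hosts reported as vulnerable need the upgrade first and then the certificate revocation and reissue the post describes, since the version check tells you nothing about whether keys were already read.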

Want or need to find out more? Check these out.
CVE-2014-0160
NCSC-FI case# 788210
http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
https://rhn.redhat.com/errata/RHSA-2014-0376.html
https://www.cert.at/warnings/all/20140408.html
http://www.cert.ssi.gouv.fr/site/CERTFR-2014-ALE-003/index.html
https://www.cert.fi/en/reports/2014/vulnerability788210.html
http://www.circl.lu/pub/tr-21/
http://www.freshports.org/security/openssl/
http://www.kb.cert.org/vuls/id/720951
