Team-BHP - Heartbleed Bug / CVE-2014-0160


A major new vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of Web sites. A flaw in software that's widely used to secure Web communications means that passwords and other highly sensitive data could be exposed.

Internet users advised to change passwords due to 'Heartbleed' bug

http://www.latimes.com/business/tech...#axzz2yRefVfKm

An open-source software library called OpenSSL is widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive data is stored, including private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys and then use them to impersonate servers or to decrypt communications from the past or potentially the future.
Also, one more thing: those people who do online transactions or business, please don't do any online shopping or banking for a few days.
It is highly risky, not like other vulnerabilities; this one is extremely serious.

The vulnerability is officially called CVE-2014-0160 but is known as Heartbleed.

Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

You can take the Heartbleed test at the link below

http://filippo.io/Heartbleed/

There are quite a few operating system distributions that have shipped with potentially vulnerable OpenSSL versions.

Changing passwords is useless until the fix is adopted by everyone using OpenSSL since they would anyway be able to steal your passwords with the current system!

^ True. Though most major sites have applied the fix already.


Here's a list of sites, which ones are/were vulnerable, and which ones have been fixed :
http://mashable.com/2014/04/09/heart...m-fb-main-link

cya
R

The affected versions are OpenSSL 1.0.1a to OpenSSL 1.0.1f and OpenSSL 1.0.2-beta. Should be a concern if you use these versions. Otherwise no worry.
Quote:

Originally Posted by foby.sebastian (Post 3410263)
Internet users advised to change passwords due to 'Heartbleed' bug

It is recommended to change your password after the server is updated with the fixed package of OpenSSL. The fix is either to use OpenSSL 1.0.1g or to compile the existing package with the OPENSSL_NO_HEARTBEATS flag.

Quote:

Originally Posted by foby.sebastian (Post 3410263)
You can take the Heartbleed test at the link below
http://filippo.io/Heartbleed/

Got info that the filippo site was showing a few false positives (either the results were interpreted wrongly or the site didn't scale for the traffic). Fortunately, SSL Labs have updated to detect the Heartbleed bug. Along with this, they do other comprehensive SSL checking. Link: https://www.ssllabs.com/ssltest/

The predominantly affected applications are Apache & Nginx web servers (which have affected versions of the OpenSSL package). The reason is these form the bulk of web servers used on the Internet. Some estimate around 18% of web servers are vulnerable. Note that applications which don't use OpenSSL (like Microsoft) are not affected.

The curious thing about this bug is that it is almost impossible to detect whether there has been a breach or not. So if somebody is using affected versions of OpenSSL, you have to:
1) Upgrade to the fixed version of OpenSSL ASAP
2) Revoke old certificates & get fresh certificates
3) Advise your users to change their passwords.

It is scary to imagine this bug existed for 2 years.
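The post above lists the affected releases (OpenSSL 1.0.1a to 1.0.1f, plus the 1.0.2 betas), names 1.0.1g as the fixed release, and mentions the OPENSSL_NO_HEARTBEATS build flag. The following script is an added example, not code from the thread or from the OpenSSL project: it parses the output of `openssl version -a` and reports whether the installed build falls in that range. It flags everything on the 1.0.1 branch before the 1.0.1g fix (so the bare 1.0.1 release is flagged too) and any 1.0.2 beta. The check for `-DOPENSSL_NO_HEARTBEATS` on the `compiler:` line is an assumption: it only works when the flag was passed through CFLAGS at build time, so a missing flag must not be read as proof that heartbeats are enabled. The sample outputs are constructed for the example.

```python
import re
import subprocess

# Affected range as stated in the thread: 1.0.1a..1.0.1f and the 1.0.2 betas.
# 1.0.1g is the first fixed release on the 1.0.1 branch.
LAST_AFFECTED_101_LETTER = "f"

# Matches the first line of `openssl version` / `openssl version -a`,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?", re.IGNORECASE
)

# Constructed sample outputs (not captured from a real host).
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -O3
"""

SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3
"""


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) from a version line, or None."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch, letter, beta = match.groups()
    return int(major), int(minor), int(patch), letter.lower(), (beta or "").lower()


def is_heartbleed_affected(text):
    """True if the version string names a release in the affected range."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # Bare 1.0.1 and 1.0.1a..1.0.1f predate the 1.0.1g fix ("" sorts before "a").
        return letter <= LAST_AFFECTED_101_LETTER
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 betas shipped the bug; later 1.0.2 releases are fixed.
        return beta.startswith("-beta")
    return False


def built_without_heartbeats(version_a_output):
    """Assumption: the flag is visible on the 'compiler:' line only when it was in CFLAGS."""
    for line in version_a_output.splitlines():
        if line.lower().startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line:
            return True
    return False


def assess(version_a_output):
    """Summarise the `openssl version -a` output as a dict a script can act on."""
    version_line = version_a_output.strip().splitlines()[0] if version_a_output.strip() else ""
    in_range = is_heartbleed_affected(version_line)
    no_heartbeats = built_without_heartbeats(version_a_output)
    affected = in_range and not no_heartbeats
    if not in_range:
        reason = "release is outside the affected range"
    elif no_heartbeats:
        reason = "affected release, but built with OPENSSL_NO_HEARTBEATS"
    else:
        reason = "affected release; upgrade to 1.0.1g or later, then reissue certificates"
    return {"version": version_line, "affected": affected, "reason": reason}


if __name__ == "__main__":
    # Run against the local binary; falls back to the constructed sample if absent.
    try:
        output = subprocess.check_output(["openssl", "version", "-a"]).decode()
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_VULNERABLE
    result = assess(output)
    print("%s -> affected=%s (%s)" % (result["version"], result["affected"], result["reason"]))
```

A distribution that backports the fix into a package still labelled 1.0.1e will be reported as affected by this version check, which is the safe direction; confirm with the package changelog or one of the online tests mentioned above before closing the finding.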

This affects all Linux OS and Linux web servers since they all use OpenSSL. Please update quickly. Windows web server (IIS) doesn't use OpenSSL, so users can breathe easy.

I have many products using OpenSSL on both Windows and Linux, but none of the OpenSSL ones are open to the public. That is a relief.

