- CyberCrime Center
April 9, 2014
OpenSSL researchers announced the release of a fix for the “glitch” discovered in the Open SSL cryptographic software library that two-thirds of web servers worldwide use to connect with end users and guard against digital eavesdropping. UNFORTUNATELY, the fix may be coming a couple of years too late — because that’s about as long as the flaw has been available to hackers.
In his piece on policymic.com, Tom McKay says that the bug that allows for easy untraceable breaches of secure systems, which control everything from banking to retail to email, was originally discovered by Google researcher Neel Mehta.
The OpenSSL team reports McKay described the difference between this software flaw and others. “Bugs in single software or library come and go and are fixed by new versions. However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously.”
Or putting it in language a farmer might use—Is this fix like closing the barn door after the cows have gotten out?
To demonstrate how the flaw could be used, the research team was able to breach Yahoo security and steal email logins and passwords without leaving evidence it was ever there.
In the OpenSSL team’s own words, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
“Anyone who noticed and exploited the bug since it was introduced on March 14, 2012 could have easy access to an incomprehensible number of secure systems.”
TechCrunch noted that “even encrypted data illegally stolen from servers could eventually be forced open either with more stolen data or other methods, depending on server configuration.”
Until servers are updated worldwide, data remains at risk. So until the servers are updated does everybody just go fishing (and we mean fishing not phishing)?
Well, Tumblr sent out this alert to its users:
Urgent security update
Bad news. A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.
You’ll be hearing more in the news over the coming days.
Besides change your passwords, “take care” is always good advice. However, in this situation it may not be all that useful.
Something that is useful to know comes from the technology news and media network, The Verge, which says “Google, Apple, and Microsoft are all unaffected, as well as most major e-banking services.”
ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.