Hazem's Hydra Hub حازم عنزاوي

Hazim Anzawi | Ananza | عنانزة الإعلامية

April 16, 2014 5:09 pm 5:05 pm 4:55 pm
andreaaustoni:

Lionel Messi.

andreaaustoni:

Lionel Messi.

4:54 pm
omoiess:

amal-bj:

cute

يالله مااجمل صفاء البحر 😍

omoiess:

amal-bj:

cute

يالله مااجمل صفاء البحر 😍

2:52 pm April 15, 2014 1:33 pm

heartbleed-locked-down-9c5683e0.jpg

We live in a world where technical vulnerabilities can sometimes be a dime a dozen. Let’s face it, what with Microsoft’s Patch Tuesday, the latest stream of Adobe threats, and the problems with Java and Javascript, it can be overwhelming to keep up on the latest big risks in IT and whether they really apply to your environment. This is compounded by the fact that many well-publicized vulnerabilities may not always have a visible impact, making us a bit lackadaisical or blasé.

heartbleed-1.png

However, if you work in technology, your job is to not be lackadaisical; it’s your responsibility to take each risk seriously and give it your utmost attention since security is everyone’s problem. Critical Internet Explorer flaws might not mean much if your users are all on Firefox, but what about the home machines they use to connect to the company? We’re all in the same swimming pool when it comes to security.

With that in mind, a vulnerability known as Heartbleed (or CVE-2014-0160) was recently discovered in the OpenSSL 1.01 and 1.02 beta product. This is used on web servers, email servers, virtual private network (VPN) systems and some client applications, proving how widespread this threat can be.

Heartbleed hysteria went violently viral in a span of literal hours, kicking off on Monday, April 7. Just a few days later it grew bigger than the Super Bowl. As a system administrator I can state that I have rarely – if ever – seen a threat like this gain so much press so quickly. CNET has posted several articles on the topic, including Heartbleed bug also affects Cisco and Juniper equipment, while ZDNet covered How to protect yourself in Heartbleed’s aftershocks andHeartbleed’s engineer: It was an ‘accident’.

What is Heartbleed?

The technical description states that “The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.”

Essentially, it’s a flaw in a product called OpenSSL which, ironically enough, is supposed to secure web traffic through encryption. This flaw is based on a “keep-alive” setting which can provide malicious attackers the ability to obtain up to 64 KB of unencrypted sensitive data from the memory space of a vulnerable OpenSSL server or client. It can expose passwords, emails and financial information or get private keys used for encryption – any of which could produce devastating results. The full technical details are here.

The technology-oriented comic strip XKCD summed it up nicely:

heartbleed-2.png

Anything running OpenSSL 1.0.1 through 1.0.1f is vulnerable to the Heartbleed threat. An advisory site called heartbleed.com designates these operating systems as being “potentially vulnerable”:

On the same note, the site says these operating systems are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Don’t conclude only Linux servers are at risk; Windows servers may also susceptible to this condition if they happen to be using IIS with the wrong kind of OpenSSL.

This threat is not theoretical; this is really happening. It has impacted Yahoo, for instance (and they have scrambled to correct it). Google, Amazon and Facebook have also addressed the subject; Google claims they “fixed this bug early” and Amazon stated the same, claiming that their sites are no longer affected by it. However, Netcraft.com states that ” Half a million widely trusted websites vulnerable to the Heartbleed bug. ” To put it another way, Kelly Jackson Higgins of Darkreading.com wrote that ” 17 percent of SSL-secured websites [are affected].”

Many websites your users connect to might be vulnerable – and worse, your systems might be compromised as well. Cue the scary horror movie bass.

Why is this suddenly a big deal?

The crazy thing about this one is that the vulnerability has existed since the end of 2011 and has been escalating for two years. The term “security through obscurity” may have applied before now since it wasn’t well-known but, simply put, now it’s a big deal since the bad guys have hopped on the train and are scanning servers looking for an opportunity to exploit them.

Furthermore, it’s a special kind of threat because it consists of a double-whammy: both your clients and servers may be at risk. Last but not least, there is no way to tell whether your data or credentials have been affected, until they are misused by someone else.

More

April 14, 2014 5:28 pm

Liverpool vs Manchester City 3-2

Liverpool’s Philippe Courtinho (C) celebrates scoring with Jon Flanagan (R) and Steven Gerrard against Manchester City during their English Premier Leaguesoccer match at Anfield in Liverpool, northern England April 13, 2014. REUTERS

2:17 pm 1:53 pm 1:40 pm