Hazem's Hydra Hub حازم عنزاوي

Hazim Anzawi | Ananza | Ananza Media

April 15, 2014 1:33 pm


We live in a world where technical vulnerabilities can sometimes be a dime a dozen. Let’s face it, what with Microsoft’s Patch Tuesday, the latest stream of Adobe threats, and the problems with Java and Javascript, it can be overwhelming to keep up on the latest big risks in IT and whether they really apply to your environment. This is compounded by the fact that many well-publicized vulnerabilities may not always have a visible impact, making us a bit lackadaisical or blasé.


However, if you work in technology, your job is to not be lackadaisical; it’s your responsibility to take each risk seriously and give it your utmost attention since security is everyone’s problem. Critical Internet Explorer flaws might not mean much if your users are all on Firefox, but what about the home machines they use to connect to the company? We’re all in the same swimming pool when it comes to security.

With that in mind, a vulnerability known as Heartbleed (or CVE-2014-0160) was recently discovered in the OpenSSL 1.0.1 and 1.0.2-beta releases. OpenSSL is used on web servers, email servers, virtual private network (VPN) systems and some client applications, which shows how widespread this threat can be.

Heartbleed hysteria went violently viral in a span of literal hours, kicking off on Monday, April 7. Just a few days later it grew bigger than the Super Bowl. As a system administrator I can state that I have rarely – if ever – seen a threat like this gain so much press so quickly. CNET has posted several articles on the topic, including Heartbleed bug also affects Cisco and Juniper equipment, while ZDNet covered How to protect yourself in Heartbleed’s aftershocks and Heartbleed’s engineer: It was an ‘accident’.

What is Heartbleed?

The technical description states that “The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.”

Essentially, it’s a flaw in a product called OpenSSL which, ironically enough, is supposed to secure web traffic through encryption. The flaw lies in the TLS heartbeat extension, a “keep-alive” feature, and it can give malicious attackers the ability to obtain up to 64 KB of unencrypted sensitive data from the memory space of a vulnerable OpenSSL server or client. It can expose passwords, emails and financial information or give up the private keys used for encryption – any of which could produce devastating results. The full technical details are here.
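The bounds check that the fix adds, shown as an added example in C (not code from this post or from OpenSSL itself): a simplified heartbeat responder that verifies the claimed payload length against the bytes actually received before copying anything, plus two constructed records to exercise it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Answer a TLS heartbeat request. `record_len` is how many bytes really
 * arrived; the 2-byte length field inside the record is peer-controlled
 * and is checked against it before anything is copied.
 * Returns the response length, or -1 if the record is rejected. */
int build_heartbeat_response(const uint8_t *record, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    /* Both checks mirror the bounds test added in the 1.0.1g fix. */
    if (record_len < 1 + 2 + HB_PADDING) return -1;  /* too short to be a heartbeat */
    if (record[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)record[1] << 8) | record[2];
    /* 1.0.1 through 1.0.1f skipped this test and copied `payload` bytes
     * anyway, which is how up to 64 KB of adjacent process memory leaked. */
    if (1 + 2 + payload + HB_PADDING > record_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, record + 3, payload);        /* echo the payload back */
    memset(out + 3 + payload, 0, HB_PADDING);    /* OpenSSL uses random padding */
    return (int)resp_len;
}

/* Constructed sample: a 4-byte "ping" request whose length field either
 * tells the truth (4) or claims 65535 bytes that were never sent. */
static int run_sample(uint16_t claimed_len)
{
    uint8_t rec[3 + 4 + HB_PADDING] = { HB_REQUEST, (uint8_t)(claimed_len >> 8),
                                        (uint8_t)(claimed_len & 0xff), 'p', 'i', 'n', 'g' };
    uint8_t out[256];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}
int heartbeat_benign(void)   { return run_sample(4); }      /* 23-byte response */
int heartbeat_oversize(void) { return run_sample(0xFFFF); } /* rejected: -1 */

int main(void)
{
    printf("benign: %d, oversize: %d\n", heartbeat_benign(), heartbeat_oversize());
    return 0;
}
```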

The technology-oriented comic strip XKCD summed it up nicely:


Anything running OpenSSL 1.0.1 through 1.0.1f is vulnerable to the Heartbleed threat. An advisory site called heartbleed.com designates these operating systems as being “potentially vulnerable”:

On the same note, the site says these operating systems are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Don’t conclude that only Linux servers are at risk; Windows servers may also be susceptible if they happen to be running IIS together with a vulnerable OpenSSL build.
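An added example (not from this post) for the version ranges above: a small C routine that classifies `openssl version` banners against the 1.0.1 through 1.0.1f range. Distributions that backport the fix keep the old version number, so this can only flag candidates for a closer look, not clear a host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify an OpenSSL version banner such as "OpenSSL 1.0.1e 11 Feb 2013"
 * (the format printed by `openssl version`). Returns 1 if the version is in
 * the Heartbleed range (1.0.1 up to and including 1.0.1f, or a 1.0.2 beta),
 * 0 if not, and -1 if the string cannot be parsed. */
int heartbleed_by_version(const char *banner)
{
    const char *v = banner;
    if (strncmp(v, "OpenSSL ", 8) == 0) v += 8;      /* tolerate the banner prefix */
    int major, minor, patch, consumed = 0;
    if (sscanf(v, "%d.%d.%d%n", &major, &minor, &patch, &consumed) != 3) return -1;
    const char *suffix = v + consumed;               /* "e", "g", "-beta1", " 11 Feb 2013" or "" */
    if (major != 1 || minor != 0) return 0;          /* 0.9.8 and earlier lack the heartbeat code */
    if (patch == 2) return strncmp(suffix, "-beta", 5) == 0;  /* 1.0.2 beta is also affected */
    if (patch != 1) return 0;
    /* Bare "1.0.1" has no letter; treat it as the earliest (vulnerable) release. */
    char letter = isalpha((unsigned char)*suffix) ? *suffix : '\0';
    return letter <= 'f';                            /* 1.0.1 .. 1.0.1f vulnerable, 1.0.1g fixed */
}

int main(void)
{
    /* Constructed banners, including two taken from the lists above. */
    const char *samples[] = { "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                              "OpenSSL 0.9.8y 5 Feb 2013", "1.0.2-beta1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d\n", samples[i], heartbleed_by_version(samples[i]));
    return 0;
}
```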

This threat is not theoretical; this is really happening. It has impacted Yahoo, for instance (and they have scrambled to correct it). Google, Amazon and Facebook have also addressed the subject; Google claims they “fixed this bug early” and Amazon stated the same, claiming that their sites are no longer affected by it. However, Netcraft.com states that “Half a million widely trusted websites vulnerable to the Heartbleed bug.” To put it another way, Kelly Jackson Higgins of Darkreading.com wrote that “17 percent of SSL-secured websites [are affected].”

Many websites your users connect to might be vulnerable – and worse, your systems might be compromised as well. Cue the scary horror movie bass.

Why is this suddenly a big deal?

The crazy thing about this one is that the vulnerability has existed since the end of 2011 and has been escalating for two years. The term “security through obscurity” may have applied before now, since it wasn’t well-known; simply put, it’s a big deal now because the bad guys have hopped on the train and are scanning servers looking for an opportunity to exploit them.

Furthermore, it’s a special kind of threat because it consists of a double-whammy: both your clients and servers may be at risk. Last but not least, there is no way to tell whether your data or credentials have been affected, until they are misused by someone else.


April 14, 2014 5:28 pm

Liverpool vs Manchester City 3-2

Liverpool’s Philippe Coutinho (C) celebrates scoring with Jon Flanagan (R) and Steven Gerrard against Manchester City during their English Premier League soccer match at Anfield in Liverpool, northern England, April 13, 2014. REUTERS


Brazil vs Italy: a match that made millions cry

In the history of football there are many beautiful matches that created enjoyment and excitement and lived long in the memory of the game and its fans. Some of these matches were not seen by many of us, since they were played before the invention of television reached our Arab world, such as Real Madrid against Eintracht Frankfurt in the 1960 European final and the match of the century between Hungary and England in 1953. Others took place many years ago and we need to pause over their details in an attempt to uncover the secrets of their genius…



More Than A Half-Million Servers Exposed To Heartbleed Flaw


The newly exposed Heartbleed bug plaguing some 17 percent of SSL-secured websites as well as various VPN products has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?

Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in…

