Heartbleed Bug: Tech firms urge password reset
9 April 2014, last updated at 14:34. By Leo Kelion
Technology desk editor, BBC
Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.
The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a product used to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.
Those affected include Canada's tax collecting agency, which halted online services "to safeguard the integrity of the information we hold".
However, experts stress that they have no evidence of cybercriminals having harvested the passwords and that users should check which services have fixed the flaw before changing their login.
Copied keys
Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail - unless the hackers published their haul online.
"If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested," said Ari Takanen, Codenomicon's chief technology officer.
"In that sense it's a good idea to change the passwords on all the updated web portals."
Other security experts have been shocked by the revelation.
"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
"Our team has successfully made the appropriate corrections across the main Yahoo properties - Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr - and we are working to implement the fix across the rest of our sites right now," said a spokeswoman for the company.
New passwords
NCC Group - a cybersecurity company that advises many members of the FTSE 250 - described the situation as "grave".
"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," the company's associate director Ollie Whitehouse told the BBC.
"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information.
"As long as service providers have patched their software it would now be a prudent step for the public to update their passwords."
Several security firms and independent developers have published online tests to help the public discover if the services are still exposed.
However, there is no simple way to find out if they were vulnerable before.
Organisations that used Microsoft's Internet Information Services (IIS) web server software would not have been affected.
But Codenomicon has noted that more than 66% of the net's active sites rely on the open source alternatives Apache and Nginx, which do use OpenSSL.
Even so, some of these sites would have also employed a feature called "perfect forward secrecy" that would have limited the number of their communications that could have been hacked.
'No rush'
A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.
"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.
"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.
"But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."
Heartbleed bug creates confusion on internet
10 April 2014, last updated at 15:04. By Mark Ward
Technology correspondent, BBC News
Minecraft-maker Mojang shut down game servers for several hours while potentially vulnerable software was patched
Computers vulnerable to the Heartbleed bug are actively being targeted online, say security experts.
However, it is not yet clear whether the scanning efforts are benign or are the work of cyber-thieves keen to steal data, they say.
The news comes as some security professionals and developers advised people to change all their passwords.
But Google said that logins for its services did not need to be reset unless they were used on other sites.
That contradicted advice from Yahoo's blogging platform Tumblr and the developers of the app If This Then That who have told users they should change their passwords "everywhere".
The conflicting guidance is further complicated by the fact that experts say updating a password is useless unless a site has patched its servers - but it is not always obvious to the public when this is the case.
Attack pattern
News about the Heartbleed bug broke on 8 April and has kicked off a frenzy of activity as web companies check to see if their systems are vulnerable.
The bug emerged in software that should have kept data passing between sites and users safe from scrutiny. Instead the bug meant that attackers could use specially crafted queries to slowly steal data from servers.
Ars Technica reported that some sites had seen evidence that networks of bots were probing them for the Heartbleed weakness long before the bug was publicised.
Information about scans of vulnerable servers is also circulating among security researchers. One scan turned out to pose no threat, as whoever was behind it simply told the gaming company that ran the computers that they were leaking data.
"It's difficult to detect an attack unless you are actively looking for it," said Ken Munro, an analyst at security company Pen Test Partners. He added that many intrusion detection systems had now added signatures that spot the subtle signs that a Heartbleed-inspired attack is under way.
In addition, organisations running "honeypots" that try to trick hackers into attacking bogus web servers have written code that generates nonsensical server data in response to Heartbleed requests.
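As an added illustration of the kind of check such intrusion-detection signatures perform (this is example code written for this page, not from any IDS vendor, honeypot project or from OpenSSL), the function below inspects TLS heartbeat records and flags any whose declared payload length could not fit inside the bytes actually received; the sample records are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of random padding

def parse_tls_record(data):
    """Return (content_type, version, body) for one TLS record, or None if truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    return (ctype, version, body) if len(body) == length else None

def heartbeat_verdict(record):
    """Classify one TLS record: benign, heartbleed-probe, malformed, truncated or not-heartbeat."""
    parsed = parse_tls_record(record)
    if parsed is None:
        return "truncated"
    ctype, _version, body = parsed
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # Heartbleed: unpatched OpenSSL trusted payload_len without comparing it to the
    # bytes actually received. A conformant message must hold the declared payload
    # plus at least 16 bytes of padding inside the record body; anything else is
    # the "subtle sign" an IDS signature looks for.
    if payload_len + MIN_PADDING > len(body) - 3:
        return "heartbleed-probe"
    return "benign"

def scan_records(records):
    """Tally verdicts over a sequence of captured records."""
    counts = {}
    for rec in records:
        verdict = heartbeat_verdict(rec)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

def tls_record(ctype, body, version=0x0302):
    """Wrap a body in a TLS 1.1 record header (used only to build the constructed samples)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed sample traffic, not a real capture.
SAMPLE_RECORDS = [
    tls_record(0x17, b"GET / HTTP/1.1\r\n"),                                              # application data
    tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16),   # conformant heartbeat
    tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 0xFFFF)),                       # oversized claim, no payload
    tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping"),                  # payload present, padding missing
]
```

Running scan_records(SAMPLE_RECORDS) yields one benign heartbeat, one application-data record and two flagged probes.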
About 500,000 servers are vulnerable to the Heartbleed bug, statistics from net monitoring company Netcraft suggest.
Many large sites that ran vulnerable servers have now patched their systems and many others are following suit. However, a huge number of sites still remain vulnerable. Websites have sprung up that let people check if a site they use is vulnerable.
Conflicting advice has been given to web users from different companies about whether they should be updating their passwords. Google said users did not need to change credentials; Facebook advised users to make a change; and others, such as web service If This Then That, said users should change all passwords.
Users should first check to see if a site they were using was vulnerable to the bug and whether they had taken action to fix it, said James Lyne, global head of research at Sophos. Changing a password on an unprotected site could still leave people open to data theft, he said.
In addition, he added, the rush to change passwords was likely to encourage phishing gangs to start sending out bogus messages advising people to reset or change their passwords.
"This is not the first defect of its kind and it certainly won't be the last, but it is one of the more serious faults we've seen in recent internet history," said Mr Lyne.
Name | Vulnerable? | Patched? | Change password?
Amazon | No | No need | Only if shared with vulnerable service
Amazon Web Services | Yes | Yes | Yes
Apple | Not clear | Not clear | Not clear
Barclays | Not clear | Not clear | Not clear
eBay | No | No need | Only if shared with vulnerable service
Evernote | No | No need | Only if shared with vulnerable service
Facebook | Yes | Yes | Yes
Google/Gmail | Yes | Yes | Yes
HSBC | No | No need | Only if shared with vulnerable service
If This Then That | Yes | Yes | Will force users to log out and ask them to update
LinkedIn | No | No need | Only if shared with vulnerable service
Lloyds | No | No need | No
Microsoft/Hotmail/Outlook | No | No need | Only if shared with vulnerable service
PayPal | No | No need | Only if shared with vulnerable service
RBS/Natwest | No | No need | Only if shared with vulnerable service
Santander | No | No need | Only if shared with vulnerable service
Tumblr | Yes | Yes | Yes
Twitter | No | No need | Only if shared with vulnerable service
Yahoo/Yahoo Mail | Yes | Yes |
[Image: xkcd comic explaining the Heartbleed bug. Source: http://xkcd.com/1354/]