Security

OpenSSL: The single line of code that broke online security

posted on April 14, 2014
by l33tdawg

On New Year's Eve in 2011, at one minute before 11pm, a British computer consultant named Stephen Henson finished testing a new version of a popular piece of free security software. With a few keystrokes he released OpenSSL version 1.0.1 into the public domain. Now, more than two years later, the events of that night have shaken the foundations of the internet.

Israeli group posts photos of not-so-Anonymous hackers

posted on April 14, 2014
by l33tdawg

Israeli hackers attacked computers belonging to Anonymous and allied hacker groups, taking pictures with exploited webcams and posting the photos online, during the organization’s OpIsrael hacking attack last week.

A hacker called Buddhax, a member of the Israeli Elite Force hacking group, posted the information on the IEF’s Facebook page Wednesday, two days after anti-Israel hackers attempted to repeat last year’s mass attacks on Israeli sites.

Bot masters in cut-throat DDoS fight

posted on April 14, 2014
by l33tdawg

Botnet operators in the criminal underground are launching large denial of service attacks against each other in a bid to knock out rivals in the race to compromise computers.

Security researchers have discovered command and control servers owned by operators of Zeus botnets were blasted by those running a rival Cutwail botnet in a distributed denial of service attack reaching 300,000 connections a minute.

Tutorial: Facebook 2-factor authentication, step-by-step

posted on April 14, 2014
by l33tdawg

Facebook has never seemed to have a particularly friendly relationship with security and privacy. After all, the more Facebook knows about you, the more the company can profit from the social graph. But while the company has implemented some fine security features for users, the way they present them leaves a lot to be desired.

Tests confirm Heartbleed bug can expose server's private key

posted on April 14, 2014
by l33tdawg

Four researchers working separately have demonstrated a server’s private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.

The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.

Heartbleed exploit, patch, both released

posted on April 14, 2014
by l33tdawg

As the Heartbleed fallout continues, the good news is that code to fix the problem in OpenSSL has been released. The bad news is that exploit code is also available.

Let's start with the latter, released by a chap who took up CloudFlare's challenge to coders in the hope someone, somewhere, would be able to use Heartbleed to extract a private SSL key from an undefended server it erected.

Expanding Google's security services for Android

posted on April 11, 2014
by l33tdawg

Think about the ways your home is kept secure. You rely on structural security features—secure locks, a rock-hard foundation, strong windows and doors. You might also have an alarm or video camera to give you an extra layer of security, with a support team behind those tools making them more powerful, all but invisible until the moment you need them.

The Heartbleed bug is affecting routers, too

posted on April 11, 2014
by l33tdawg

The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there's still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis.

Juniper detailed a long list in two advisories, one here and the other here. Cisco acted in similar fashion with its advisory.