SSL

Hacker claim about bug in fixed OpenSSL likely a scam

posted on April 28, 2014
by l33tdawg

Security experts have expressed doubts about a hacker claim that there’s a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.

A group of five hackers writes in a posting on Pastebin that they worked for two weeks to find the bug and developed code to exploit it. They’ve offered the code for the price of 2.5 bitcoins, around US$870.

How I used Heartbleed to steal a site's private crypto key

posted on April 28, 2014
by l33tdawg

By now everyone knows about the OpenSSL Heartbleed vulnerability: a missing bounds check in one of the most popular TLS implementations has made millions of Web servers (and more) leak all sorts of sensitive information from memory. This can leak login credentials, authentication cookies, and Web traffic to attackers. But could it be used to recover the site’s TLS private key? This would enable complete decryption of previously recorded traffic if perfect forward secrecy was not negotiated at the time, and otherwise man-in-the-middle attacks on all future TLS sessions.

Most but not all sites have fixed Heartbleed flaw

posted on April 21, 2014
by l33tdawg

The world's top 1,000 websites have been patched to protect their servers against the "Heartbleed" exploit, but up to 2% of the top million were still vulnerable as of last week, according to a California security firm.

On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.

First sites admit data loss through Heartbleed attacks

posted on April 15, 2014
by l33tdawg

Canada’s tax authority and a popular British parenting website both lost user data after attackers exploited the Heartbleed SSL vulnerability, they said Monday.

The admissions are thought to be the first from websites that confirm data loss as a result of Heartbleed, which was first publicized last Tuesday. The flaw existed in OpenSSL, a cryptographic library used by thousands of websites to enable encryption, and was quickly labeled one of the most serious security vulnerabilities in years.

OpenSSL: The single line of code that broke online security

posted on April 14, 2014
by l33tdawg

On New Year's Eve in 2011, at one minute before 11pm, a British computer consultant named Stephen Henson finished testing a new version of a popular piece of free security software. With a few keystrokes he released OpenSSL version 1.0.1 into the public domain. Now, more than two years later, the events of that night have shaken the foundations of the internet.

Tests confirm Heartbleed bug can expose server's private key

posted on April 14, 2014
by l33tdawg

Four researchers working separately have demonstrated that a server’s private encryption key can be obtained using the Heartbleed bug, an attack previously thought possible but unconfirmed.

The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.

Heartbleed exploit, patch, both released

posted on April 14, 2014
by l33tdawg

As the Heartbleed fallout continues, the good news is that code to fix the problem in OpenSSL has been released. The bad news is that exploit code is also available.

Let's start with the latter, released by a chap who took up CloudFlare's challenge to coders in the hope that someone, somewhere, would be able to use Heartbleed to extract a private SSL key from an undefended server it erected.

'Heartbleed' bug in OpenSSL puts encrypted communications at risk

posted on April 8, 2014
by l33tdawg

Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.

The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.

Gameover trojan hides in SSL

posted on October 7, 2013
by l33tdawg

Saboteurs spreading the Gameover banking trojan are using an encrypted Secure Sockets Layer (SSL) connection to remain undetected and have infected at least a quarter of a million machines.

Researchers at Dell SecureWorks Counter Threat Unit (CTU) detailed attackers' latest schemes to spread the financial malware in a blog post published last Friday.