Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 29 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Heartbleed strikes fear into the internet

by The Gurus
April 8, 2014
in Editor's News
Share on FacebookShare on Twitter

The UK computer emergency readiness team (CERT) has issued its first major advisory since it officially opened regarding the OpenSSL vulnerability.
 
In the advisory, CERT-UK said that it was aware of reports of the vulnerability, which is also known as the Heartbleed bug which affects versions 1.0.1-1.0.1f of the OpenSSL cryptographic library.
 
It said: “This potentially permits the stealing of information normally protected by SSL/TLS encryption, and could affect applications used for web hosting, email, instant messaging and virtual private networks. This could include sensitive information such as secret keys, user credentials and traffic content. The vulnerability may have existed since as early as December 2011.
 
“Organisations running vulnerable versions of OpenSSL libraries should upgrade to 1.0.1g as soon as possible.”
 
The bug allows anyone to read the memory of the systems protected by the vulnerable versions of the OpenSSL software as it compromises keys used to identify the service providers and to encrypt traffic, names and passwords of the users and the actual content. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”, an advisory website said.
 
A warning was also issued to certificate authorities to check how compromised keys can be revoked and new certificate reissued for the new keys. It also warned that open source web servers running Apache and nginx were vulnerable, as well as email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software.
 
The advisory said it was unsure how widespread this exploit was, as it has been in the wild since March. TK Keanini, CTO of Lancope, told IT Security Guru that this was one of the most major vulnerabilities to be reported this year, and warned that it will be around for some time as everyone who is vulnerable will need to remediate.
 
“Most, if not all of the major websites are aware and have fixed this problem – that is not the major concern. The major concern is everyone else who is affected by this bug as it does not just apply to websites and most have no idea they are at risk,” he said.

 
“It is not easy for most people to know what version they are running and if this is built into a router or embedded device, chances are very slim that they will ever know. The attacker will also leave no logs when they perform their attack because it is in the part of the code where no logging takes place of the activity.”
 
Mark Schloesser, security researcher at Rapid7, said: “An attacker who gains access to the private key of the server certificate can subsequently mount man-in-the-middle attacks against clients and impersonate the server/service. Log messages might also contain credentials or affect the privacy of communications by other clients.
 
“Looking only at web servers, it seems that OpenSSL 0.9.8 and 1.0.0 are still the most popular versions, which are not affected. However we count at least a few hundred thousand servers using affected library versions so that it poses a significant threat. As the same problem affects other protocols / services such as mail servers and databases, we assume that overall we’re looking at millions of vulnerable systems connected to the public internet.”

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

TrustDW – Big Data and privacy do not mix

Next Post

Why Heartbleed is the most dangerous security flaw on the web

Recent News

Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023
Lupovis eliminates false positive security alerts for security analysts and MSSPs

Lupovis eliminates false positive security alerts for security analysts and MSSPs

January 26, 2023
Threat actors launch one malicious attack every minute

Threat actors launch one malicious attack every minute

January 25, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information