
Growing urgency to deal with cyber security following Heartbleed bug


Heartbleed is a buffer over-read — a security bug — in the open-source OpenSSL cryptography library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. The vulnerability results from a missing bounds check in the handling of the TLS heartbeat extension, from which the bug takes its name.

A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica and Bruce Schneier all deemed the Heartbleed bug "catastrophic".

Forbes cyber security columnist Joseph Steinberg wrote,

"Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."

A United Kingdom Cabinet spokesman has recommended that "People should take advice on changing passwords from the websites they use. Most websites have corrected the bug and are best placed to advise what action, if any, people need to take." On the day of disclosure, the Tor Project advised anyone seeking "strong anonymity or privacy on the Internet" to "stay away from the Internet entirely for the next few days while things settle."

Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre has issued a security bulletin advising system administrators about the bug.

Via: Wikipedia