Date: Tue, 8 Apr 2014 23:22:34 -0400
From: Ruben Safir
Subject: [NYLXS - HANGOUT] openssl security hole
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.20 (2009-06-14)
8 April 2014 Last updated at 07:05 ET
Scramble to fix huge 'heartbleed' security bug
[Image: screengrab from the Heartbleed page. Caption: The researchers who
discovered the bug publicised their findings via the web.]
A bug in software used by millions of web servers could have exposed
anyone visiting sites they hosted to spying and eavesdropping, say
The bug is in a software library used in servers, operating systems and
email and instant messaging systems.
Called OpenSSL, the software is supposed to protect sensitive data as it
travels back and forth.
It is not clear how widespread exploitation of the bug has been because
attacks leave no trace.
"If you need strong anonymity or privacy on the internet, you might want
to stay away from the internet entirely for the next few days while
things settle," said a blog entry about the bug published by the Tor
Project which produces software that helps people avoid scrutiny of
their browsing habits.
A huge swathe of the web could be vulnerable because OpenSSL is used in
the popular Apache and Nginx web server software. Statistics from net
monitoring firm Netcraft suggest that about 500,000 of the web's secure
servers are running versions of the vulnerable software.
"It's the biggest thing I've seen in security since the discovery of SQL
injection," said Ken Munro, a security expert at Pen Test Partners. SQL
injection is a way to extract information from the databases behind web
sites and services using specially crafted queries.
Many firms were scrambling to apply patches to vulnerable programs and
others had shut down services while fixes were being worked on, he said.
Many were worried that, with proof-of-concept code already being shared,
it would only be a matter of time before cyber thieves started
exploiting the vulnerability.
Mojang, maker of the hugely popular Minecraft game, took all its
services offline while Amazon, which it uses to host games, patched its
The bug in OpenSSL was discovered by researchers working for Google and
security firm Codenomicon.
In a blog entry about their findings the researchers said the "serious
vulnerability" allowed anyone to read chunks of memory in servers
supposedly protected with the flawed version of OpenSSL. Via this route,
attackers could get at the secret keys used to scramble data as it
passes between a server and its users.
"This allows attackers to eavesdrop [on] communications, steal data
directly from the services and users and to impersonate services and
users," wrote the team that discovered the vulnerability. They called it
the "heartbleed" bug because it occurs in the heartbeat extension for
The bug has been present in versions of OpenSSL that have been available
for over two years. The latest version of OpenSSL released on 7 April is
no longer vulnerable to the bug.
"Considering the long exposure, ease of exploitation and attacks leaving
no trace this exposure should be taken seriously," wrote the
Installing an updated version of OpenSSL did not necessarily mean people
were safe from attack, said the team. If attackers have already
exploited it they could have stolen encryption keys, passwords or other
credentials required to access a server, they said.
Full protection might require updating to the safer version of OpenSSL
as well as getting new security certificates and generating new
encryption keys. To help people check their systems some security
researchers have produced tools that help people work out if they are
running vulnerable versions of OpenSSL.