
Heartbleed Security Bug: What Apple Users Need to Know

Discussion in 'Off-Topic Discussion' started by sparkyscott21, Apr 9, 2014.

  1. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    The newly discovered Heartbleed bug is being called the Web’s worst security bug ever.

    It allows hackers to steal passwords and login details when users visit vulnerable sites — undetected. That’s the bad part: affected sites probably have no idea they’re vulnerable. The bug is subject to an emergency security advisory. Some experts are estimating that up to 66% of the Internet’s servers could be affected. Each server has to be fixed manually. So it could take a while.



    In the meantime:

    • Don’t log into any sites until you’ve officially been given the all clear.
    • Change all your passwords for websites and email. Especially for sensitive sites like banks, credit cards and webmail. However: wait until you know a site has been patched before changing passwords. Sites like Tumblr and Yahoo sent out warning emails earlier today telling users to change their passwords.
    • Apple.com and iCloud appear to be unaffected, according to this (unofficial) list on GitHub.
    • Install the Chromebleed Checker for Google’s Chrome browser — it pops a warning if a site is vulnerable.

    We’ve reached out to Apple’s PR department for comment. No reply yet. We’ll update if Apple makes any statement or issues an advisory.

    The Heartbleed bug is a nasty one. It affects webservers — the computers that power websites. It does not affect your computer or iOS device — but it makes you vulnerable because hackers can potentially steal your details from the sites you visit. It’s a flaw in OpenSSL, an encryption technology used by the vast majority of websites on the Net, although, apparently, not Apple’s website or its online services like iCloud. Google, Microsoft and big banks also appear not to be vulnerable, but many smaller sites and servers could be.

    The flaw allows hackers to pull data from a server’s working memory, including the server’s encryption keys. That would allow hackers to decrypt all traffic to and from the server, exposing sensitive data like logins, passwords and everything else.

    You can check individual sites using this Heartbleed checker.

    It affects an older version of OpenSSL that’s been around for two years, so even sites that have been updated may have been vulnerable in the past. No one can tell because the flaw allows hackers to plunder data without leaving any trace that they were there. There’s evidence that hackers are aware of the flaw and have been exploiting it, according to reports.

    There’s a more technical explanation at Heartbleed.com, which estimates that up to 66 percent of the web may be vulnerable. Huge services like Yahoo, OKCupid and Tumblr use OpenSSL to encrypt data.

    Until the majority of webservers are fixed, the best advice is to temporarily stay away from sites that could expose your private details.

    Vulnerable servers will have to be patched by their administrators, on a server-by-server basis, which might take days or even weeks. And there’s no guarantee that all the vulnerable servers will get patched. The best advice is to treat each on a site-by-site basis.

    And if you are really security conscious, the TOR project is advising that you might want to avoid the internet altogether.





    4-9-14

    Source
     
  2. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    Heartbleed is a scary, scary bug. Without getting into the technical aspects of this recently discovered security hole, it’s an issue with OpenSSL, the security protocol used to encrypt web traffic. How vast is this gaping security hole? According to experts, about 66% of the entire Internet is impacted by Heartbleed.
    It sounds terrifying… and it is.

    The Wire put together a great comprehensive post explaining what the vulnerability is and how it works, but the most important thing to know is what you should do about it. And unfortunately, for the time being, options are pretty limited and ineffective.

    Because this bug exists on numerous hugely popular websites such as Yahoo, Tumblr, OKCupid and Flickr, millions of usernames and passwords may have been exposed as a result of the vulnerability. This also means that until all of these companies update their websites with a new version of OpenSSL that fixes the bug, users will continue to be at risk.

    In the meantime though, there are some steps you can take.

    First off, check out this GitHub page for a list of big websites that are or were vulnerable. If you have accounts on any of those sites, change your password immediately. If you use the same password on other sites, change those passwords immediately as well — preferably to something different (everyone should be using a solution like 1Password at this point).

    Then, sadly, all we can do is wait. Change your password frequently on sites that are known to be exposed until you confirm that they have updated OpenSSL.





    4-9-14

    Source
     
  3. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    The discovery of the Heartbleed security bug sent the web into a panic with its devastating OpenSSL vulnerability.

    On a scale of 1 to 10 of Internet catastrophes this one goes all the way to 11, according to respected security analyst Bruce Schneier, who isn’t prone to manic exaggeration.

    A shriek of “CHANGE YOUR PASSWORDS” has erupted from the throats of sites issuing evasive maneuvers, but you might want to hold off on going password-reset-crazy for just a few days.


    Here’s why:

    As explained by the creators of 1Password – which isn’t affected by Heartbleed – many servers haven’t patched up their vulnerability, and probably won’t for a few days, which means that new password you’re creating can still be stolen and used in the future.

    “You will, at some point, need to change a lot of passwords. But don’t rush to do that just yet. Not every server is affected, and those that are need to fix things at their end before you change your password. If you change your password before the servers fix things, then your new password will also be vulnerable to capture.

    All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.”

    So what’s taking the providers so long to fix things up?

    First they have to find out if they’re vulnerable, which requires them to see if their particular SSL/TLS service was on OpenSSL 1.0.1 – 1.0.1f. After they’ve upgraded to the fixed version of OpenSSL (1.0.1g) they’ll have to revoke old certificates and sort things out with certificate authorities to obtain a new one.

    Certificate Authorities are going to be very, very busy the next few days.


    4-9-14

    Source
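The post above (and the NSA advisory quoted later in the thread) gives the affected range as OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g. The following is an added example, not code from the thread or from OpenSSL, that turns that range into a triage check an administrator can run over the version strings collected from their own hosts (for example the output of `openssl version`). The sample strings in `main` are constructed; the function encodes only the range the advisory names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parsed form of an OpenSSL version string such as "1.0.1f". */
struct ossl_version {
    int major, minor, fix;
    char patch;          /* patch letter 'a'..'z', or 0 when absent (e.g. "1.0.1") */
};

/* Parse "MAJOR.MINOR.FIX[letter][-suffix]". Returns 1 on success, 0 if the
 * string does not start with three dotted integers. A trailing suffix such as
 * "-fips" is tolerated and ignored. */
int parse_openssl_version(const char *s, struct ossl_version *v)
{
    int consumed = 0;
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->fix, &consumed) != 3)
        return 0;
    s += consumed;
    v->patch = islower((unsigned char)*s) ? *s : 0;
    return 1;
}

/* 1  = inside the advisory's vulnerable range (1.0.1 through 1.0.1f),
 * 0  = outside it (1.0.1g or later, or any other branch),
 * -1 = version string could not be parsed. */
int heartbleed_vulnerable(const char *version)
{
    struct ossl_version v;
    if (!parse_openssl_version(version, &v))
        return -1;
    if (v.major != 1 || v.minor != 0 || v.fix != 1)
        return 0;                   /* only the 1.0.1 series shipped the flawed code */
    return v.patch < 'g' ? 1 : 0;   /* plain 1.0.1 (patch 0) and 'a'..'f' are affected */
}

int main(void)
{
    /* Constructed sample strings of the kind "openssl version" prints. */
    const char *samples[] = { "1.0.1f", "1.0.1", "1.0.1e-fips", "1.0.1g",
                              "1.0.0", "0.9.8y", "bogus" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = heartbleed_vulnerable(samples[i]);
        printf("%-12s %s\n", samples[i],
               r == 1 ? "VULNERABLE (update to 1.0.1g or later)" :
               r == 0 ? "not in the Heartbleed range" :
                        "unrecognised version string");
    }
    return 0;
}
```

A version string alone is not proof either way: Linux distributions backported the fix into their 1.0.1e packages without bumping the patch letter, so treat a "VULNERABLE" result as a prompt to check the package changelog or test the service, not as a verdict.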
     
  4. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    Heartbleed is one of the most widespread vulnerabilities we have seen in recent years — it impacted an estimated 66% of the entire Internet at the time of its discovery. The bug affects OpenSSL, which is a popular security protocol used to encrypt sensitive data sent to and from websites. Major sites such as Yahoo, Flickr and Imgur are among the sites that were affected by Heartbleed, potentially exposing users’ passwords and other data to hackers. While many have patched the bug and others continue to do so, it will be months or even years before every site addresses the issue.

    In the meantime, a simple free Chrome browser plugin will alert users when they visit a website that is still vulnerable.

    Developer Jamie Hoyle has created a nice Chrome extension dubbed Chromebleed that serves a single purpose: It displays a warning when you visit a website affected by Heartbleed.


    From the plugin’s description:

    Many HTTPS-secured sites on the internet use OpenSSL. Unfortunately, a major vulnerability in OpenSSL was disclosed – known as the Heartbleed bug – yesterday that put hundreds of thousands of servers at risk of compromise.

    Whilst some servers have been patched already, many remain that have not been patched. Chromebleed uses a web service developed by Filippo Valsorda and checks the URL of the page you have just loaded. If it is affected by Heartbleed, then a Chrome notification will be displayed. It’s as simple as that!

    Head over to this post to learn exactly what you should do when you encounter sites with the Heartbleed vulnerability.






    4-10-14

    Source
     
  5. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    Apple on Thursday released a statement saying its major operating platforms, iOS, OS X and certain Web services, are not affected by the massive "Heartbleed" security flaw discovered earlier this week.

    As reported by Re/code, Apple has confirmed that its systems and services remain largely untouched by the secure sockets layer (SSL) bug known as "Heartbleed," a bug found in open source software that could potentially compromise the passwords and personal information of millions.

    "Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," the spokesperson said.

    News of Heartbleed, a name given to the bug officially designated as CVE-2014-0160 by MITRE, first hit earlier this week. The flaw was discovered in the OpenSSL implementation of the TLS/DTLS heartbeat extension and, when exploited, leaks both server-client and client-to-server cached memory.

    According to Heartbleed.org, the bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL software, including secret keys websites used to encrypt traffic. Nefarious users can use the data to gather usernames and passwords, eavesdrop on communications and steal data directly from services affected.

    Major websites like Google, Facebook and others have already implemented fixes for the flaw, but security researchers still urge users to change their passwords as there was a point when these sites were not patched.




    4-10-14

    Source
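The post above describes the flaw as living in OpenSSL's implementation of the TLS/DTLS heartbeat extension and leaking memory when exploited. The following added example, which is not code from the thread or from OpenSSL, models the heartbeat message layout from RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and shows the bounds check whose absence caused the leak: the responder must compare the length field against the record it actually received before copying anything. The records built in `main` are constructed, padding is zeroed rather than random for determinism, and the DTLS variant and TLS record framing are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1    /* HeartbeatMessageType values from RFC 6520 */
#define HB_RESPONSE  2
#define HB_HDR       3    /* 1 byte type + 2 byte payload_length */
#define HB_PADDING   16   /* minimum padding the RFC requires after the payload */

/* Build a heartbeat request record. 'claimed' is what gets written into the
 * length field; 'actual_len' is how many payload bytes really follow it.
 * Keeping the two separate lets us construct both honest and malformed records.
 * Returns the record length, or 0 if it does not fit in 'cap'. */
size_t build_heartbeat(uint8_t *buf, size_t cap, uint16_t claimed,
                       const uint8_t *payload, size_t actual_len)
{
    size_t len = HB_HDR + actual_len + HB_PADDING;
    if (len > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HDR, payload, actual_len);
    memset(buf + HB_HDR + actual_len, 0, HB_PADDING);  /* zero padding for determinism */
    return len;
}

/* Hardened responder. The unpatched code trusted the 16-bit length field and
 * copied that many bytes from the record buffer into the reply, reading past
 * the record into whatever else sat in the heap; here the field is checked
 * against the bytes actually received before any copy, which is the same
 * shape of comparison the 1.0.1g fix introduced. Returns the response length
 * written to 'out', or 0 when the record is silently discarded. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    uint16_t claimed;
    size_t resp_len;

    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    claimed = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The check that was missing: header + claimed payload + padding must fit
     * inside the record we hold, otherwise the copy below would run off its end. */
    if ((size_t)HB_HDR + claimed + HB_PADDING > rec_len)
        return 0;

    resp_len = HB_HDR + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* now provably in bounds */
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return resp_len;
}

int main(void)
{
    uint8_t rec[64], out[64];
    const uint8_t payload[] = "hello";   /* constructed 5-byte payload */
    size_t n, r;

    /* Honest record: the length field matches the payload that follows. */
    n = build_heartbeat(rec, sizeof rec, 5, payload, 5);
    r = heartbeat_respond(rec, n, out, sizeof out);
    printf("honest record: %zu-byte reply, payload \"%.5s\"\n",
           r, (const char *)(out + HB_HDR));

    /* Malformed record: the field claims 65535 bytes but only 5 are present.
     * The hardened responder drops it instead of echoing 64 KiB of heap. */
    n = build_heartbeat(rec, sizeof rec, 65535, payload, 5);
    r = heartbeat_respond(rec, n, out, sizeof out);
    printf("lying record:  %s\n", r == 0 ? "discarded" : "answered (BUG)");
    return 0;
}
```

The lesson generalises beyond this one extension: any length that arrives on the wire is attacker-controlled until it has been compared against the number of bytes actually read, and that comparison has to happen before the copy, not after.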





     
  6. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    The odds are good that no one will be surprised to learn that the National Security Agency knew about the Heartbleed OpenSSL vulnerability that affected 66% of the entire Internet at the time of its discovery. The allegation that the NSA used the security hole itself to snoop might not be terribly shocking either. What is pretty appalling, however, is the fact that Bloomberg is reporting the NSA knew about the huge vulnerability for “at least two years” and did nothing, leaving us all at risk.

    More details can be found in Bloomberg’s report, which is linked below in our source section.

    Head here for more on Heartbleed and instructions on what to do if you’re affected. A plugin that can protect you from sites impacted by Heartbleed can be found here.



    4-11-14

    Source



     
  7. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    After a week of inescapable coverage on tech blogs and news sites, it’s probably safe to say most of us now know what Heartbleed is. The positively terrifying OpenSSL vulnerability affected an estimated 66% of the entire Internet at the time of its discovery, and passwords for many big sites including Yahoo, Flickr and thousands more were at risk. Sure, we all know what Heartbleed is, and now, thanks to a simple browser plugin, we know how to avoid websites affected by Heartbleed. What most people don’t know, however, is how Heartbleed got its name.

    In an interview with Vocativ, Codenomicon CEO David Chartier gave the world the backstory on Heartbleed, including exactly how and why the bug got its name. Codenomicon is a cybersecurity company based in Finland, and it was the first to discover the Heartbleed vulnerability.

    Chartier explained that the bug was first referred to as “CVE-2014-0160,” which was a designator that referenced the line of code containing the bug. As huge as this was, however, they apparently decided it needed a catchier name.

    And that’s when one Codenomicon developer — Ossi Herrala — got the idea to call it Heartbleed.

    “There’s an extension on OpenSSL called Heartbeat,” Chartier said in the interview. “[Herrala] thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory.”

    Simple, catchy and memorable. Heartbleed it is.

    The company then whipped up a logo and a FAQ, and the rest is history.

    “Our mission is to make the Internet safer,” Chartier noted. “I’m happy to see the overall community response. The IT security community has really taken this and done a lot with it. I think it’s a tremendous community effort here.”

    If you have an account on a site known to have been affected by Heartbleed, head over to this post to learn exactly what you need to do.






    4-11-14

    Source
     
  8. Carlszone

    Carlszone Well-Known Member

    Joined:
    Jan 19, 2012
    Messages:
    1,133
    Likes Received:
    182
    Trophy Points:
    63
    Location:
    Norfolk Va
    Hell, for all we know the NSA invented it. Or hired hackers to do it & then hid behind their hands while they invested sites that threatened the security of the ole USA & its interests overseas.

    A case of chickens coming home to roost...

    Carl
     
  9. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    The National Security Agency has already denied reports that claimed it had been aware of the Heartbleed security threat and used it to its advantage, and now the agency has issued its own document, picked up by Engadget, advising users on how to deal with this major security risk that has been found to affect a large number of websites.

    The NSA says that any users operating websites and online services that use OpenSSL versions 1.0.1 through 1.0.1f should immediately update it, to patch the “serious vulnerability.”

    Furthermore, the NSA advises regular Internet users to contact directly the providers of online services or developers of operating systems that may be affected by Heartbleed in order to inform them about the security risk – although considering the amount of media coverage Heartbleed received, it’s likely that many Internet companies are well aware of the issue.

    Finally, the agency advises users to change their passwords immediately once an online service affected by the OpenSSL bug has been patched in order to avoid any further issues.

    All in all, this isn’t the first time these pointers on how to deal with Heartbleed have been given to users, but this time around it’s the NSA sending out instructions for mitigating the “Heartbeat Extension Vulnerability.”

    Internet users can already check sites affected by Heartbleed using a Chrome plugin or use an Android app to check their phone’s integrity, while this handy infographic explains how to craft more secure passwords.

    An image from the NSA document showing the suggestions above follows below.



    [Image: NSA document on the Heartbeat Extension Vulnerability]






    4-15-14

    Source

     
  10. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    For the past week, a lot of the tech world has been trying to figure out what to do about the Heartbleed bug that has the potential to compromise the security of any website that uses the OpenSSL encryption protocol. However, The National Journal reports that Google got a big head start on patching Heartbleed because it discovered the security hole back in March and never told anyone else about it.

    In some ways this isn’t too surprising since companies often make sure to patch their own websites and services when they discover security flaws before telling the world about them. However, The National Journal notes that “keeping the bug secret from the U.S. government may have left federal systems vulnerable to hackers” and that Google maintained complete silence about Heartbleed even though “the government encourages companies to report cybersecurity issues to the U.S. Computer Emergency Readiness Team, which is housed in the Homeland Security Department.”

    While the government is probably annoyed that Google never told it about Heartbleed when it learned of it last month, Google users can at least be happy that the company has already started fixing flaws in its websites that could leave them vulnerable. Over the next several weeks, tech companies are going to be revoking their security certificates and issuing new ones to protect against hackers stealing and copying the certificates that they were using before the Heartbleed bug was unveiled.

    This will likely mean some serious disruptions for popular websites but Google sites might operate more smoothly if the company has already started replacing its security certificates before everyone else rushes in and tries to do the same.






    4-15-14

    Source
     
  11. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    In 2011, Apple told its developers that it would be deprecating OS X's Common Data Security Architecture including OpenSSL, describing it as an outdated relic of the late 1990s. Nearly three years later, OpenSSL was hit by a severe flaw that affected a wide swath of vendors and their users, but not Apple.

    When it announced plans to deprecate OpenSSL in June 2011, Apple wasn't aware of the Heartbleed flaw because it didn't yet exist. However, the company was aware of other problems with OpenSSL (libcrypto), a security toolkit Apple began using within the Common Data Security Architecture more than a decade ago.

    CDSA, according to the Open Group that designed it, "is a set of layered security services and cryptographic framework that provide an infrastructure for creating cross-platform, interoperable, security-enabled applications for client-server environments is an architecture."

    Apple incorporated support for CDSA and OpenSSL in its early development of Mac OS X. In 2004, Apple was recommending that Mac developers adopt CDSA, noting that it "will improve the overall performance of the system by reducing the number of libraries that frameworks link against to do cryptography."

    As the company noted in its Mac security documentation from a decade ago, "CDSA is an Open Source security architecture adopted as a technical standard by the Open Group. Apple has developed its own Open Source implementation of CDSA, available as part of Darwin at Apple's Open Source site. This API provides a wide array of security services, including fine-grained access permissions, authentication of users' identities, encryption, and secure data storage."

    Apple builds its own security architecture



    By at least 2006 however, Apple began working on a new cryptography API for the future, designed to use less code, run faster and support concurrent use of multiple processors. These features were not only necessary for future Macs, but would also be critically important to iOS.

    The desire to build a streamlined, modern security architecture was also driven by a need for FIPS 140-2 validation, required to sell devices to a variety of U.S. government agencies. As sales of iPhone and later iPad began to explode, Apple's efforts to address a robust alternative to the outdated CDSA took on new urgency.

    The first step was Common Crypto, a low level C framework supporting core encryption algorithms Apple first released for OS X 10.5 Leopard in 2007 and later brought to iOS 5 in 2011. Apple has continued to work on making low level crypto functions easier for developers to use.

    That includes Apple's OS X Security Transforms package, which is deeply integrated with Grand Central Dispatch to enable pipelines of data (including encryption tasks) to be spread out across available processors. It also supports hardware acceleration of crypto functions on modern processors like Intel's Core i5 and i7.

    Apple deprecates CDSA & OpenSSL



    By 2011, Apple was ready to deprecate CDSA, noting to developers at its WWDC event that the architecture was based on an Open Group standard that few other vendors supported besides Apple, and included lots of features nobody actually used. That required Apple to assume and manage a lot of complex external issues without any real cross-platform benefit.

    "CDSA has its own standard programming interface, it is complex and does not follow standard Apple programming conventions," the company noted to its developers in Mac security documentation. iOS never incorporated CDSA, and both OS X and iOS "include their own higher-level security APIs that abstract away much of that complexity."

    Building its own security software meant that Apple and its developers were no longer captive to the external development issues and eccentricities related to the OpenSSL open source project, which despite its critical importance and broad use by the industry, was being funded through donations and was, incredibly, maintained by a very small team of just four core developers.

    "Although OpenSSL is commonly used in the open source community," Apple stated in its documentation, "OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

    "If your app depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your app. This use of OpenSSL is possible on both OS X and iOS. However, unless you are trying to maintain source compatibility with an existing open source project, you should generally use a different API."

    Apple's concern about OpenSSL lacking a "stable API from version to version" relates to the complications it would face in trying to update or patch security flaws in the open source software package in a way that wouldn't break third party apps wired to a previous version of OpenSSL. Deprecating OpenSSL in favor of its own software meant that Apple had greater control in managing its own platform.

    A broad variety of vulnerabilities in Apple's OS X software have actually related to outside software that Apple has bundled with its own, including both open source software packages and third party commercial components like Adobe Flash.

    Heartbleed hits OpenSSL



    Apple's timing proved to be fortuitous. Just six months after Apple officially deprecated OpenSSL, the Heartbleed flaw was inadvertently introduced in OpenSSL via a Heartbeat feature designed to keep secure connections alive and active. The flawed Heartbeat feature was included in the following March 2012 release of OpenSSL, and enabled by default.

    While Apple had been advising its Mac and iOS developers to use other software before the bug had ever been introduced and never distributed the subsequent versions of OpenSSL that incorporated the security flaw, much of the rest of the industry had been standardizing on the latest, freely available version of OpenSSL.

    More than two years later, a researcher at Google discovered that the OpenSSL Heartbeat feature was flawed, potentially allowing a malicious user to "bleed" data from a server using an affected version of OpenSSL, and possibly even recover security keys that could be used to spy on intercepted streams of encrypted data. Client software affected by Heartbleed could also be exploited by a malicious server.

    "Servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all," noted a report by The Guardian.

    According to a report by Brendan Sasso of the National Journal, Google began work on addressing the flaw internally without telling anyone else about it, not even the U.S. government, which ostensibly wasn't aware of the vulnerability until Google first disclosed it on April 1 via the company's Google Plus social network.

    A timeline compiled by Ben Grubb of the Sydney Morning Herald indicates that various firms over the next week battled both for publicity and against public disclosure of the Heartbleed flaw, with security companies seizing upon it as a way to make a name for themselves, and those affected scrambling to address the problem before they and their clients could be exploited by third parties armed with the same knowledge.

    The perceived advantage of open software being innately more secure through broad use and exposure to more eyeballs ran into the reality of disadvantages involved with broad industry reliance upon a widely distributed monoculture of software developed by relatively few people who didn't necessarily share the same design goals as their broad spectrum of users (including that lack of interest in maintaining API compatibility).

    A flaw in Apple's own code



    Apple and its Mac and iOS users weren't affected by Heartbleed, but just weeks before, the company had been hit by a similar vulnerability related to a flaw in Apple's own code, which just happened to also be related to SSL certificate based security.

    In Apple's case, the flaw, branded as "GoToFail," related to code the company maintained itself, although like OpenSSL, Apple's code had also been published as open source. As with OpenSSL, merely being open to eyeballs didn't result in Apple's code being free of undiscovered flaws.

    Apple was condemned in a series of posts laced with profanity for patching iOS first (before GoToFail was publicly known about) and not releasing a patch for OS X until three days later.

    In contrast, it took a week for the various parties involved in Heartbleed to even coordinate its disclosure, with embargo leaks informing some clients, including OpenSSL, Akamai and Facebook as much as several days before the general public and even major companies including Cisco, Dropbox, Juniper, Twitter, Ubuntu and Yahoo.

    Another security flaw, similarly affecting network security, was identified in Android's WebView 16 months ago. While much more serious in that it provided full control of a device to remote malicious users and had functional tools available that allowed virtually anyone to exploit the flaw, roughly 75 percent of Android devices appear to remain vulnerable.



    4-20-14

    Source








     
  12. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.

    After all this time, is Heartbleed really still an issue we should be concerned with? Yes, yes it is. Heartbleed, the shockingly severe and widespread OpenSSL flaw that impacted 66% of the entire Internet at the time of its discovery, has already been addressed by thousands upon thousands of websites. But believe it or not, there are still countless websites — and apps — out there that have yet to apply the updates necessary to protect their users.

    With vulnerable Android apps having been downloaded a whopping 150 million times, Heartbleed is a particularly important issue for Android users. And now, a simple new app claims that it will protect Android phone and tablet owners for free.

    Released last week and updated on Monday, CM Security Heartbleed Scanner by app developer KS Mobile will scan your Android device for apps that are still vulnerable to Heartbleed. Continued usage of apps and websites that remain vulnerable can lead to the theft of your login credentials and other sensitive personal data.


    KS Mobile highlights the following features:


    • It’s 100% free and available today on Google Play
    • Scans all Android mobile apps on Android Device to check for Heartbleed-infected applications
    • Checks Android hardware to verify security of physical mobile device
    • Reminds users to change their passwords or delete any infected apps until the Heartbleed bug is fixed
    • Protects users’ sensitive data, such as passwords and account credentials, by reminding users to change their passwords or delete any infected apps until the bugs are fixed.

    This developer is also the team behind popular anti-virus Android app CM Security, which has been downloaded more than 10 million times and has a 4.7 star rating in the Google Play store with nearly 2.5 million reviews.

    CM Security Heartbleed Scanner is completely free and can be downloaded by following the link below in our source section.

    For more on how to protect yourself from Heartbleed and other security flaws, see our post on how to tell if any of your accounts have been hacked.






    4-28-14

    Source
     
