More Than A Half-Million Servers Exposed To Heartbleed Flaw

The newly exposed Heartbleed bug plaguing some 17 percent of SSL-secured websites as well as various VPN products has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?

Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in the so-called Heartbeat extension of TLS, and discovered some 600,000 affected out of 28 million SSL machines. He estimates that some one-third of SSL machines had already been patched with the update to the buggy OpenSSL library. Netcraft, meanwhile, says the buggy Heartbeat extension is enabled on 17.5 percent of SSL sites, which include close to a half-million digital certificates at risk of theft and spoofing from the attack.
www.darkreading.com/informationweek-home/more-than-a-half-million-servers-exposed-to-heartbleed-flaw/d/d-id/1204318

Also see:

Flaw Calls for Altering Passwords, Experts Say
A programming mistake from two years ago has forced countless websites to make fixes to protect the sensitive personal information of consumers.

What consumers should do to protect their own information isn't quite as clear, because security experts have offered conflicting advice. Should users change their web passwords immediately or wait until sites have fixed the problem?
http://www.nytimes.com/2014/04/10/technology/flaw-calls-for-altering-passwords-experts-say.html

Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem
The list of products and sites affected by the OpenSSL Heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: it is difficult to know whether an attacker has exploited the vulnerability on a given system.

The nature of the vulnerability in OpenSSL is such that an attacker can exploit it without the site operator knowing: the malicious heartbeat request is handled inside the TLS layer and never reaches the application, so it leaves nothing in ordinary web server logs. The flaw lies in the way the OpenSSL library handles the heartbeat extension for TLS, and it exists in many versions of the software. OpenSSL is deployed on a huge number of sites, roughly two-thirds of the Web by some estimates, and although the OpenSSL project has released a fixed version, it could be some time before the majority of sites are patched.
http://threatpost.com/difficulty-of-detecting-openssl-heartbleed-attacks-adds-to-problem/105354

Users' Stark Reminder: As Web Grows, It Grows Less Secure
It was the computer programming equivalent of misspelling Mississippi: an error at once careless, inevitable and hard for most human eyes to spot.

The bug known as Heartbleed, a flaw widely replicated in the main system for encrypting consumers' online data, is a stark reminder that the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today's digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.
http://www.nytimes.com/2014/04/10/technology/users-stark-reminder-as-web-grows-it-grows-less-secure.html
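The Threatpost item above makes the point that an exploit attempt leaves no trace on the server. One place it can still be seen is on the wire. The bug itself is that unpatched OpenSSL trusts the payload_length field of a heartbeat request without comparing it to the size of the TLS record that carried it, and the fix (OpenSSL 1.0.1g) simply discards any heartbeat whose declared payload plus the 16 bytes of mandatory padding does not fit in the record. The Python below is an added example, not code from any of the articles linked here or from OpenSSL: it builds two heartbeat records as constructed sample data (not captured traffic), one well formed and one that declares a 16 KiB payload while carrying none, and applies that same bounds check to each, the way a passive sensor or IDS rule would.

```python
import struct

TLS_HEARTBEAT = 24             # TLS record content type for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body); raise if truncated."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return content_type, version, body


def check_heartbeat(body):
    """Apply the bounds check that patched OpenSSL performs on a heartbeat message.

    Returns (verdict, claimed_payload_len, actual_body_len):
      'ok'        - declared payload plus padding fits inside the record
      'malformed' - declared payload exceeds the record: unpatched OpenSSL would
                    copy that many bytes from process memory into its response
      'short'     - too small to hold even the 3-byte heartbeat header plus padding
    """
    if len(body) < 1 + 2 + MIN_PADDING:
        return "short", None, len(body)
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    if 1 + 2 + claimed + MIN_PADDING > len(body):
        return "malformed", claimed, len(body)
    return "ok", claimed, len(body)


def build_heartbeat_record(claimed_len, payload, padding=b"\x00" * MIN_PADDING, version=0x0302):
    """Build a TLS heartbeat request record. claimed_len may deliberately disagree with len(payload)."""
    hb = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(hb)) + hb


# Constructed sample traffic (assumption for the example, not captured data): a benign
# 4-byte "ping" request, and a request that declares 16384 bytes but carries none.
SAMPLE_RECORDS = [
    build_heartbeat_record(4, b"ping"),
    build_heartbeat_record(16384, b""),
]


def scan(records):
    """Return one verdict per TLS record; records that are not heartbeats are 'ignored'."""
    verdicts = []
    for rec in records:
        content_type, _version, body = parse_tls_record(rec)
        if content_type != TLS_HEARTBEAT:
            verdicts.append("ignored")
            continue
        verdicts.append(check_heartbeat(body)[0])
    return verdicts


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(f"{rec[:8].hex()}... -> {verdict}")
```

Two caveats for anyone turning this into a detection rule. The check only works where the heartbeat message is visible in the clear, which is the case for heartbeats sent before the handshake finishes (the approach the public proof-of-concept scanners took); once the record layer is encrypted, a passive sensor sees only the outer record header and cannot read the inner length field. And flagging a malformed request tells you an attempt happened, not what the server returned; the server-side silence that the article describes is exactly why network capture from before the patch is the only evidence most sites will have.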
