Friday, April 18, 2014

What Are We Supposed to Do Against Heartbleed Bug - CVE-2014-0160 (OpenSSL Exploit)?

Heartbleed Bug Outline

The Heartbleed bug was first found last Friday, when Antti Karjalainen and colleagues were updating the functionality of Codenomicon's test components. Heartbleed is classed as a zero-day exploit, which suggests that the bug has existed for a long time, or has been known to some technicians who are paid to find such man-made bugs for Internet companies.

As soon as the Heartbleed bug was reported, concern about information security spread among the public, since more and more people now store important documents online, in the cloud. Professionals and Internet operations staff are working hard to patch the Heartbleed bug before hackers exploit it. Meanwhile, Codenomicon has bought the domain "heartbleed.com" to offer detailed information and the latest reports on the OpenSSL exploit.

Some Security Issues about Heartbleed Bug

In short, the Heartbleed bug lies in OpenSSL's implementation of the TLS (Transport Layer Security) heartbeat extension, RFC 6520. Because of a missing bounds check, an attacker can read, without privilege or authentication, up to 64 KB of data held in the server's memory.

That data can include:
  • Login credentials
  • Account names
  • Passwords
  • Email content
  • Correspondents
  • Chat content

The Heartbleed bug, CVE-2014-0160 (OpenSSL exploit), is extremely dangerous and hard to detect, because it allows attacks even at the earliest stage of data transmission. Even NASA has had to bow to the bug and announced that its user database had been attacked and exposed.

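As an added example (not code from the original post or from OpenSSL), here is a C sketch of the RFC 6520 length check that the vulnerable OpenSSL versions omitted: the parser rejects any heartbeat whose declared payload_length exceeds what the record actually carries, and the response builder echoes only the validated payload. The message layout follows RFC 6520; the sample records and the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>
/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Constructed sample records (not captured traffic); names are assumed. */
const unsigned char hb_good_req[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };  /* payload_length 4, 16 padding bytes */
const unsigned char hb_bad_req[]  = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };  /* claims 65535 bytes, carries 4 */
unsigned char hb_out[64];                              /* response scratch buffer */

/* Parse one heartbeat message from a TLS record body of rec_len bytes.
 * Returns the declared payload length on success, or -1 if malformed.
 * The comparison against rec_len is the check CVE-2014-0160 lacked: the
 * vulnerable code trusted payload_length and copied that many bytes out of
 * the record buffer, so the echoed response carried adjacent heap memory. */
int hb_parse(const unsigned char *rec, size_t rec_len, const unsigned char **payload)
{
    size_t payload_len;
    if (rec_len < 1 + 2 + HB_MIN_PADDING)      /* cannot even hold header + padding */
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) /* RFC 6520: discard silently */
        return -1;
    if (payload)
        *payload = rec + 3;
    return (int)payload_len;
}

/* Build the response as a patched peer does: echo only the validated payload.
 * Returns the number of bytes written to out, or -1 on error. */
int hb_build_response(const unsigned char *req, size_t req_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *payload;
    int n = hb_parse(req, req_len, &payload);
    if (n < 0 || 3 + (size_t)n + HB_MIN_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)(n & 0xff);
    memcpy(out + 3, payload, (size_t)n);
    memset(out + 3 + n, 0, HB_MIN_PADDING);    /* real padding is random; zero here */
    return 3 + n + HB_MIN_PADDING;
}
```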
What Are We Supposed to Do against Heartbleed Bug - CVE-2014-0160 (OpenSSL Exploit)?

Users who run OpenSSL should update it; where updating is not possible, OpenSSL should be rebuilt with -DOPENSSL_NO_HEARTBEATS.

Affected OpenSSL
  • OpenSSL 1.0.2-beta
  • OpenSSL 1.0.1 - OpenSSL 1.0.1f

Unaffected OpenSSL
  • OpenSSL 1.0.2-beta2
  • OpenSSL 1.0.1g
  • OpenSSL 1.0.0
  • OpenSSL 0.9.8

Keep up with the news on which companies have fixed the Heartbleed bug. Never register on sites that are not reported to have repaired the OpenSSL exploit. It is advisable to check whether a site is safe at http://filippo.io/Heartbleed/ before visiting its pages.
  1. Change your password as soon as you receive confirmation of the security fix from the website in question.
  2. Contact the companies and enterprises, such as Yahoo and Imgur, that hold your personal information to make sure that it is safe.
  3. Keep an eye on your financial statements for any strange deductions.

Note: 

  • Visiting websites is still somewhat risky, as the Heartbleed bug can expose browser cookies and, with them, your online whereabouts.
  • Many people are currently telling the public to change all of their passwords in response to the serious Heartbleed Internet security bug. However, doing so is useless until the Heartbleed bug has been fixed and patched.

In fact, coping with the Heartbleed bug is a race against the hackers. Once the OpenSSL exploit has been fixed on most reputable sites, the alarm will pass and PC users can resume their daily online life, such as shopping, all over again. However, because OpenSSL is so widely used, the risk will persist in other areas, such as client-side products, VPNs, WAFs and so on.

The Heartbleed incident makes us reconsider Internet safety. Just when all of us believe we are safe to do things online, something this big and dangerous strikes. So how will we maintain the existence, stability and safety of the virtual world? For now at least, many large Internet companies have turned to PFS (perfect forward secrecy) technology, which does not keep passwords long enough to allow theft.
