
Friday, April 11, 2014

German software engineer steps forward to take blame for OpenSSL mistake, but issue goes wider

Who's to blame for 'catastrophic' Heartbleed Bug?

By , Network World
April 10, 2014 12:22 PM ET
Network World - The Heartbleed Bug, a flaw in OpenSSL that lets attackers eavesdrop on Web, e-mail and some VPN communications that rely on OpenSSL, has sent companies scurrying to patch servers and replace digital encryption certificates, and users scrambling to change their passwords. But who's to blame for this flaw in the open-source protocol that some say could also affect routers and even mobile devices?
A German software engineer named Robin Seggelmann of Munster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into OpenSSL, the open-source protocol used by millions of websites and servers. The flaw leaves those systems open to the theft of data and passwords, and many believe it has already been exploited by cyber-criminals and government intelligence agencies.
“Half a million websites are vulnerable, including my own,” wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a “catastrophic bug” in OpenSSL because it “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. “This means anything in memory—SSL private keys, user keys, anything—is vulnerable.”
The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL open-source group on April 7 in an OpenSSL Advisory, with a fix prepared by OpenSSL contributors Adam Langley and Bodo Möller. Across the world, companies and vendors have been scrambling either to patch their systems or to assure users that their services weren’t using OpenSSL.
Microsoft, for example, issued an advisory that “Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.”
But Microsoft added, “However, if you are using Microsoft Azure’s IaaS to host linux images, then you should make sure that your OpenSSL implementation is not vulnerable.”
Twitter also said its services weren’t affected by Heartbleed. However, websites including Yahoo Mail, Yahoo Messenger and others were affected. As stories about the Heartbleed Bug spread, there was widespread concern and bewilderment among the general public, and it wasn’t uncommon to hear the problem described as a computer virus rather than a software flaw.

Thursday, April 10, 2014

Heartbleed Bug Online security breach is described as 'catastrophic'

Internet users told to change ALL passwords in security alert over 'catastrophic' Heartbleed bug

  • Online security breach is described as 'catastrophic'
  • Alert is result of internet bug Heartbleed being uncovered
  • Heartbleed is able to bypass websites' security measures to access passwords and personal information
Internet users have been warned to change all their computer and phone passwords following what could be a ‘catastrophic’ security breach.

Major technology firms have urged the public to immediately update their online security.

The alert is the result of the discovery of an internet bug called ‘Heartbleed’, which is able to bypass computer security settings.
LastPass Heartbleed Checker warns if a website may be at risk. It also reveals websites that aren't affected

HOW TO BEAT THE BUG

If a password is in any dictionary in any language then it will take just three minutes to crack, warned computer expert Tony McDowell.

The worst passwords are the likes of ‘password’, ‘123456’, ‘qwerty’, or your child’s name. Using the same password for every site can leave you even more vulnerable to hackers, he added.
His advice is to use a phrase rather than a word. For example, use ‘nameisabella’ rather than just ‘Isabella’ – and use a mixture of letters and numbers.

A password of ‘name!saBe1la’ would take a year to crack, said Mr McDowell, managing director of Encription Ltd.

‘Most hackers give up after 24 hours unless it is something they really want to gain access to,’ he added.

WHICH MAJOR SITES ARE AT RISK?

Potentially vulnerable sites:

Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander

Safe sites:

Bing, Yahoo, Flickr, LastPass, DuckDuckGo, Natwest, GitHub

The tool is a guide to affected services; it is not a definitive list.

Sites listed as vulnerable may use unreported servers, meaning their status can't be officially verified.
Because of the bug, personal information such as passwords and credit card details has been accessible.
