| |||||||||
| |||||||||
Current Filter: Security>>>>>> 'Heartbleed' vulnerability sparks widespread fears Editorial Type: News Date: 05-2014 Views: 2495 Key Topics: Security Cryptography Security Breach Authentication Passwords Servers Key Companies: SecureData SensePost Key Products: OpenSSL Key Industries: | |||
| A critical vulnerability affecting the popular OpenSSL cryptographic software library has been exposed Dubbed the 'Heartbleed' bug - after the SSL heartbeat code it exploits - the new vulnerability allows an attacker to access parts of an affected server's memory. This could include email, usernames, passwords and other authentication tokens, and maybe even the private keys used to secure SSL traffic. This could severely impact countless businesses, it is feared - although it may have been in existence for the past two years. Current estimates hypothesise between 10-20% of SSL protected services on the Internet as at risk, according to Daniel Cuthbert, chief operating officer at SecureData-owned security consultancy SensePost. "The vulnerability was the result of a missing check in the source code controlling the size of a heartbeat response sent by the server. This could allow a user to specify a larger payload size and cause the server to read beyond the buffer being addressed, and include up to 64k of other memory from the heap space of the vulnerable process," states Cuthbert. "As a result, it allows the retrieval of information stored in memory of the vulnerable server." Using available exploit code, attackers are able to obtain credentials, secret cryptographic keys, instant messages and business-critical documents. "There is no way to know what has been exposed to attackers so far and so post-breach activities should be initiated in a general way," he advises. "If the vulnerable services made use of, or transported, authentication credentials, such as usernames and passwords or single-sign on tokens, such as OAuth, these should be reset. Additionally, any long-running server side sessions [identified to a user by a cookie] should be terminated. For high security systems, the SSL keys should be re-issued and the previous certificate revoked." | ||
Like this article? Click here to get the Newsletter and Magazine Free! | |||
Email The Editor! OR Forward Article | Go Top | ||
PREVIOUS | NEXT |