Tag Archive: Password


Who’s to blame for ‘catastrophic’ Heartbleed Bug?

By , Network World
April 10, 2014 12:22 PM ET

Network World – The Heartbleed Bug, basically a flaw in OpenSSL that would let savvy attackers eavesdrop on Web, e-mail and some VPN communications that use OpenSSL, has sent companies scurrying to patch servers and change digital encryption certificates and users to change their passwords. But who’s to blame for this flaw in the open-source protocol that some say also could impact routers and even mobile devices as well?

A German software engineer named Robin Seggelmann of Münster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into the open-source protocol OpenSSL, used by millions of websites and servers, leaving them open to the theft of data and passwords, a weakness that many think has already been exploited by cyber-criminals and government intelligence agencies.

“Half a million websites are vulnerable, including my own,” wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a “catastrophic bug” in OpenSSL because it “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. “This means anything in memory—SSL private keys, user keys, anything—is vulnerable.”


The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL open-source group on April 7 in an OpenSSL advisory, with a fix prepared by OpenSSL contributors Adam Langley and Bodo Möller. Across the world, companies and vendors have been scrambling either to patch their systems or to assure users that their services weren’t using OpenSSL.

Microsoft for example, issued an advisory that “Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.”

But Microsoft added, “However, if you are using Microsoft Azure’s IaaS to host linux images, then you should make sure that your OpenSSL implementation is not vulnerable.”

Twitter also said its services weren’t impacted by Heartbleed. However, websites including Yahoo Mail, Yahoo Messenger and others were impacted. As stories about the Heartbleed Bug filled the news, there was widespread concern and bewilderment in the general public, and it wasn’t uncommon to hear the problem described by people as a computer virus rather than a software flaw.

Internet users told to change ALL passwords in security alert over ‘catastrophic’ Heartbleed bug

  • Online security breach is described as ‘catastrophic’
  • Alert is result of internet bug Heartbleed being uncovered
  • Heartbleed is able to bypass websites’ security measures to access passwords and personal information

By Rebecca Evans and Tania Steere

Internet users have been warned to change all their computer and phone passwords following what could be a ‘catastrophic’ security breach.

Major technology firms have urged the public to immediately update their online security.

The alert is the result of the discovery of an internet bug called ‘Heartbleed’, which is able to bypass computer security settings.

LastPass Heartbleed Checker warns if a website may be at risk. It also reveals websites that aren't affected


HOW TO BEAT THE BUG

If a password is in any dictionary in any language then it will take just three minutes to crack, warned computer expert Tony McDowell.

The worst passwords are the likes of ‘password’, ‘123456’, ‘qwerty’, or your child’s name. Using the same password for every site can leave you even more vulnerable to hackers, he added.

His advice is to use a phrase rather than a word. For example, use ‘nameisabella’ rather than just ‘Isabella’ – and use a mixture of letters and numbers.

A password of ‘name!saBe1la’ would take a year to crack, said Mr McDowell, managing director of Encription Ltd.

‘Most hackers give up after 24 hours unless it is something they really want to gain access to,’ he added.
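The advice above (dictionary words fall quickly, a longer phrase that mixes letters, numbers and symbols holds up longer) can be turned into a simple policy check. The following Python script is an added example, not code from the article or from Encription Ltd. It undoes common letter-for-symbol substitutions before a dictionary lookup (an added check the article does not mention), computes the brute-force search space from the character classes a password uses, and converts that into a crack-time estimate. The six-word dictionary and the guess rate of one billion guesses per second are constructed assumptions; a real checker would load a full word list and calibrate the rate to the password hash in use.

```python
import string

# Constructed stand-in for "any dictionary in any language" (assumption: a real
# checker would load a full word list; this tiny set is only for illustration).
DICTIONARY = {"password", "123456", "qwerty", "isabella", "letmein", "welcome"}

# Assumed attacker guess rate for the time estimates below; the article gives
# none, so this is a constructed figure (one billion guesses per second).
GUESSES_PER_SECOND = 1_000_000_000

# Common substitutions a policy checker undoes before the dictionary lookup, so
# "pa55w0rd" is still recognised as "password" (added check, not from the article).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

DAY = 60 * 60 * 24
YEAR = 365 * DAY


def normalise(password):
    """Lower-case the password and reverse the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def alphabet_size(password):
    """Size of the character set implied by the classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def search_space(password):
    """Worst-case number of guesses: one per dictionary entry if the password
    reduces to a dictionary word, otherwise a full brute-force search."""
    if normalise(password) in DICTIONARY:
        return len(DICTIONARY)
    return alphabet_size(password) ** len(password)


def seconds_to_crack(password):
    """Worst-case time at the assumed guess rate."""
    return search_space(password) / GUESSES_PER_SECOND


def assess(password):
    """Return a short verdict together with the numbers behind it."""
    space = search_space(password)
    seconds = space / GUESSES_PER_SECOND
    if normalise(password) in DICTIONARY:
        verdict = "dictionary word"
    elif seconds < DAY:
        verdict = "weak"
    elif seconds < YEAR:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {"password": password, "search_space": space,
            "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    # The article's own sample passwords plus one substitution-disguised word.
    for candidate in ("Isabella", "pa55w0rd", "Isabella1", "nameisabella", "name!saBe1la"):
        result = assess(candidate)
        print(f"{candidate!r:16} {result['verdict']:16} {result['seconds']:.3g} s")
```

The figures are only as good as the assumed guess rate: a slow password hash on the server side lowers the rate an attacker can achieve and raises every estimate, while a leaked list of unsalted fast hashes does the opposite.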

WHICH MAJOR SITES ARE AT RISK?

Potentially vulnerable sites:

Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander

Safe sites:

Bing, Yahoo, Flickr, LastPass, DuckDuckGo, Natwest, GitHub

The tool is a guide to affected services; it is not a definitive list.

Sites listed as vulnerable may use unreported servers, meaning their status can’t be officially verified.

As a result, personal information such as passwords and credit card details has been accessible.

Hackers Publish Over 450,000 Emails and Passwords Stolen From Yahoo

By Lucian Constantin, IDG News Service (Romania Bureau)

A Yahoo representative has confirmed that the data published Thursday was indeed some 450,000 names and passwords for Yahoo and other companies.

“We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo and other company users names and passwords was compromised yesterday, July 11,” Caroline MacLeod-Smith, Yahoo’s head of consumer PR in the UK said via e-mail. “Of these, less than 5 percent of the Yahoo accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

The group of hackers calls itself “the D33Ds Company” and claims to have hacked into the database by exploiting an SQL injection vulnerability found on a Yahoo subdomain. They published a list of over 453,000 log-in credentials on the Internet that were allegedly stolen from a database associated with an unnamed Yahoo service…

…

Hackers Mock Yahoo’s Security

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers said. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”

“The subdomain and vulnerable parameters have not been posted to avoid further damage,” the hackers said in their release notes…
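The breach is attributed to an SQL injection flaw in a web application. The following Python snippet is an added example, not code from the article, from Yahoo, or from the group quoted; the in-memory table, the user rows and the lookup functions are all constructed assumptions and say nothing about the actual subdomain or parameters, which the article notes were withheld. It shows the defect class beside its fix: a query that splices the request parameter into the SQL text versus one that binds it as a parameter, so the same input returns every row in the first case and nothing in the second.

```python
import sqlite3

# Constructed sample data standing in for a web application's user table
# (assumption: nothing here reflects the database the article describes).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the untrusted value becomes part of the SQL grammar,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the driver binds the value separately from the statement,
    so whatever the input contains, it is only ever compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def contrast(username):
    """Run both lookups on the same input and return the row counts (unsafe, safe)."""
    conn = build_db()
    try:
        return len(lookup_unsafe(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name behaves identically under both queries.
    print("alice:", contrast("alice"))             # (1, 1)
    # The textbook tautology input; only the unsafe query is fooled by it.
    print("tautology:", contrast("x' OR '1'='1"))  # (3, 0)
```

The parameterised form also handles legitimate input the unsafe one cannot: a name containing an apostrophe is a syntax error for the string-spliced query and an ordinary no-match for the bound one, which is why parameter binding is the fix rather than input filtering.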