# 'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords



## JMH3143 (Jun 18, 2012)

> A flaw in software that's widely used to secure Web communications means that passwords and other highly sensitive data could be exposed. Some say they've already found hundreds of Yahoo passwords.


'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET


----------



## JMH3143 (Jun 18, 2012)

*OpenSSL Heartbleed Vulnerability Update*



> This past Monday, April 7th, the OpenSSL Project released an update to address a serious security issue – CVE-2014-0160 – nicknamed “Heartbleed“. Any server or client application that depends on impacted versions of OpenSSL is vulnerable to a leak of encrypted secrets to a remote attacker.


Cerulean Studios' Blog » Blog Archive » OpenSSL Heartbleed Vulnerability Update


----------



## JMH3143 (Jun 18, 2012)

*Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet*



> I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”
> The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.
> This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, _very_ large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.


Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet | TechCrunch


----------



## JMH3143 (Jun 18, 2012)

*The Heartbleed Bug, explained*



> There was big news in the computer security world yesterday when researchers announced a massive vulnerability in popular web encryption software called OpenSSL. Major online service providers are scrambling to address the problem. What happened? And how does it affect you? Read on to find out.
> 
> *What's SSL?*
> 
> SSL is a popular encryption technology that allows web users to protect the privacy of information they transmit over the internet. When you visit a secure website such as Gmail.com, you'll see a lock next to the URL, indicating that your communications with the site are encrypted. Here's what that looks like in Google's Chrome browser:


The Heartbleed Bug, explained - Vox


----------



## Dave Atkin (Sep 4, 2009)

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

You wonder how something like this wasn't discovered after being live for two years.


----------



## Steve40th (Feb 7, 2005)

Dang, so now we sit and wait?


----------



## Flight Sim Guy (Dec 19, 2011)

Just found these:

Which Websites are Affected by the Heartbleed OpenSSL Encryption Bug? | Digital Trends

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt


----------



## sobeit (Nov 11, 2007)

What I find interesting is they are advising NOT to change your password until the site is secure. It sounds like since they made the security issue public they may have made it worse. Between now and the time the different sites become secured, those hackers who did not know about the breach will be checking it out.


----------



## Flight Sim Guy (Dec 19, 2011)

Exactly.


----------



## Masterchiefxx17 (Feb 27, 2010)

This has been around since 2012. Not sure why all of a sudden it's a big deal.


----------



## Flight Sim Guy (Dec 19, 2011)

Because they discovered it?


----------



## Masterchiefxx17 (Feb 27, 2010)

They have known about this bug for two years now. How have they only just discovered it??


----------



## JMH3143 (Jun 18, 2012)

*Heartbleed vulnerability may have been exploited months before patch [Updated]*



> *Update:* Errata Security's Robert Graham has acknowledged that he was mistaken in his assessment, and that private keys could be at risk. The original story below has been marked up accordingly.
> There’s good news, bad news, and worse news regarding the “Heartbleed” bug that affected nearly two-thirds of the Internet’s servers dependent on SSL encryption. The good news is that many of those servers (well, about a third) have already been patched. And according to analysis by Robert Graham of Errata Security, the bug won’t expose the private encryption key for servers “in most software" (though others have said several web server distributions are vulnerable to giving up the key under certain circumstances.)


Heartbleed vulnerability may have been exploited months before patch [Updated] | Ars Technica


----------



## JMH3143 (Jun 18, 2012)

*Heartbleed bug: how to avoid this massive web hack*



> Since a fix was released yesterday, a bug has been crawling around the internet for a staggering two years. Introduced to glom on to the system known as OpenSSL back in December of 2011 and in the wild since OpenSSL v1.0.1, this bug has been on the web since the 14th of March, 2012. But why was it only made apparent this week, and what can you do?


Heartbleed bug: how to avoid this massive web hack - SlashGear


----------



## JMH3143 (Jun 18, 2012)

*Here's How To Protect Yourself From The Massive Security Flaw That's Taken Over The Internet*



> It’s been a while since there was a computer security bug we all had to worry about.
> Unfortunately, it seems like we may all have been facing one for two years and not even realised it.
> Yesterday, security researchers announced a security flaw in OpenSSL, a popular data encryption standard, that gives hackers who know about it the ability to extract massive amount of data from the services that we use every day and assume are mostly secure.
> This isn't simply a bug in some app that can quickly be updated — the vulnerability is on the machines that power services that transmit secure information, like Facebook and Gmail.


Here's How To Protect Yourself From The Massive Security Flaw That's Taken Over The Internet | Business Insider


----------



## koala (Mar 27, 2005)

From Heartbleed vulnerability means resetting these passwords is a good idea | Geek.com


> Which companies answered the bell and have plugged the Heartbleed hole? Here’s a quick list of the big names:
> 
> Google (including Gmail)
> Yahoo! (including Yahoo! Mail)
> ...


----------



## JMH3143 (Jun 18, 2012)

*Not just websites hit by OpenSSL's Heartbleed – PCs, phones and more under threat*



> While most of the buzz surrounding OpenSSL's Heartbleed vulnerability has focussed on websites and other servers, the SANS Institute reminds us that software running on PCs, tablets and more is just as potentially vulnerable.
> Institute analyst Jake Williams said the data-leaking bug “is much scarier” than the gotofail in Apple's crypto software, and his opinion is that it will have been known to black hats before its public discovery and disclosure.
> In a presentation given yesterday, Williams – aka MalwareJake – noted that vulnerable OpenSSL installations on the client side can be attacked by malicious servers to extract passwords and cryptographic keys from users' computers and gadgets.


Not just websites hit by OpenSSL's Heartbleed – PCs, phones and more under threat • The Register


----------



## JMH3143 (Jun 18, 2012)

*Cisco finds 13 products (so far) vulnerable to Heartbleed—including phones*



> Cisco has issued a security bulletin for customers about the Heartbleed bug in the OpenSSL cryptography code, and it’s not about Web servers. So far, the company has unearthed 11 products and 2 services susceptible to attack through the vulnerability, which can be used to retrieve random bits of content from an attacked device’s memory. Cisco’s IOS XE operating system for network hardware is one of the higher-profile products on the company's list.


Cisco finds 13 products (so far) vulnerable to Heartbleed—including phones | Ars Technica


----------



## JMH3143 (Jun 18, 2012)

*US government warns of Heartbleed bug danger*



> The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.
> The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.


BBC News - US government warns of Heartbleed bug danger


----------



## JMH3143 (Jun 18, 2012)

*Beware of Fraudulent Heartbleed Password Reset Emails*



> The most common advice for end users in all the buzz surrounding the Heartbleed vulnerability in OpenSSL was to reset passwords used for sensitive Websites. Setting aside the fact that may not be the best advice, users have to be alert for potential phishing attacks on the way, security experts warned.


Beware of Fraudulent Heartbleed Password Reset Emails


----------



## JMH3143 (Jun 18, 2012)

*Heartbleed Bug: What Can You Do?*



> In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.


Heartbleed Bug: What Can You Do? — Krebs on Security


----------



## Dave Atkin (Sep 4, 2009)

Masterchiefxx17 said:


> This has been around since 2012. Not sure why all of a sudden it's a big deal.


Yes, it's been around for years, but it was only discovered recently by officials. This doesn't, however, mean that other people haven't discovered the vulnerability previously and have been stealing data for years, although nothing has been proven other than one case in Canada, I think I read.

Interesting how one line of wrongly typed code can affect such a massive number of people and businesses. It would be really interesting to know how many man hours have been put into updating servers and equipment. I've done about 4 servers, which took about 10 mins each.


----------



## koala (Mar 27, 2005)

From Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL | Ars Technica


> IBM, Intel, Microsoft, Facebook, Google, and others pledge millions to open source.
> 
> The important role OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.
> 
> ...


----------

