Heartbleed: the bug that put the internet on high alert – The Verge

New Heartbleed attack hits Android devices and routers over Wi-Fi

2014-05-29T16:48:24-04:00

Seven weeks after the bug put the web on high alert, Heartbleed is still causing problems. A new report from Portuguese security researcher Luis Grangeia describes how the same bug could be used over Wi-Fi to enable new kinds of attacks that build on the same vulnerability.

The damage will be much more contained than Heartbleed

Dubbed Cupid, the new line of attack would perform the same Heartbleed procedure over Wi-Fi instead of the open web, either pulling data from enterprise routers or using a malicious router to pull data from Android devices as they connect. In each case, the attacker would be able to view snippets of the working memory …

Read the full story at The Verge.

More than 300,000 servers are still vulnerable to Heartbleed

2014-05-08T14:51:33-04:00

One month after the critical Heartbleed vulnerability was first revealed, there are still more than 300,000 servers vulnerable to the bug, according to security researcher Robert David Graham. Graham arrived at the number through a global internet scan, which found a full 1.5 million servers that still support the "heartbeat" feature of OpenSSL that allowed the bug, and exactly 318,239 systems that are still vulnerable. The number counts only confirmed cases and there may well be other systems that escaped Graham's accounting, either because of spam blocking or unorthodox OpenSSL setups.

It's a troubling number, given how available Heartble …

Read the full story at The Verge.

Just two men are tasked with taking care of OpenSSL

2014-04-27T14:13:05-04:00

OpenSSL is a key security backbone for untold thousands of websites to make sure strangers can't see what you're doing. But as the Heartbleed bug has revealed, this essential tool is in dire need of support; the hodgepodge team in charge of upkeep for the open source protocol is severely understaffed and underpaid. Buzzfeed has published a wonderful feature story on the two men who have been primarily responsible for OpenSSL for more than a decade, and it provides a look into just how a simple flaw like Heartbleed could have made it into the code. Thankfully, if one good thing has come out of this massive security breach, it's that OpenSSL m …

Read the full story at The Verge.

Google, Microsoft and Facebook launch $3.6 million project to stop the next Heartbleed

2014-04-24T08:00:08-04:00

The sudden chaos of the Heartbleed bug drove home just how much of the web relies on OpenSSL software, and just how little was being spent to maintain it. But in the aftermath, some of the biggest players in tech are coming together to change that, and hopefully spot the next Heartbleed before it can wreak quite as much havoc.

"I wish we had done this a long time ago."

The new project is called the Core Infrastructure Initiative, formed by the Linux Foundation and devoted to plowing money into the critical software infrastructure that needs it. Executive director Jim Zemlin says that after Heartbleed, it was clear something needed to change. …

Read the full story at The Verge.

Healthcare.gov users asked to reset passwords following Heartbleed bug

2014-04-19T13:04:01-04:00

The officials are requesting that Healthcare.gov users reset their passwords after a continuing internal review by the Department of Homeland security flagged the site as possibly being vulnerable to a Heartbleed exploit. The move to reset passwords is being taken "out of an abundance of caution," according to a a notice published on the site, which serves as a portal for the health insurance exchanges set up under Obamacare. In addition, the note says that "there's no indication" that any information was revealed through Heartbleed.

Critics of the Affordable Care Act may seize the opportunity to attack the much-maligned Healthcare.gov webs …

Read the full story at The Verge.

The first Heartbleed hacker has been arrested

2014-04-16T15:15:48-04:00

Canadian officials say they've tracked down the man responsible for the last week's Heartbleed-assisted breach at the Canadian Revenue Agency, which compromised the personal data of more than 900 citizens. According to The Calgary Herald, 19-year-old Stephen Arthuro Solis-Reyes from London, Ontario has been officially charged with the attack after five days of investigation. The official charges are "unauthorized use of a computer" and "mischief in relation to data."

The attack took place on Friday, after the Heartbleed bug was made public, but before the CRA was able to patch their servers to protect against it. As a result, attackers were …

Read the full story at The Verge.

Heartbleed bug responsible for theft of 900 Canadian tax ID numbers

2014-04-14T10:47:25-04:00

Canada's taxpayers may be the first victims of the Heartbleed bug that put the web on high alert last week. According to the Canada Revenue Agency, 900 social insurance numbers (SINs) were stolen by hackers exploiting the security vulnerability. Even on a small scale, the breach is tantamount to identity theft, and is a situation the CRA had worked hard to avoid.

Taxpayer information stolen in a brief six-hour period

In an official statement issued this morning, the CRA said that it removed public access to its online services when news broke about Heartbleed last week, and worked "around the clock" to patch the bug. However, the taxpayer in …

Read the full story at The Verge.

Hacker successfully uses Heartbleed to retrieve private security keys

2014-04-11T21:34:44-04:00

This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, Cloudflare said, its researchers failed to exploit the bug to steal a website's private SSL keys, which secures the data sent to users. It issued a challenge to white-hat hackers to successfully retrieve the private security keys - and unfortunately for the web, one of them succeeded.

The hacker, Node.js team member Fedor Indutny, claimed on Twitter that he'd tracked down the SSL keys.

Just cracked @CloudFlare 's challenge: https://t. …

Read the full story at The Verge.

Glenn Greenwald and Laura Poitras return to US, blame government for climate of fear

2014-04-11T18:21:41-04:00

At the presentation ceremony for Long Island University's prestigious George Polk Awards in journalism, reporters were recognized for some of the biggest stories of the past year: the NFL's indifference to concussions, the deliberate attempts by New Jersey governor Chris Christie's office to create traffic jams, former Virginia governor Robert McConnell's acceptance of illegal gifts. But one of the most dramatic moments was a series of text messages signaling the arrival of two journalists who helped reveal the large and hidden web of NSA surveillance: documentarian Laura Poitras and reporter Glenn Greenwald.

The presentation of the Polk Aw …

Read the full story at The Verge.

The NSA has exploited Heartbleed bug for years, Bloomberg reports

2014-04-11T15:10:25-04:00

Bloomberg is reporting that the Heartbleed bug, which shocked the web security community this week, has been known and actively exploited by the National Security Agency for at least two years. According to two anonymous sources familiar with the matter, the bug was kept secret in the interest of national security, while the agency used it to obtain passwords and other data. Since the bug was first committed in 2012, the report suggests the NSA discovered the bug and maintained access for nearly the entire lifespan of Heartbleed.

"They are going to be completely shredded."

The vulnerability could have been used to attack many services that w …

Read the full story at The Verge.