By Kota Saumya - HYDERABAD
Published: 14th April 2014 09:25 AM
Last Updated: 14th April 2014 09:25 AM
Most of us take the necessary precaution when it comes to keeping our personal computers safe with the usual anti-virus softwares available. And keeping up-to-date with the latest troublemakers is part of that. However, for two years, the Heartbleed bug has gone undetected and yet has affected millions of websites, wreaking havoc.
Actually a loophole in the programme OpenSSL software version 1.1, the open-source encryption standard used by the most of the websites, hackers across the world have been using this vulnerability to access personal information uploaded by users on to these sites.
Google’s security researcher and security firm Codenomicon discovered the culprit last week, by which time most popular websites that use this encryption software like Facebook, Instagram and Dropbox and Gmail were affected, including certain bank transactions.
Now in damage control mode, code experts are working overnight to reign in the bug. While word is some of these sites have managed to mitigate the problem, there isn’t any official confirmation yet.
What makes this such a deadly vulnerability is the rather late wake up call.
Explaining the issue, Kiran Chandra, general secretary, Free Software Movement of India, says, “Websites use this to transmit data which users want to keep secure. The encryption comes into play by making the information appear unreadable for anyone except the intended person. It helps provide a secure connection when one is chatting on Gmail or using any other application, working from point to point.”
So when one computer wants to check if there’s still a computer at the end of its secure connection it will send out what’s known as a ‘heartbeat,’ a small packet of data that asks for a response. The twist in the story comes here: researchers at Google and Codenomicon found that one can send a well-disguised packet of data which looks like this heartbeat to trick a computer at the other end into divulging data stored in its memory.
“Due to this loophole, hackers can access information like usernames, passwords, credit card numbers, etc, that are stored on servers. Hackers have been able to access encryption keys of websites which turn the unreadable information into valuable information,” adds Kiran. With encryption keys at their disposal, hackers can access the information from the site’s server and read it without establishing a secure connection. Unless websites change their encryption codes, users and the future traffic will continue to remain affected, he opines.
Most popular sites are powered by the Open SSL inlcuding Twitter, Tumblr, Yahoo, GoDaddy and Minecraft to name a few more. While sites try and secure their users information in the mean time, you can check if you are still vulnerable by taking the Heartbleed test on to http://filippo.io/Heartbleed.
Source: The New Indian Express
Published: 14th April 2014 09:25 AM
Last Updated: 14th April 2014 09:25 AM
Most of us take the necessary precaution when it comes to keeping our personal computers safe with the usual anti-virus softwares available. And keeping up-to-date with the latest troublemakers is part of that. However, for two years, the Heartbleed bug has gone undetected and yet has affected millions of websites, wreaking havoc.
Actually a loophole in the programme OpenSSL software version 1.1, the open-source encryption standard used by the most of the websites, hackers across the world have been using this vulnerability to access personal information uploaded by users on to these sites.
Google’s security researcher and security firm Codenomicon discovered the culprit last week, by which time most popular websites that use this encryption software like Facebook, Instagram and Dropbox and Gmail were affected, including certain bank transactions.
Now in damage control mode, code experts are working overnight to reign in the bug. While word is some of these sites have managed to mitigate the problem, there isn’t any official confirmation yet.
What makes this such a deadly vulnerability is the rather late wake up call.
Explaining the issue, Kiran Chandra, general secretary, Free Software Movement of India, says, “Websites use this to transmit data which users want to keep secure. The encryption comes into play by making the information appear unreadable for anyone except the intended person. It helps provide a secure connection when one is chatting on Gmail or using any other application, working from point to point.”
So when one computer wants to check if there’s still a computer at the end of its secure connection it will send out what’s known as a ‘heartbeat,’ a small packet of data that asks for a response. The twist in the story comes here: researchers at Google and Codenomicon found that one can send a well-disguised packet of data which looks like this heartbeat to trick a computer at the other end into divulging data stored in its memory.
“Due to this loophole, hackers can access information like usernames, passwords, credit card numbers, etc, that are stored on servers. Hackers have been able to access encryption keys of websites which turn the unreadable information into valuable information,” adds Kiran. With encryption keys at their disposal, hackers can access the information from the site’s server and read it without establishing a secure connection. Unless websites change their encryption codes, users and the future traffic will continue to remain affected, he opines.
Most popular sites are powered by the Open SSL inlcuding Twitter, Tumblr, Yahoo, GoDaddy and Minecraft to name a few more. While sites try and secure their users information in the mean time, you can check if you are still vulnerable by taking the Heartbleed test on to http://filippo.io/Heartbleed.
Source: The New Indian Express