‘Heartbleed’ bug a critical Internet illness

4/11/2014

SAN FRANCISCO–The “Heartbleed” flaw in Internet security is as critical as the name implies and more widespread than first believed.

Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website operators and bank officials to Internet surfers and workers who telecommute being told their data could be in danger.

“Heartbleed is a catastrophic bug in OpenSSL,” well-known computer security specialist Bruce Schneier said in a post at his schneier.com website.

OpenSSL is a commonly used software platform for encrypted transactions at “https” websites that Internet users have been taught to trust.

The Heartbleed flaw lets hackers snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.

“This is going to be a pretty devastating bug,” Trustwave security research manager John Miller told AFP.

“Even after the majority of it is fixed on the Internet, there will be internal services vulnerable.”

Threat widens

The Heartbleed flaw can be found in virtual private network (VPN) software commonly used by workers on the go to securely link with company computer networks.

Computer networking titans Cisco and Juniper put out advisories on Thursday that some of their data-handling gear is susceptible to the bug.

“An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server,” California-based Cisco said in an advisory note.

“The disclosed portions of memory could contain sensitive information.”

Canada’s tax agency shuttered its website Wednesday after warning that encrypted taxpayer data could be vulnerable.

OpenSSL is commonly used to protect passwords, credit card numbers and other data sent via the Internet.

Web masters have been scrambling to update to safe versions of OpenSSL. The vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

The Tor Project, devoted to letting people use the Internet anonymously, advised those in need of privacy to stay offline until the Heartbleed threat is ameliorated.

Crown jewels at risk

Information considered at risk includes source codes, passwords, and “keys” that could be used to impersonate websites or unlock encrypted data.

“These are the crown jewels, the encryption keys themselves,” said a heartbleed.com website devoted to details of the vulnerability.

“Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”

The flaw in OpenSSL allows a hacker to read the memory of a machine running the software, but no more than 64 kilobytes of data at a time, according to security specialists.

However, hackers could repeatedly grab packets of memory to ramp up the odds of stealing valuable data.

“We don’t know how actively Heartbleed was exploited before publication of the vulnerability,” Trustwave’s Miller told AFP.

“Since Monday, when they published, it has been used a lot. People have been executing the attack all over the Internet.”

OpenSSL is used by more than half of websites, but not all versions have the vulnerability, according to heartbleed.com.

The group behind open-source OpenSSL is urging users to upgrade to an improved version of the software and gave credit for finding the bug to Neel Mehta of Google Security.

Major websites and services were given advance word of the Heartbleed flaw to allow time for patches to be put in place before the flaw was made public.

Miller and other security specialists said Heartbleed appeared to be the result of a mistake in writing the OpenSSL code.

Software patches and updates were being rushed out, but it was expected to take time for websites, businesses, router makers and others on the growing list of those at risk to replace software keys used to prevent impersonation or safeguard encrypted data.

Websites need to change credentials used to verify authenticity in order to prevent hackers who may have looted the data from impersonating legitimate online venues and tricking visitors to enter valuable personal information.

Internet users were advised to change passwords to online accounts or services, but only after checking to make sure the Heartbleed flaw has been fixed and new certificates of online identity installed.

While Heartbleed has shaken trust in the Internet, it may well wind up providing insight into which websites or services deserve to be trusted.

“I don’t think it’s a matter of losing faith,” Miller said.

“It is really going to be an individual measure of how organizations respond; and we can start to judge their security postures.”



Source: http://technology.inquirer.net/35393/heartbleed-bug-a-critical-internet-illness

Heartbleed bug and what you need to know

4/11/2014

NEW YORK — Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

The damage caused by the “Heartbleed” bug is currently unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.

There isn’t much that people can do to protect themselves until the affected websites implement a fix.

Here are answers to some common questions about Heartbleed and how you can protect yourself:

Q: What is Heartbleed and why is it a big deal?

A: Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.

It’s unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.

Q: How does it work?

A: Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.

The problem affects only the implementation of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.
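The "no more than 64 kilobytes at a time" limit in the first article and the "How does it work?" answer here both come down to one defect in OpenSSL's TLS heartbeat handling: the responder echoed back as many bytes as the peer's length field claimed, without checking that claim against the record it had actually received. The program below is an added illustration written for this page, not OpenSSL's code; the memory layout, the constructed 21-byte record and the "SECRET-KEY-MATERIAL" marker are assumptions that keep the demonstration well-defined. It shows why a single response is capped at 64 KB (the length field is 16 bits) and the bounds check that the fixed version applies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed defect pattern, not OpenSSL's code.
 * A TLS heartbeat record (RFC 6520) is laid out as:
 *   type (1 byte) || payload_length (2 bytes, big-endian) || payload || padding (>= 16 bytes)
 * and the responder echoes payload_length bytes of payload back to the peer. */
enum { HB_HDR = 3, HB_MIN_PAD = 16, MEM_SIZE = 128, SECRET_OFF = 32 };

/* The length field is 16 bits, which is why one response is capped at 64 KB. */
static uint16_t hb_payload_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern: the peer's length is trusted and never compared with
 * rec_len, the number of bytes actually received, so the copy runs past the
 * record into whatever follows it in memory. 'mem' models process memory that
 * holds the record at offset 0; the guard on mem_len only keeps this model
 * well-defined and is not part of the pattern being shown. */
size_t hb_respond_unchecked(const uint8_t *mem, size_t mem_len, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    uint16_t n = hb_payload_len(mem);
    (void)rec_len;                                  /* the defect: never consulted */
    if ((size_t)n > out_cap || HB_HDR + (size_t)n > mem_len) return 0;
    memcpy(out, mem + HB_HDR, n);
    return n;
}

/* Hardened pattern, same shape as the OpenSSL fix: header + claimed payload +
 * minimum padding must fit inside the record that was received; otherwise the
 * request is silently dropped (RFC 6520 section 4). */
size_t hb_respond_checked(const uint8_t *mem, size_t mem_len, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len > mem_len || rec_len < HB_HDR + HB_MIN_PAD) return 0;
    uint16_t n = hb_payload_len(mem);
    if (HB_HDR + (size_t)n + HB_MIN_PAD > rec_len) return 0;   /* the missing check */
    if ((size_t)n > out_cap) return 0;
    memcpy(out, mem + HB_HDR, n);
    return n;
}

/* Byte-string search used to see whether the echoed bytes include the marker. */
static int contains(const uint8_t *buf, size_t n, const char *pat) {
    size_t m = strlen(pat);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

/* Builds a constructed memory image: a 21-byte heartbeat record carrying the
 * 2-byte payload "hi" but claiming 'claimed' bytes, followed at SECRET_OFF by
 * a constructed marker standing in for key material. Returns the number of
 * bytes the chosen handler echoes and sets *leaked when the marker is among them. */
size_t hb_demo(int checked, uint16_t claimed, int *leaked) {
    uint8_t mem[MEM_SIZE] = {0};
    uint8_t out[MEM_SIZE] = {0};
    const char *secret = "SECRET-KEY-MATERIAL";            /* constructed marker */
    size_t rec_len = HB_HDR + 2 + HB_MIN_PAD;               /* 21 bytes on the wire */

    mem[0] = 0x01;                                          /* heartbeat_request */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HDR, "hi", 2);                          /* the real payload */
    memcpy(mem + SECRET_OFF, secret, strlen(secret));       /* lives past the record */

    size_t n = checked
        ? hb_respond_checked(mem, sizeof mem, rec_len, out, sizeof out)
        : hb_respond_unchecked(mem, sizeof mem, rec_len, out, sizeof out);
    *leaked = contains(out, n, "SECRET");
    return n;
}

int main(void) {
    int leaked;
    size_t n = hb_demo(0, 64, &leaked);
    printf("unchecked: echoed %zu bytes, marker leaked: %s\n", n, leaked ? "yes" : "no");
    n = hb_demo(1, 64, &leaked);
    printf("checked:   echoed %zu bytes, marker leaked: %s\n", n, leaked ? "yes" : "no");
    n = hb_demo(1, 2, &leaked);
    printf("checked, honest length: echoed %zu bytes\n", n);
    return 0;
}
```

The unchecked handler answers a record claiming 64 bytes with 64 bytes, 19 of which are the marker that sits beyond the 21-byte record; the checked handler drops the same request and still answers an honest 2-byte claim normally, which is the behaviour the OpenSSL fix restored.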

Q: So if the problem has been identified, it’s been fixed and I have nothing to worry about. Right?

A: It depends on the website. A fixed version of OpenSSL has been released, but it’s up to the individual website administrators to put it into place.

Yahoo Inc., which has more than 800 million users around the world, said Tuesday that most of its popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn’t identify.

Q: So what can I do to protect myself?

A: Ultimately, you’ll need to change your passwords, but that won’t do any good until the sites you use adopt the fix. It’s also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords.



Source: http://technology.inquirer.net/35390/heartbleed-bug-and-what-you-need-to-know

End of Windows XP support spells trouble for some

4/8/2014

NEW YORK—Microsoft will end support for the persistently popular Windows XP on Tuesday (Wednesday in Manila), and with an estimated 30 percent of businesses and consumers still using the 12-year-old operating system, the move could put everything from the operations of heavy industry to the identities of everyday people in danger.

“What once was considered low-hanging fruit by hackers now has a big neon bull’s eye on it,” says Patrick Thomas, a security consultant at the San Jose, California-based firm Neohapsis.

Microsoft has released a handful of Windows operating systems since 2001, but XP’s popularity and the durability of the computers it was installed on kept it around longer than expected. Analysts say that if a PC is more than five years old, chances are it’s running XP.

While users can still run XP after Tuesday, Microsoft says it will no longer provide new security updates, issue fixes for non-security-related problems or offer online technical content updates. The Redmond, Wash.-based company says it will provide anti-malware-related updates through July 14, 2015, but warns that the tweaks could be of limited help on an outdated operating system.

Most industry observers say they recognize that the time for Microsoft to end support for such a dated system has come, but the move poses both security and operational risks for the remaining users. In addition to home computers, XP is used to run everything from water treatment facilities and power plants to small businesses like doctor’s offices.

Thomas says XP appealed to a wide variety of people and businesses that saw it as a reliable workhorse and many chose to stick with it instead of upgrading to Windows Vista, Windows 7 or 8.

Prone to crashing

Thomas notes that companies that don’t like risk generally don’t like change. As a result, companies most likely to still be using XP include banks and financial services companies, along with healthcare providers. He also pointed to schools from the university level down, saying that they often don’t have enough money to fund equipment upgrades.

Marcin Kleczynski, CEO of Malwarebytes, says that without patches to fix bugs in the software, XP PCs will be prone to freezing up and crashing, while the absence of updated security-related protections makes the computers susceptible to hackers.

He added that future security patches released for Microsoft’s newer systems will serve as a way for nefarious people to reverse engineer ways to breach now-unprotected Windows XP computers.

“It’s going to be interesting to say the least,” he says. “There are plenty of black hats out there that are looking for the first vulnerability and will be looking at Windows 7 and 8 to find those vulnerabilities. And if you’re able to find a vulnerability in XP, it’s pretty much a silver key.”

Those weaknesses can affect businesses both large and small.

Mark Bernardo, general manager of automation software at General Electric Co.’s Intelligent Platforms division, says moving to a new operating system can be extremely complicated and expensive for industrial companies. Bernardo, whose GE division offers advisory services for upgrading from XP, says many of the unit’s customers fall into the fields of water and waste water, along with oil and gas.

“Even if their sole network is completely sealed off from attack, there are still operational issues to deal with,” he says.

Hefty cost of upgrading

Meanwhile, many small businesses are put off by the hefty cost of upgrading or just aren’t focused on their IT needs.

Barry Maher, a salesperson trainer and motivational speaker based in Corona, California, says his IT consultant warned him about the end of XP support last year. But he was so busy with other things that he didn’t start actively looking for a new computer until a few weeks ago.

“This probably hasn’t been as high a priority as it should have been,” he says.

He got his current PC just before Microsoft released Vista in 2007. He never bought another PC because, “As long as the machine is doing what I want it to do, and running the software I need to run, I would never change it.”

Mark McCreary, a Philadelphia-based attorney with the firm Fox Rothschild LLP, says small businesses could be among the most affected by the end of support, because they don’t have the same kinds of firewalls and in-house IT departments that larger companies possess. And if they don’t upgrade and something bad happens, they could face lawsuits from customers.

But he says he doesn’t expect the widespread malware attacks and disasters that others are predicting — at least for a while.

“It’s not that you blow it off and wait another seven years, but it’s not like everything is going to explode on April 8 either,” he says.

McCreary points to Microsoft’s plans to keep providing malware-related updates for well over a year, adding that he doubts hackers are actually saving up their malware attacks for the day support ends.

But Sam Glines, CEO of Norse, a threat-detection firm with major offices in St. Louis and Silicon Valley, disagrees. He believes hackers have been watching potential targets for some time now.

“There’s a gearing up on the part of the dark side to take advantage of this end of support,” Glines says.

He worries most about doctors like his father and others in the healthcare industry, who may be very smart people but just aren’t focused on technology. He notes that healthcare-related information is 10 to 20 times more valuable on the black market than financial information, because it can be used to create fraudulent medical claims and illegally obtain prescription drugs, making doctor’s offices tempting targets.

Hoping for the best

Meanwhile, without updates from Microsoft, regular people who currently use XP at home need to be extra-careful.

Mike Eldridge, 39, of Spring Lake, Mich., says that since his computer is currently on its last legs, he’s going to cross his fingers and hope for the best until it finally dies.

“I am worried about security threats, but I’d rather have my identity stolen than put up with Windows 8,” he says.

Bree Fowler with Joyce M. Rosenberg



Source: http://technology.inquirer.net/35304/end-of-windows-xp-support-spells-trouble-for-some
