This Monday (7 April 2014), a bug in OpenSSL disclosed by security researchers at Codenomicon, an independent security firm, and at Google was given the name Heartbleed (CVE-2014-0160). Roughly two thirds of active websites run on servers that rely on OpenSSL, so a large share of the web is potentially affected by this flaw; whether a given site is actually exposed depends on the OpenSSL version it runs.
Referring to Heartbleed, the security expert Bruce Schneier wrote in a blog post this week:
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.
At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
The bug was disclosed on Monday and is already being called one of the most serious security vulnerabilities in the history of the Internet.
Heartbleed is a catastrophic bug in OpenSSL 1.0.1 through 1.0.1f and in 1.0.2-beta1; it is fixed in 1.0.1g, and the older 1.0.0 and 0.9.8 branches are not affected. The disclosure site, heartbleed.com, summarises the impact:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
Put plainly, a tool meant to protect your data as it travels over the net has a hole in it. Private data (passwords, card numbers, etc.) is encrypted before it is sent over the Internet so that eavesdroppers cannot read it. Heartbleed does not break that encryption; it lets an attacker read chunks of the server's own memory, where the data sits in the clear after decryption and where the server's private key lives. Whatever happens to be in that memory (emails, passwords, messages, documents, session cookies, and the keys themselves) can be pulled out, and with the private key an attacker can impersonate the site or decrypt recorded traffic from connections that did not use a forward-secret key exchange.
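To make the mechanism concrete, here is an added example (not code from the original post, and not OpenSSL's own source) that models the heartbeat request handling in the shape of the bug: the server reads a 16-bit payload length from the peer's request and uses it as the memcpy size without checking it against the size of the record it actually received, so the reply echoes back whatever lies beyond the real payload. The "arena" array standing in for process memory, the secret placed after the record, and the constant and function names are all constructed for this demonstration; the fixed responder applies the same bounds check as the patched release.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of random padding */
#define ARENA_SIZE  256

/* Constructed stand-in for the server's process memory: the incoming record
 * is placed at the front, and a "secret" is placed right after it, where a
 * real server might hold another connection's buffers or key material. */
static unsigned char arena[ARENA_SIZE];

/* Build a heartbeat record whose 16-bit length field claims `claimed_len`
 * bytes while carrying only strlen(payload) real bytes. Returns the length of
 * the record as actually received (what the TLS record layer knows), or 0 if
 * the layout would not fit the arena (keeps the model in defined behaviour). */
static size_t build_record(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    size_t record_len = 3 + plen + HB_PADDING;
    if (record_len + strlen(secret) > ARENA_SIZE || (size_t)3 + claimed_len > ARENA_SIZE)
        return 0;
    memset(arena, 'p', sizeof arena);           /* 'p' = padding / stale data */
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + record_len, secret, strlen(secret));
    return record_len;
}

/* Vulnerable shape (OpenSSL 1.0.1 through 1.0.1f): the length the peer wrote
 * into the request is trusted and used as the copy size, so the response
 * echoes memory beyond the real payload. Returns bytes echoed. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)record_len;                           /* never consulted: the bug */
    memcpy(out, rec + 3, payload_len);          /* over-read past the record */
    return payload_len;
}

/* Fixed shape (the 1.0.1g check): the claimed length, plus header and
 * minimum padding, must fit inside the record actually received; otherwise
 * the request is dropped silently. Returns bytes echoed, 0 if dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out)
{
    if (record_len < 3 + HB_PADDING)            /* no room for header + padding */
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > record_len)
        return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Does the echoed response contain the secret? (memmem is not standard C.) */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; k && i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Send one malicious request (claims 200 bytes, carries 4) to both responders.
 * Returns 1 when the vulnerable path leaked the secret and the fixed path
 * refused the request. */
static int demo_leak(void)
{
    unsigned char out[ARENA_SIZE];
    const char *secret = "password=hunter2";        /* constructed secret */
    size_t record_len = build_record(200, "ping", secret);
    if (record_len == 0)
        return 0;
    size_t n_vuln = heartbeat_vulnerable(arena, record_len, out);
    int leaked = contains(out, n_vuln, secret);
    size_t n_fixed = heartbeat_fixed(arena, record_len, out);
    return leaked && n_fixed == 0;
}

int main(void)
{
    printf("vulnerable responder leaked the secret and the fixed one dropped the request: %s\n",
           demo_leak() ? "yes" : "no");
    return 0;
}
```

The check in the fixed path is the whole fix: a one-line comparison of a peer-supplied length against the length the record layer actually saw. Note also why the attack "leaves no trace": the malformed request is a valid heartbeat as far as the vulnerable server is concerned, nothing is logged, and each repeat returns a different slice of whatever is adjacent in memory at that moment.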
That’s the quick picture on the vulnerability.
We remain on alert for Heartbleed as well as other possible vulnerabilities, and we are on top of things. We suggest you keep calm and stay tuned for news and updates on the threat.