After the Heartbleed bug decimated OpenSSL security across the web, users are understandably fearful of a reprisal. As a preventative measure, Dashlane are releasing a tool to allow users to reset passwords for up to 75 popular sites, such as Amazon, Google, and Facebook, at the click of a button. The software is in beta, and only available on desktop at present, but a mobile app is expected to follow.
As yet, Dashlane has no way of confirming, after a website has been breached, that the vulnerability has been patched, which can make a change of password redundant. A Dashlane spokesperson advises that, should such a vulnerability be found, the user should update their passwords immediately, then change them again a few weeks later, by which point any security holes should be fixed. “Obviously that’s something we can’t control,” the spokesperson said. “We can’t go to 500 million websites and say, oh, have you patched yet?”
The Dashlane software is available for free download from dashlane.com.
It has been a while since the Heartbleed bug became publicly known and went through every media outlet, about four months, and you would expect critical systems to be patched by now. After all, pretty much every manufacturer and software developer rushed out a fix for their system. It seems, however, that some government-employed backwater system administrator somewhere doesn’t have access to any form of news.
Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data centre software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.
Hackers made off with personal data of about 4.5 million patients of the hospital group Community Health Systems Inc, one of the biggest groups in the US. They broke into the system using the Heartbleed bug and made off with the database without leaving a trace. This is the first publicly known large-scale cyber attack using the Heartbleed exploit.
The hackers got into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc, said David Kennedy, chief executive of TrustedSec LLC. Multiple sources familiar with the investigation into the attack confirmed that Heartbleed had given the hackers access to the system. Community Health Systems said on Monday that the attack had originated in China.
Community Health Systems said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred to or received services from doctors affiliated with the company over the last five years.
Thank you Reuters for providing us with this information.
The OpenSSL security flaw known as Heartbleed has been one of the most chilling news stories in the tech world over the last few months and it’s not surprising considering an estimated two-thirds of the world’s servers are reliant on the OpenSSL platform to operate. Now even though things have died down a little and the bug seems to be in the past, the truth is that Heartbleed is still as much of a concern as it was a couple of months ago.
Robert Graham, a security researcher and blogger at Errata Security, has discovered that over 300,000 servers are still open to attack – still half of those originally discovered when the bug was exposed by one of Google’s engineers. The search for how many servers are still open is easily conducted by scanning the internet on port 443 and seeing how many servers respond to the scan; servers that do not respond to the probe are counted as patched. Port 443 is, however, only one of the ports affected.
When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven’t checked other ports.
Of the originally estimated 600,000 servers that were vulnerable, the 300k that have attended to the flaw are predominantly the major names around the world. This means that the huge number of servers that are still open, and may continue to be for a number of years, belong to much smaller sites that either don’t know about the problem or simply don’t care.
How long Heartbleed will continue to be a threat to security is unknown. Until each and every server around the world has been patched or replaced as part of routine upgrades, it is impossible to say when the bug will be extinct. All I can urge server owners to do is to check that their systems are patched and secure. It is not just the integrity of your business that could be at stake, but also the personal information of anyone who uses your server.
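Two points above, checking whether a given OpenSSL build is still exposed, and the Dashlane advice that a password reset is only worthwhile once the server has actually been patched, can both be reduced to a version triage step. The following Python helper is an added example written for this page; it is not code from Errata Security, Dashlane or the OpenSSL project. It relies on one fact the article does not state but which is well established: Heartbleed affects OpenSSL 1.0.1 through 1.0.1f, and 1.0.1g was the first fixed release. The sample version strings are constructed, and the `package_changelog_mentions_fix` flag is a hypothetical input standing in for the operator's own check of the distribution changelog.

```python
"""Decide whether an OpenSSL version string falls in the Heartbleed-affected range.

Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f.
1.0.1g and later, and every other branch (0.9.8, 1.0.0, 1.0.2 and newer),
do not contain the bug. The helpers and sample version strings here are
constructed for illustration and are not part of the original article.
"""
import re
import ssl

# Matches legacy-style OpenSSL versions ("1.0.1e", "1.0.1", "1.0.2k") and
# tolerates trailing text such as "-fips" or a release date.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")

# First Heartbleed-free release on the 1.0.1 branch.
FIXED_LETTER = "g"


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter), or None if unrecognised."""
    s = text.strip()
    if s.startswith("OpenSSL "):
        s = s[len("OpenSSL "):]
    m = _VERSION_RE.match(s)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_affected(text):
    """True when the version lies in 1.0.1 .. 1.0.1f inclusive, judged from
    the version string alone (see the caveat in assess_version)."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    # Bare "1.0.1" is the initial release and is affected; patch letters sort
    # alphabetically, so anything before "g" is affected.
    return (len(letter), letter) < (1, FIXED_LETTER)


def assess_version(text, package_changelog_mentions_fix=False):
    """Classify a version string for an operator's patch-and-rotate checklist.

    Caveat: distribution packages often backport the fix without changing the
    upstream version string (a patched build can still report 1.0.1e), so a
    'vulnerable' verdict from the string alone must be confirmed against the
    package changelog. The flag is a hypothetical stand-in for that check.
    """
    if not is_heartbleed_affected(text):
        return {"version": text, "status": "not-affected",
                "action": "none from the version string; if this host ever ran "
                          "1.0.1..1.0.1f, regenerate keys and reset passwords"}
    if package_changelog_mentions_fix:
        return {"version": text, "status": "backported-fix",
                "action": "regenerate keys/CSRs and reset passwords now; the "
                          "host may have been exposed before the fix landed"}
    # Resetting passwords before the patch is applied is wasted effort: they
    # can be read out again through the same bug.
    return {"version": text, "status": "vulnerable",
            "action": "patch first, then regenerate keys and reset passwords"}


def local_openssl_report():
    """Assess the OpenSSL library this Python interpreter is linked against."""
    return assess_version(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample strings, not survey data.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "0.9.8y", "1.0.2k-fips"):
        print(sample, "->", assess_version(sample)["status"])
    print("local:", local_openssl_report())
```

Run against a server's `openssl version` output, the string check is a first filter only; a result of `vulnerable` on a Debian or Red Hat host should be followed by a look at the package changelog before anyone is asked to rotate keys, which is the same point Dashlane's spokesperson makes about resetting passwords before a site has patched.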
The Heartbleed bug is back, and this time it’s a different form of monster. The new variant of Heartbleed is being dubbed “Cupid” by the security researcher who discovered it, Luis Grangeia. The “Cupid” bug can be used to launch Heartbleed-style attacks, but this time against WiFi routers (instead of the open web) and Android Jelly Bean devices connected to those routers. The bug allows hackers to target routers that use EAP (i.e. those that require an individual logon and password, such as WiFi routers) by pulling out the private security keys, effectively bypassing any security measures. From this position the hackers could even view snippets of the working memory of the targeted devices, potentially exposing user credentials, client certificates and private keys. The damage from this variant of Heartbleed will apparently be much more contained than the first variant; however, it still isn’t known how many devices and routers are currently vulnerable to the attack. Android devices running 4.1.1 Jelly Bean are particularly vulnerable, and those users are encouraged to upgrade if possible. Check out the technical details at the two source links.
As the Heartbleed bug still stands as one of the biggest security vulnerabilities that has been seen in recent years, we are hearing continuing news of security patches and updates coming out to close the loopholes that are found in each instance of OpenSSL.
The latest update that we are hearing of comes from one of the leading NAS manufacturers, QNAP. Released today, QNAP’s security patch is targeted at NAS systems running QTS versions 4.0 and 4.1; earlier releases use an earlier version of OpenSSL which appears to be unaffected.
“We strongly urge users of vulnerable Turbo NAS systems to update their firmware,” said Jason Hsu, Product Manager of QNAP. “Users are also recommended to contact their SSL providers to regenerate their SSL CSR/keys for server protection.”
QNAP is urging users with the above QTS releases to update their systems, either by running an update through the QTS control panel or by downloading the patch manually.
In addition to this, I will point out that keeping your system up to date with the latest firmware and software releases is always highly recommended, and even if you are running any of the earlier QTS revisions, it is still wise to update to the latest QTS 4.0.7 and 4.1.0 RC2 revisions.