Sunday, 13 April 2014

The Heartbleed Bug

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.



The first public evidence of the bug appeared as an OpenSSL advisory on April 7, which warned of “A missing bounds check in the handling of the TLS heartbeat extension”. The bug was discovered and reported by Neel Mehta of Google Security.


Robin Seggelmann, a Germany-based coder who inadvertently introduced the Heartbleed vulnerability to OpenSSL, has told The Guardian that it was an oversight.

"I am responsible for the error because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version", Seggelmann said.

Heartbeat is a simple function in the OpenSSL project: the client sends a random data packet together with its length to the server, and the server replies with the same data. Because of this bug, the client can lie about the length of the data it sends. The client can send 8 bytes of data but claim to have sent 128 bytes. The server then replies with 128 bytes, filling the response with whatever data it has in its memory at that instant. That data can be usernames, passwords, search queries, etc.
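An added example, not code from OpenSSL or from this post: a small C model of the flaw described above, with a handler that trusts the length the client claims next to one that includes the bounds check. The struct, the function names and the "neighbouring memory" string are constructed for illustration; the 3-byte header and 16-byte minimum padding follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER 3   /* 1-byte type + 2-byte claimed payload length (RFC 6520) */
#define HB_PADDING 16 /* minimum padding after the payload (RFC 6520) */

/* Constructed stand-in for server memory: the received record sits at the
 * start of the buffer and unrelated data follows it. */
struct arena { uint8_t mem[256]; size_t rec_len; };

/* Build a heartbeat request; rec needs HB_HEADER + real_len + HB_PADDING bytes. */
size_t hb_build(uint8_t *rec, const uint8_t *payload, size_t real_len, uint16_t claimed) {
    rec[0] = 1;                       /* heartbeat_request */
    rec[1] = (uint8_t)(claimed >> 8); /* length the client claims, big-endian */
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HEADER, payload, real_len);
    memset(rec + HB_HEADER + real_len, 0, HB_PADDING);
    return HB_HEADER + real_len + HB_PADDING;
}

/* Place the record in the arena, followed by constructed "other" data. */
int arena_load(struct arena *a, const uint8_t *rec, size_t rec_len) {
    static const char neighbour[] = "user=alice;password=CONSTRUCTED-SECRET";
    if (rec_len > sizeof a->mem - sizeof neighbour) return -1;
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem, rec, rec_len);
    memcpy(a->mem + rec_len, neighbour, sizeof neighbour);
    a->rec_len = rec_len;
    return 0;
}

/* The behaviour the article describes: the claimed length is trusted. */
size_t hb_reply_unchecked(const struct arena *a, uint8_t *out, size_t out_cap) {
    size_t claimed = ((size_t)a->mem[1] << 8) | a->mem[2];
    if (claimed > out_cap || HB_HEADER + claimed > sizeof a->mem) return 0; /* keeps the model itself in bounds */
    memcpy(out, a->mem + HB_HEADER, claimed); /* copies past the real payload */
    return claimed;
}

/* With the bounds check: a request whose claimed length does not fit
 * inside the record actually received is dropped without a reply. */
size_t hb_reply_checked(const struct arena *a, uint8_t *out, size_t out_cap) {
    if (a->rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)a->mem[1] << 8) | a->mem[2];
    if (HB_HEADER + claimed + HB_PADDING > a->rec_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, a->mem + HB_HEADER, claimed);
    return claimed;
}
```

With an 8-byte payload and a claimed length of 128, the unchecked handler returns 128 bytes that include the constructed neighbouring string, while the checked handler returns nothing.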

Seggelmann submitted this code in 2011.

"It's probably the worst bug the Internet has ever seen," said Matthew Prince, CEO of website-protecting service CloudFlare.

At the very least, the Heartbleed bug exposes your username and password, and it also enables a hacker to pose as a real website and lure you into giving up your personal details. The most dangerous thing about this bug is that it leaves no traces. You will never know that you were hacked.

The bug has affected not only websites but also a large number of the devices we connect to the Internet.

Tech giants Cisco (CSCO) and Juniper (JNPR) have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they're impacted by the bug as well.

Undoing the damage that has potentially already been done won't be easy. Websites are patching the hole, but the job won't be complete until all websites purge all the old keys they've been using to encrypt data.
