Heartbleed | KitGuru
https://www.kitguru.net

New OS X and Linux bug could be worse than Heartbleed
https://www.kitguru.net/gaming/security-software/matthew-wilson/new-os-x-and-linux-bug-could-be-worse-than-heartbleed/
Thu, 25 Sep 2014 13:32:37 +0000

A new exploit has been discovered for Unix-based systems that some experts are claiming could be more harmful than the SSL bug, Heartbleed, which was discovered earlier this year. This new exploit is called 'the bash bug' and allows users to take control of Bourne Again Shell (Bash), the software used to control the Unix command prompt on some systems.

This bug means that all systems using Mac OS X or Linux are potentially susceptible. What makes the bash bug so dangerous, though, is that it only requires the user to copy and paste a single line of code in order for it to work. Afterwards, hackers can run their own malicious code and could potentially take complete control of your system.


FireEye Director of Threat Research, Darien Kindlund, briefly explained why the bash bug is so dangerous:

“This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50 per cent of global servers supporting web pages. Specifically, this issue affects web servers using GNU bash to process traffic from the Internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the Internet.”

Patches for many software distros are already being sent out, but the Department of Homeland Security has issued an advisory warning just in case some users fail to take proper precautions.

According to Professor Alan Woodward from the University of Surrey, 50 per cent of active websites run on a web server called Apache, which in turn runs on Unix, making these sites potentially vulnerable. This means around 500 million active sites could potentially face problems, which is a lot worse than the 500,000 sites susceptible to the Heartbleed SSL bug.

He went on to say that while vendors are rushing out patches, this approach assumes that system owners know about the vulnerability, rather than prompting them to update. Many system owners may not even know that a version of Linux is running in the background, meaning that many home WiFi routers could remain exploitable.

Right now it is unknown just how many systems are affected overall, but scans are already taking place in order to gather key statistics.


KitGuru Says: Two horrible bug discoveries only months apart from each other. Hopefully this doesn't become a huge problem and can be contained relatively quickly. 

Source: The Inquirer

Over 300,000 servers still vulnerable to Heartbleed bug
https://www.kitguru.net/gaming/security-software/matthew-wilson/over-300000-servers-still-vulnerable-to-heartbleed-bug/
Mon, 23 Jun 2014 13:52:52 +0000

More than 300,000 servers are still vulnerable to the Heartbleed bug as websites aren't bothering to patch it up. So far, only 9000 servers were patched last month, leaving behind plenty of vulnerable servers. We've known about Heartbleed for a while now, since security researcher, Robert David Graham, warned the Internet about the flaw.

At first Graham warned that 600,000 servers could be affected. Just under half of those were patched, leaving behind 318,239 vulnerable systems. Graham checked in again over the weekend and found that at least 390,197 servers have still yet to be patched.


The security researcher is worried that this slow patching rate is a sign that smaller websites aren't bothering to fix the problem: “This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.”

Progress will be tracked again next month and then again at the six month mark. After that, yearly checks will be made to see how many servers still need to update. We reported on Heartbleed last month and since then, we have also reported on the very first hacker to be arrested for exploiting the bug.


KitGuru Says: Heartbleed is a big problem that opens up a lot of websites to exploitation. The worst part is that it was around for two years prior to the discovery and nobody said anything about it. However, that could also mean that not many hackers are even attempting to exploit the bug. 

Source: The Inquirer

The first Heartbleed hacker has been arrested
https://www.kitguru.net/gaming/security-software/matthew-wilson/the-first-heartbleed-hacker-has-been-arrested/
Thu, 17 Apr 2014 09:14:24 +0000

The Heartbleed bug has been around for a couple of years but it caused quite a stir when it was publicly revealed last week. However, there had been no reports of people abusing the bug until now: a Canadian hacker has become the first person to get arrested for abusing the Heartbleed bug.

The Canadian used the bug to steal information from the government's tax website. During the attack he managed to get his hands on 900 social security numbers as well as other taxpayer information. CRA Commissioner, Andrew Treusch, gave a statement: “The CRA worked around the clock to implement a ‘patch' for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services. The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls.”


Stephen Solis-Reyes is just 19 years old and was taken into custody yesterday. His computer equipment was seized and he currently faces criminal charges of unauthorized use of computer and mischief in relation to data. Around 500,000 websites were open to exploitation thanks to the Heartbleed bug; however, most websites, especially the big ones like Google, have patched the hole.


KitGuru Says: We don't know if Stephen Solis-Reyes did anything with the information he obtained but we will likely find out soon. 

Source: BBC, Cnet

Heartbleed is a big problem, but don’t knee jerk react
https://www.kitguru.net/gaming/security-software/jon-martindale/heartbleed-is-a-big-problem-but-dont-knee-jerk-react/
Thu, 10 Apr 2014 08:59:42 +0000

Heartbleed is bad. For those that haven't heard yet, it's a security flaw that's potentially opened up as many as two thirds of the world's websites to digital thieves, and the worst part is that the flaw has existed for over two years. However, while many parts of the web are screaming for users to change their passwords wherever possible, it's important not to dive right in: unless the site owner has updated OpenSSL and their SSL certificate, hackers could just steal your password again.

When it comes to vulnerabilities, Heartbleed isn't the easiest to understand, though I'm sure for some it's a cake walk. For a great rundown, have a look at Vox's explanation here, but if you want my summary, here you go:

Heartbleed is a vulnerability that affects the digital discussion between two PCs that are communicating using SSL encryption. It works by imitating a “heartbeat” message, which is designed to tell each computer that the other is still connected, and this can lead to the tricked server sending back real information, like the contents of its RAM. This has the potential to give up very sensitive data, like user passwords, credit card details and even the site's own private encryption key, which opens it up to even more snooping.

While this is a nasty flaw, it's the fact that it's in a standard used by so many sites, and has been around for so long, that makes it truly problematic.

Image caption: Someone actually made an image for it, it's that serious

The good news in this whole situation is that someone discovered the flaw (a team of researchers at Codenomicon and Google Security, in fact), and they informed the OpenSSL team, who have now patched the hole. The question is, how long will every site owner take to update things at their end?

Of course, most of the big names have gotten on it pretty speedily, with Google announcing that most of its services, including YouTube, Gmail, Google Play, Chrome and Chrome OS among others, have all been updated, though a few of its other services need some work.

So those sites are good to go on a password change if you want to eliminate the risk that someone stole your password as part of the hack, especially if you use that same password somewhere else. However, the best recommendation at this point is not to change it on any site that may not have updated its SSL yet, since doing so could just serve up your newly remembered password to whoever was taking advantage of the flaw (if anyone) anyway.

If you have a favourite site but aren't sure if it's updated its SSL yet, you can run it through a checker tool here.

KitGuru Says: This is a pretty nasty one, but no one has publicly stated that they're sitting on a load of passwords. That's not necessarily proof that no one is, but it's a bit of circumstantial evidence. That's about the best we'll ever have I imagine. 
