Tuesday, April 8, 2014

Bitcoin Updates - April 8, 2014 -- Major Security Flaw ‘Heartbleed’ Puts Critical Services at Risk ...... Gavin Andresen Steps Down as Bitcoin’s Lead Developer ...... Bitfinex Passes Stefan Thomas’s Proof Of Solvency Audit

Major encryption security bug ‘Heartbleed’ impacts two-thirds of the web

Published time: April 09, 2014 03:03
Tens of millions of servers were exposed to a security vulnerability called “Heartbleed” in OpenSSL, software used to encrypt much of the internet. While an emergency patch has been released, sites like Yahoo have raced to fortify security.
On Monday afternoon, the open-source OpenSSL project released an emergency security advisory warning of “Heartbleed,” a bug that exposes the private keys of a server running vulnerable software, allowing attackers to read its data traffic and even impersonate the server.
As described by the Verge, Heartbleed “allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing — attackers don't know what usable data will be in the haul — but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.”
OpenSSL is used by around 66 percent of the web to encrypt data, according to LifeHacker. The software is used to protect usernames, passwords, and any sensitive information on secure websites.
According to reports, sites need to install updated, non-compromised software to eliminate further exposure to the bug’s vulnerabilities. Tens of millions of servers were exposed to Heartbleed, according to The Verge.
"It is catastrophically bad, just a hugely damaging bug," said International Computer Science Institute security researcher Nicholas Weaver.
Yahoo may have been the largest entity whose sites were exposed to Heartbleed, which is actually two years old but is only now gaining the attention of the broader public after detection by Google researcher Neel Mehta.
Yahoo said it has successfully updated its servers.
"Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now,” Yahoo said in a statement.
As a result of Heartbleed, Yahoo reportedly leaked user information for most of the day. Any servers running OpenSSL on Apache or Nginx were also affected, implicating a multitude of common websites and services, according to The Verge.
Apple, Google, Microsoft, and major e-banking services do not appear affected.
The Tor Project said that "if you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle."
Yet experts have also suggested that even if a server is patched, private keys may have been compromised before the fix, allowing vulnerabilities to linger.
"I bet that there will be a lot of vulnerable servers a year from now," Weaver said. "This won't get fixed."
People in this reddit thread claim to have reliable exploit code against Yahoo mail, banks, other sites: http://www.reddit.com/r/programming/comments/22ghj1/the_heartbleed_bug/cgn056z 


Major Security Flaw ‘Heartbleed’ Puts Critical Services at Risk

(@southtopia) | Published on April 8, 2014 at 11:36 BST | Exchanges, News, Technology, Wallets

Over half the internet could have been compromised by a two-year-old security flaw that also could affect a number of online bitcoin services, it was revealed today.
The vulnerability, named ‘Heartbleed’, affects versions of OpenSSL, an open-source implementation of the SSL and TLS internet security protocols that encrypt and secure internet traffic, including passwords, messages, e-commerce and banking, and other sensitive data, as well as Virtual Private Networks (VPNs). OpenSSL is the most popular software library used for this purpose.

Two years old

The Heartbleed flaw has reportedly been known to researchers since 2011, and even ‘black hat’ hackers since 2012, meaning critical data on a large portion of the internet has been openly available for years. There have been no confirmed reports of exploits, though attacks leave no trace.
Security admins around the world are now hurriedly applying a fix, and changing certificates and secret keys on the off-chance they could have been compromised.
Since it weakens any site using the ‘secure’ https protocol, the threat isn’t specifically to bitcoin services like wallets and exchanges. But given authorities’ tendency to ignore bitcoin thefts or inability to investigate them effectively, it could leave bitcoin services more vulnerable than ‘traditional’ online financial or other critical ones.

Test your services’ sites

Italian security expert Filippo Valsorda built a web-based test that allows anyone to enter a server’s hostname to see if it is affected or not. He also posted open-source code for the test on GitHub.
At the time of writing, entering the addresses of major bitcoin services on Valsorda’s site showed that Blockchain, Coinbase and BitPay were safe, but that the world’s most popular exchange, Bitstamp, remained vulnerable.
Valsorda, too, was more concerned about online bitcoin services than about anything inherent in other implementations, saying the bug was “simple to exploit and not that quick to patch”.
“It’s fundamental to tell everyone to check all their servers and update ASAP [...] I can’t obviously be positive about it, but bitcoin-specific software (local wallets, etc.) should not be affected even if they use OpenSSL, since the bug is only triggerable in live TLS connections.”
“However almost everything public facing in the Bitcoin ecosystem is (rightly) secured with TLS (think all web wallets, exchanges but also APIs and Mail servers) and potentially (probably) affected.”

Rushing to patch software, rotate certs

It’s estimated over 50% of internet servers use some form of OpenSSL (and probably a lot more). The thought that over half the internet’s sensitive data could have been exposed for two years has left security departments sweating.
Exploiting Heartbleed, an attacker could access the RAM of affected systems, allowing them to see up to 64 kilobytes of data at a time – enough, taken repeatedly, to piece together a system’s secret keys. Those keys are used to encrypt and decrypt sensitive traffic and to identify service providers.
Once secret keys are gained, attackers could read any traffic to and from a server openly or impersonate services and users.
Attacks on a vulnerable system do not require man-in-the-middle techniques and leave no trace, leaving sysadmins with no sure way to know if their systems have been compromised.
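Both articles above describe the bug as an over-read of up to 64 kilobytes of server memory per request. The following added example (not code from either article, nor from OpenSSL) reproduces the mechanism locally, with the missing bounds check beside the one the fix introduced; the heartbeat layout is the standard one, while the memory arena and the “SECRET-KEY-DATA” string are constructed for the demo.

```c
/* Added example, not code from the article or OpenSSL: a local simulation of
 * the Heartbleed bug. A TLS heartbeat is 1 byte type, 2 bytes big-endian
 * payload length, the payload, then 16 bytes padding. The vulnerable handler
 * trusted the length field; the fix rejects lengths that overrun the record.
 * Memory layout and the "secret" below are constructed for this demo. */
#include <stdint.h>
#include <string.h>
#define HB_PADDING 16
#define ARENA 64
static size_t hb_declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The bounds check added in OpenSSL 1.0.1g, in spirit: header, declared
 * payload and padding must all fit in the bytes actually received. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    return 1 + 2 + hb_declared_len(rec) + HB_PADDING <= rec_len;
}

/* Simulated process memory: a request whose length field lies (claims 32
 * payload bytes, carries 2), then data the server never meant to send. */
static size_t build_arena(uint8_t *arena) {
    static const uint8_t req[] = { 1, 0x00, 0x20, 'h', 'i' };
    memset(arena, 0xAA, ARENA);
    memcpy(arena, req, sizeof req);
    memcpy(arena + 3 + 2 + HB_PADDING, "SECRET-KEY-DATA", 15);
    return 3 + 2 + HB_PADDING;            /* bytes actually received */
}

/* Vulnerable behaviour: echoes the declared number of payload bytes, so the
 * copy runs past the record into neighbouring memory (kept inside the arena). */
size_t vulnerable_reply(uint8_t *out) {
    uint8_t arena[ARENA];
    build_arena(arena);
    size_t n = hb_declared_len(arena);    /* 32, although only 2 were sent */
    memcpy(out, arena + 3, n);
    return n;                             /* bytes that would be sent back */
}

/* Fixed behaviour: the same request is dropped before any copy happens.
 * Returns -1 when rejected, otherwise the echoed payload length. */
int fixed_reply(uint8_t *out) {
    uint8_t arena[ARENA];
    size_t rec_len = build_arena(arena);
    if (!heartbeat_length_ok(arena, rec_len)) return -1;
    size_t n = hb_declared_len(arena);
    memcpy(out, arena + 3, n);
    return (int)n;
}
```

The reply buffer from vulnerable_reply carries the padding and then the neighbouring “secret” bytes, which is exactly the kind of haul the articles describe; fixed_reply never copies anything for the same request.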
The extent of the potential damage left some reeling:
Heartbleed is a rare bug: a failure in a crypto library that leaks data beyond what it's protecting. So worse than no crypto at all.
