Wednesday, April 9, 2014

Heartbleed Open SSL vulnerability and first possible attack Updates for April 9 , 2014 , Bitcoin news of note also for April 9 , 2014 ....National Australia Bank Turns Back on Bitcoin, Closes Accounts ......... Bitcoin industry reacts to Heartbleed vulnerability as patches have been implemented in hours .......Regulation efforts / updates / commentaries pertaining to the US , Brazil and Japan ...... Mt Gox Updates.....

HEARTBLEED......


Heartbleed: Moving Toward Government Control of the Internet

  •  The Alex Jones ChannelAlex Jones Show podcastPrison Planet TVInfowars.com TwitterAlex Jones' FacebookInfowars store
Company that found bug has connections to Google, Obama, DHS, and FBI
Kurt Nimmo
Infowars.com
April 9, 2013
Dire warnings about Heartbleed, a serious internet security risk affecting millions of websites, is echoing across the internet today. Described as a flaw in OpenSSL, the open source encryption technology used by the vast majority of web servers, Heartbleed is said to put HTTPS e-commerce websites at risk.
Heartbleed explained.
The bug “can give hackers access to personal data like credit card numbers, usernames, passwords, and, perhaps most importantly, cryptographic keys—which can allow hackers to impersonate or monitor a server,” writes Lily Hay Newman.
The risk was discovered by a Google researcher at Codenomicon, a Finnish company specializing in the development of “fuzzing tools” to ensure computer network security. The Codenomicon client base includes government and the defense industry and, as noted below, has suspicious connections to Obama, DHS, and the FBI.
The current buzz about Heartbleed plays into an ongoing government propaganda campaign to forge a public-private cybersecurity infrastructure.
The latest warning came from the Communications Director for Willis Global Energy Practice during a seminar held in London. He said the “energy industry is sitting on an unexploded bomb from uninsured cyber attacks” due, in large part, to web-based control systems which are routinely insecure.
In 2010, the effort to portray the internet as vulnerable and in need of government protection took the shape of a simulated cyber attack. The war game was organized by the Bipartisan Policy Center, an insider think tank, and sponsored by “companies with financial stakes in the future of cyber defense — General Dynamics is one — but also companies whose transactions are the lifeblood to the American economy, and who want to foster a greater sense of urgency among the public and policymakers,” according to  Marc Ambinder of The Atlantic.
Cyber attacks often seem timed to underscore government cybersecurity talking points and proposed legislation. For instance, in February, an unprecedented denial of service attack occurred several days after the National Cybersecurity and Critical Infrastructure Protection Act found its way to the House floor. The legislation, supported by Republicans and Democrats, codifies “an equal partnership between private industry and DHS.”
The government considers this merging of government and corporate operations – basically corporatism, as Mussolini defined it – so essential Senator Jay Rockefeller tried to get the Cybersecurity Act of 2013 added as an amendment to the National Defense Authorization Act.

Takeaway from Heartbleed: Live every day as if you'll lose your SSL private keys tomorrow. Use forward secrecy. https://eff.org/r.q7av 




and....




First Heartbleed Theft - at BTCJam ?

Crypto-Coin News ...




BTC Stolen From BTCJam In Ongoing Heist; 

Hacker Has Been Identified… Heartbleed Might Be 

Involved



Posted 19 hours ago 

Update 10:44 (UTC-06:00): BTCJam releases statement as promised.

The Bitcoins have moved to 1687v9NexfUC6U6G1xBrEkLWYi3WSDn4qL and are being sent through Shared Coin into cold storage.BTCJam has gone offline for security updates with our servers.
Email from BTCJam’s Alexis Ajono:
“If you guys believe your accounts were hacked, please send me an email at alexis@btcjam.com. We are currently looking into this, and I am comprising a list of claims. Thank you, and please stand by for an official statement later on today.”

 Original Story
Check out this Bitcoin Address: 1JBBbQkwR6qVmxyPq22VsfygeLdFYgqhmP.
Over the last hour, Bitcoin has been pouring into that address.  The address first came to the public’s attention in a private BTCJam group on Facebook that confirmed the ongoing heist.  It seems that individual BTCJam accounts are being emptied into that Bitcoin address.  News of the heist started spreading while it was still in progress; redditors have gathered to discuss this matter.  What is clear in this incident is this: 2fa prevents your account from being hacked.  The hacker is moving through accounts one at a time, highly suggesting that he only has access to login information and passwords directly from BTCJam’s servers.  This theory is further corroborated by the fact that some of the exploited accounts temporarily created new loan requests in an attempt to steal even more Bitcoins.  There are even reports from the Facebook BTCJam group of a gentleman that noticed his withdraw address being changed, and was able to enable 2FA before the withdrawal request was made.
btcjamm
Who Is This Hacker?
It isn’t often that a simple Google search yields so much… But today it has.  A simple Google search of the address that all the stolen Bitcoins are being sent to reveals that the same address is used as the donation address for this page: ppp.cryptoanarchic.me.  The site was created by qwertyoruiop, and the donation address is under his control.
There also exists a Twitter account under the handle qwertyoruoip.
4 hours ago, he posted this:
The heartbleed bug is serious shit. I just dumped the private keys of multiple XMPP services.













Coin Desk



National Australia Bank Turns Back on Bitcoin, Closes Accounts

 (@southtopia) | Published on April 9, 2014 at 14:39 BST | AustralasiaNews
Share8


National Australia Bank (NAB) has decided to dissociate itself from bitcoin, informing bitcoin-related customers it will be closing their accounts next month.
The news is significant as NAB was previously Australia’s most bitcoin-friendly bank, with their representatives actively seeking to build relationships with bitcoin businesses and working with them to understand digital currency issues like fraud prevention.
An Australian trader who operates through LocalBitcoins.com received a letter today informing him of the change in direction. It reads:
“NAB has a responsibility and commitment to continually review its risk profile and the businesses we bank, ensuring that those businesses do not pose risks to NAB.
NAB has recently conducted a review of businesses that trade in digital currencies and has determined that digital currency providers pose an unacceptable level of risk, both to our business and reputation.
As a result of this review, NAB has decided to stop providing banking services to you and will close your accounts, effective 2nd May 2014.”
The letter, which bears a signature but no typed name, said it would return any remaining funds with a bank check and provided a free customer support number to call with any questions.
The customer, ‘Yo Shima,’ who trades bitcoins face-to-face as AusBitcoins, said he was in good standing and there had never been any hint of fraudulent or other untoward behavior associated with his business or bank account. He is currently one of Australia’s most active over-the-counter bitcoin traders, buying and selling about AU$50,000 worth per week on average since he began almost a year ago.
Other bitcoin-related businesses in Australia confirmed they had also been informed NAB was turning its back on bitcoin, and were currently working with other financial institutions to establish a more reliable relationship.

Banks and bitcoins

Australia’s banking industry is dominated by the ‘Big Four’ corporate banking groups: NAB, ANZ, the Commonwealth Bank and Westpac. Of the four, Commonwealth had previously been the one most hostile to bitcoin, while ANZ reportedly works with digital currency businesses on a case-by-case basis. Westpac’s policy remains unknown.
NAB produced a report on bitcoin for its currency traders last December, where it compared bitcoin and digital currencies with existing national currencies. The report was generally curious and neutral in tone, but said bitcoin would take a few more years to achieve mainstream acceptance.
The bank did not give a reason for its policy change, however Mizuho, one of Japan’s largest banks, may have spooked other large banks around the world when it was named as a defendant in the US class action lawsuit against departed exchange Mt. Gox. The complaint stated that by continuing to provide banking services to Mt. Gox, Mizuho “profited from the fraud”.















Bitcoin Core Version 0.9.1 Fixes Heartbleed Vulnerability

 | Published on April 9, 2014 at 11:50 BST | Bitcoin protocolTechnology
Share1


Bitcoin Core Version 0.9.1 is out and it has addressed the Heartbleed OpenSSL vulnerability, also known as CVE-2014-0160. The vulnerability has been patched by major bitcoin exchanges in a matter of hours.
In case you missed it, Heartbleed is a pretty big deal in the security community. The crypto bug in OpenSSL (an open-source implementation of the SSL and TLS internet security protocols that encrypt and secure internet traffic) has opened up two thirds of the web to eavesdropping. It was uncovered earlier this week and many observers described it as nothing short of catastrophic.

Bitcoin players quick to address Heartbleed

Luckily the news quickly translated into industry-wide action: patches are being implemented across the world as we speak.
Bitcoin exchanges and wallets are targeted by hackers on a daily basis, so serious bitcoin outfits keep track of zero day exploits, new attack vectors and a host of other vulnerabilities.
The Bitcoin Core team says version 0.9.1 is a maintenance release to fix an urgent vulnerability (ie Heartbleed), and all users should upgrade as soon as possible. Most have heeded the call and as a result the vast majority of major bitcoin sites and exchanges have implemented the fix.

What is Heartbleed all about?

OpenSSL is the most popular code library for HTTPS encryption. It is not used by Microsoft IIS, so Windows-based systems cannot be directly affected.
While this is good news for most desktop users out there, IT departments would rather have it the other way around. OpenSSL is used on Linux, BSD and numerous custom server platforms. Mac OS X is affected, too. The bug does not affect all versions of OpenSSL, either. Some major banks like Chase and Schwab rely on Microsoft IIS. Others rely on Linux/Apache, Java and other systems.
Ars Technica reports the bug is the result of a “mundane coding error” in OpenSSL. The bug essentially allows attackers to gain access to chunks of private computer memory that handles the OpenSSL process.
The contents of said memory chunks may include authentication credentials or even private keys that can undermine the website’s entire cryptographic certificate.
Hence, website operators need to patch their servers with OpenSSL version 1.0.1g and update their security certificates. The problem is that the OpenSSL patch is just the first step. Users need to think about replacing their X.509 certificates once they apply the OpenSSL update.
All admins and users are advised to change their passwords as a precaution as activity is traceless, and this scale of vulnerability is unprecedented in OpenSSL.

Russia Today....

​Major encryption security bug ‘Heartbleed’ impacts two-thirds of the web

Published time: April 09, 2014 03:03
Tens of millions of servers were exposed to a security vulnerability called “Heartbleed” in OpenSSL, software used to encrypt much of the internet. While an emergency patch has been released, sites like Yahoo have raced to fortify security.
On Monday afternoon, the open-source OpenSSL project released an emergency security advisory warning of Heartbleed,” a bug pulls in private keys to a server using vulnerable software, allowing operators to suck in data traffic and even impersonate the server.
As described by the Verge, Heartbleed “allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing — attackers don't know what usable data will be in the haul — but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.”
OpenSSL is used by around 66 percent of the web to encrypt data, according to LifeHacker. The software is used to protect usernames, passwords, and any sensitive information on secure websites.
According to reports, sites need to install updated, non-compromised software to vanquish further exposure to the bug’s vulnerabilities. Tens of millions of servers were exposed to Heartbleed, according to Verge.
"It is catastrophically bad, just a hugely damaging bug," said International Computer Science Institute security researcher Nicholas Weaver.
Yahoo may have been the largest entity whose sites were exposed to Heartbleed, which is actually two years old but is only now gaining the attention of the broader public after detection by Google researcher Neel Mehta.
Yahoo said it has successfully updated its servers.
"Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now,” Yahoo said in a statement.
As a result of Heartbleed, Yahoo reportedly leaked user information for most of the day. Any servers running OpenSSL on Apache or Nginx were also affected, implicating a multitude of common websites and services, according to The Verge.
Apple, Google, Microsoft, and major e-banking services do not appear affected.
The Tor Project said that "if you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle."
Yet experts have also suggested that even if a server is patched, private keys may have been compromised before the fix, allowing vulnerabilities to linger.
"I bet that there will be a lot of vulnerable servers a year from now," Weaver said. "This won't get fixed."

People in this reddit thread claim to have reliable exploit code against Yahoo mail, banks, other sites: http://www.reddit.com/r/programming/comments/22ghj1/the_heartbleed_bug/cgn056z