Tuesday, April 15, 2014

3 Important Things You Should Know About Heartbleed | Quick Heal Technologies Security Blog


Password leaks and targeted attacks are nothing new and the latest security bug related to a massive loss of passwords across the world is ‘Heartbleed’. This bug has received a lot of media coverage over the last few days, so there is a lot of confusion about what it is and what one needs to do to fix the issue.

This blog post aims to help you better understand what Heartbleed really is and what you need to do in order to secure your presence online. Heartbleed has affected about 17% (close to 500,000) of the web servers across the world, so there is a high chance that you are affected by this too. With that in mind, here’s what you need to know now.

Fact # 1: What exactly is Heartbleed?

Heartbleed is a security bug that affects servers that use OpenSSL, a widely used implementation of SSL (Secure Sockets Layer) and its successor TLS. When you log in to your email account, or make a financial transaction online, the server that hosts this activity is protected by SSL, which is denoted by the padlock symbol near the address bar and the unmistakable presence of “HTTPS” as a prefix of the URL itself.

Heartbleed is a bug that afflicts this very protective measure and exposes information that SSL attempts to protect. In practice, this means that sensitive information such as passwords, credit/debit card details and more is susceptible to this bug and can be stolen.

It also means that there is nothing wrong with your PC or your antivirus software. This is an issue that needs to be dealt with by the people who run the websites that make use of SSL. Moreover, if you are surfing the Internet you will not be able to tell whether a service you are using is affected by Heartbleed or not.

Fact # 2: Which websites and online services are affected?

While most of the sites that have been affected have taken corrective steps already, there are bound to be many more which are still working on it. If you use some of the following services then there is a high chance that your password and details may have been leaked.

Facebook
Gmail
Amazon
SoundCloud
Instagram
Yahoo Mail
Flickr
YouTube
Pinterest
Google
Minecraft
Wikipedia
Tumblr
GoDaddy
Netflix
Dropbox

As you can see, the list is huge. There are several more services that have been affected, so the potential damage here is substantial.

This online tool can also help you ascertain whether a particular URL is afflicted or not. If you carry out online banking transactions, then we highly recommend that you change your account passwords. Also, check this tool to see if your bank’s online portal is affected by Heartbleed or not.

Fact # 3: What do you need to do?

While there is nothing specific that you can do to combat Heartbleed, one major precaution you should take is change ALL your online passwords right away. This will ensure that if any of the services you use have been afflicted by Heartbleed, then at least your passwords will be safe. Apart from this, stay alert about any unusual activity on your accounts. If you feel something is out of the ordinary, take the necessary corrective steps as soon as possible. Moreover, spread the word about Heartbleed and inform your friends and family members as well.

WARNING: Be on the lookout for fake password reset emails

With such widespread activity occurring simultaneously with regards to password changes all over the world, this is bound to lead to several phishing emails about password resets. Be on the lookout for such emails and stay away from fake emails that ask you to change your passwords. Read here for some tips on how to recognize fake phishing emails.


Sunday, April 13, 2014

HeartBleed: Biggest Security Threat the Internet Has Ever Seen - CIO India News on | CIO.in


The Heartbleed bug has made headlines all around the world after it was discovered that potentially two thirds of the internet was vulnerable. The erroneous code has exposed encryption keys to would-be hackers, meaning most of our sensitive data is easily stolen. We look at what this means for the future.

On Monday April 7th an urgent warning was released by the OpenSSL project detailing an extremely dangerous bug called Heartbleed. News of the vulnerability spread like wildfire, as it potentially affected the encryption software used by up to two thirds of servers on the internet, with serious implications for user data security. Large sites such as Yahoo, Flickr, DuckDuckGo, Eventbrite, and imgur were revealed to be at risk, while countless smaller portals, alongside email and instant messaging services, had also been exposed by the problematic code.


The worst part was that the vulnerability had actually been active for nearly two years, and there was no way of knowing if anyone had used the exploit due to it leaving no trace.

As reports of the bug proliferated across the web and spilled into mainstream media, users were confused by exhortations from some to immediately change their passwords, while others warned that unless the site in question had fixed the problem first, any new passwords would be just as vulnerable.

Security researcher Ivan Ristic worked through the night to produce a simple webpage where concerned users could test whether a particular site was vulnerable, while Mashable contacted the major social media and email providers to see if they had been affected by Heartbleed. Facebook, Google, Instagram, Tumblr and Pinterest revealed that they had applied patches before news broke publicly, but had not found any signs of data being stolen.

The general advice though was that users should change their passwords on these sites just to be sure. Tumblr even posted a message on its blog encouraging exactly that. "This might be a good day to call in sick and take some time to change your passwords everywhere" the blog stated, "especially your high-security services like email, file storage, and banking, which may have been compromised by this bug".

The Canadian government even took the extraordinary step of taking its e-filing tax service offline during one of the busiest times of the year in response to the Heartbleed problem.

"As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold", the Canada Revenue Agency said in a statement.

So what exactly is Heartbleed, and how can it be so widespread? The main problem with the bug is that it was contained in the OpenSSL cryptographic software library, the most widely used implementation of the SSL/TLS security protocols on the web. This meant the very code that was implemented to ensure communications remained secure and private could actually be the biggest threat to these goals.

When you connect to a secure website or service, a private connection is established between your browser and the web server. You can usually see this by the padlock icon and https text that appears at the start of the website address in your browser's address bar.

This connection is validated by a certificate that the server presents to let your browser know that it is who it claims to be. Data transferred between the two is then encrypted via Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), which uses a mixture of public, private and symmetric keys to ensure that only your computer and the web server can decrypt and read the sensitive information.

Once the session ends the keys are made redundant and discarded, as new ones are created the next time you log on. At least that's the way it's meant to work. Unfortunately a flaw in OpenSSL's implementation of the TLS Heartbeat extension, the bug now known as Heartbleed, left a very serious hole in this supposedly secure process. It was discovered that, using a simple technique, an attacker could read chunks of memory from servers running the code, and that memory could contain data left over from previous secure sessions. This could include personal information and, more importantly, the actual keys used to protect it.

"Basically, an attacker can grab 64K of memory from a server" wrote security expert Bruce Schneier on his blog. "The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. 'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."
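The Heartbeat flaw described above, modelled as an added example that is not OpenSSL's own code: a hardened handler applying the length check that the fix introduced, beside a pre-fix model that trusts the claimed payload length and echoes memory lying past the record. The `arena` buffer, the `build_arena` helper and the secret string are constructed for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Heartbeat record layout (RFC 6520): type(1) | payload_len(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Hardened handler, modelled on the checks the April 2014 OpenSSL fix added.
 * Returns the response length, or 0 when the request is silently dropped. */
size_t heartbeat_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check that was missing: the claimed payload must lie inside the record. */
    if (3 + payload + HB_PADDING > rec_len) return 0;
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);         /* echo only the bytes actually sent */
    memset(out + 3 + payload, 0, HB_PADDING);  /* padding (random bytes in a real stack) */
    return 3 + payload + HB_PADDING;
}

/* Pre-fix model: trusts payload_len and copies that many bytes from wherever the record
 * sits. 'arena' is a constructed stand-in for server memory; the caps on 'payload' only
 * keep this model inside the arena and are not something the buggy code did. */
size_t heartbeat_unchecked(const uint8_t *arena, size_t arena_len, uint8_t *out, size_t out_cap)
{
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (payload > arena_len - 3) payload = arena_len - 3;
    if (payload > out_cap - 3) payload = out_cap - 3;
    out[0] = HB_RESPONSE; out[1] = arena[1]; out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload);       /* runs past the end of the record */
    return 3 + payload;
}

/* Constructed memory: a 24-byte request carrying 5 payload bytes ("hello") whose header
 * claims 'claimed' bytes, followed at offset 24 by data from an unrelated session. */
static size_t build_arena(uint8_t *arena, size_t cap, uint16_t claimed)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST; arena[1] = claimed >> 8; arena[2] = claimed & 0xff;
    memcpy(arena + 3, "hello", 5);                   /* real payload; zero padding follows */
    memcpy(arena + 24, "SECRET-KEY-MATERIAL", 19);   /* what an over-read would expose */
    return 24;                                       /* length of the record itself */
}

size_t demo_checked(uint16_t claimed)  /* hardened handler: 24 for claimed=5, 0 for claimed=64 */
{
    uint8_t arena[64], out[64];
    size_t rec_len = build_arena(arena, sizeof arena, claimed);
    return heartbeat_checked(arena, rec_len, out, sizeof out);
}

int demo_unchecked_leaks(void)         /* claims 64, pre-fix model: response echoes the secret */
{
    uint8_t arena[64], out[64];
    build_arena(arena, sizeof arena, 64);
    size_t n = heartbeat_unchecked(arena, sizeof arena, out, sizeof out);
    return n == 64 && memcmp(out + 24, "SECRET-KEY-MATERIAL", 19) == 0;
}
```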

Steve Gibson, co-host of the Security Now podcast, also commented on his show about the further capabilities of the bug, stating "It is a bidirectional exploit. So if the client had this then something you've connected to could come and get memory from you as well."

The bug was initially discovered by Finnish security company Codenomicon, with Google engineer Neel Mehta also being credited. While testing a new variant of its Safeguard software, engineers at Codenomicon found worrying errors relating to OpenSSL. To further explore the bug the engineers decided to hack their own site.

"We have tested some of our own services from [an] attacker's perspective", the company revealed on its hastily assembled Heartbleed website. "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

"These are the crown jewels", said the company. "The encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption."

In this post-Snowden world, some commentators began to wonder whether this erroneous code, along with the high profile GoToFail bug recently found in Apple software, might not be a mistake at all.

"At this point," Bruce Schneier wrote, "the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof."

How much damage the Heartbleed bug has caused is almost impossible to gauge at the moment. Companies have scrambled to patch the code, while certificate issuing services are struggling heroically to meet the demands that this revelation has created. Whether anyone stumbled across the vulnerability during its two years in the wild is anyone's guess, but the dangers can't just be shrugged off. Although there isn't much you can do about the past, Tumblr's suggestion to take the day off and change all of your passwords is definitely a good idea. While you're at it turn on two-step verification on as many devices and services as you can. It won't protect you against Heartbleed as such, but it's only a matter of time before the next big threat arrives, so we might as well get ready.


Monday, April 7, 2014

How to Support Windows XP Now That Microsoft Isn't | CIO.in


Added 8th Apr 2014

Paul Rubens


Millions of PCs running Windows XP face a tsunami of hacker attacks starting tomorrow, when Microsoft ceases support for the aging, still-popular, operating system

After tomorrow, there will be no more security updates, so it's likely that black hats will release a torrent of stockpiled malware to exploit vulnerabilities that Microsoft will no longer patch. "Some hackers are bound to be hanging on to exploits and waiting for support to end," says Chris Sherman, a security analyst at Forrester Research. "If you knew of a vulnerability, why wouldn't you?"

Hackers will also be able to examine Microsoft's future Windows Vista and Windows 7 security updates to gain insights into the underlying vulnerabilities they patch and apply that knowledge to exploit similar vulnerabilities that will exist in Windows XP.


The end of Windows XP is a potential problem for companies because of the sheer number of XP machines out there. Forrester estimates that 20 percent of business endpoints run XP, with as many as 23 percent in the public and healthcare sectors; retailers are also at risk. Research by Fiberlink, an IBM-owned mobile device management company, likewise found that up to 20 percent of the endpoints it surveyed run XP - and that excludes a few large financial companies that are very heavy XP users.

If Windows XP Support Is Ending, Why Are Companies Still Using It?

A good question to ask is why these systems haven't been migrated to a more modern operating system. After all, Microsoft announced the date for the end of support for Windows XP back in April 2012.

"Some organizations have underestimated migration times, some thought that the issue was not important, and it's possible that some IT departments didn't get the funding to carry out a migration," says Michael Silver, a research vice president at Gartner. He adds that some organizations didn't take the end of support date seriously or are content to upgrade to a newer version of Windows as they go through their hardware refresh cycles.

In addition, plenty of organizations use legacy applications that can be run only on XP because they are incompatible with later versions of Windows. Others are unwilling to upgrade because drivers are unavailable for expensive pieces of equipment that they use, such as medical devices.

Automation Can Expedite Windows XP Migration

Migration is certainly time-consuming, but the actual time required depends on the amount of resources that a company has available. "You could migrate 20,000 machines over a weekend - if you have 20,000 technicians," Silver points out. The key to quick migration without using huge amounts of human resources is automation.


French academic institution EHESP is one organization that carried out such a migration, switching 600 PCs running Windows XP to Windows 7 in one month using just three IT staff plus a consultant. It did so by partially automating the procedure using Dell's Migration Fast Forward Service, a master image from a pre-configured PC environment and a Dell KACE deployment appliance.

"After testing our software for compatibility, we migrated from old computers to new ones, and from Windows XP to Windows 7, at the rate of about 30 PCs per day," says Gwendal Rosiaux, EHESP's IT and Telecommunications Department Manager. "I am absolutely sure that this was quicker and cheaper than trying to migrate without automation."

Custom Support for Windows XP Worth Price of Compliance

Microsoft will in fact produce security patches for Windows XP after April 8, but these will only be available to companies willing to pay for custom support. There's no official price list for this service, but it's generally accepted that the cost is about $200 per machine for the first year, doubling every subsequent year.


The high cost of custom support has put many organizations off pursuing this option, but Silver recommends that organizations think again. "We've seen the maximum price shifting," he says. "We're hearing of caps in total support costs which are lower than those in the past, so it is definitely worth talking to Microsoft about this."

Companies in regulated industries that don't take this approach could risk compliance problems, as they will be running an operating system that has not been patched for known vulnerabilities. "Ultimately it's up to the auditors, but there would be a lot of uncertainty in saying that a system is secure if it hasn't been patched," he warns.


Chuck Brown, a Fiberlink director, agrees. "On the U.S. Federal side, machines won't be compliant (if they are running XP)," he says. "And I'm surprised on the financial services side with the worldwide regulations that exist that they could think that (machines running XP) wouldn't be out of compliance."

Third-party Windows XP Security Controls Have Potential

There are other ways to try to secure XP machines beyond getting custom support from Microsoft. One option is implementing sufficient security controls to prevent exploits reaching them. That's the approach used by Arkoon+Netasq, a French company that offers a service called ExtendedXP. This combines a security agent running on each XP endpoint with a service that monitors the overall XP threat environment and suggests any measures that need to be taken to mitigate them.

Another option is to use virtualization to isolate individual applications - an approach taken by California-based security software vendor Bromium. The company's vSentry product creates hardware-isolated micro-virtual machines for each end user task. If an attack occurs within a hardware-isolated micro-VM, it automatically remains isolated from CPU, memory, storage, device access and network access. When the user task is terminated, any malware is automatically destroyed, the company claims.


"Sixty percent of malware uses PDF files as a vector, so these types of isolation products can offer valuable protection," Forrester's Sherman says. "The problem is that only some apps are supported."

He also suggests using application whitelisting technology to try to prevent unknown code being executed, although he points out that whitelisted applications can still be compromised.

Also Consider Privilege Management, the 'Zero Option'

Since most malware requires administrator rights, privilege management solutions - which allow the use of accounts with standard privileges, elevating them to administrator accounts only when necessary to perform certain tasks - can be an effective way of reducing risk.

A Microsoft vulnerabilities study carried out by Avecto, a privilege-management software vendor, found that 92 percent of the critical vulnerabilities highlighted in Microsoft's 2013 security bulletins would be mitigated by removing administrator rights. This included 96 percent of critical vulnerabilities affecting Windows and 91 percent of vulnerabilities affecting Microsoft Office.


Simple steps such as disabling Java and Flash and using a third-party browser such as Chrome, which will continue to be updated, can also improve a Windows XP machine's security posture.

There's also the "zero" option: disconnecting XP machines from the Internet to isolate them from Internet-borne threats. But Silver points out that there's still a risk of infection by malicious software (such as ransomware that encrypts data) introduced on a USB stick.

Luckily, Windows XP Risk Falls Over Time

The danger of running Windows XP machines is likely to increase over the next 12 months, as newer vulnerabilities that are patched in Windows Vista and Windows 7 are exploited in XP. The good news is that, ultimately, the risk will go down, Silver believes.

That's because the installed base of Windows XP machines will fall to such a low level that it's no longer attractive for malware authors to target - as is the case with Linux and OS X machines.

"For the next year or so, the risk of running XP machines will be high. Beyond two or three years, there will be less risk," Silver says. "But that is a long time for organizations running XP to have to ride out."
