Thursday, May 1, 2014

Many US internet users believe they were hit by Heartbleed

Many Americans scrambled to protect their personal information online after learning of the Heartbleed internet flaw, and some believe their data was stolen, a survey showed Wednesday.

The Pew Research Center report found 39% of US internet users took steps to protect their data such as changing passwords or cancelling accounts.

Six percent of the online users said they believed they lost data as a result of Heartbleed, Pew found.

The Heartbleed flaw, which went undetected for more than two years, allowed hackers to snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys or other valuable information.

Most websites patched the flaw as part of a rush to allay concerns about the security of online information.

The Pew survey found mixed views on security of personal information online:

Roughly half (46%) said they believe their information is "somewhat secure," while 23% said their data was "very secure" and 26% "not too secure" or "not at all secure."

The survey found 60% of the American public had heard at least a little about Heartbleed, including 64% of internet users.

Where’s the next Heartbleed Bug lurking? OpenSSL | Linux Foundation | Intel | Insurability

After causing widespread panic and changing of passwords, the Heartbleed bug has largely disappeared from the news. Yet the implications of the discovery are still being debated across the computer industry. The biggest concern for security experts is how to preempt other flaws lurking in the Internet.

The Heartbleed bug was discovered earlier this month in a piece of software called OpenSSL that is widely used to establish a secure connection between Web browsers and servers by managing the cryptographic keys involved. OpenSSL is an "open source" project, meaning that the underlying code is published along with the software. It is maintained by a small group of volunteer programmers. The problem is being recognised by big software companies that rely on efforts like OpenSSL.

Last week, the Linux Foundation, which provides support for the popular Linux operating system, launched an effort called the Core Infrastructure Initiative to support small open-source projects. Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell have so far committed more than $3 million to the effort. A steering committee will try to identify the open-source projects that most need financial support.

"The problem with open source is that you have the 'free rider' problem," says Chris Wysopal, a well-known computer security expert and chief technology officer and cofounder of Veracode, an application-security assessment firm. "People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going."

Even three weeks after the bug was discovered, some laggard businesses are still updating servers, installing new cryptographic certificates, and directing users to reset their passwords. More troubling for experts like Wysopal is that other foundational components of the Internet are, like OpenSSL, small open-source projects.

And it can be difficult to tell which may lack the resources needed to rigorously check their code for security vulnerabilities. Before the Heartbleed bug was discovered, few had heard of OpenSSL or the 11 developers who donate much of their time to the project. The OpenSSL Software Foundation, which handles the commercial contracting for the organisation, employs just a single full-time developer. It received a grand total of $2,000 in donations last year, and it has never taken in more than $1 ..

"There should be at least a half dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," wrote Steve Marquess, the official fundraiser and business contact for the OpenSSL Software Foundation, in a blog post shortly after Heartbleed was disclosed. "If you're a corporate or government decision maker in a position to do something about it, give it some thought. Please."

Marc Maiffret, chief technology officer at Beyond Trust, a security software firm, says other open-source projects face a similar problem. "People assume that just because something is open source there is this magical effort that goes on to find bugs and make it secure. But it usually starts with a couple of people, perhaps it gets popular, and then ends... with a couple of people."

Wysopal of Veracode says the key problem is that there is no way to gauge the importance of different pieces of Internet infrastructure: "If someone wanted to do widespread attacking of lots of sites, which components are on the front of the attack surface?" The challenge of predicting where big vulnerabilities may emerge is compounded by the fact that Internet programmers increasingly build their code using a range of different tools.

In a report released last year, a company called Aspect Security found that 26 percent of the libraries downloaded for use in applications had known vulnerabilities. "The problem is there are so many components that the software stack depends on," says Jeff Williams, cofounder and CTO of Aspect. "The Internet is a haystack full of needles."

Wednesday, April 30, 2014

Study: Only 39% of Web users changed passwords due to Heartbleed bug

It appears Heartbleed, the massive OpenSSL security flaw, never really mattered much to the masses.

According to a study by Pew Internet, 39 percent of Internet users surveyed “took steps to protect their online accounts” after learning about Heartbleed security risks. As for the majority 61 percent, they apparently didn’t take any steps “to protect their online accounts by doing such things as changing passwords or canceling accounts.”

For all the shouting from the tech and security industry, a large portion of Internet users remain entirely indifferent to the bug.

Later in its study, Pew claims “29 percent of Internet users believe their personal information was put at risk because of the Heartbleed bug,” while only 6 percent believe their personal data was stolen.

As with all studies, Pew’s research should be taken with a speck of sand. Studies such as these can successfully suggest trends, but the data within them shouldn’t be interpreted as hard fact.

It’s curious, however, to see that Heartbleed — a bug famous for striking mainstream fears — isn’t as widely cared about as techies may believe.

Internet security researchers use Heartbleed bug to target hackers

Anti-malware researchers have turned the tables on cyber criminals by using the Heartbleed bug to gain access to online forums where hackers congregate.

The bug, a flaw in a key piece of security technology used by more than 500,000 websites, had been exposing online passwords and other sensitive data to potential theft for more than two years.

Among the websites affected by the bug were private, password-protected hacker forums, Steven K, a French anti-malware researcher, told the BBC. The researcher said he was able to gain access to the sites by using specially-written tools to target them.

"Not many people have the ability to monitor this forum, but Heartbleed exposed everything," Steven K added, referring to one such website.

Researchers can use the bug to grab conversations from chatrooms where hackers share data, but run the risk of facing criminal charges for malicious hacking, the BBC reports.

“This work just goes to show how serious Heartbleed is,” said Charlie Svensson, a computer security researcher at Sentor. “You can get the keys to the kingdom, all thanks to a nice little heartbeat query."

Meanwhile, a new poll released Wednesday by the Pew Research Center said most Americans have been trying to protect themselves from the bug, but a group nearly as large is unaware of the threat.

After word of the problem got out on April 7, affected websites began to close the Heartbleed loophole and security specialists recommended that Web surfers change their online passwords as a precaution.

That advice apparently resonated among those who read about it in the extensive media coverage of the Heartbleed risks.

Passwords were changed or online accounts were closed by 39 percent of the Internet users in Pew's telephone survey of 1,501 adults taken in the U.S. from April 23-27.

But 36 percent of the Internet users participating in the survey hadn't heard about Heartbleed at all.

The almost equal division between people insulating themselves from Heartbleed and those unaware of the problem shows there is still a knowledge gap even as the Internet and mobile devices make it quicker and easier to find all kinds of information.

"There are some people who are pretty tuned in and are in an action frame of mind, and then there are others that don't know about the news that is breaking," said Lee Rainie, director of Pew Research's Internet Project.

Better educated and more affluent Internet users tended to pay the most attention to Heartbleed. Roughly three-fourths of the Internet users aware of Heartbleed had college educations and lived in households with annual incomes of at least $75,000, according to Pew.

Only 19 percent of the survey respondents said they had heard "a lot" about Heartbleed. By comparison, 46 percent said they had heard "a lot" about the escalating tensions between Russia and Ukraine.

Just 6 percent of the survey participants believed Heartbleed led to their online information being ripped off.

Tuesday, April 29, 2014

Just how big a threat is Heartbleed? Heartbleed initially posed a huge threat to internet security

Just how serious is this threat from the Heartbleed website security flaw? The only reason I ask is because there is so much conflicting advice about what I should do, regarding changing passwords and so on.

It could have been very serious indeed, but the industry has moved quickly and virtually all of the major institutions and sites where it could have been a problem have been fixed. Even so, a lot of websites are still vulnerable. Visiting a site’s home page to check its status is worth doing, but there are other ways, though only if you are using the Firefox or Chrome browsers. Two plug-ins and an extension have been developed that check for the flaw: Foxbleed, Heartbleed-ext and Chromebleed.

They indicate, using coloured, heart-shaped icons, whether or not the site you are visiting has been patched. As a final precaution you can enter the web address in a Heartbleed Test website that also tells you if the site is safe. In the end, though, the best advice to stay safe on the web has not changed, and that is to use long, unguessable passwords (i.e. no names or words) made up of a mixture of characters and punctuation marks. Use a different password for each site and change them on a regular basis.

NSA Admits to Keeping Some Heartbleed-like Bugs Secret

The NSA’s building is so big because it’s full of secrets even though the agency will never actually admit to even a portion of them.

In a rare move, however, the White House has chosen to disclose more about the way the NSA works and how it deals with bugs such as Heartbleed.

As you will probably remember, everyone guffawed when the NSA said it had no prior knowledge of Heartbleed a few weeks back, when the OpenSSL vulnerability was exposed. That’s because if there’s one thing Edward Snowden’s leaks have taught us, it is that finding bugs of this size is one of the agency’s main jobs, especially given the widespread use of the affected OpenSSL versions.

Since Heartbleed had been around for two years, it was even harder to believe that the intelligence agency really had no idea about the issue. What made matters even worse was the idea that the spies did know about the bug, but chose not to share the information with the public.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area,” writes Michael Daniel, White House cybersecurity coordinator.

The decision to share more information about how the agency works came after Heartbleed was exposed, actually.

The agency said that it considers several things before deciding whether to share the information it has on bugs; more specifically, the White House described how it decides which vulnerabilities are withheld from the public.

Firstly, the agency analyzes how much the vulnerable system is used in the core Internet infrastructure, in other critical infrastructure systems, in the United States economy and in national security systems.

Then, they assess whether the vulnerability, if left unpatched, poses a significant risk, and just how much harm an adversary nation or criminal group could do with knowledge of the bug.

“How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it?” Daniel writes.

Other questions relate to whether or not the agency can exploit the bug for a short period before disclosing it and whether anyone else is likely to spill the beans before them.

“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake,” Daniel wrote.

Basically, the White House and the NSA are once more playing “God” and deciding whether something should be known by the public or not even if their online safety is at risk. Even worse, the US government admits that it sometimes withholds information so it can exploit the bug on its own.

While the NSA has denied knowing about Heartbleed, it does seem likely that others have caught on to the bug and exposed it while the intelligence agency was still exploiting it for information.

Microsoft grapples with IE security flaw - Scrambling Sunday to repair a security hole

Microsoft was scrambling Sunday to repair a security hole in its widely used Internet Explorer web browser, saying it had detected attempts to exploit the flaw.

The US software giant said that the coding problem affected versions six through 11 of its flagship browser, noting it was aware of “limited, targeted attacks” taking advantage of the newly discovered flaw.

Microsoft says that an attacker who successfully exploits the vulnerability could gain the same user rights as the official user.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft said on its security website Saturday.

“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Cybersecurity firm FireEye, which took credit for identifying the flaw, said hackers were exploiting the bug in a campaign nicknamed “Operation Clandestine Fox.”

Users still relying on Windows XP could be especially vulnerable because Microsoft stopped supporting the older operating system with security patches and other software updates early this month.

Earlier this month, the “Heartbleed” flaw in Internet security saw everyone from website operators and bank officials to casual Internet surfers and governments being told their data could be in danger.

Heartbleed allowed hackers to snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.