Posts Tagged ‘heartbleed’

300,000+ Servers Still Vulnerable to Heartbleed |

Monday, June 23rd, 2014

Almost three months, and thousands of fixes later, more than 300,000 systems are still vulnerable to the Heartbleed bug.Robert Graham of Errata Security revealed on Saturday that a recent scan found that 309,197 servers are still exposed."This indicated people have stopped even trying to patch," Graham wrote in a blog post.Following the April discovery of the OpenSSL bug—which leaves encrypted data open to scammers—panic ensued as websites around the world patched their systems to avoid a breach.At the time of the Heartbleed announcement, Errata found 600,000 vulnerable systems, which dwindled to half that number within the first month. But now, almost three months after the announcement, at least 300,000 sites are still at risk."We should see a slow decrease over the next decade as older systems are slowly replaced," according to Graham, though he’s not confident that all 309,000 will be patched."Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable," he said.

via 300K Servers Still Vulnerable to Heartbleed | News & Opinion |

Internet security researchers use Heartbleed bug to target hackers | Fox News

Wednesday, April 30th, 2014

Anti-malware researchers have turned the tables on cyber criminals by using the Heartbleed bug to gain access to online forums where hackers congregate.

The bug is a flaw in a key piece of security technology used by more than 500,000 websites had been exposing online passwords and other sensitive data to potential theft for more than two years.

Among the websites affected by the bug were private, password-protected hacker forums, Steven K, a French anti-malware researcher, told the BBC. The researcher said he was able to gain access to the sites by using specially-written tools to target them.

“Not many people have the ability to monitor this forum, but Heartbleed exposed everything,” Steven K added, referring to one such website.

Researchers can use the bug to grab conversations from chatrooms where hackers share data, but run the risk of facing criminal charges for malicious hacking, the BBC reports.

“This work just goes to show how serious Heartbleed is,” said Charlie Svensson, a computer security researcher at Sentor. “You can get the keys to the kingdom, all thanks to a nice little heartbeat query.”

Meanwhile, a new poll released Wednesday by the Pew Research Center said most Americans have been trying to protect themselves from the bug, but a group nearly as large is unaware of the threat.

via Internet security researchers use Heartbleed bug to target hackers | Fox News.

App and Browser Plugin – Runs Check for Heartbleed –

Saturday, April 19th, 2014

Most major websites have patched the gaping security hole called the Heartbleed bug, which at one point affected up to two thirds of the Internet. However, there are still some stragglers. A new free browser plugin and Android app from cloud security company Trend Micro can help check that the sites you visit and Android apps you download are Heartbleed-free.

The Heartbleed bug exists in a version of OpenSSL, a type of software used to encrypt data in transit, such as between your computer and the server of a webpage you’re visiting, or between your smartphone and the server of an app you have installed. Trend Micro’s browser plugin and app can help users feel a bit more secure on the Internet.

via App and Browser Plugin Check for Heartbleed.

Heartbleed OpenSSL – Leaked Exploit POC

Saturday, April 19th, 2014


* CVE-2014-0160 heartbleed OpenSSL information leak exploit

* =========================================================
* This exploit uses OpenSSL to create an encrypted connection
* and trigger the heartbleed leak. The leaked information is
* returned within encrypted SSL packets and is then decrypted
* and wrote to a file to annoy IDS/forensics. The exploit can
* set heartbeat payload length arbitrarily or use two preset
* values for NULL and MAX length. The vulnerability occurs due
* to bounds checking not being performed on a heap value which
* is user supplied and returned to the user as part of DTLS/TLS
* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to
* 1.0.1f are known affected. You must run this against a target
* which is linked to a vulnerable OpenSSL library using DTLS/TLS.
* This exploit leaks upto 65532 bytes of remote heap each request
* and can be run in a loop until the connected peer ends connection.
* The data leaked contains 16 bytes of random padding at the end.
* The exploit can be used against a connecting client or server,
* it can also send pre_cmd’s to plain-text services to establish
* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients
* will often forcefully close the connection during large leak
* requests so try to lower your payload request size.
* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g
* E.g.
* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed
* $ ./heartbleed -s -p 443 -f out -t 1
* [ heartbleed – CVE-2014-0160 – OpenSSL information leak exploit
* [ =============================================================

via Heartbleed OpenSSL – Information Leak Exploit.

Tor anonymity network to shrink due to Heartbleed flaw | [PCWorld]

Friday, April 18th, 2014

The Tor Project has flagged 380 Tor relays vulnerable to the critical Heartbleed flaw to be rejected from the Tor anonymity network, reducing the network’s entry and exit capacity.


The decision has already been implemented on a Tor directory authority—a server that maintains a list of Tor relays—controlled by Roger Dingledine, the Tor Project leader, and is likely to be followed by other directory authority operators.

The 380 relays flagged for rejection are trusted entry relays, also known as guards, and exit relays. As a result, the immediate impact of this decision would be a 12 percent reduction in the network’s guard and exit capacity, Dingledine said Wednesday in an email sent to the tor-relays mailing list.

Traffic from clients typically flows through the Tor network in three hops. The first hop is through a guard relay and the final hop, before the traffic is returned on the Internet to reach its intended destination, is through an exit relay.

Twelve percent might not sound like much, but guard and exit relays play an important role on the network and are not easy to replace. Many relays are run by volunteers, but they need to be trusted and need to have enough bandwidth at their disposal to handle traffic from multiple clients.

“I thought for a while about taking away their Valid flag rather than rejecting them outright, but this way they’ll get notices in their logs,” Dingledine said.

Tardy patches seem to be the reason

It seems that the ban might be permanent. Dingledine said that he wouldn’t want those relays back on the Tor network even if they upgraded their versions of OpenSSL because their operators didn’t patch the flaw in a timely manner.

The Heartbleed vulnerability was announced on Apr. 7 and affects versions 1.0.1 through 1.0.1f of OpenSSL, a library that implements the TLS (Transport Layer Security) encrypted communication protocol and which is used by many operating systems, web servers, browsers and other desktop and mobile applications.

via Tor anonymity network to shrink as a result of Heartbleed flaw | PCWorld.

Billions of Smartphone Users affected by Heartbleed Vulnerability – The Hacker News

Monday, April 14th, 2014

Billions of Smartphone Users affected by Heartbleed Vulnerability

Heartbleed has left a worst impression worldwide affecting millions of websites and is also supposed to put millions of Smartphones and tablets users at a great risk.

Android blackberry apple iphone heartbleed

Heartbleed is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL’s implementation of the TLS/DTLS heartbeat extension, which allows attackers to read portions of the affected server’s memory, potentially revealing users data such as usernames, passwords, and credit card numbers, that the server did not intend to reveal.

via Billions of Smartphone Users affected by Heartbleed Vulnerability – The Hacker News.

Millions of Android Devices Vulnerable to Heartbleed Bug – Bloomberg

Friday, April 11th, 2014

Security researchers said that version of Android is still used in millions of smartphones and tablets, including popular models made by Samsung Electronics Co., HTC Corp. and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software and the company has said more than 900 million Android devices have been activated worldwide.

via Millions of Android Devices Vulnerable to Heartbleed Bug – Bloomberg.