A vulnerability in OpenSSL has potentially exposed millions of websites, including popular social networks, to data theft say researchers. According to an advisory by vulnerability defence firm, Codenomicon Defensics (one of the discoverers of this vulnerability), this allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
The vulnerability or bug has been given the name Heartbleed, though the official designation is CVE-2014-0160. First discovered earlierlast week, researchers estimate that the bug has been present since 2011. What this means is that users of websites with OpenSSL encryption (and these number in the millions) were potentially open to data theft for more than three years. It is still not clear whether anyone has actually been able to exploit this vulnerability, though one report claimed that anyone with a basic knowledge of programming could be in a position to abuse this vulnerability.
Heartbleed has affected all kinds of websites, from e-commerce stores to banking sites and even popular social media platforms. Yahoo has already released patches as protection against the vulnerability. Google, in an official blog post said that patches have been applied to Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine, while Google Chrome and Chrome OS are not affected. “We are still working to patch some other Google services,” the statement further read. A Facebook India spokesperson told us that protections had been added for Facebook’s implementations of OpenSSL before this issue was publicly disclosed. The spokesperson further added that the company has not detected any signs of suspicious activity on people’s accounts. Twitter’s India team did not reply when approached.However, an official post by the company said, “We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation.”
What Is OpenSSL and how does the Heartbleedvulnerability work?
OpenSSL is a popular web encryption technology used to safeguard sensitive data like passwords over the internet. It is an open source implementation of SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols, which are used to provide security to communications. On a website (for example, Gmail) it is denoted by a green lock icon next to the URL. It is deployed in many scenarios such as within email servers and VPN (virtual private network) systems and can be embedded within operating systems.
What the Heartbleed vulnerability means is that a malicious party could potentially trick the SSL protocol through its ‘heartbeat’ option. This ‘heartbeat’ feature allows two computers to communicate via a short message to check whether both are online. Due to the bug, it is possible to send a disguised heartbeat message that tricks the computer at one end into divulging information stored in the server memory. OpenSSL.org estimates that up to 64kB of memory could be revealed to a connected client or server. However, the organization assures that the vulnerability does not affect versions of OpenSSL prior to 1.01.
What are the ramifications?
It is still not clear if anyone has actually been able to exploit this vulnerability in the last two to three years it has been present. With most of the top internet companies and social platforms having already released patches and fixes, it seems user data is safe for now. However, users are still being advised to change their password for added security. Though, how useful doing this will be is still debatable. Web security experts we spoke to said it would take more time to analyse and understand all the implications of Heartbleed. Websense, a security firm, stated that 600 of the top 10,000 websites (as ranked by Alexa) are still vulnerable.The company said in a blog post, “It is understood that web server logs will not show whether the vulnerability has been used, thus making an attack difficult to detect from that perspective.”
Keep following this space for more updates and developments.
Our typical marketing budget is usually 10 per cent of the topline spend
There are some forces impacting the way our business works. The IT/ITeS sector has changed tremendously. Platforms like Twitter have made everyone journalists. Smartphones have made everyone a photographer. The trend that we are seeing is one of hyperdigitalization, which is causing the lines between product and services to blur. For example, <a href=http://www.exchange4media.com/company/news/amaz...
The OOH sector is among the fastest growing, globally. Brands and marketers have realized its potential and impact and begun to craft medium-specific adverts. Self-regulation is not only necessary but also essential to growth of the sector. The industry needs to exercise a certain level of this self-restraint to prove its commitment to maintaining the best standards in advertising.
<b>Clients are looking for experiential solutions beyond radio or print: Abraham Thomas, Radio City 91.1 FM</b><br><br> From entering new markets to launching large format events, Radio City 91.1FM has been on a roll. The radio channel recently announced the launch of India’s biggest singing talent hunt-Radio City Super Singer Season 8. Earlier this year, the channel set up its own creative-cum...
The interesting animated rap music video encapsulates Droom’s ecosystem tools and their role in facilitating second-hand automobile transactions
Perfumes are invisible and these new ads from Skinn create a story out of this
New campaign aims at first-time users by providing ‘first-night free’ – a first-ever offering by the brand on online hotels booking