4/10/2014

View of the Week: On the Latest Scare On the Web // Heartbleed :-(

The internet is truly the "Wild Wild West". This was proven again by one of the most critical security events that has befallen us. The Sydney Morning Herald's Ben Grubb noted this in his online April 10, 2014 column:

The Heartbleed flaw is a bug that was found in some of the latest versions of an open source cryptography library used by millions of websites globally, called OpenSSL. Many websites use OpenSSL when implementing that golden "lock" and "https" in the URL of a web browser. When people see these in a browser, they tend to feel a website is safe as they know their data is supposedly being encrypted between them and the website.
But the flaw that was discovered by Google security engineer Neel Mehta and by staff at a security firm called Codenomicon showed this was not always the case. They found a bug in the code of OpenSSL that allowed a malicious person to extract from a website's server 64 kilobytes of its internal memory at any one time.

If this data was extracted enough times, the researchers found that an attacker would have been able to steal usernames, passwords and financial information – basically any piece of information being pushed through a server's memory. They also found that a server's private key – the key only it is supposed to have and what it uses to encrypt communications – was able to be extracted by a malicious person. With this key, an attacker can impersonate a website and sit in the middle of a victim's internet connection and a "secured" website to access encrypted data and decrypt it.
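The mechanism Grubb describes, a server trusting a length field and handing back up to 64 kilobytes of whatever happens to sit in memory, comes down to one missing bounds check. The C program below is an added illustration written for this post; it is not OpenSSL's code and not from the column. It processes a constructed heartbeat record (type, two-byte claimed payload length, payload, 16 bytes of padding) with a handler that trusts the claimed length and a hardened handler that checks the claim against the bytes actually received. The record layout follows the heartbeat extension's shape, but the function names, the sample record and the "FAKE-PRIVATE-KEY-BYTES" string are all constructed for the demonstration; nothing here is a real key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class; not OpenSSL's own code.
 * A heartbeat record is type(1) | payload_length(2, big-endian) |
 * payload | padding(16). The receiver echoes payload_length bytes back. */

#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
/* Both sample records below carry a 2-byte payload: 21 bytes actually received. */
#define RECORD_LEN     (HB_HEADER_LEN + 2 + HB_PADDING_LEN)

/* Constructed "process memory": a malicious record that claims a 32-byte
 * payload but carries 2, followed by data that merely sits next to it. */
const unsigned char g_memory[] =
    "\x01"                      /* type: heartbeat request */
    "\x00\x20"                  /* claimed payload length: 32 */
    "hi"                        /* actual payload: 2 bytes */
    "PPPPPPPPPPPPPPPP"          /* 16 bytes of padding */
    "FAKE-PRIVATE-KEY-BYTES";   /* adjacent memory the peer must never see */

/* A well-formed record whose claimed length (2) matches its payload. */
const unsigned char g_honest_record[] =
    "\x01" "\x00\x02" "hi" "PPPPPPPPPPPPPPPP";

/* Vulnerable handler: believes the length field inside the record and never
 * consults how many bytes actually arrived. Returns bytes echoed. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* ignored: this is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return 0;                 /* keeps the demo itself in bounds */
    memcpy(out, rec + HB_HEADER_LEN, payload);       /* reads past the real payload */
    return payload;
}

/* Hardened handler: the claimed length must fit inside the record received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;   /* no room for header + padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload + HB_PADDING_LEN > rec_len) return 0; /* over-claim: drop it */
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload);
    return payload;
}

/* Returns 1 if the vulnerable handler echoes bytes from beyond the record
 * (the constructed secret), 0 otherwise. Offset 18 = 2 payload + 16 padding. */
int vulnerable_leaks_adjacent_memory(void) {
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(g_memory, RECORD_LEN, out, sizeof out);
    return n == 32 && memcmp(out + 2 + HB_PADDING_LEN, "FAKE-PRIVATE-K", 14) == 0;
}

int main(void) {
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(g_memory, RECORD_LEN, out, sizeof out);
    printf("vulnerable handler echoed %zu bytes: ", n);
    fwrite(out, 1, n, stdout);
    putchar('\n');
    n = heartbeat_fixed(g_memory, RECORD_LEN, out, sizeof out);
    printf("fixed handler echoed %zu bytes for the malicious record (rejected)\n", n);
    n = heartbeat_fixed(g_honest_record, RECORD_LEN, out, sizeof out);
    printf("fixed handler echoed %zu bytes for the well-formed record\n", n);
    return 0;
}
```

Run stand-alone, the vulnerable handler echoes the two-byte payload, the padding and then the start of the adjacent "key" material, while the fixed handler returns nothing for the same record and echoes exactly two bytes for the honest one. The point for defenders is that the check is on the relationship between the claimed length and the record length, which is why patching the library (and, since the private key may already have been read, rotating keys and certificates) was the remediation rather than any change at the application layer.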

The need to be ever so vigilant has never been clearer. The latest I received was from the folks at Bitcasa, underscoring the depth of the problem:

On April 7th, a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a majority of websites on the Internet. At Bitcasa, we pride ourselves on security and take it very seriously.

We want you to know that your account and our service are completely safe. Nevertheless, to ensure your account is protected from this vulnerability, we have logged you out of all your devices, with the exception of the desktop app, and you will need to log back in.

In an effort to ensure there is no additional risk, we strongly encourage you to change your password and update your security questions.

If you have any questions or concerns, please email security@bitcasa.com.

Also, please reference our Security Update to understand how we've kept your account safe. For additional information regarding this vulnerability, please visit: http://heartbleed.com/

- The Bitcasa Team

The basic message is clear: be careful and be ever so vigilant.
