Australian businesses exposed to 'Heartbleed' bug

Patching the bug is just the start, it seems...

Twenty of Australia's ASX top 200 organisations have been exposed to the dangerous 'Heartbleed' vulnerability in OpenSSL, which was revealed yesterday.
 
OpenSSL, an open-source implementation of the SSL and TLS protocols, contains a bug in its heartbeat extension that validates site connections.
 
Attackers could exploit the read-overrun bug to quietly connect to vulnerable servers, which would leak memory that could include usernames, passwords and even the SSL server's private key.

Those with access to the key could use it to impersonate a site even after the bug has been fixed, and likely trawl through and decrypt encrypted data. Man-in-the-middle attacks could be performed by those with private keys in hand.
 
Scores of insecure sites have been detected, and some of the biggest websites, including Amazon and WordPress, have rushed to apply a patch for the two-year-old vulnerability.
 
Yahoo! has also plugged the hole but failed to act on early advice from Google and Codenomicon researchers who tipped off some sites ahead of the disclosure yesterday. That led to the exposure of usernames and passwords for users of its email service.
 
[Image: Yahoo passwords exposed. Credit: @markloman]
 
Statistics from metrics company Netcraft show that 66 percent of websites run the open source web servers Apache and nginx, which use OpenSSL as their default encryption library.
 
HackLabs director Chris Gatford ran quick tests of the ASX top 200 organisations and found 20 which were still exposed.
 
He said applying the fix would be painful for some organisations but necessary, and warned that attackers may target the bug for a long time.

Scores more sites have been found by researchers and attackers using simple scripts and online tools.
 
Security researchers have also posted proof of concept scripts to find and hijack user sessions from vulnerable servers en masse.
 
But Google researcher Neel Mehta, who helped discover the bug, said exposure of private keys was unlikely due to memory allocation patterns.
 
While it remained critical that organisations apply the OpenSSL patch, doing so mitigated only one part of the threat.
 
Web administrators concerned that their website was exploited in the two years the bug existed under the radar should obtain new digital certificates. 
 
Those admins worried that attackers have gained access to private keys should join the few who have deployed Perfect Forward Secrecy, a powerful tool to prevent attackers from decrypting data sent during the past two years.
 
Security boffins also advise that passwords should be changed, a step that some websites are already taking.
 
Organisations running the Snort security software should review a list of signatures for the platform which will detect successful attacks exploiting Heartbleed.
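As an added illustration of the read-overrun described above and of the kind of check an IDS signature for it performs, here is a small Python scanner (not code from the article, from Snort or from OpenSSL) that walks raw TLS records and flags two things: a heartbeat request that declares more payload than it actually carries, and a heartbeat response far larger than any keep-alive should be, the tell-tale of a server leaking memory. The 256-byte response threshold and the sample traffic are constructed assumptions for the demo.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type used by the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520: every heartbeat message ends with >= 16 bytes of padding
MAX_SANE_RESPONSE = 256     # assumed local threshold; legitimate keep-alive payloads are tiny

def iter_tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in a raw byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + rlen]
        if len(body) < rlen:          # truncated record: wait for more data
            break
        yield ctype, body
        off += 5 + rlen

def check_heartbeat(body):
    """Return an alert string if a heartbeat record looks like Heartbleed activity, else None."""
    if len(body) < 3:
        return "heartbeat record shorter than its 3-byte header"
    hb_type, declared = struct.unpack_from("!BH", body, 0)
    carried = len(body) - 3           # payload + padding actually present on the wire
    # A patched peer discards a request whose declared length leaves no room for the padding;
    # an unpatched OpenSSL instead copies 'declared' bytes out of its own heap.
    if hb_type == HB_REQUEST and declared + MIN_PADDING > carried:
        return f"request declares {declared} payload bytes but carries only {carried}"
    if hb_type == HB_RESPONSE and declared > MAX_SANE_RESPONSE:
        return f"response carries {declared} bytes: unpatched server may be leaking memory"
    return None

def scan_stream(stream):
    """Run the heartbeat check over every TLS record; returns the list of alert strings."""
    alerts = []
    for ctype, body in iter_tls_records(stream):
        if ctype == TLS_HEARTBEAT:
            alert = check_heartbeat(body)
            if alert:
                alerts.append(alert)
    return alerts

# --- constructed sample traffic for the demo, not real captures ---
def tls_record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def heartbeat(hb_type, declared, payload):
    return struct.pack("!BH", hb_type, declared) + payload + b"\x00" * MIN_PADDING

BENIGN = tls_record(23, b"app data") + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping"))
MALFORMED_REQUEST = tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 0x4000, b""))
LEAKY_RESPONSE = tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 0x4000, b"\x41" * 0x4000))
```

Feeding the three samples to `scan_stream` yields no alert for the benign stream, one request alert for the malformed stream and one response alert for the leaky stream.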

Source: Copyright © PC & Tech Authority. All rights reserved.
