Monthly Archives: April 2014

Heartbleed – OpenSSL Security Bug Revealed – Change Your Passwords Now


Thanks to the Heartbleed Bug, the OpenSSL Secure Padlock is not as secure as it looks.

OpenSSL is an open-source cryptographic library that a large share of the world's servers use to implement SSL/TLS, the protocol that encrypts data as it passes between your browser and a website. You never see OpenSSL itself; what you see is the padlock icon in your browser, which tells you the connection is encrypted, whether the server is using OpenSSL or a rival implementation. For years you've been told to trust the padlock icon and, if it's there, you're safe.

Google's security team and Codenomicon (a Finnish security company) independently found the flaw, and it was disclosed earlier this week (7 April) as CVE-2014-0160. It had been in OpenSSL for more than two years: every release from 1.0.1 (March 2012) up to and including 1.0.1f is affected, and 1.0.1g fixes it. The bug is in the TLS heartbeat extension. A client can ask the server to echo back a small payload while lying about the payload's length, and a vulnerable server obligingly replies with up to 64 KB of whatever happens to be next in its memory. That memory can contain the names and passwords of people using the service, their session cookies, copies of the data they were sending, and even the server's private key, which is what lets criminals set up spoof sites that appear legitimate, because they can present the real site's stolen key and certificate.
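As an added illustration (not code from the original post or from OpenSSL itself), here is a simplified C model of the heartbeat handler: the vulnerable version that trusts the length field in the packet, next to the version with the single bounds check that OpenSSL 1.0.1g added. The arena standing in for server memory, the "hello" payload and the secret placed after the record are all constructed for the example; the `out_cap` guard is also mine, to keep the simulated over-read inside one allocation (real OpenSSL allocated the reply buffer from the claimed length, so nothing stopped it reading past the record).

```c
/* Simplified model of the OpenSSL TLS heartbeat handler (example code, not
 * OpenSSL's), showing the missing bounds check behind Heartbleed
 * (CVE-2014-0160) next to the check that fixes it.
 *
 * A heartbeat request is: 1 byte type, 2 byte payload length (big-endian),
 * the payload, then at least 16 bytes of padding. The vulnerable handler
 * trusted the length field and echoed that many bytes from the record, so a
 * short record with a large claimed length returns whatever follows it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define ARENA_SIZE  4096

/* Constructed "server memory": the received record is placed at the start of
 * one arena and a constructed secret right after it, so the over-read stays
 * inside a single allocation and is deterministic. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "user=alice&password=hunter2";   /* constructed */

typedef size_t (*handler_fn)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Write a request with the given payload and claimed length into the arena;
 * return the true length of the record as the TLS record layer reports it. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t rec_len = 1 + 2 + plen + 16;            /* type, length, payload, pad */
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1); /* lies just past the record */
    return rec_len;
}

/* Vulnerable handler, as in OpenSSL 1.0.1 through 1.0.1f: the claimed
 * length is read from the packet and never compared with rec_len. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                 /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);  /* n2s(p, payload) */
    if (rec[0] != HB_REQUEST || (size_t)3 + payload > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* copies beyond the real record */
    return 3 + payload;
}

/* Fixed handler, as in OpenSSL 1.0.1g: reject any request whose claimed
 * payload plus header and padding does not fit in the record received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + 16) return 0;            /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + 16 > rec_len) return 0;   /* the fix */
    if (rec[0] != HB_REQUEST || (size_t)3 + payload > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

struct outcome { size_t reply_len; int leaked; };

/* Send a request with the given claimed length (real payload "hello") to a
 * handler; report the reply size and whether the reply contains SECRET. */
struct outcome try_handler(handler_fn h, uint16_t claimed_len)
{
    static unsigned char reply[ARENA_SIZE];
    struct outcome o = { 0, 0 };
    size_t rec_len = build_request(claimed_len, "hello");
    size_t slen = sizeof SECRET - 1;
    o.reply_len = h(arena, rec_len, reply, sizeof reply);
    for (size_t i = 0; i + slen <= o.reply_len; i++)
        if (memcmp(reply + i, SECRET, slen) == 0) { o.leaked = 1; break; }
    return o;
}

int main(void)
{
    struct outcome v = try_handler(heartbeat_vulnerable, 1024);
    struct outcome f = try_handler(heartbeat_fixed, 1024);
    printf("claimed 1024, sent 5: vulnerable returned %zu bytes, leaked secret: %s\n",
           v.reply_len, v.leaked ? "yes" : "no");
    printf("claimed 1024, sent 5: fixed returned %zu bytes (0 = rejected)\n", f.reply_len);
    return 0;
}
```

The whole fix is the one comparison of the claimed length against the record length actually received; with it, a request whose claimed length matches its real payload (5 bytes of "hello") is still answered normally by both handlers, while the oversized request is answered only by the vulnerable one, and its reply carries the secret that sat beside the record in memory.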

To quote Ari Takanen, Codenomicon's chief technology officer: "If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested." Codenomicon named the bug Heartbleed, after the TLS heartbeat extension it lives in, to reflect data leaking from servers.

Bruce Schneier, the cryptographer and security writer, summed it up thus: "Catastrophic is the right word. On the scale of one to 10, this is an 11."

Ollie Whitehouse, associate director of NCC Group (a cybersecurity company that advises many FTSE 250 members), described the situation as "grave".

So the hole had been open for two years before we were told about it, and before most server operators knew about it, and nobody can say whether criminals exploited it during that time: a Heartbleed request leaves nothing in the server's logs. Now the details are in the public domain, meaning that anybody with a Raspberry Pi and the skills to write a simple script can have a crack at any server that has not yet been patched.

If you think it's just little sites that are affected, think again. More than two thirds of the web's active sites run on Apache or Nginx, both of which normally link against OpenSSL. Not every one of them is vulnerable (only installations running OpenSSL 1.0.1 through 1.0.1f are), but that is still a large fraction of the web. Even the Canada Revenue Agency halted its online services "to safeguard the integrity of the information we hold". The only good news is that servers running Microsoft's Internet Information Services (IIS) are not affected, because IIS uses Microsoft's own TLS implementation (SChannel) rather than OpenSSL.

Wow!

Probably the best advice we can give now is to change your passwords (good practice to do periodically anyway), but don't rush to do it right away: a new password entered on a server that is still vulnerable can be harvested just like the old one. Wait until the site confirms it has patched OpenSSL and, ideally, has revoked and reissued its certificate with a new private key, since a patched server that keeps a key that may already have leaked can still be impersonated. One quick check is the "valid from" date on the site's certificate: a certificate issued after 7 April 2014 suggests the key has been replaced.

LinkedIn, no doubt mindful of its recent security failings, is already forcing users to change their passwords.

LinkedIn Email Addresses Revealed via SellHack

Millions of LinkedIn email addresses compromised via free SellHack plugin for Chrome browser


It seems that LinkedIn has suffered yet another security breach, this time courtesy of a free extension to the Chrome browser, SellHack, that shows the email address behind a LinkedIn profile at the click of a button, even for people you are not connected to. (SellHack's own account is that it derives the addresses from publicly available data and pattern matching rather than from LinkedIn's systems; if so, this is an aggregation problem rather than a break-in, though for the person whose address is exposed the result is the same.)

The powerful LinkedIn has issued a cease-and-desist notice to try to stop the much smaller SellHack from giving away the extension. As is often the case, the larger company, with the disproportionately bigger legal budget, will probably win the day. Indeed, SellHack has already disabled the plugin.

Certainly we don't condone SellHack's actions in making it so simple to access confidential LinkedIn data that even a two-year-old with an Android tablet could do it. That's obviously wrong. However, simply making something harder to do doesn't make it secure: LinkedIn, please take note.

To my mind, then, the real problem here is that LinkedIn has some major security flaws in its system, as we revealed just 3 weeks ago. I personally think LinkedIn would do better to attend to its evident security problems rather than pick on those who expose them (however inappropriate the method of exposure may be). I'm beginning to wonder what LinkedIn security vulnerability will be revealed next: sweepstake, anyone?

One lesson here is of course never to trust any system that views you as a content-generating commodity, and to give it a disposable, or at least unique, email address: an address used for that one service alone limits the damage if it leaks and tells you exactly where it leaked from.