Heartbleed Bug Breaks Internet Encryption, Steals Yahoo Passwords

Are you ready for the next massive vulnerability? ItEUs called Heartbleed and it could give hackers access to user passwords and even trick people into using fake versions of popular Web sites. Some are even reporting Yahoo passwords are being revealed.

According to the security engineers at Codenomicon who found the bug, the vulnerability is in the OpenSSL cryptographic software library. The weakness, they said, steals information typically protected by the SSL/TLS encryption used to secure the Internet.

Computer science student Mustafa Al-Bassam (formerly of the LulzSec hacker collective) has compiled a list of Web sites affected by the bug, which include Yahoo, Flickr, OKCupid, US Magazine, and Squidoo.

EUThe Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,EU according to the Web site dedicated to providing information about the bug. EUThis compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.EU

Blind Spot Revealed

We caught up with Dwayne Melancon, chief technology officer at Tripwire, to get his take on the Heartbleed bug. He told us one of the challenges with third-party source code is that there is often the assumption that it is secure because it is EUopenEU and easily reviewed by developers at large.

EUThis isnEUt always the case, as Heartbleed illustrates. The issue isnEUt because OpenSSL is open source,EU Melancon said. EUJust recently, we saw another long-present security flaw in AppleEUs source code that had been there for a very long time, and it was commercially developed and tested.EU

Fundamentally, he explained, security is not a simple proposition and any...

Comments are closed.