New(ish) Internet Virus...Heartbleed...

A1000MILES
http://motherboard.vice.com/read/tor-if-you-want-privacy-or-anonymity-stay-off-the-internet-this-week


"Security holes are par for the course on the web today, but a new, massive bug dubbed "Heartbleed" is particularly nasty, and widespread: Experts say that two-thirds of websites and nearly everyone that's used the internet in the last two years could be affected to some extent.

The irony is, those who have put the most effort into privacy and security are the most vulnerable.

The bug exposes the popular cryptographic software, OpenSSL, a mainstay of web encryption. Heartbleed makes it possible for anyone to eavesdrop on encrypted sites and access the sensitive data they're supposed to be protecting, all without leaving any trace on the site's server. Even worse, attackers can also retrieve cryptographic keys and passwords and use that info to decrypt any past or future web traffic.

The bug was introduced in the 1.01 version of OpenSSL in 2012, which means for two years attackers exploiting the bug could have exposed VPNs and anonymity services, revealing users’ emails, instant messages, and browsing activity.

The lion's share of websites that use the HTTPS secure communications protocol run OpenSSL, and of course sites specifically designed to hide users' identity are at risk, including the Tor onion network.

The Tor Project wrote in a blog post yesterday that its clients, relays, and hidden services were all vulnerable to the Heartbleed bug. In theory, anyone that had been using Tor—be it to buy drugs on the black market or protect themselves from oppressive governments or anything in between—may have had their activity monitored and encryption keys stolen.

"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," the Tor Project wrote.

The bug's reach goes far beyond the clandestine corners of the web. A recent survey from the internet security firm Netcraft showed that 66 percent of websites run on the open source web servers Apache and Nginx, which use OpenSSL by default. So do many other operating systems and applications, like the Ubuntu, CentOS, Fedora, OpenBSD, FreeBSD, and OpenSUSE distributions of Linux, Ars Technica reported.

The researchers that discovered Heartbleed, from Google and the security firm Codenomicon, wrote yesterday that large consumer sites are often using older, uncompromised versions of OpenSSL, and so "ironically, smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most."

"Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," they wrote.

A couple of tools and tip sheets are now floating around that let you test to see which websites are vulnerable to Heartbleed (the technical name is CVE-2014-0160). Of the Silicon Valley web giants, it showed Google, Microsoft, Twitter, Facebook, Dropbox were safe, but Yahoo was vulnerable—though it's worth noting there's no knowing for sure how accurate that

"If the NSA had their hands on this, they have had two years to basically pull data out of every SSL-protected website or service, which gives them a pretty good chance of gaining access to a whole bunch of encrypted keys, usernames and passwords," Ty Miller, a security researcher at Threat Intelligence told The Age.

Researchers released a reportedly fixed version of OpenSSL yesterday and recommended all sites using the software upgrade to the new version. To be super safe, they also suggest changing any passwords and crypto keys used over the last two years and updating your security certificate. Or, if you’re really worried, you can take the Tor Project’s advice and get off the web altogether for a while. It might be a good time to pick up that novel you’ve been meaning to finish."...
