Thursday, 10 April 2014

Serious flaw found in OpenSSL

Programmers create code and hackers find errors in it and use them. Discovered a hole in the most widespread cryptographic the OpenSSL could potentially lead to data theft almost all Internet users.

Seventh of April came security bulletin CVE-2014-0160, from which it became aware of the continued existence of a critical vulnerability in the cryptographic package OpenSSL.

Found that implementation algorithms TLS and SSL are used today in most versions of OpenSSL properly handle expansion packs Heartbeat (because of what the error was called HeartBleed). This allows hackers to gain remote access to confidential information from RAM active network process outside the buffer.

An error in the system has learned the Finnish-American company Codenomicon, what hastened to inform the world through a special website Heart Bleed - is the name given error experts, loosely translated it means "bleeding heart."

Such dramatic name was not chosen randomly. An error was detected in the package heartbeat (heart beat, heart rate) used for fault detection and resource management server cluster. The result was a play on words in the heart of the leak occurred.

Surprisingly, the critical vulnerability did not notice for two years. It affects all versions from 1.0.1 to OpenSSL 1.0.1f inclusive and 1.0.2-beta1.

As a result of that error in them is not checked  in the recording of the actual length of SSLv3. This allows you to read without authorization to 64 Kbytes of RAM process on the connected client or server for each request. In many cases this is enough to get the keys, passwords or other sensitive data. Vulnerable versions of OpenSSL cryptographic package from March 2012 are included in many distributions and BSD OS family of almost all branches of the Linux Debian, RedHat and Slackware. 

The first error affects servers Apache, nginx, project Tor (via the web server, as well as many websites that use the HTTPS, even if access to them is carried out by VPN.

Unlike all the other "helpers hackers» Heart Bleed intercepts encryption keys - the cornerstone of secure connections, which encrypts the data transmission between servers. By themselves, the captured data is not worth anything, because the same encrypted PIN bank card might look like, «dkgh # k87u». Without the key, which will allow to decipher the code, it's just a set of symbols. But if the key will be in the hands of criminals, then get the raw data for them there is no trouble.

The greatest danger lies in the fact that this hack does not leave absolutely no trace in the case of data theft is not possible to know about this.

It would seem, what's this, because such errors are almost every day. However encryption package OpenSSL - the most widespread in the world. It is used mostly in the Apache web server and nginx. According to research company Netcraft, on these architectures employ about 66% of all sites on the Internet. Thus, only every third site does not represent a potential threat in terms of data theft. Among the endangered sites include such popular services like Twitter, Dropbox, Yahoo!, Steam and others. OpenSSL packages are used to everything else for the operation of e-mail servers and diverse client software.

To determine the degree of risk of error Codenomicon tried to kidnap their own data as it would make professional hackers.

As a result, they managed to make an attack on their own servers, without leaving any traces. Using only a hole in the system, Codenomicon received encryption keys. Using them, experts have collected from servers usernames and passwords, correspondence employees through messengers and email, as well as confidential company records stored on your computer.

Of course, such a dangerous hole could not remain uncovered. As a result, on April 7 was released a new version of OpenSSL, in which the error is no longer present. However, a simple upgrade package is not enough. If criminals have stolen encryption keys, they can use them in the same way as in the previous version, and for security administrators need to get a new security certificates and to generate new keys.

Of course, for large projects should not worry, because the price of their negligence administrators too great. It can be assumed that the relevant work already done on the servers.

In Codenomicon even see the positive side of Heart Bleed: because administrators can not ignore the fact that hole detection, they have to update the system data encryption on their servers. Along with them are likely to be installed, and other updates that have been postponed for a certain period.

While common in the bulletin and news reports officially recommend the following steps:

  • Install a patched version of OpenSSL 1.0.1g or 1.0.2-beta2 or recompile OpenSSL package with key OPENSSL_NO_HEARTBEATS;
  • reissue the SSL-certificate;
  • lures (honeypot), simulating the presence of a vulnerable server package OpenSSL, and check to connect to them.

We recommend that if you do not use in public places WiFi network, then try to put this kind of functionality is temporarily closed.

Personal use of computers when not readily allow strangers remote control of their computer to prevent personal information from being stolen.

Once the leakage of information to remind consumers to timely remedy, keep relevant evidence, take the initiative to safeguard their rights.

No comments:

Post a Comment