CNET revealed this morning that your RAM (memory) and data could be exposed to a cyber-attack. The bug, which can deceive an Internet user into following a fake Web site, is called Heartbleed.
It can weaken the secure 'https' protocol, and it has been known since 2011. However, there is no known use of the Heartbleed flaw, and no known attacks have been revealed. It starts with the 1.0.1 and 1.0.2-beta releases of OpenSSL.
Once someone allows a fake Web site to enter, Heartbleed can gain access to memory storage and steal financial data such as credit card numbers and other sensitive information. It compromises passwords and has stolen some Yahoo passwords, as reported yesterday, according to the CNET site this morning.
If the estimate that 50% of Internet servers use some form of OpenSSL is accurate, then over half of the Internet's sensitive data has been exposed, allowing cyber-thieves to see up to 64 kilobytes of data at a time. That gives cyber-thieves enough to develop a library of keys to access a system's secret keys. Those keys are used to encrypt and decrypt sensitive traffic and to identify service providers.
Once it fools you into using a false Web site and obtains the server's digital keys, it can continue by falsifying servers to decrypt communications from the past or potentially the future, through the chain of events that follows the password theft.
Because Heartbleed is at the heart of breaking into encryption, it requires significant change at Web sites, which requires a new site. Anyone attacked would need to change passwords because they are now useless for security. Anyone who has kept the same password from one Web site to the next will be completely at risk and will need to change all passwords at all Web sites.
Filippo Valsorda has built a tool that checks for the Heartbleed bug. The tool has shown that Yahoo is affected, while other major sites such as Google, Twitter, Facebook and Dropbox are unaffected. Valsorda has posted open-source code for the test on GitHub.
The security firm Codenomicon and Google expert researcher Neel Mehta discovered the bug, and its official name is CVE-2014-0160. The name Heartbleed is appropriate to describe the sorrow it causes through the loss of private data.
OpenSSL has released 1.01 to fix the bug, but that still requires Web site operators to check and update their software immediately. All security must be redone.
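For operators doing that check, here is a small triage script, added as an example and not taken from the article or from Valsorda's tool. It classifies the banner printed by `openssl version` using the affected ranges in the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and the first 1.0.2 betas, with the fix in 1.0.1g); the host names and banners are constructed samples.

```python
import re

# Affected upstream releases, per the OpenSSL advisory for CVE-2014-0160:
# 1.0.1 through 1.0.1f, and 1.0.2-beta / 1.0.2-beta1. Fixed in 1.0.1g.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")


def heartbleed_status(banner):
    """Classify an `openssl version` banner by upstream version number only."""
    m = _BANNER.search(banner)
    if m is None:
        return "unknown"            # not an OpenSSL banner we can parse
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        if beta is not None:
            return "unknown"        # 1.0.1 pre-releases: check by hand
        # "" (plain 1.0.1) and a..f are affected; g and later carry the fix.
        return "affected" if len(letter) <= 1 and letter <= "f" else "not affected"
    if release == (1, 0, 2):
        return "affected" if beta in ("beta", "beta1") else "not affected"
    return "not affected"           # 0.9.8, 1.0.0 and other branches


def triage(inventory):
    """Return the hosts whose banner needs follow-up (affected or unknown)."""
    return {host: status
            for host, banner in inventory.items()
            if (status := heartbleed_status(banner)) != "not affected"}


# Constructed inventory: host names and banners are made up for illustration.
SAMPLE = {
    "web01.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab.example": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "edge.example": "SomeTLS 3.2",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

The result reflects the upstream version string only. Linux distributions often backport the fix without changing that string, so confirm an "affected" result against the package changelog before acting on it.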
Twitter uses 'perfect forward secrecy', which changes security keys so fast that future traffic can't be decrypted even if security is breached. Other major social media and big 'Net' companies installed this 'scrambled' enabled software last year. They have not announced any negative effect as a result of their move to the encrypted system last year.
Bitcoin exchanges need to be aware of this, as security threats to them are not always investigated the way they are at traditional online financial sites.
Valsorda’s site showed that major Bitcoin sites were immune to Heartbleed but that the world’s most popular exchange, Bitstamp, was vulnerable.
Regarding Bitcoin exchange sites, Valsorda stated to CoinDesk: ‘It’s fundamental to tell everyone to check all their servers and update ASAP [...] I can’t obviously be positive about it, but bitcoin-specific software (local wallets, etc.) should not be affected even if they use OpenSSL, since the bug is only triggerable in live TLS connections.’
Blockchain and many of the Bitcoin sites have left messages on Twitter saying that they addressed the situation weeks ago, and none of the major sites has raised any other concerns at this point.
To find more information about cyber security and recent events, view the list below in the Author’s suggestions, the picture above of Google in Dubai for the Internet event, and the video atop this article of the WSJ interview with Ted Schlein, cyber security expert.
Twitter: Victoria Wagner @victoriaross888