Items tagged with Heartbleed

Data security research player CrowdStrike is reporting a security flaw that could allow hackers to exploit and take over data centers from within. Given the nasty moniker "VENOM" (for "Virtualized Environment Neglected Operations Manipulation"), the vulnerability CrowdStrike uncovered is present in a common component — a legacy floppy drive controller — that is widely used in virtualization platforms and appliances. The seriousness of the VENOM vulnerability rests on how it circumvents an essential barrier used by cloud service providers to segregate customer data. Thus, infiltrators who are able... Read more...
When the OpenSSL vulnerability Heartbleed broke cover in April, it felt like it was the only thing that mattered for an entire week. Like many news outlets, we reported on the bug from a number of different angles, and it was all for good reason: It's a severe bug, and one that the world needs to know about. Given all of the attention Heartbleed received, it'd be easy to assume that the vulnerability would now be hard to spot out in the wild - but no. Far from it, actually. When we first learned of Heartbleed, it was estimated that at least half a million Web servers were vulnerable because of... Read more...
The Heartbleed Bug illustrated just how vulnerable our global communications structure really is, and now a glut of important tech companies in collaboration with the Linux Foundation are launching a new initiative called the Core Infrastructure Initiative to better support the open source projects and technologies that keep the Internet afloat. The first item on the docket is increased support for OpenSSL, which if you’ll recall was the source of the Heartbleed problem. OpenSSL “could receive fellowship funding for key developers as well as other resources... Read more...
As Seth covered earlier today, Bloomberg has accused the NSA of benefiting from the Heartbleed OpenSSL bug. The NSA denies this in fairly strong terms. I'd like to draw attention to a different facet of the topic -- first, by discussing the semantics of the NSA's denial and then the wider impact of how that denial is perceived and what it means for the tech community as a whole. The NSA's Denial is Surprisingly Straightforward For the past year, the NSA's responses to the Snowden leaks have followed the same strategy: Either the organization claims that its activities are legal or it denies engaging... Read more...
The news of two truly horrible security breaches broke this year; one was the NSA’s shadowy data grabbing and surveillance program, and the other was the Heartbleed bug that left about two-thirds of the Internet utterly exposed to any bad actor. According to a Bloomberg report, these two stories have merged, as “two people familiar with the matter” have told the outlet that the NSA has known about the Heartbleed bug for at least two years and has regularly exploited it to gather intelligence. In an emailed statement to Bloomberg, the Office of the Director of National Intelligence... Read more...
The discovery of a security vulnerability in OpenSSH, which is a set of programs that provide encrypted communication sessions using the SSH protocol for an estimated two-thirds of the web, challenged the notion that anyone can ever be truly safe on the Internet, regardless of how carefully you surf. How so? Researchers discovered a major vulnerability in OpenSSH that could allow hackers to dig up your personal information, including usernames, passwords, credit card data, and much more. It's called Heartbleed, and it has the Internet community on high alert. There's a patch available, which many... Read more...