10-04-2014, 20:20 #1
[EN] Heartbleed bug found in Cisco routers, Juniper gear
Updated April 10, 2014 6:10 p.m. ET
The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.
Cisco Systems Inc. and Juniper Networks Inc., two of the largest manufacturers of network equipment, said Thursday that some of their products contain the "Heartbleed" bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet.
Many websites—including those run by Yahoo Inc., Amazon.com Inc. and Netflix Inc.—quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.
These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.
Bruce Schneier, a cybersecurity researcher and cryptographer, said, "The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy."
But that may not yet be an option: the products available at retail stores now likely were shipped before the bug was revealed on Monday. So they may also contain the defective software, from an encryption code known as OpenSSL.
Companies often use firewalls and virtual private networks to protect their computer systems. But if the machines that run the firewalls and virtual private networks are affected by the Heartbleed bug, attackers could use them to infiltrate a network, said Matthew Green, an encryption expert at Johns Hopkins University.
"It's pretty bad," Mr. Green said. "Lots and lots of people connect to these things."
Mr. Green and others said the bug likely affects some home-networking equipment, such as wireless routers.
In a customer bulletin updated Thursday, Cisco told clients that dozens of products are "affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve" potentially sensitive information. In the bulletin, it said 65 products were under investigation and another 16 had been confirmed vulnerable.
Cisco said it would update customers when it has software patches. In the meantime, its security researchers offered users software that it said would detect hackers exploiting the bug. A Cisco spokesman referred a query to the bulletin on its website.
Juniper said the process of updating its equipment might be lengthy. "It doesn't sound like a flip the switch sort of thing," said Corey Olfert, a Juniper spokesman. "I don't know how quickly they can be resolved."
To keep prying eyes out, websites and network equipment use encryption to turn sensitive information into a jumble of unreadable text. Since writing encryption code is complex, developers often use a free, open-source version called OpenSSL. It's a barebones project managed by four European coders.
The Heartbleed bug—first introduced into OpenSSL two years ago—allows hackers to grab bits of data from servers and equipment after it has been decrypted.
Last edited by 5ms; 10-04-2014 at 20:23.
10-04-2014, 21:28 #2
- Join Date
- Sep 2010
This keeps getting better and better....
10-04-2014, 21:49 #3
This subject is strange. One thing is a half-baked system using a half-baked package allegedly maintained by 5 guys (one of them supposedly tied to the US Department of Defense). Another is billion-dollar companies whose core business is software development, and which have huge teams, using this "open" code, allegedly of terrible quality yet vital. It doesn't make sense.
OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job.
Steve Marquess, president of the OpenSSL Software Foundation, a separate entity that solicits funding for the team that manages the code, said its 2013 budget was less than $1 million.
"There's no question more effectively applied manpower would be a good thing," said Mr. Marquess, 59 years old. "Formal code audits would be a good thing."
Mr. Marquess, a former Defense Department consultant who works in Maryland, is the project's only U.S. resident. The other coders are based in Europe to avoid export laws for advanced encryption.
Still, OpenSSL has become synonymous with online encryption. The Defense Department and Department of Homeland Security use OpenSSL, Mr. Marquess said.
Last edited by 5ms; 10-04-2014 at 22:04.
11-04-2014, 00:28 #4
11-04-2014, 09:38 #5
Industry, is it? It must be in the sense of the "drought industry" or the "flood industry": mediocre solutions, poorly designed projects, low-quality and unfinished works, politicians and smart operators promoting themselves in the press, attacks on private companies, sweetheart deals with public money, promises never kept, government posts, NGOs and foundations having a party. It makes sense.
By the way, I was moved by the poverty of the OpenSSL Foundation: the president whined about having raised only US$1 million in 2013. It's barely enough to pay the single full-time programmer who works at the foundation, isn't it? An example of dedication and selflessness from the former DoD consultant.
Last edited by 5ms; 11-04-2014 at 09:42.
11-04-2014, 13:25 #6
German programmer, working for Deutsche Telekom: I created the Heartbleed bug Acciden
Man Says He Was Trying to Improve Open-Source Software
The German programmer who has taken responsibility for Heartbleed—an encryption bug affecting millions of passwords—said on Friday that he accidentally inserted the bug into open-source coding that he was trying to improve.
Robin Seggelmann, a German national who now works for T-Systems, a unit of Deutsche Telekom AG, said on a blog entry posted by the company that the problem occurred while he was working on bug fixes for OpenSSL, a popular open-source software that helps encrypt data exchanges.
Deutsche Telekom didn't disclose the programmer's identity in the blog post. However, Alexia Sailer, a Deutsche Telekom spokeswoman, confirmed the engineer was Mr. Seggelmann, who still works at T-Systems but had worked on OpenSSL while studying at a technical university in Münster.
Last edited by 5ms; 11-04-2014 at 13:35.
11-04-2014, 13:30 #7
‘Heartbleed’ developer talks about the error in OpenSSL programming
Read one of the latest posts (German-language) from our Security Special to find out what steps Deutsche Telekom has taken to close the Heartbleed gap on its servers and for advice from our experts to help customers stay safe when it comes to e-mails, virus protection and passwords.
This topic is currently making headlines across the world’s media, with some articles calling it the most serious security incident in the history of the Internet. The Guardian has an interesting article on what customers need to do to stay safe.
Germany’s news portal Spiegel Online reported that the individual who wrote the faulty software is now a DT employee. Our colleague - who is now the subject of absurd conspiracy theories - has given us his side of the story, which we would like to publish here. With respect for his privacy, however, we will not reveal his name.
"I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.
"Because no plausibility check had been carried out on the length, by entering invalid values it was possible to read more memory than intended. This meant it was possible to access security-related data, turning a simple mistake into one with massive consequences.
"It is impossible to say whether the vulnerability, which has since been identified and removed, has been exploited by intelligence services or other parties.
"It is imperative that critical, security-related software is monitored as often as possible in order to prevent errors like this happening again in future - or, at least, to reduce the likelihood of problems on this scale remaining undiscovered for so long. That is one of the major advantages of Open Source Software, which is available to everyone who wants to be a part of it. But OpenSSL in particular still lacks the support it needs, despite being extremely widely available and used by millions. Although there are plenty of users, there are very few actively involved in the project."
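The missing plausibility check on the length field that the developer describes above, as an added illustration (this is simplified C modelled on the heartbeat record layout of RFC 6520, not OpenSSL's code and not from the original post). The `peer_memory` and `good_record` byte strings are constructed for the demo: a 5-byte request that claims 20 payload bytes sits directly in front of data standing in for private material, and the helper and function names are invented here. Padding is zeroed rather than random so the result is deterministic. It goes slightly beyond the quote by also showing the corrected function accepting a well-formed request, so the check is not just a rejection rule.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Added illustration of the missing length check; not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16

/* Constructed "process memory" for the demo: a 5-byte malicious record that
 * claims 20 payload bytes but carries 2, immediately followed by data the
 * peer must never see (standing in for keys, cookies, passwords). */
static const unsigned char peer_memory[] =
    "\x01\x00\x14" "hi"
    "SECRET-PRIVATE-KEY-BYTES";
static const size_t malicious_len = 5;   /* bytes the transport really delivered */

/* Constructed well-formed request: 2 payload bytes plus 16 bytes of padding. */
static const unsigned char good_record[] =
    "\x01\x00\x02" "hi" "PPPPPPPPPPPPPPPP";
static const size_t good_len = 21;

static size_t hb_claimed_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* VULNERABLE shape: sizes the response from the peer-supplied length and never
 * compares it with rec_len, so memcpy reads past the end of the record.
 * Returns bytes written to out, or 0. */
size_t hb_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    (void)rec_len;                              /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_claimed_len(rec);
    size_t need = 1 + 2 + payload + HB_MIN_PAD;
    if (need > out_cap) return 0;               /* only so the demo stays in its own buffer */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* over-read: copies whatever follows the record */
    memset(out + 3 + payload, 0, HB_MIN_PAD);   /* zero padding here; real code uses random bytes */
    return need;
}

/* FIXED: same logic with the plausibility checks on the claimed length. */
size_t hb_reply_fixed(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PAD) return 0;            /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_claimed_len(rec);
    if (1 + 2 + payload + HB_MIN_PAD > rec_len) return 0;  /* claimed length exceeds the record */
    size_t need = 1 + 2 + payload + HB_MIN_PAD;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);                     /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_MIN_PAD);
    return need;
}

/* Does the byte range hay[0..n) contain needle? (memmem is not standard C.) */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Drivers that return their result so it can be checked rather than printed. */
int demo_vulnerable_leaks(void) {
    unsigned char out[64];
    size_t n = hb_reply_vulnerable(peer_memory, malicious_len, out, sizeof out);
    return n == 39 && contains(out + 3, 20, "PRIVATE-KEY");   /* echoed 18 bytes it never received */
}

int demo_fixed_rejects_malicious(void) {
    unsigned char out[64];
    return hb_reply_fixed(peer_memory, malicious_len, out, sizeof out) == 0;
}

int demo_fixed_accepts_good(void) {
    unsigned char out[64];
    size_t n = hb_reply_fixed(good_record, good_len, out, sizeof out);
    return n == 21 && memcmp(out, "\x02\x00\x02" "hi", 5) == 0;
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed rejects malicious: %d\n", demo_fixed_rejects_malicious());
    printf("fixed accepts good:      %d\n", demo_fixed_accepts_good());
    return 0;
}
```

The two bounds in `hb_reply_fixed` (record long enough for header plus minimum padding; claimed payload plus header plus padding not longer than the record) are the same two comparisons the upstream OpenSSL 1.0.1g patch added against the received record length. The demo keeps the over-read inside its own `peer_memory` array so it is well-defined C; against a real heap the same `memcpy` walks into whatever happens to be adjacent.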
11-04-2014, 13:49 #8
Seggelmann wrote his doctoral thesis on "Strategies to Secure End-to-End Communication" in 2012. He earned his Ph.D. from the University of Duisburg-Essen. Business Insider notes "Seggelmann worked on the OpenSSL project during his PhD studies, from 2008 to 2012, but isn't involved with the project any more."
According to MarketWatch, the Heartbleed flaw went live just before midnight on December 31, 2011. Since the flaw happened on New Year's Eve, many have assumed that alcohol was a factor in the bug's creation, or at the very least, a factor that explains why the bug went undiscovered by other members of the OpenSSL team. MarketWatch quotes Seggelmann, who says, "It's only a coincidence that it [Heartbleed] was submitted during the holiday season."
Dr Seggelmann, 31, from the small town of Oelde in north-west Germany, is a contributor to the Internet Engineering Task Force (IETF), a not-for-profit global group whose mission is to make the internet work better. He is attached to the Münster University of Applied Sciences in Germany, where, as research associate in the networking programming lab in the department of electrical engineering and computer science, he has published a number of papers, including his thesis on strategies to secure internet communications in 2012. He has been writing academic papers and giving talks on security matters since 2009, while still a PhD student.
According to his Xing profile, Dr Seggelmann has worked for Deutsche Telekom IT services subsidiary T-Systems since 2012.
Is this a man who would purposefully leave a gaping hole in the internet, which the US National Security Agency could have been exploiting to spy on people's communications?
Dr Seggelmann denied this in an interview with Fairfax Media on Thursday. He said: "It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he said.
OpenSSL is an open-source software project. Open-source projects are by their nature open to others to contribute. No one owns the code; no one is liable.
Willy Susilo, director of the Centre for Computer and Information Security Research at the University of Wollongong, said computer science students are encouraged to contribute to open source and are taught the ethics of the movement. They are taught to take their role responsibly, with the pressure to get it right looming higher depending on the project they are working on. But they also know that someone else in the community will review their work.
In the case of Heartbleed, the reviewer, Dr Stephen Henson, a UK consultant on OpenSSL, also missed the mistake.
Professor Susilo said that is not unusual. "It was just a development mistake when creating the algorithm. It's a serious mistake but a normal mistake."
He points to another encryption coding mistake discovered in 2004 on a version of GNU Privacy Guard, itself a version of Pretty Good Privacy, a popular email encryption tool.
Phong Q. Nguyen, author of the GnuPG paper, noted that "bad cryptography is much more frequent than good cryptography", and the "fact that a source code can be read does not imply that it is actually read, especially by cryptography experts".
Last edited by 5ms; 11-04-2014 at 14:02.
11-04-2014, 22:17 #9
Heartbleed also raises questions about whether so much of the Internet should rely on a single technology to keep secrets. "Anytime you have a monoculture, one bug is going to make everyone insecure," said Matthew Green, an encryption expert at Johns Hopkins University.
The OpenSSL Project counts a sole full-time developer: Stephen Henson, a 46-year-old British cryptographer with a Ph.D. in mathematics. Two other U.K. residents and a developer in Germany fill out the project's management team.
Associates describe Mr. Henson as brilliant but standoffish and overloaded with work. On his website, he lists encryption questions that are "welcome and not welcome" and compares his responsibilities to those of Bill Gates when he managed Microsoft. "Yes, oddly enough some people have actually met me," Mr. Henson writes.
Of companies asking for free advice on using OpenSSL, he asks, "Well, how would your company respond if I contacted them and demanded large amounts of free consultancy?"
Geoffrey Thorpe, an OpenSSL volunteer on the development team, said he has little time to spend on the project because of his day job at a hardware technology company.
"You might say that it's like sewerage processing in a way, messy, complicated and usually taken for granted right up until it goes wrong," said Mr. Thorpe, who lives in Quebec City.
Last decade, Steve Marquess, a former U.S. Defense Department consultant living in Maryland, started the OpenSSL Software Foundation to secure donations and consulting contracts for the group.
Sewage is roughly what came to my mind ...
Last edited by 5ms; 11-04-2014 at 22:21.
11-04-2014, 22:47 #10
- Join Date
- Sep 2010