Collective Recommendations from ESET Researchers and White Hat Hackers on Handling Heartbleed Menace
BANGALORE / MUMBAI, India - April 22, 2014
ESET, global provider of security solutions for businesses and consumers, warned that the Heartbleed bug, already causing widespread alarm, is affecting more than was feared and could affect billions of users, including websites, internet users, and smartphone users. The Heartbleed bug can be used to extract private SSL keys, and it allows malicious individuals to extract information invisibly during an encryption process. It affects the open-source encryption software OpenSSL, which is used on millions of web servers, and it went undiscovered for more than two years.
Two white-hat hackers were able to use Heartbleed to extract private keys in a competition set up by data security company CloudFlare. The bug, which has been active for at least two years, originated in errors introduced by a PhD student writing for the open-source company OpenSSL.
The Heartbleed bug has affected at least 500,000 sites and millions of users because of a small programming error made by the student, who has spoken of his regret at the incident. Any smartphone not protected by "enterprise grade" security may be at risk due to apps.
The ability to steal private keys raised the scope of Heartbleed considerably. Having access to these private keys means hackers can return through the window even after the Heartbleed exploit has been removed. Hackers lose that access only once the server's security certificates are all updated. This means fixing the bug may not solve the problems Heartbleed has created. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect.
Collective Recommendations from ESET Researchers, White Hat Hackers:
- Upgrade your OpenSSL servers to 1.0.1g, or recompile with -DOPENSSL_NO_HEARTBEATS
- Update your server's security certificates
- Embedded devices using OpenSSL should also be upgraded to newer versions
- Always check server logs to keep a check on Heartbleed exploits
- Consequently, change the passwords of all the online services you use (Please note: this bug could steal passwords, credit card details and even encryption keys, without a trace)
- Change your password and don't use 'password' as your new password
- Note that consumers using "desktop" browsers are more exposed when they visit websites that may be running bogus server code
- Download smartphone applications from authorized websites, as some of the apps were vulnerable to the Heartbleed bug
- Last but most important, everyone should reissue and revoke their private keys
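The first, second and last recommendations, combined into an audit helper (an added example, not code from ESET or the OpenSSL project). It classifies the output of `openssl version -a` and decides whether a host still needs patching or key rotation; the sample outputs, dates and action labels are constructed for illustration.

```python
import re
from datetime import date

# Affected releases: 1.0.1 through 1.0.1f, and the 1.0.2 betas before beta2.
# Suffixes such as "-fips" are tolerated.
_AFFECTED = re.compile(r"^OpenSSL (1\.0\.1[a-f]?|1\.0\.2-beta1?)(?![a-z0-9])", re.M)

def build_status(version_a):
    """Classify the text printed by `openssl version -a`."""
    if not _AFFECTED.search(version_a):
        return "not-affected"
    flags = [l for l in version_a.splitlines() if l.startswith("compiler:")]
    if any("-DOPENSSL_NO_HEARTBEATS" in l for l in flags):
        return "heartbeats-disabled"
    # Distribution packages may carry a backported fix under an old version
    # string; confirm against the package changelog before acting on this.
    return "affected-version"

def remaining_actions(version_a, cert_not_before, patched_on=None):
    """patched_on: date the fix was deployed, None if no fix was ever deployed."""
    if build_status(version_a) == "affected-version":
        # A key issued now could leak again, so patch first, then rotate.
        return ["upgrade-or-rebuild", "reissue-and-revoke"]
    if patched_on is not None and cert_not_before <= patched_on:
        # The certificate was in service while the server could leak memory.
        # A newer notBefore alone does not prove a new key pair: compare the
        # public keys of the old and new certificates as well.
        return ["reissue-and-revoke"]
    return []

# Constructed sample outputs (not captured from real hosts).
UNPATCHED = """OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Dec  3 10:00:00 UTC 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2
"""
REBUILT = UNPATCHED.replace("-O2", "-O2 -DOPENSSL_NO_HEARTBEATS")
UPGRADED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -O2\n"

if __name__ == "__main__":
    old_cert, new_cert = date(2013, 9, 1), date(2014, 4, 15)
    fixed = date(2014, 4, 9)
    print(remaining_actions(UNPATCHED, old_cert))
    print(remaining_actions(REBUILT, old_cert, fixed))
    print(remaining_actions(UPGRADED, new_cert, fixed))
```

A host that was rebuilt or upgraded still reports "reissue-and-revoke" until its certificate postdates the fix, which is the point the release makes about stolen keys outliving the patch.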
# # #
About ESET
Founded in 1992, ESET is a global provider of security solutions for businesses and consumers. ESET's flagship products ESET NOD32 Antivirus, ESET Smart Security and ESET Cyber security for Mac are trusted by millions of global users. ESET NOD32 Antivirus holds the world record for the number of Virus Bulletin VB100 Awards, and has never missed a single "In-the-Wild" worm or virus since the inception of testing in 1998.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution headquarters in San Diego (U.S.), Buenos Aires (Argentina), and Singapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Prague (Czech Republic), Krakow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network in 180 countries.
In India ESET products are exclusively supplied and supported by "ESS Distribution Pvt Ltd". The sales of ESET products are executed through the Channel Partners across India. Website: www.esetindia.com/