Tuesday, April 22, 2014

Collective Recommendations from ESET Researchers and White Hat Hackers on Handling Heartbleed Menace

BANGALORE / MUMBAI, India - April 22, 2014

ESET, global provider of security solutions for businesses and consumers, warned that the Heartbleed bug, which is causing widespread alarm, affects far more than was feared and could affect billions of users, including websites, internet users and smartphone users. The Heartbleed bug can be used to extract private SSL keys, and it allows malicious individuals to extract information invisibly from an encrypted session. It affects the open-source encryption software OpenSSL, which is used on millions of web servers, and it went undiscovered for more than two years.

Two white-hat hackers were able to use Heartbleed to extract private keys in a competition set up by data security company CloudFlare. The source of the bug, which has been present for at least two years, was an error introduced by a PhD student writing code for the open-source OpenSSL project.

The Heartbleed bug has affected at least 500,000 sites and millions of users through a small programming error made by the student, who has spoken of his regret at the incident. Any smartphone not protected by "enterprise grade" security may be at risk through its apps.

The ability to steal private keys raises the scope of Heartbleed considerably. With these private keys in hand, attackers can return even after the Heartbleed exploit window has been closed. Attackers lose access to these keys only once the server's security certificates have all been replaced, which means that fixing the bug alone may not solve the problems Heartbleed has created. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect.

Collective Recommendations from ESET Researchers, White Hat Hackers:
  • Upgrade your OpenSSL servers to 1.0.1g, or recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS
  • Update your server's security certificates
  • Embedded devices using OpenSSL should also be upgraded to newer versions
  • Always check server logs for signs of Heartbleed exploitation
  • Subsequently change the passwords of all the online services you use (please note: this bug could steal passwords, credit card details and even encryption keys, without trace)
  • Change your password, and don't use 'password' as your new password
  • Note that consumers using "desktop" browsers are exposed mainly when they visit websites that may be running bogus server code
  • Download smartphone applications from authorized sites, as some apps were vulnerable to the Heartbleed bug
  • Last but most important: everyone should reissue and revoke their private keys
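The first recommendation above can be turned into a quick per-host triage check. This is an added example, not code from the ESET release: a POSIX shell function that classifies an OpenSSL build from the strings printed by `openssl version` and `openssl version -f` (both real OpenSSL CLI options); the version ranges are the upstream affected releases, and the function names are our own.

```shell
#!/bin/sh
# Added example (not from the ESET release). Classify an OpenSSL build as
# Heartbleed-exposed from the output of `openssl version` and
# `openssl version -f`. Upstream affected releases: 1.0.1 through 1.0.1f
# and 1.0.2-beta1; 1.0.1g carries the fix. A build compiled with
# -DOPENSSL_NO_HEARTBEATS is not exposed whatever its version, because the
# heartbeat extension handler is compiled out.

# heartbleed_status VERSION_LINE COMPILER_LINE -> prints "exposed" or "clear"
heartbleed_status() {
    ver_line=$1
    cflags=$2
    # Heartbeats compiled out: safe regardless of version.
    case "$cflags" in
        *-DOPENSSL_NO_HEARTBEATS*) echo "clear"; return 0 ;;
    esac
    # Second field of "OpenSSL 1.0.1e 11 Feb 2013" is the version token.
    ver=$(printf '%s\n' "$ver_line" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1*) echo "exposed" ;;
        *) echo "clear" ;;
    esac
}

# Check the OpenSSL library that the local `openssl` binary is linked
# against. Caveat: distributions often backport the fix while keeping the
# old version string (e.g. a patched 1.0.1e), so "exposed" here means
# "confirm against the vendor advisory", not "confirmed vulnerable"; and a
# server process may link a different libssl than the CLI does.
check_local_openssl() {
    heartbleed_status "$(openssl version)" "$(openssl version -f)"
}

if [ "${1:-}" = "--local" ]; then
    check_local_openssl
fi
```

Invoke the script with `--local` on each host, or feed `heartbleed_status` the version strings collected from an inventory.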
# # #

About ESET
Founded in 1992, ESET is a global provider of security solutions for businesses and consumers. ESET's flagship products ESET NOD32 Antivirus, ESET Smart Security and ESET Cyber security for Mac are trusted by millions of global users. ESET NOD32 Antivirus holds the world record for the number of Virus Bulletin VB100 Awards, and has never missed a single "In-the-Wild" worm or virus since the inception of testing in 1998.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution headquarters in San Diego (U.S.), Buenos Aires (Argentina), and Singapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Prague (Czech Republic), Krakow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network in 180 countries.

In India ESET products are exclusively supplied and supported by "ESS Distribution Pvt Ltd".  The sales of ESET products are executed through the Channel Partners across India. Website: www.esetindia.com/