
Heartbleed


Student arrested for Heartbleed-exploiting tax agency breach

Apple releases AirPort firmware update to combat Heartbleed flaw

Apple is recommending that users of its AirPort wireless products patch their kit with a new firmware update designed to fix security issues related to Secure Sockets Layer (SSL), almost certainly to address the recent Heartbleed security flaw. The firm posted a notice to its support website overnight detailing the AirPort Base Station Firmware Update 7.7.3. Apple said the update should be applied to all AirPort Extreme and AirPort Time Capsule base stations supporting 802.11ac, but said that other AirPort base stations do not require it. Apple said the update "provides security improvements related to SSL/TLS". It does not explicitly mention the Heartbleed bug, but Heartbleed was found in the OpenSSL implementation of the SSL protocol. The company also advised owners of the AirPort Extreme and AirPort Time Capsule products with 802.11ac that they may need to re-enable the Back to My Mac remote access service on their equipment after applying the update, if they use this service.

When it's Time to Share Information: How Heartbleed Got it Right

For all of the chaos and exposure that came with the Heartbleed OpenSSL vulnerability, there is one thing that the security community got right – broad, loud communication to everyone and their mother. Literally. As my mom called me up to ask whether she should change her passwords, I couldn't help but think that this global news item would eventually help drive the awareness we need to protect ourselves. Nobody likes sharing bad news, particularly around security issues.

Would a Proprietary OpenSSL Have Been More Secure than Open Source?

The OpenSSL Heartbleed vulnerability has resurrected the age-old debate of whether or not open source code is more or less secure than proprietary code.

Many Devices Will Never Be Patched to Fix Heartbleed Bug

A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords. But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed. OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated. Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software.

Heartbleed.

Timeline

Akamai admits issuing faulty OpenSSL patch, reissues keys.

How Heartbleed was found.

Details on the vulnerabilities.

La CNIL.

Heartbleed Bug Creates Risk for Businesses and Consumers.

Heartbleed bug fixes threaten to cause major Internet disruptions in coming weeks

Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say. Estimates of the severity of the bug's damage have mounted almost daily since researchers announced the discovery of Heartbleed last week.

NSA accused of using HeartBleed

Heartbleed—What's Next? Check Your Clients, Routers, Virtual Machines And VPNs

What we thought was secure—Web servers, routers, virtual machines, virtual private networks, and even client software—isn't so safe, after all.

Heartbleed flaw: the sites for which you are advised to change your password

Le Monde.fr | By Michaël Szadkowski. Two days after the disclosure of a security flaw within the OpenSSL protocol, dubbed "Heartbleed", it is being described by some as "the worst nightmare" that could happen to the security of exchanges on the Internet.

How to protect from Heartbleed

Heartbleed: Hundreds of thousands of servers at risk from catastrophic bug

Hundreds of thousands of web and email servers worldwide have a software flaw that lets attackers steal the cryptographic keys used to secure online commerce and web connections, experts say. They could also leak personal information to hackers when people carry out searches or log into email. The bug, called "Heartbleed", affects web servers running a package called OpenSSL. Among the systems confirmed to be affected are Imgur, OKCupid, Eventbrite, and the FBI's website, all of which run affected versions of OpenSSL. Attacks using the vulnerability are already in the wild: one lets a hacker look at the cookies of the last person to visit an affected server, revealing personal information.

The Bleeding Hearts Club: Heartbleed Recovery for System Administrators

The Heartbleed SSL vulnerability presents significant concerns for users and major challenges for site operators.

This article presents a series of steps server and site owners should carry out as soon as possible to help protect the public. We acknowledge that some steps might not be feasible, important, or even relevant for every site, so the steps are listed in order of importance, which is also the order in which they should be carried out. 1. Update Your Servers.

Heartbleed

Heartbleed is a catastrophic bug in OpenSSL: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users." Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. "Catastrophic" is the right word. Half a million sites are vulnerable, including my own. The bug has been patched. At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. This article is worth reading.

Heartbleed flaw: Cisco and Juniper equipment caught in the storm.

Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

Yesterday afternoon, Ars Technica published a story reporting two possible logs of Heartbleed attacks occurring in the wild, months before Monday's public disclosure of the vulnerability. It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure.

01net. Banks ordered to act "as quickly as possible" against the Heartbleed flaw.

Robin Seggelmann, the man through whom the huge Heartbleed flaw arrived

01net, Security, 10/04 at 19:35, updated 10/04 at 19:43. A German developer is the source of the OpenSSL security flaw. But he insists he did not introduce it deliberately, let alone for an intelligence agency. Nobody knew him a few days ago; he is now a global star, at least in the IT security world. Robin Seggelmann, the unfortunate author of "Heartbleed". Interviewed by the Sydney Morning Herald, he explains that he took part in developing the OpenSSL protocol two years ago. "I fixed a lot of bugs and introduced new features. Normally, in open source coding processes, there is always someone who reviews new code written by a contributor."

Conspiracy theory. Some Internet users, however, find it hard to believe in bad luck and have constructed conspiracy theories.