background preloader

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

NSA Said to Exploit Heartbleed Bug for Intelligence for Years
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Related: Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Controversial Practice Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Free Code Serious Flaws Flawed Protocol Ordinary Data

Test your server for Heartbleed (CVE-2014-0160) If there are problems, head to the FAQ Results are now cached globally for up to 6 hours. Enter a URL or a hostname to test the server for CVE-2014-0160. All good, seems fixed or unaffected! Uh-oh, something went wrong: Check what it means at the FAQ. Here is some data we pulled from the server memory: (we put YELLOW SUBMARINE there, and it should not have come back) Please take immediate action! You can specify a port like this example.com:4433. 443 by default. Go here for all your Heartbleed information needs. If you want to donate something, I've put a couple of buttons here.

Heartbleed Bug The Heartbleed Hit List: The Passwords You Need to Change Right Now An encryption flaw called the Heartbleed bug is already being dubbed one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years. But it hasn't always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We've rounded up their responses below. Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable. We'll keep updating the list as new information comes in. Social Networks Other Companies Email Stores and Commerce Other

HeartBleed : une chance qu'OpenSSL soit un logiciel libre ! SSL/TLS, la base des communications chiffrées, pas si chiffrées que ça en fait Lorsque vous naviguez sur Internet, vous utilisez parfois sans le savoir des liaisons sécurisées. Ce sont en fait des liaisons chiffrées. C'est le cas lorsque vous vous connectez à votre webmail favori ou au site de votre banque. La majorité des serveurs sécurisés utilisent le protocole dit HTTPS. Le spectre de la NSA Il y a un point extrêmement gênant si on recroise avec l'affaire NSA/Prism. Le rôle du logiciel libre dans la gestion de HeartBleed Quelles leçons tirer de tout cela ? Les 4 libertés, l'accès direct à un correctif N'ayant pas accès au code-source, une personne qui aurait constaté un comportement anormal (ici, l'accès à une zone mémoire théoriquement inaccessible) n'aurait pas pu comprendre l'origine même du problème (ici une non-vérification d'une borne dans un tableau). Le logiciel libre, distribué mais organisé « Communauté », j'écris ton nom

Related: