Spyware, Viruses, & Security forum


NEWS - April 08, 2014

'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

From Heartbleed.com:

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

An advisory from Carnegie Mellon University's CERT (http://www.kb.cert.org/vuls/id/720951) notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

Continued : http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Critical crypto bug exposes Yahoo Mail passwords Russian roulette-style
Heartbleed bug affects Yahoo, Imgur, OKCupid sites; users face losing passwords

End of the line for Windows XP

In reply to: NEWS - April 08, 2014

Kaspersky Lab Weblog:

Support for Windows XP is ending: after today there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

Is this a problem? After all, it's a 12-year-old operating system.

It wouldn't be, if it weren't for the fact that there are still a lot of people running Windows XP - our data indicate that around 18 per cent of our customers are still running Windows XP. That's a lot of people wide open to attack once the security patches dry up: effectively, every vulnerability discovered from now will become a zero-day vulnerability - that is, one for which there is no chance of a patch.

The problem will be compounded once application vendors stop developing updates for Windows XP - every un-patched application will become another potential point of compromise, further increasing the potential attack surface.

Continued : http://www.securelist.com/en/blog/208213056/End_of_the_line_for_Windows_XP

Rest in Peace, Windows XP
The XPocalypse is upon us: Windows XP support has ended
XPocalypse: Experts Warn of Attackers Hoarding Windows XP 'Forever Days'

Popular but fake security app removed from Google Play

In reply to: NEWS - April 08, 2014

In little over a week, a developer selling a security app named Virus Shield on Google Play has managed to earn over $40,000, and the software topped the list of most downloaded new paid apps. But unfortunately for those who paid for it, the app in question actually does nothing to protect the device, as the claims made by the developer are completely bogus.

"The app description says that it 'Prevents harmful apps from being installed on your device,' 'scans apps, settings, files, and media in real time,' and 'protects your personal information.' Oh, and it has a low impact on battery life, and has 'No, ZERO pesky advertisements!'," Android Police's Michael Crider reported. "There's just one problem: it's a complete and total scam."

Continued : http://www.net-security.org/secworld.php?id=16650

Related: Fake Android anti-virus app taken down
