{"id":4539,"date":"2014-04-18T12:30:20","date_gmt":"2014-04-18T16:30:20","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=4539"},"modified":"2020-12-11T06:01:34","modified_gmt":"2020-12-11T11:01:34","slug":"still-talking-about-heartbleed","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/still-talking-about-heartbleed\/4539\/","title":{"rendered":"A Week in the News: Still Talking About Heartbleed"},"content":{"rendered":"<p><a href=\"https:\/\/www.kaspersky.com\/blog\/heartbleed-and-windows-xp\/\" target=\"_blank\" rel=\"noopener nofollow\">Like last week<\/a>, the Heartbleed saga continues to dominate security news headlines. I could probably spend the whole recap just talking about Heartbleed, but I won\u2019t, because I think you may also want to know about a year-long data breach affecting the makers of a popular (and stylish) brand of external hard drives, an odd move by Microsoft that may impact your ability to install security updates, a potential initiative from a certain search giant that may boost search optimization for websites that make a good security decision, and a look at how the end of XP support has affected the Internet.<\/p>\n<p><b>The Heartbleed<\/b><\/p>\n<p>As I said, the Heartbleed saga continues. In case you haven\u2019t paid attention to any news source at all over the last two and a half weeks or so, Heartbleed is a flaw in OpenSSL, a widely used encryption library, that could have enabled anyone on the Internet to read a small block of memory from a machine protected by a vulnerable version of it. In severe cases, that block of memory could contain sensitive information like usernames, passwords, or even private encryption keys. 
There isn\u2019t enough time to re-explain this whole situation in a brief news wrap, but if you are a bit lost, read this <a href=\"https:\/\/www.kaspersky.com\/blog\/heartbleed-howto\/\" target=\"_blank\" rel=\"noopener nofollow\">Heartbleed walkthrough<\/a> and this further analysis explaining exactly <a href=\"https:\/\/www.kaspersky.com\/blog\/heartbleed-jacoby\/\" target=\"_blank\" rel=\"noopener nofollow\">why Heartbleed is a big deal<\/a>. If you\u2019re well acquainted with what\u2019s going on here, then read on:<\/p>\n<p>Over the weekend, <a href=\"https:\/\/threatpost.com\/heartbleed-saga-escalates-with-real-attacks-stolen-private-keys\/105436\" target=\"_blank\" rel=\"noopener nofollow\">Heartbleed escalated<\/a>, transitioning from a serious but still hypothetical security vulnerability to one which was being actively exploited in real world attacks and collecting real victims. A parenting website in the U.K. \u2013 called Mumsnet \u2013 was attacked by hackers exploiting Heartbleed. Those assailants made off with passwords there and reportedly used them to post messages on the site. More alarmingly, attackers also exploited Heartbleed and managed to compromise systems under the control of the Canadian Revenue Agency. Over a six-hour period, before the CRA managed to update its systems with the patched version of OpenSSL, the attackers stole the social insurance numbers of 900 citizens.<\/p>\n<div class=\"pullquote\">The OpenSSL Heartbleed bug that could expose passwords, communications, and encryption keys continues to dominate news headlines across the security industry<\/div>\n<p>Even some 20 percent of servers or \u2018exit nodes\u2019 in the Tor anonymization network were found vulnerable, according to research examining a random sampling of Tor nodes performed by Collin Mulliner of Boston\u2019s Northeastern University late last week. 
Tor has begun blocking these vulnerable nodes.<\/p>\n<p>Despite these attacks; proofs-of-concept demonstrating that certificate theft was, in fact, possible; and wide knowledge about the need to replace potentially compromised certificates, <a href=\"https:\/\/threatpost.com\/certificate-revocation-slow-for-heartbleed-servers\/105489\" target=\"_blank\" rel=\"noopener nofollow\">the rush to revoke and replace certificates<\/a> seems to be no real rush at all. Briefly, these certificates ensure that a website is the website you think it is. Certificates, quite literally, are trust on the Internet. For sure, <a href=\"https:\/\/threatpost.com\/certificate-revocations-shoot-up-in-wake-of-openssl-heartbleed-bug\/105526\" target=\"_blank\" rel=\"noopener nofollow\">there has been an explosion in certificate revocation and replacement<\/a> since the Heartbleed realization, but the explosion is not nearly proportional to the scope of the bug.<\/p>\n<p><b>LaCie\u2019s Year-Long Leak<\/b><\/p>\n<p>According to my colleague (<a href=\"https:\/\/www.kaspersky.com\/blog\/security-news-podcast-march\/\" target=\"_blank\" rel=\"noopener nofollow\">and monthly news podcast co-host<\/a>) Chris Brook, the French computer hardware company LaCie, perhaps best known for their colorful external hard drives, announced this week it fell victim to <a href=\"https:\/\/threatpost.com\/hd-manufacturer-lacie-admits-yearlong-data-breach\/105447\" target=\"_blank\" rel=\"noopener nofollow\">a data breach<\/a> that may have put at risk the sensitive information of anyone who has purchased a product off their website during the last year. The company says that an attacker compromised their online systems with a piece of malware and then used that access to steal customer names, addresses, and email addresses, as well as payment card information and card expiration dates. 
So, if you bought anything directly from LaCie\u2019s online store in the last year or so, your information may have been exposed, though you\u2019ve probably already been informed by the company if that is the case.<\/p>\n<p><b>A Bizarre Decision by Microsoft and a Potentially Great One by Google<\/b><\/p>\n<p>In a move that befuddled me, though I am sure there is probably a good reason for it, Microsoft somewhat recently announced that it would no longer provide security updates to users running out-of-date versions of Windows 8.1. In other words, <a href=\"https:\/\/threatpost.com\/install-april-windows-8-1-update-if-you-want-security-patches\/105452\" target=\"_blank\" rel=\"noopener nofollow\">in order to receive future security updates, customers will have to have updated their machines with the most recent Windows 8.1 Update<\/a>, which the company pushed out in April.<\/p>\n<p>I spoke with a spokesperson from Microsoft, but that person didn\u2019t elaborate much on why they made the decision. The good news here \u2013 as this Microsoft spokesperson was sure to point out \u2013 is that this announcement only affects the small percentage of users that don\u2019t have the auto-update feature enabled. To be clear, we definitely recommend turning on auto-update, and I believe it is turned on by default for most commercial Windows systems. If you\u2019re on auto-update, then you have nothing to worry about. If you install your updates manually, then you will need to install the Windows 8.1 update from April, or you won\u2019t be able to install their monthly patches moving forward. Your choice here, but it seems like a no-brainer to me.<\/p>\n<p>On the other hand, rumors are swirling around that the search giant Google may add some math to their magical search algorithm (at least I think that\u2019s how it works) that will boost search results for websites that implement encryption. 
<a href=\"http:\/\/blogs.wsj.com\/digits\/2014\/04\/14\/google-may-push-sites-to-use-encryption\/\" target=\"_blank\" rel=\"noopener nofollow\"><i>The Wall Street Journal<\/i><\/a> reported this news based on something the company\u2019s search algorithm guru, Matt Cutts, said at a conference. Google didn\u2019t outright deny these claims, but they did say that the company has nothing to announce at the moment. Hard to know if Google is actually mulling this over, but it certainly seems to be a good idea.<\/p>\n<p><b>XPocalypse Eventually?<\/b><\/p>\n<p>Speaking of things that Microsoft is not going to support anymore, they officially \u2013 and at long last \u2013 issued the final patches for Windows XP last month. There has been a lot of talk, for years, about what the impact would be of abandoning security support for an operating system that is still used by as many as 28 percent of computer users. It\u2019s too soon to tell what the impact of this will be, but it\u2019s probably time to get off XP if you are still running it. I have to think we\u2019d be talking about this a whole lot more if Heartbleed had never emerged, and I bet we will be talking about it as we move further into the future. Here is a solid run-down <a href=\"https:\/\/www.kaspersky.com\/blog\/xp-is-there-life-after-the-end-of-support\/\" target=\"_blank\" rel=\"noopener nofollow\">on what the end of XP may mean going forward<\/a>.<\/p>\n<p><b>In Mobile News<\/b><\/p>\n<p>Last, but certainly not least, a new report from our researcher friends at Kaspersky Lab demonstrates that business is booming for those that <a href=\"https:\/\/www.kaspersky.com\/blog\/faketoken-2014q1\/\" target=\"_blank\" rel=\"noopener nofollow\">use malware to steal banking information from Android users<\/a>. 
In closing: another day, another <a href=\"https:\/\/threatpost.com\/like-apples-touchid-galaxy-s5-vulnerable-to-fingerprint-hack\/105527\" target=\"_blank\" rel=\"noopener nofollow\">hack that compromises one of those fancy fingerprint scanners<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The OpenSSL Heartbleed bug that could expose passwords, communications, and encryption keys continues to dominate news headlines across the security industry<\/p>\n","protected":false},"author":42,"featured_media":4540,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[105,588,619,590,600],"class_list":{"0":"post-4539","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-android","9":"tag-heartbleed","10":"tag-lacie-data-breach","11":"tag-openssl","12":"tag-windows-xp"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/still-talking-about-heartbleed\/4539\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/still-talking-about-heartbleed\/3354\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/still-talking-about-heartbleed\/3240\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/still-talking-about-heartbleed\/3657\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/still-talking-about-heartbleed\/3714\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/still-talking-about-heartbleed\/3747\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/still-talking-about-heartbleed\/3368\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/still-talking-about-heartbleed\/3747\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/still-talking-about-heartbleed\/4539\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/still-talking-about-heartbleed\/4539
\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4539"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4539\/revisions"}],"predecessor-version":[{"id":37993,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4539\/revisions\/37993"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4540"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}