Dark Times for OpenSSL
Though it may sound like the title of a Slayer album, Heartbleed actually refers to a serious security vulnerability in OpenSSL. Nearly ubiquitous, OpenSSL is an open-source cryptographic library that is deployed by perhaps as many as two-thirds of the Internet’s websites. These sites use OpenSSL as a mechanism to implement secure SSL and TLS encrypted connections. TLS and its predecessor SSL are cryptographic protocols that ensure communication security online.
Attacks targeting the Heartbleed vulnerability, which is reportedly pretty easy to exploit and very difficult to detect, could have dire consequences for everyday Internet users. A successful exploit of the bug could expose private certificate keys, username and password combinations, and a variety of other sensitive data.
Heartbleed hit the news earlier this week after OpenSSL announced that it had provided a fix for the vulnerability. Since then, the seriousness of Heartbleed has settled in, and it’s pretty much the only thing anyone in the security industry has talked, heard, or read about. Considering what we know about Heartbleed, you’re probably going to want to do a bit of digital spring cleaning – particularly in regards to your passwords. You should definitely read the Heartbleed walkthrough we published on the Kaspersky Daily yesterday morning. It provides a pretty straightforward explanation of what is – in fact – an incredibly complicated problem. It also has tips on who is or was vulnerable and how to proceed from there.
The list of websites affected by Heartbleed is long and ever-changing, and you can use this tool to check individual sites. Beyond that, it’s now become clear that a number of online gaming platforms – Nintendo, Call of Duty, and League of Legends among them – were at some point afflicted with Heartbleed and are now urging customers to change their passwords immediately. You can find a list here at Digital Trends.
If you find all this crypto stuff interesting (or are incredibly confused about what encryption is and how it works), then go ahead and read our explainer on cryptographic hash functions. It’s not directly related to the OpenSSL situation, but it can’t hurt to expand that crypto-vocabulary from time to time.
The End of an Era
If you had asked last week what this week was going to be all about, I would have told you it was going to be a Windows XP-exclusive affair. Tuesday, April 8, 2014, marked the very last time Microsoft would issue public security fixes for its more-than-12-year-old Windows XP operating system. It’s long been known that the April 2014 edition of Patch Tuesday would be the last in which Microsoft issued fixes for XP.
Problematically, XP is still a dominant operating system. You see it on the computers at doctors’ offices and hospitals and on the payment interfaces of point-of-sale terminals and ATMs; it is the underlying operating system for an unknown number of embedded devices, and it may even be the operating system you personally rely on every day. All told, I have read estimates of the operating system’s overall market share ranging from 18 percent to 28 percent. Let there be no illusion: Windows XP isn’t going anywhere. The end of support merely means that any new vulnerability found in the operating system will never get patched.
For a full run-down on what this all means, you can read this brief look at the history and future of Windows XP, which was at one time the world’s most ubiquitous operating system.
In Other News
It got buried a bit, but Google made what seems to be a fairly strong, user-security-first move this week. The company bolstered security on its mobile Android operating system with a feature that will continually monitor apps on user devices to make sure they aren’t acting maliciously or exceeding their permissions with unwanted actions.
The existing systems, known as Bouncer and Verify Apps, scan Google’s Play Store and warn users if there’s a potential problem with an app they’re installing. In some cases, Google will block the installation of those apps outright. The new feature goes a step further, monitoring already-installed applications to safeguard against developers who will sometimes send updates to installed apps, adding malicious or otherwise unwanted functionalities. Altogether, these measures are designed to curb the growing problem of malicious Android applications making their way into the Google Play store.