Monday, April 14, 2014

Heartbleed - One Line of Code - The Whole World Immersed in Misery



Interesting...


According to the article:-

On New Year's Eve in 2011, at one minute before 11pm, a British computer consultant named Stephen Henson finished testing a new version of a popular piece of free security software. With a few keystrokes he released OpenSSL version 1.0.1 into the public domain. Now, more than two years later, the events of that night have shaken the foundations of the internet.

What Henson didn't realise when he released the new version, is that he missed a tiny bug in a new feature called Heartbeat. This feature, written by a German graduate student named Robin Seggelmann, had the best of intentions

Unfortunately, both Seggelmann and Henson missed the fact that this check can be abused to trick the listening computer into replying with up to 64 000 characters of data directly from its memory. The asking computer simply lies about the length of the word it is sending ("cat is 64 000 letters long"), and the replying computer doesn't bother to check – it just spits the data out of its memory.

And here's where it gets really ugly. That data can contain literally anything loaded into memory including passwords, email addresses and encryption keys. Instead of attacking the armoured car, the hackers now have a secret back door into the warehouse and the codes to the safe.
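The length check the quoted article describes, as an added example in C (not code from the article, and not OpenSSL's own source): a constructed model of a server's memory holding a heartbeat record with a placeholder secret stored right behind it, a handler that trusts the length field inside the record, and a hardened handler that drops any request whose claimed length the received record cannot back up. The record layout (1 byte type, 2 byte length, payload, 16 bytes padding) follows RFC 6520; the memory model, the `SECRET_PLACEHOLDER` string and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a server's memory (an assumption for this example, not
 * OpenSSL's real data structures): the received heartbeat record is stored at
 * the front, and whatever the process happened to hold next, here a
 * placeholder secret, sits directly behind it. MEM_SIZE is large enough that
 * even the largest 16-bit length claim stays inside the array, so the model
 * itself never reads outside its own buffer. */
#define MEM_SIZE   70000
#define REPLY_SIZE 65536
static uint8_t server_memory[MEM_SIZE];
static uint8_t reply_buf[REPLY_SIZE];

/* Heartbeat record layout per RFC 6520: 1 byte type, 2 byte payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER  3
#define HB_PADDING 16
#define HB_REQUEST 1

/* Write a heartbeat request into the model memory. actual_len is how much
 * payload really arrived; claimed_len is what the sender put in the length
 * field. Returns the size of the record as received, which is the one number
 * a real server knows for certain. */
size_t build_record(const char *payload, size_t actual_len, uint16_t claimed_len,
                    const char *adjacent_secret) {
    memset(server_memory, 0, MEM_SIZE);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (uint8_t)(claimed_len >> 8);
    server_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(server_memory + HB_HEADER, payload, actual_len);
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    /* Data the process held right after the record; never part of the record. */
    memcpy(server_memory + record_len, adjacent_secret, strlen(adjacent_secret));
    return record_len;
}

static uint16_t claimed_length(void) {
    return (uint16_t)((server_memory[1] << 8) | server_memory[2]);
}

/* Vulnerable handler: echoes as many bytes as the sender claimed, without
 * comparing that claim to the size of the record that actually arrived. */
size_t heartbeat_vulnerable(size_t record_len, uint8_t *reply) {
    (void)record_len;                 /* never consulted: that is the bug */
    uint16_t n = claimed_length();
    memcpy(reply, server_memory + HB_HEADER, n);
    return n;
}

/* Hardened handler: header, claimed payload and minimum padding must all fit
 * inside the record that was received; otherwise the request is dropped. */
size_t heartbeat_fixed(size_t record_len, uint8_t *reply) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;      /* too short to be valid */
    uint16_t n = claimed_length();
    if (HB_HEADER + (size_t)n + HB_PADDING > record_len) return 0;  /* sender lied */
    memcpy(reply, server_memory + HB_HEADER, n);
    return n;
}

/* Does the reply contain the given byte string? Used to detect a leak. */
int reply_contains(const uint8_t *reply, size_t reply_len, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || reply_len < m) return 0;
    for (size_t i = 0; i + m <= reply_len; i++)
        if (memcmp(reply + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    const char *secret = "SECRET_PLACEHOLDER";  /* constructed stand-in for key material */
    size_t rec, n;

    /* Honest request: "cat" is 3 bytes and the length field says 3. */
    rec = build_record("cat", 3, 3, secret);
    printf("honest/vulnerable: %zu bytes echoed\n", heartbeat_vulnerable(rec, reply_buf));
    printf("honest/fixed:      %zu bytes echoed\n", heartbeat_fixed(rec, reply_buf));

    /* Dishonest request: still "cat", but the length field says 500. */
    rec = build_record("cat", 3, 500, secret);
    n = heartbeat_vulnerable(rec, reply_buf);
    printf("lying/vulnerable:  %zu bytes echoed, secret leaked: %s\n", n,
           reply_contains(reply_buf, n, secret) ? "yes" : "no");
    n = heartbeat_fixed(rec, reply_buf);
    printf("lying/fixed:       %zu bytes echoed (request dropped)\n", n);
    return 0;
}
```

The only difference between the two handlers is the comparison against `record_len`, the size the transport layer actually delivered. The vulnerable handler has no independent source of truth for the payload size, so the attacker-supplied field decides how much memory is copied; the hardened one treats that field as a claim to be verified against what arrived and silently discards anything that does not fit, which is the shape of the check the patched OpenSSL release added.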


The link below has more information:-
