heartbleed
Latest
Lexus software update gives new meaning to 'car crash'
Last year, headlines made everyone fearful of hackers taking over cars on the freeway. Turns out the real menace to owners of connected cars are the loopy manufacturers themselves. Toyota had to suck it up this week and admit to Lexus owners, who were going nuts on Facebook and Twitter on Tuesday, about why the climate control, radio, GPS, USB, Bluetooth, and other features suddenly stopped working for a range of 2014-2016 Lexus models. Or, their dashboard console would reset itself repeatedly.
The problem with 'pumpkin spice' security bugs
Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fear mongering and jargon with expertise, a friendly voice and a little levelheaded perspective. When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes. Fixing and patching, we're led to believe, is almost as fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with intent to become PR markers -- although looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems like the focus was more on the credit for naming them, rather than the actual usefulness of trying to "pumpkin spice" a bug.
A virtual server bug is said to be worse than Heartbleed
In case you were napping, Heartbleed struck web servers' OpenSSL security last year, opening up the servers' memory to intruders. There's a new so-called zero-day vulnerability, only this time the researchers who discovered it say it's much worse, impacting millions of datacenter machines. The flaw is called Venom, which stands for Virtualized Environment Neglected Operations Manipulation. What does that mean? With the common practice of putting multiple customers into virtual servers, datacenters are setup to share some key tools, but sensitive information remains separated. Thanks to Venom, though, a hacker can gain access to a datacenters' entire storage network, leaving all of the customers on it vulnerable. As you might expect, the issue resides in an often ignored virtual floppy disk controller, but when it's exploited, it's like opening up a vault of stored info. As ZDNet reports, many modern virtual systems contain the bug -- platforms like Oracle's VirtualBox, KVM and Xen. The good news is Oracle says it already remedied the issue, and will nix it completely in forthcoming update. [Image credit: Marvel via Getty images]
Heartbleed blamed for Chinese theft of 4.5 million health records
Yesterday, Community Health Systems announced that Chinese hackers had managed to steal the healthcare records of 4.5 million of its customers. Now, security firm TrustedSec is claiming that the reason the information was swiped was because of the world-famous Heartbleed vulnerability. TrustedSec founder David Kennedy then told Bloomberg that he learned this fact from three unnamed insiders who told him under the cloak of anonymity. The security expert went on to say that the attack took place roughly a week after Heartbleed was made public, but before the healthcare chain could patch the hole in its system. We don't think we need to tell you what the lesson is, here.
Google banks on its own tech to protect Chrome users from another Heartbleed
Last month Google said that it was tired of mashed-together bug fixes for OpenSSL and decided to create its own fork called BoringSSL. It has now implemented that variant in the latest Chromium build, the open-source software that eventually arrives in Chrome. OpenSSL is software used for secure connections -- created largely by volunteers -- and an overlooked code problem recently caused the infamous Heartbleed bug. When BoringSSL was first announced, there was some grumbling from the security community about yet another flavor of SSL. But Google said that with over 70 patches now in OpenSSL, it was becoming much too unwieldy to implement in Chrome. It added that it wasn't trying to replace OpenSSL and would continue to send any of its own bug fixes to that group. It'll likely be implemented in the next version of Chrome, but you'll be able try the beta soon here, if you're feeling lucky. [Image credit: AP/Mark Lennihan]
How to Disappear (almost) Completely: the illusion of privacy
Can anyone ever really leave the internet? And if you had the choice, is that something that you'd want to do? After all, abandoning the connected world might help you reclaim some privacy, but even if you smashed your PC, burned your tablet and tossed your smartphone, you might still not be able to escape constant surveillance. In our three-part series How To Disappear, we're going to look at why you'd think about going offline, what you can do to tidy up your digital footprint and what happens to those who have made the leap into the darkness.
Technology leaders form alliance to prevent another Heartbleed
Be honest, don't you kinda wish we could just rub our collective eyes and all this Heartbleed business would just disappear? Tough luck hombre, it's still here, and some kid's trying to steal your vacation photos (probably). When we spoke to the open source initiative about it recently, we got a less than reassuring reply -- that the problem is partly about resources. What is more reassuring this this: The Core Infrastructure Initiative. If that sounds like a conference you'd pay money to not attend, we're with you, but trust us, it's for your benefit. In short, some of the biggest names in tech (Facebook, Google, Amazon, Intel and many more) have pledged to work with the Linux Foundation to make sure something like Heartbleed doesn't happen again. How? Mostly with cold hard cash, with each of the 13 company's involved chipping in to the "multi-million" dollar project. But how's it actually going to work?
Apple mends a Heartbleed security bug in its latest WiFi routers
Apple has largely avoided the wrath of the Heartbleed security flaw, but it now appears that the company's products aren't completely immune. The crew in Cupertino just updated its most recent AirPort Extreme and Time Capsule WiFi routers to fix a Heartbleed-related vulnerability that surfaces when you're either using Back to My Mac remote access or sending diagnostics. While the flaw won't let evildoers steal your credentials, they could launch man-in-the-middle attacks that grant access to login pages on both the router and your computers -- more than a little dangerous, we'd say. You don't have to worry if you're still hanging on to an older AirPort, but everyone using Apple's latest networking gear will want to patch up as soon as possible.
1Password's iOS and Mac apps get better sync and edit features
If you use 1Password, you might be worried about the security of your private data, what with all the talk about Heartbleed. Fortunately, the software's developer, AgileBits, says 1Password isn't affected by the OpenSSL exploit, but some of the sites you visit probably are. That's why the company built a service called Watchtower, which allows you to check the vulnerability of sites you frequent. Even still, users will be happy to know that both the password manager's Mac and iOS applications just received a whopper of an update, bringing a bevy of bug fixes, UI tweaks and notable improvements for each platform. Oh, and they're on sale until Friday for $24.99 and $8.99 respectively.
Engadget Podcast 393 - 4.18.14
We have less libations, but more tech-related news than last week's peaty podcast and that's just fine for your sleep-deprived hosts. First up is some informed speculation on Amazon's new smartphone, based on a few inconclusive photos that recently surfaced. Another work in progress is Google's Project Ara, a modular concept that looks to make swappable smartphone parts a reality. The one thing that's all too real and in your face, however, is the recent Heartbleed exploit, which has had widespread impact across the web. While you're racing to update all those passwords -- yes, it's OK to do that now -- it couldn't hurt to get a refresher on exactly what happened and which sites were affected. So head on down to the streaming links and get your brain fix with this week's episode of the Engadget Podcast. Hosts: Terrence O'Brien, Ben Gilbert Producer: Jon Turi Hear the podcast:
The Open Source Initiative hopes public awareness is Heartbleed's 'silver lining'
Looking for a positive take to cut though all the negative press that Heartbleed has been getting? Then the Open Source Initiative (OSI) has one. The news has been full of stories about the exploit in OpenSSL (itself, an open-source project) that has caused a wave of panic around the internet. With much of the public not understanding what open-source is (it's complex, but mostly involves freedom to redistribute, and access to the code it's built on), and the fact that all this can be caused by a few lines of edited text, the integrity of open-source software has understandably come under scrutiny. We spoke with a representative from the OSI, and they gave us the positive spin we'd all been looking for.
The Engadget Podcast is live at 12PM ET!
After last week's Very Special Episode, we've grabbed a Hair of the Dog (or two...or three), a bit of rest, and we're back for a regular ol' episode of The Engadget Podcast. We're discussing a triplet of topics that are assuredly close to your heart and head: the experimental and bizarre phones from Amazon and Google, and the hit security flaw that all the kids are raving about (Heartbleed). The show starts at 12PM ET sharp(ish), so grab your favorite plate of leftovers, a set of cans and a comfy seat. And tune in!
Tor's anonymity network may have to shrink to fight the Heartbleed bug
Bad news if you're relying on the Tor network to evade surveillance or otherwise remain anonymous: you're not immune from the Heartbleed bug, either. Key developer Roger Dingledine warns that some Tor nodes are running encryption software that's vulnerable to the flaw, and that they may have to be kicked off the network to safeguard its privacy-minded users. If all the service's directory operators decide to boot compromised nodes, roughly an eighth of Tor's capacity could go away -- you may well notice the difference.
The NSA issues its own suggestions for avoiding lost Heartbleed data
The United States National Security Agency may or may not have known about the security vulnerability known as "Heartbleed," but now that it's a widely publicized issue, the agency has some safety suggestions. Sure, you've probably heard all this before, but bear with us. First and foremost, websites/web services using the affected software (OpenSSL versions 1.0.1 through 1.0.1f) are told to update, or turn off the function which enables the security flaw. Second, a variety of OSes and client/server software use the affected service, so the NSA suggests you get in touch with your software's creator directly (Google's already taken care of it in one version of Android, for instance). Finally, after you're back up on a safe version of the website/service/OS you use, it's time to dump your current password in place of a fancy new one. Like we said, nothing you haven't heard before, but here's the NSA confirming as much. Head below for the full document in all its acronym-laden glory.
The TUAW Daily Update Podcast for April 14, 2014
It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get some the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the player at the top of the page. The Daily Update has been moved to a new podcast host in the past few days. Current listeners should delete the old podcast subscription and subscribe to the new feed in the iTunes Store here.
Crooks use Heartbleed exploit to steal 900 Canadian tax IDs
While it might not be the worst-case scenario, a security breach at the Canada Revenue Agency could be the worst known real-world exploit of the Heartbleed vulnerability since it went global last week. The CRA claims that almost 1,000 Social Insurance Numbers, as well as unspecified business data was removed from the CRA systems by hackers using the high-profile server vulnerability. Most significantly, the breach happened after the CRA (and the world) learned about Heartbleed. While the agency took swift action to start securing its own systems (which were affected by the bug), it looks like the opportunistic hackers beat them to it, and managed to bag the identifying data before being shut out. Further analysis by the government agency assures the public that there is no evidence of any similar breach either before or since this incident. The Canadian authorities will be applying additional security measures to the accounts that were compromised to hopefully prevent any misuse of the data. While this might be of little comfort to the 900 or so taxpayers who had their information pilfered, it highlights the importance for organizations, -- government or otherwise -- to not waste any time stemming the flow.
Talkcast tonight, 7pm PT/10pm ET: Heartbleed Edition!
New dial-in experience! Set up Fuze Meeting before the show if you want to join in live. We come once again to the long standing Sunday night tradition of the TUAW talkcast! This week we'll be chatting with special guest Jeff Gamet, Managing Editor over at The Mac Observer. Tonight we shall discuss the news of the week, including Heartbleed and basic security steps for all manner of digital protection. To chat live, use the Chatroll embed below. Reminder on new-style talkcasting: With some help from the fine folks at Fuze, we're using a new system to record the show. This should let everyone listen in live -- and, if you want, raise your hand as you would in the Talkshoe room to get unmuted and chime in. You can join the call in progress (meeting # is 20099010) at 10 pm ET from any computer via this link; if you download the Mac or Windows Fuze clients ahead of time, you'll get better audio and a slicker experience, but browser-only will work fine. Just click the phone icon to join the audio once you're in. Using an iPhone or iPad? Grab the native clients from the App Store and get busy. (Even Android users can join the party.) Still feel like using the conventional phone dial-in? Just call 201-479-4595 and enter the meeting number 20099010, then press #. While the Fuze web and native clients have a chat channel, we'd like to reserve that for host participants, requests to talk and other real-time alerts... so the full-on chat for the show will appear in this very post at 10 pm tonight. You'll need Twitter, Facebook or Chatroll credentials to participate in the chat. We'll remind everyone to check back in at that time.
NSA can keep quiet on internet flaws it discovers in 'clear national security' cases
When news of the Heartbleed internet security bug broke last week, Bloomberg reported that the NSA may have known about the OpenSSL flaw for years, using it to gain info instead of warning the public. The government agency was quick to deny that story, saying that it found when the rest of us did. But as it turns out, if they had kept the discovery secret in the interest of a national security threat, that would've been okay thanks to a January decision by President Obama. The New York Times reports that although details were never publicly reported by the White House, info about the choice began to surface after Friday's advance knowledge of the Heartbleed situation. The President determined that unless there's "a clear national security or law enforcement need," it's better for the government to publicly disclose those internet flaws that it uncovers -- in the interest of getting them fixed. Of course, this wording is quite vague, leaving quite a bit of room for interpretation. [Photo credit: Larry Downing/AFP/Getty Images]
What is Heartbleed, anyway?
If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are, you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I login to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple. In an attempt to take the pressure off -- it is the weekend after all -- we've put together a primer that should answer all of those questions and a few more. Next time someone asks you about that "Heartbleed thing," just shoot them in our direction.
Webcomic explains Heartbleed bug like you're five
So, you understand what that terrible Heartbleed bug's all about, but you can't really explain it in words even a five-year-old can understand. Here's what you should do when someone asks at your weekly family dinner, then: launch the XKCD website and show them its two recent Heartbleed strips. With just a bit more detail from your end, the webcomic should make the concept easy to grok, like what it did for global warming, radiation and Saturn V rockets in the past.
