OpenSSL Crypto Bug Leaves Severs Open to Eavesdropping
Note: Emerging Threats, the clearinghouse infotex uses for our own IPS/IDS signatures, has already released signatures for Snort and Suricata based intrusion detection engines. You can get these signatures at emergingthreats.net.
A critical defect in the cryptographic software library used to identify severs to end users across two-thirds of the internet may be leaving millions of passwords, banking credentials, and sensitive data open to eavesdropping hackers.
The threat comes from a two-year-old bug found in OpenSSL, the default cryptographic library for Apache and nginx Web server applications. It could potentially allow a hacker to retrieve the encryption key of digital validation certificates used in authenticating servers and to encrypt data moving between server and end-user. Such an attack would not leave a single trace in the server logs, so there would be no way of knowing if one had been hacked or not.
Experts are saying that, although most similar bugs are fixed with newer versions and patches, websites may remain vulnerable to attack as they may have already been exploited. There’s no way to know if hackers already have sensitive information from the server.
Original article by Dan Goodin.
Read the full story here.
Leave a comment
K-12 teachers offered training to help give every student an education in cybersecuri Read more
Battling Procedure Fatigue in Cybersecurity . . . Or . . . making sure we don’t just Read more
Weekly themes for the annual event have been announced… An article review. October is Read more
Another awareness poster for YOUR customers (and users). Now that we have our own em Read more