OpenSSL Crypto Bug Leaves Severs Open to Eavesdropping
Note: Emerging Threats, the clearinghouse infotex uses for our own IPS/IDS signatures, has already released signatures for Snort and Suricata based intrusion detection engines. You can get these signatures at emergingthreats.net.
A critical defect in the cryptographic software library used to identify severs to end users across two-thirds of the internet may be leaving millions of passwords, banking credentials, and sensitive data open to eavesdropping hackers.
The threat comes from a two-year-old bug found in OpenSSL, the default cryptographic library for Apache and nginx Web server applications. It could potentially allow a hacker to retrieve the encryption key of digital validation certificates used in authenticating servers and to encrypt data moving between server and end-user. Such an attack would not leave a single trace in the server logs, so there would be no way of knowing if one had been hacked or not.
Experts are saying that, although most similar bugs are fixed with newer versions and patches, websites may remain vulnerable to attack as they may have already been exploited. There’s no way to know if hackers already have sensitive information from the server.
Original article by Dan Goodin.
Read the full story here.
Leave a comment
Voice assistants can be helpful, but their “always on” functionality can leave you vu Read more
Previously thought to be designed to deliver a DDoS attack, VPNFilter can alter data Read more
Getting a message to the user is one thing, having them see it is another… An article Read more
US Cyber Command joins with the FS-ISAC to share threat intelligence… An article revi Read more