Biggest exploit of the last 12 years ... |Rajat Poonia Rajasthan
Heartbleed is the name given to a vulnerability in OpenSSL, the cryptographic library underpinning large sections of the Web, which potentially exposes passwords and other data held by affected sites. The code that contains the bug was written by programmer Robin Seggelmann, who admits he "missed the necessary validation by an oversight."
Heartbleed is a security vulnerability in OpenSSL that lets an attacker read the memory of a server (or client) running an affected version. According to Netcraft, an Internet research firm, 500,000 Web sites could be affected. That means a user's sensitive personal data -- including usernames, passwords, and credit card information -- is potentially exposed.
The vulnerability also means an attacker could steal the server's private key, which is used to secure its encrypted connections, and with it impersonate the site or decrypt recorded traffic; anything else sitting in the server process's memory, including a company's confidential internal data, is equally at risk.
The programmer who inadvertently introduced the Heartbleed bug to the Internet on New Year's Eve 2011 reckons the fact it was eventually spotted proves the value of open source.
Heartbleed is a major vulnerability across the Internet. (Image: Codenomicon) We've all woken up on New Year's Day regretting what happened the night before, but this puts things in perspective: the man who accidentally introduced the Heartbleed bug to the Web did so on New Year's Eve.
Report says NSA exploited Heartbleed, kept flaw secret -- but agency denies it
A Bloomberg report says the agency knew about the Heartbleed security flaw that's sent sites like Google scrambling to patch their systems -- but it kept it secret and used it to spy. The agency, however, says that's not so.
Heartbleed bug affects gadgets everywhere
The Internet bug Heartbleed doesn't just affect websites. It has also shown up in the gadgets we use to connect to the Internet.
That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.
"That's why this is being dubbed the biggest exploit of the last 12 years."
What could be hacked?
Work phone
Company video conference
VPN
Smartphone
Switches
How does the bug work?
The flaw is in OpenSSL's implementation of the TLS heartbeat extension. A heartbeat request carries a small payload and a 16-bit field stating how long that payload is; the vulnerable code trusted that field instead of checking it against the size of the message actually received, and copied that many bytes from its own memory into the reply. An attacker who sends a few bytes but claims the maximum length therefore gets back up to 64 kilobytes of the server's memory per request, and because the request is part of a normal-looking TLS exchange and leaves nothing in ordinary logs, it can be repeated as often as the attacker likes. That means an attacker could get not just usernames and passwords, but also "cookie" data that Web servers and browsers use to track individuals and ease log-in. According to the Electronic Frontier Foundation, doing the attack repeatedly could yield more serious information, like a site's private SSL key, used to encrypt traffic. With that key, someone could run a fake version of a Web site and use it to steal all other kinds of information, like credit card numbers or private messages.
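To make the mechanism concrete, here is an added example (written for this page, not code from the article or from OpenSSL) that models the bug in C. A small byte array stands in for the process heap, with the received heartbeat record at the front and a constructed "secret" placed right after it; the `heartbeat_vulnerable` function follows the shape of the unpatched OpenSSL 1.0.1 handler, `heartbeat_fixed` adds the length check from the 1.0.1g fix, and the `demo_leak` helper (hypothetical, for the demonstration only) reports whether the planted secret comes back in the response. Keeping everything inside the arena means the over-read is visible without real undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model heap (constructed for this example): the received record sits at the
   start, and whatever was allocated next lives just past its end. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define PADDING          16   /* RFC 6520: at least 16 bytes of random padding */

/* Build a heartbeat request whose length field claims `claimed` payload bytes
   while only `actual` bytes are really sent; plant `secret` right after the
   record. Returns the true record length (what OpenSSL calls rrec.length). */
static size_t build_request(uint16_t claimed, size_t actual, const char *secret)
{
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);
    size_t rrec_len = 1 + 2 + actual + PADDING;
    memcpy(arena + rrec_len, secret, strlen(secret));
    return rrec_len;
}

/* Unpatched logic (OpenSSL 1.0.1 to 1.0.1f): the payload length comes from the
   attacker's message and is never compared with the record actually received.
   Returns the response length, or -1 if refused. The out_cap check is a
   convenience of this model; real OpenSSL just allocated 1+2+payload+16 bytes. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rrec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rrec_len;                               /* never consulted: the bug */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];    /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);   /* copies `payload` bytes, whatever arrived */
    return (int)resp_len;
}

/* Patched logic (OpenSSL 1.0.1g): the record must be large enough for header
   plus padding, and then for header, claimed payload and padding. Anything
   else is silently dropped (return 0), as in the upstream fix. */
static int heartbeat_fixed(const unsigned char *rec, size_t rrec_len,
                           unsigned char *out, size_t out_cap)
{
    if (1 + 2 + PADDING > rrec_len) return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + PADDING > rrec_len) return 0;   /* the added check */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);   /* now bounded by what the record holds */
    return (int)resp_len;
}

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Hypothetical driver: 1 if the planted secret leaks into the response, 0 if
   not, -1 if the handler dropped/refused the request, -2 if the request would
   read outside the model arena (real OpenSSL would read past the heap object). */
int demo_leak(uint16_t claimed, size_t actual, int use_fix)
{
    static const char secret[] = "session=0123456789abcdef";   /* constructed */
    if ((size_t)3 + claimed > ARENA_SIZE ||
        1 + 2 + actual + PADDING + sizeof secret > ARENA_SIZE)
        return -2;
    size_t rrec_len = build_request(claimed, actual, secret);
    unsigned char out[512];
    memset(out, 0, sizeof out);   /* OpenSSL fills the padding with random bytes */
    int n = use_fix ? heartbeat_fixed(arena, rrec_len, out, sizeof out)
                    : heartbeat_vulnerable(arena, rrec_len, out, sizeof out);
    if (n <= 0) return -1;
    return contains(out, (size_t)n, secret);
}

int main(void)
{
    printf("unpatched, claimed 100 / sent 5: leak=%d\n", demo_leak(100, 5, 0));
    printf("patched,   claimed 100 / sent 5: leak=%d\n", demo_leak(100, 5, 1));
    printf("unpatched, honest 5 / 5:         leak=%d\n", demo_leak(5, 5, 0));
    return 0;
}
```

Against a real server the same mismatch is produced by one crafted heartbeat message after the handshake, and the reply carries whatever happened to be adjacent in the heap: session cookies, request bodies from other users, or fragments of the private key. Note that the fixed handler drops the bad message rather than sending an alert, so a patched server simply stops answering such probes, which is what the public test sites look for.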
Should you change your passwords?
For many Web sites, yes. BUT wait until you get confirmation from the Web site operator that the bug has been patched. It's a natural reaction to want to change all of your passwords immediately, but if the Web site's bug has not been fixed yet, making the change could be useless -- you're just potentially giving an attacker your new password.
How do you check if a Web site has been affected -- or fixed?
A few companies and developers have created testing sites to check which Web sites are vulnerable or safe. Two good ones are by LastPass, a company that makes password management software, and Qualys, a security firm. While these test sites are a good preliminary check, continue to proceed with caution, even if the site gives you an all-clear indication: a test only tells you whether the server still answers a malformed heartbeat today, not whether its private key or your session data was already taken before it was patched, so a properly fixed site should also have replaced its certificate. If you're given a red flag, however, avoid the site.
If you have any doubt, please let me know.