Friday, 11 April 2014

Heartbleed: Facebook, Twitter, Amazon and Google react to gaping security hole

heartbleed bug
Technology vendors have moved to allay customers' concerns about the newly discovered Heartbleed flaw in the OpenSSL implementation of the transport layer security (TLS) protocol.
The security vulnerability was discovered by researchers with a Finnish company called Codenomicon and is believed to affect millions of web servers around the world
Though the US Computer Emergency Response Team (CERT) has published a list of all known affected companies, the full scale of the flaw remains unknown. Its potential for harm is significant as OpenSSL encryption is used by open-source web servers such as Apache and Nginx, which host 66 percent of all sites.
V3 has collected statements and guidance from key companies to help ascertain the full impact of the Heartbleed flaw.
Facebook
"We added protections for Facebook's implementations of OpenSSL before this issue was publicly disclosed, and we haven't detected any signs of suspicious activity on people's accounts. We're continuing to monitor the situation closely."
Microsoft
"Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows' implementation of SSL/TLS was also not impacted."
Google
"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine."
Google also confirmed the vulnerability affects its Cloud SQL, Compute Engine, Search Appliance and Android services, but promised patches will arrive for them in the very near future.
The Android vulnerability oddly only affects the 4.1.1 Jelly Bean version. The Cloud SQL and Google Compute Engine fixes will be slightly more complex to fix and require separate actions from users.
As explained by Google: “We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances.

“[Google Compute Engine] customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library.”
Amazon
Amazon has warned customers that the vulnerability affects its Elastic Load Balancing, Amazon Elastic Compute Cloud (EC2), AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront services.
The Elastic Load Balancing components affected by the flaw have been updated, though Amazon recommended: “As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the Elastic Load Balancing documentation.”
The firm also recommended: “Amazon EC2 customers using OpenSSL on their own Linux images should update their images in order to protect themselves from the Heartbleed bug.”
An update is available for AWS OpsWorks and it has already successfully mitigated the issue affecting its CloudFront service.
The company’s AWS Elastic Beanstalk is the only service that remains unfixed, though Amazon confirmed: “We are working with a small number of customers to assist them in updating their SSL-enabled single-instance environments that are affected by this bug.”
Twitter
"On 7 April 2014 we were made aware of a critical vulnerability in OpenSSL (CVE-2014-0160), the security library that is widely used across the internet and at Twitter. We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation."
Cisco
The firm said: "The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. Cisco Advisory OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products was just published and already includes information on vulnerable products and others confirmed not vulnerable.
"The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco will be communicated according to the Cisco Security Vulnerability Policy."
Tumblr
"We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said.
"This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
PayPal
"Following a comprehensive review of all our services, our security teams did identify a handful of businesses that we recommend upgrade their Payflow Gateway integrations to eliminate the risk of vulnerability. The Payflow Gateway is a payment gateway for online merchants that links your website to your processing network or merchant account," said PayPal.
"We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations."

No comments:

Post a Comment