Tuesday, April 15, 2014

Some 1,300 Android applications may be vulnerable to ... - RTVE

What is the Heartbleed flaw

Heartbleed's unexpected behaviour is due to an error in the code, specifically in one area of the OpenSSL library, which is present on some web servers and is in charge of confidential, secure communications. While not all Internet servers use OpenSSL, hundreds of thousands of servers are affected, including many of the most popular ones.
By exploiting the flaw, someone can make a kind of 'call to the server from outside', as if requesting something like a 64 KB page, and extract content from the memory of the machine that is running OpenSSL.
The flaw affects more than web browsing: everything stored in the memory of a server that uses OpenSSL (mail, messages, account data, etc.), as well as security certificates and the so-called 'master keys' that let whoever holds them access (or perhaps impersonate) the server more easily. Excerpted from an article by Álvaro Ibáñez, 'Alvy'.
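The 'call from outside' Alvy describes is a TLS heartbeat request whose 16-bit length field (hence the roughly 64 KB figure) the server trusted without checking it against the bytes that actually arrived. The following is an added example, not code from the original article or from OpenSSL itself: a heartbeat handler in C modelled on the shape of the bug, beside the bounds-checked version that 1.0.1g introduced. The simulated 4 KiB memory region, the "ping" request that claims a 1000-byte payload, and the secret string parked next to the record are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The 16-bit length field is what bounds the leak at roughly 64 KB per request. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     4096   /* assumed size of the simulated process memory */

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Vulnerable handler, modelled on the pre-1.0.1g logic: the attacker-controlled
 * payload_length is trusted as the copy size; rec_len (the number of bytes that
 * actually arrived) is never consulted, so memcpy reads past the record into
 * whatever lies next in memory and echoes it back to the peer. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* ignored: this is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, rec + 3, payload);               /* over-read past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: the checks added in OpenSSL 1.0.1g. A request whose claimed
 * payload does not fit inside the bytes actually received is silently dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the fix */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, rec + 3, payload);               /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed secret placed a little past the record in the simulated memory. */
static const char SECRET[] = "session=4f3c9a; card=4111111111111111";

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs one handler against a constructed request whose real payload is "ping"
 * (4 bytes, so 23 bytes on the wire) but whose length field claims `claimed`
 * bytes. Returns the handler's result and sets *leaked if SECRET came back. */
static int run_scenario(hb_handler h, uint16_t claimed, int *leaked)
{
    unsigned char mem[MEM_SIZE] = {0}, out[MEM_SIZE] = {0};
    const char *ping = "ping";
    size_t rec_len = 1 + 2 + strlen(ping) + HB_PADDING;
    mem[0] = HB_REQUEST;
    s2n(claimed, mem + 1);                           /* the lie about the length */
    memcpy(mem + 3, ping, strlen(ping));
    memcpy(mem + 200, SECRET, sizeof SECRET);        /* lives just beyond the record */
    int n = h(mem, rec_len, out, sizeof out);
    *leaked = n > 0 && contains(out, (size_t)n, SECRET);
    return n;
}

int vulnerable_leaks_secret(void)      { int l; return run_scenario(heartbeat_vulnerable, 1000, &l) == 1019 && l; }
int fixed_rejects_oversized(void)      { int l; return run_scenario(heartbeat_fixed, 1000, &l) == -1 && !l; }
int fixed_answers_honest_request(void) { int l; return run_scenario(heartbeat_fixed, 4, &l) == 23 && !l; }

int main(void)
{
    printf("vulnerable handler leaks secret:   %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects oversized:   %s\n", fixed_rejects_oversized() ? "yes" : "no");
    printf("fixed handler answers honest ping: %s\n", fixed_answers_honest_request() ? "yes" : "no");
    return 0;
}
```

The vulnerable handler returns a 1019-byte response built from 1000 bytes that follow the 23-byte request in memory, secret included; the fixed handler returns -1 for the same request and still answers an honest 4-byte ping with a 23-byte response. Real exploitation repeats the request to sweep different regions of the server's heap, which is why certificates, session material and form data from other users can all surface.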

RTVE.es

Heartbleed, the vulnerability affecting hundreds of thousands of Internet servers, could leave 1,300 Android applications defenseless, according to an analysis by security software company Trend Micro of more than 390,000 apps on Google Play.

Mobile applications, from the browser to online banking and shopping apps and web pages, also store information on a server. The company has announced that it has already informed Google of the issue.

Trend Micro stresses that, when shopping from a mobile app, once you enter your credit card information and complete the transaction, your bank details are stored on a server and can remain there for an indefinite period of time.

"Suppose that cybercriminals exploit the Heartbleed bug and target that server to extract the information stored there, among which is your credit card number," they explain.

Non-banking applications

Apps that do not offer purchases are not safe either, according to the security software company, since if they connect to an online server they remain vulnerable, for example when clicking "Like" on a social network or "following" someone to win prizes.

Most likely, they say, the application opens the website in its own browser window and users have to log in to the social network from there. Even though the social network the user accesses need not itself be vulnerable to Heartbleed, there could still be risks.


Apps and analyzed domains

Among the 1,300 applications analyzed by Trend Micro, 15 are related to banks, 39 to online payment services and 10 to online stores.

The company also found several popular apps that many users use daily, such as instant messaging, health and keyboard applications. These applications handle both personally and financially sensitive information, and may be exposed to cybercriminal activity.

To measure the impact of the Heartbleed vulnerability, the company scanned the main top-level domains (TLDs) of certain countries, drawn from Alexa's list of more than a million domains.

After discarding sites that do not use SSL, the researchers classified the rest as 'vulnerable' or 'safe'. About 5% of the domains are affected by the flaw, with .kr and .jp at the head, followed by .ru, .cn and .gov, as explained by Trend Micro threat researcher Maxim Goncharov.

How to protect against Heartbleed on mobile

Trend Micro mobile threats analyst Veo Zhang says that there is not much you can do to protect a mobile device against Heartbleed.

"I would tell you to change your password, but that does not help application developers or web service providers; it does not fully solve the problem. That requires updating to a patched version of OpenSSL, or at least to one of the non-vulnerable versions," he noted.

Although Trend Micro advises holding off on shopping or any other financial transaction from the app for a while, at least until the app's developer issues a patch that removes the vulnerability, you can also ask your bank whether the OpenSSL library is present on its server.

In this regard, the company has announced that it will continue analyzing and scanning the selected list of major domains for a few days in order to detect possible changes and to advise webmasters to update OpenSSL to protect their users.
