Free Republic

Remember Heartbleed? Well, this is probably worse. Here's a (somewhat simplified) explanation of what Shellshock actually is. Don't worry: I haven't included instructions on how to actually exploit it. The moral of the story is: keep your security patches up to date!

It seems like only yesterday that the federal government assured us that none of its big public websites - and especially not HealthCare.gov, the ObamaCare exchange site - were at risk from the Heartbleed security flaw, which can allow hackers to steal passwords and personal data. Actually, those assurances came last Friday, April 11, in the form of a blog post from the Department of Homeland Security. "The government's core citizen-facing websites are not exposed to risks from this cybersecurity threat," we were assured by DHS National Cybersecurity and Communications Integration Center director Larry Zelvin, as quoted at Nextgov. One...

WASHINGTON — People who have accounts on the enrollment website for President Barack Obama’s signature health care law are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed Internet security flaw. Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular...

WASHINGTON – People who have accounts on the enrollment website for President Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw. Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov...

Federal systems remained vulnerable to hackers even after researchers identified the bug. Google knew about a critical flaw in Internet security, but it didn't alert anyone in the government. Neel Mehta, a Google engineer, first discovered "Heartbleed"—a bug that undermines the widely used encryption technology OpenSSL—some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services—such as email, search, and YouTube—before the companies publicized the bug on April 7. The researchers also notified a handful of other companies about the bug before going...

WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday. But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to...

Apple said Thursday that its mobile, desktop and Web services weren’t affected by a major flaw in a set of security software used by hundreds of thousands of websites. The flaw, codenamed “Heartbleed” and first reported by Web security firm Codenomicon, was discovered in a technology called “OpenSSL” — a set of encryption software used by Web companies to safeguard user information. Sites that use OpenSSL will display a small “lock” icon in the top left-hand corner of your Web browser’s address bar (though not all sites showing this lock use OpenSSL); the technology is used on more than two-thirds...

link only: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

The cybersecurity firm that discovered the so-called Heartbleed bug, a gaping hole in the most widely used software privacy and security software on the Internet, said the flaw went undetected for two years because of the large amount of intensive work it takes to manually test encryption software.

This week web experts discovered a huge flaw in the security software used by millions of Web sites — including many banks, email and social media services. Some sites have likened the breach to leaving your front door unlocked, and anyone who knows how to open the door can intrude and expose your confidential information. Unfortunately, the fix isn’t as simple as locking the door from inside your house. The code vulnerability exists within layers of secure Internet server coding. So how does this affect you? * This week web experts discovered a huge flaw in the security software used...

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.