Information Security News
Contrary to previous suspicions, it is possible for hackers exploiting the catastrophic vulnerability dubbed Heartbleed to extract private encryption keys from vulnerable websites, Web services firm Cloudflare reported Saturday.
As recently as yesterday, Cloudflare published preliminary findings that seemed to indicate that it would be difficult, if not impossible, to use Heartbleed to get the vital key that essentially unlocks the secure sockets layer padlock in millions of browsers. To be extra-sure, Cloudflare launched “The Heartbleed Challenge” to see how other people exploiting Heartbleed might fare. The company set up an nginx server running a Heartbleed-vulnerable version of OpenSSL and invited the Internet at large to steal its private key.
Just nine hours later, software engineer Fedor Indutny and Ilkka Mattila of NCSC-FI had obtained the server's private key using nothing but the Heartbleed vulnerability. As of this writing, CloudFlare had confirmed a total of four winners: Indutny and Mattila, followed by Rubin Xu, a PhD student in the Security group at Cambridge University, and security researcher Ben Murphy.
Pro2col Announces its Presence at InfoSec 2014
Newswire Today (press release)
NewswireToday - /newswire/ - Bournemouth, Dorset, United Kingdom, 2014/04/09 - Leading independent file transfer specialist Pro2col, who will be exhibiting at InfoSec, is also pleased to announce an exclusive agreement with Thru to distribute their ...
CloudFlare launched a challenge yesterday: Can You Get Private SSL Keys Using Heartbleed? The site created by CloudFlare engineers is intentionally vulnerable to Heartbleed. If you manage to steal the private key from the site, they will post the full details on that site. So far two individuals have succeeded: Fedor Indutny (@indutny) and Ilkka Mattila of NCSC-FI.
If you have time and bandwidth, this might be a fun weekend project.
Guy Bruneau, IPSS Inc., gbruneau at isc dot sans dot edu. (c) SANS Internet Storm Center, http://isc.sans.edu, Creative Commons Attribution-Noncommercial 3.0 United States License.