What is the #Heartbleed #bug? / @LOCOSDEL136


There has been a lot of talk this week about a newly and accidentally uncovered security flaw on the Internet, and it would not surprise us if some of the Internet services you know, such as social networks, banking, payment services, etc., have already reached out to let you know what measures they are taking or to confirm whether or not they were affected. But do you have any idea what it is about?


It all started with a report from Google Security this very week, in which Neel Mehta reported that OpenSSL has a flaw affecting memory handling in the implementation of the TLS security layer, used in most email clients to take one example, causing 64 kilobytes of memory to be exposed through the TLS Heartbeat extension, which can even include user information, hence the name Heartbleed.

The worst part is that the flaw turned out to have existed since 2011, but it did not become widespread until all the developers working with Internet protocols upgraded to OpenSSL 1.0.1 in 2012.

The impact is such that, by reading an arbitrary block of the web server's memory, attackers could receive sensitive data that happens to be included in those 64-kilobyte blocks, which compromises the security of the server and its users. Vulnerable data includes the server's private master key, which would allow attackers to decrypt current or stored traffic through passive or active attacks such as man-in-the-middle, if perfect forward secrecy is used. The attacker cannot control which data is returned, since the server responds with a random chunk of its own memory.

The following is a list, courtesy of CNET, documenting the sites and services that may have been affected and whether the companies have already fixed the issue:

 

| Site | Qualys | Confirmation from site |
|---|---|---|
| Google | Pass | Vulnerability patched. Password change recommended |
| Facebook | Pass | Vulnerability patched. Password change recommended |
| YouTube | Pass | Vulnerability patched. Password change recommended |
| Yahoo! | Pass | Vulnerability patched. Password change recommended |
| Amazon | Pass | Was not vulnerable |
| Wikipedia | Pass | Vulnerability patched. Password change recommended |
| LinkedIn | Pass | Was not vulnerable |
| eBay | Pass | Was not vulnerable |
| Twitter | Pass | Was not vulnerable |
| Craigslist | Pass | Awaiting response |
| Bing | Pass | Vulnerability patched. Password change recommended |
| Pinterest | Pass | Vulnerability patched. Password change recommended |
| Blogspot | Pass | Vulnerability patched. Password change recommended |
| CNN | Be on alert | Awaiting response |
| Live | Pass | Was not vulnerable |
| PayPal | Pass | Was not vulnerable |
| Instagram | Pass | Vulnerability patched. Password change recommended |
| Tumblr | Pass | Vulnerability patched. Password change recommended |
| Espn.go.com | Pass | Vulnerability patched. Password change recommended |
| WordPress | Pass | Awaiting response |
| Imgur | Pass | Awaiting response |
| Huffington Post | Not available | Awaiting response |
| Reddit | Pass | Vulnerability patched. Password change recommended |
| MSN | Pass | Was not vulnerable |
| Netflix | Pass | Vulnerability patched. Password change recommended |
| Weather.com | Not available | Vulnerability patched. Password change recommended |
| IMDb | Not available | Was not vulnerable |
| Yelp | Pass | Vulnerability patched. Password change recommended |
| Apple | Pass | Was not vulnerable |
| AOL | Pass | Awaiting response |
| Microsoft | Pass | Was not vulnerable |
| NYTimes | Pass | Awaiting response |
| Bank of America | Pass | Was not vulnerable |
| Ask | Not available | Was not vulnerable |
| Fox News | Pass | Was not vulnerable |
| Chase | Pass | Was not vulnerable |
| GoDaddy | Pass | Vulnerability patched. Password change recommended |
| About | Not available | Was not vulnerable |
| BuzzFeed | Pass | Awaiting response |
| Zillow | Pass | Was not vulnerable |
| Wells Fargo | Pass | Was not vulnerable |
| Etsy | Pass | Vulnerability patched. Password change recommended |
| XVideos | Be on alert | Awaiting response |
| Walmart | Pass | Was not vulnerable |
| CNET | Pass | Was not vulnerable |
| Pandora | Pass | Was not vulnerable |
| xHamster | Pass | Awaiting response |
| PornHub | Pass | Awaiting response |
| Comcast | Pass | Awaiting response |
| Stack Overflow | Pass | Vulnerability patched. Password change recommended |
| Salesforce | Pass | Was not vulnerable |
| Daily Mail | Be on alert | Awaiting response |
| Vimeo | Pass | Vulnerability patched. Password change recommended |
| Conduit | Pass | Awaiting response |
| Flickr | Pass | Vulnerability patched. Password change recommended |
| Zedo | Not available | Was not vulnerable |
| Forbes | Not available | Was not vulnerable |
| LiveJasmin | Be on alert | Awaiting response |
| USPS | Pass | Vulnerability patched. Password change recommended |
| Indeed | Pass | Awaiting response |
| Hulu | Pass | Was not vulnerable |
| Answers | Pass | Was not vulnerable |
| HootSuite | Pass | Was not vulnerable |
| Amazon Web Services | Pass | Awaiting response |
| Adobe | Pass | Awaiting response |
| Blogger | Pass | Vulnerability patched. Password change recommended |
| Dropbox | Pass | Vulnerability patched. Password change recommended |
| Reference.com | Not available | Was not vulnerable |
| AWeber | Pass | Was not vulnerable |
| UPS | Pass | Was not vulnerable |
| Intuit | Pass | Awaiting response |
| NBC News | Pass | Awaiting response |
| USA Today | Pass | Was not vulnerable |
| Outbrain | Pass | Vulnerability patched. Password change recommended |
| The Pirate Bay | Pass | Awaiting response |
| The Wall Street Journal | Pass | Awaiting response |
| Bleacher Report | Pass | Awaiting response |
| Constant Contact | Pass | Was not vulnerable |
| Wikia | Pass | Vulnerability patched. Password change recommended |
| CBSSports | Pass | Was not vulnerable |
| Publishers Clearing House | Pass | Awaiting response |
| Washington Post | Not available | Vulnerability patched. Password change recommended |
| Target | Pass | Was not vulnerable |
| Drudge Report | Be on alert | Awaiting response |
| TripAdvisor | Pass | Was not vulnerable |
| FedEx | Pass | Was not vulnerable |
| Capital One | Pass | Was not vulnerable |
| wikiHow | Not available | Was not vulnerable |
| Googleusercontent.com | Pass | Vulnerability patched. Password change recommended |
| Groupon | Pass | Was not vulnerable |
| Best Buy | Pass | Awaiting response |
| AT&T | Pass | Awaiting response |
| Home Depot | Pass | Awaiting response |
| Trulia | Not available | Was not vulnerable |
| TMZ | Pass | Awaiting response |
| Feedbin | Pass | Vulnerability patched. Password change recommended |
| Pinboard | Pass | Vulnerability patched. Password change recommended |
| GetPocket | Pass | Vulnerability patched. Password change recommended |
| IFTTT | Pass | Vulnerability patched. Password change recommended |
| ManageWP | Pass | Was not vulnerable |
| PayScale | Pass | Was not vulnerable |

For its part, Google stated that it has already applied the necessary fixes for Search, Gmail, YouTube, Wallet, Play, Apps and App Engine, while other services are in progress, and best of all, Chrome and Chrome OS are not affected.

Posted on April 12, 2014 in News.
