×
Security

Private Keys Stolen Within Hours From Heartbleed OpenSSL Site 151

Posted by samzenpus from the that-didn't-take-long dept.
Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."
Crime

US Takes Out Gang That Used Zeus Malware To Steal Millions 38

Posted by samzenpus from the book-em-danno! dept.
coondoggie (973519) writes "The US Department of Justice charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon-off millions of dollars into over-seas bank accounts. The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom."
Encryption

Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed 134

Posted by Soulskill from the thanks-for-providing-zero-clarity dept.
An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

Slashdot Top Deals