The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a part of the Department of Homeland Security, has warned that the first sightings of exploits seeking to take advantage of well-publicised security flaws in OpenSSL have appeared in the wild.
OpenSSL is an open-source security tool widely used to encrypt passwords when people log in to a system. A flaw in the implementation of OpenSSL could allow the private key used in a Secure Sockets Layer (SSL) communication to be exposed. An attacker could then decrypt and read any secure data passed on the network link.
In a freshly revised alert, the organisation warned that there are already indications that exploits have emerged to take advantage of the security flaw.
"ICS-CERT is aware of a public report of a vulnerability with proof-of-concept (PoC) exploit code that could expose private SSL keys used in the OpenSSL implementation of secure communication," claims the advisory.
It continues: "According to this report, the vulnerability in OpenSSL Versions 1.0.1 through 1.0.1f contains a flaw in its implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker."
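The advisory gives a concrete affected range, 1.0.1 through 1.0.1f, so the first triage step for a defender is checking installed versions against it. The following is an added example, not code from the article or from ICS-CERT; it parses the banner printed by `openssl version` and uses constructed sample banners:

```python
import re

# Range named in the advisory: 1.0.1 (no letter) through 1.0.1f.
# Letter suffixes are OpenSSL patch levels: '' -> 0, 'a' -> 1, ... 'f' -> 6.
AFFECTED_MIN = (1, 0, 1, 0)
AFFECTED_MAX = (1, 0, 1, 6)

# Matches e.g. "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter_index) or None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_in_affected_range(banner):
    """True when the banner's version lies within 1.0.1 .. 1.0.1f inclusive."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(banners):
    """Map each banner to a verdict so an inventory can be sorted at a glance."""
    return {b: is_in_affected_range(b) for b in banners}


# Constructed sample banners (not collected from real hosts).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1 14 Mar 2012",       # first release in the range
    "OpenSSL 1.0.1f 6 Jan 2014",       # last release in the range
    "OpenSSL 1.0.1e-fips 11 Feb 2013", # FIPS build, still 1.0.1e
    "OpenSSL 1.0.0j 10 May 2012",      # older branch, outside the range
    "OpenSSL 1.0.2-beta1 24 Feb 2014", # newer branch, outside the range
]

if __name__ == "__main__":
    for banner, affected in triage(SAMPLE_BANNERS).items():
        print(f"{'AFFECTED' if affected else 'outside range':13} {banner}")
```

A banner outside the range is not proof of safety on its own: some distributions backport fixes without changing the version string, so confirm against the vendor's package changelog as well.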
Ironically, while the ICS-CERT, one part of the US government, is battling to minimise the fall-out from the security flaw, another part of the US government - the US National Security Agency, predictably enough - has covertly been exploiting the flaw for at least two years, according to reports out today.