E-commerce Internet Banking Users must change their password

E-commerce and online banking under threat: users need to change their passwords
Researchers discovered that an OpenSSL vulnerability affects Internet companies worldwide; it has been given the name "Heartbleed" (bleeding heart). Over 30,000 hosts in China were affected. Technical staff at domestic websites and security vendors have carried out inspections and repairs. As of yesterday, over 30% of the hosts had been repaired, and the "big sites" stated that they were safe. However, technical staff said it remains to be seen whether consumers' sensitive information has been leaked.
Event: OpenSSL vulnerability exposure
On April 8, a major OpenSSL vulnerability was disclosed. Foreign hackers named it "Heartbleed" and described the severity of the incident with the image of the most deadly kind of internal bleeding, a "bleeding heart." The vulnerability was independently discovered by researchers at Codenomicon and Google Security. According to foreign media reports, to minimize the impact, the researchers worked with the OpenSSL team and other key insiders to prepare a fix before the issue was announced.
OpenSSL is an open-source toolkit implementing the SSL security protocols; it provides confidentiality and data integrity for network communications. It includes the main cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol implementation. It is widely used by major online banking, online payment, e-commerce, portal, e-mail and other important sites. The director of the website security department at Knownsec (Zhidao Chuangyu) described OpenSSL as "the biggest door lock on the Internet." The vulnerability means that, on specific versions of OpenSSL, this lock behaves like a broken one that can be opened without a key: an intruder can peek at 64K of the householder's information each time, and with enough patience and time can collect enough data to piece together the householder's bank passwords, private letters and other sensitive data.
"A simple way to tell whether a website uses SSL encryption is to look at whether the browser's address bar shows http or https; the latter is encrypted with SSL. It is usually used by critical network services such as e-mail, payment and banking," said Li Tiejun, security expert at Kingsoft Internet Security.
"Faced with this golden opportunity, hackers will be reluctant to sleep. They will try to get more information from some of the servers," said Tan Xiaosheng, vice president of technology at 360.
Impact: Internet Security Earthquake
"This is the most serious cybersecurity crisis in the past two years," commented Tan Xiaosheng, vice president of technology at 360. Among websites that begin with https, preliminary assessments put the affected share at no less than 30%, including the most commonly used well-known sites for shopping, online banking, social networking and portals, and at least 50% of mobile-phone online-banking app clients are at risk.
According to Fang Xing, founder of Nanjing Hanhaiyuan Information Technology Co., Ltd., in plain terms the vulnerability can expose four things: first, the private key, so that all encrypted content of an https site can be fully decrypted; second, site users' passwords and private data such as online banking assets, which can be stolen; third, the server's configuration and source code, so that the server itself can be compromised; fourth, the server can hang and stop providing service.
A source in the security industry disclosed that he used this vulnerability to attempt to read data from a well-known e-commerce website. After 200 reads he obtained more than 40 user names and 7 passwords, and with these passwords he successfully logged in to the site.
On the afternoon of the 9th, monitoring from Knownsec's ZoomEye search engine showed 22,611 affected hosts in the country, compared with 33,303 the day before yesterday. This shows that the situation is improving and that over 30% of the hosts have been repaired.
"The damage caused by exploitation of the vulnerability will not show up very quickly," Rising security expert Tang Wei told reporters; at the current stage, what enterprises can do is check for and upgrade OpenSSL.
However, industry insiders said yesterday that the vulnerability is not so terrible, because it is a security flaw in an older version of OpenSSL, and developers can resolve it by upgrading the server software to OpenSSL 1.0.1g.
Response: Bank UnionPay payment is not affected
Regarding the OpenSSL vulnerability, there are rumors that even bank online payment, the U-Shield (USB key) and UnionPay payment are unsafe. However, industry insiders told reporters yesterday that the impact of this vulnerability on bank online payment, bank U-Shield use and UnionPay is almost zero.
Lin Feng, general manager of the Application Development Department of the China Financial Certification Center, stated that the OpenSSL vulnerability stems from code that was not implemented rigorously. The vulnerability exists in the OpenSSL 1.0.1 series; earlier OpenSSL versions are not affected. Tmall and Taobao use versions in this series, so data in memory could be stolen.
"If a bank uses the OpenSSL open-source software version with this vulnerability, there will be a certain impact. However, this vulnerability can only steal data in memory. The bank's user password is also protected by an additional layer of encryption and generally is not decrypted in the SSL server, so it is also difficult to obtain the bank user's password."
Lin Feng also said that this OpenSSL vulnerability in fact has nothing to do with the security of the U-Shield, because the user's sensitive transaction information is sent to the U-Shield through the USB interface and the encryption and digital signature operations are performed inside the U-Shield; the SSL protocol merely encrypts the data already signed and encrypted by the U-Shield once more at the transport layer. This OpenSSL vulnerability has no effect on the U-Shield.
In addition, the relevant person in charge at China UnionPay responded yesterday that UnionPay's core interbank transaction system runs on a private network and has nothing to do with the vulnerability. The person said that "UnionPay Online Payment" and other Internet-based innovative business systems do not use OpenSSL. For OpenSSL vulnerabilities that may exist at individual peripheral vendors, China UnionPay had already taken the initiative to investigate before technical staff such as those at Wuyun.com publicly disclosed the vulnerability, and it has coordinated with suppliers to eliminate the hidden dangers, so cardholders can use the services with confidence.
Microsoft and Baidu say they were not affected
On the 9th, Microsoft responded that no Microsoft product was affected by this vulnerability. OpenSSL is an open-source product used to implement the SSL protocol, and Microsoft does not use this open-source solution in its products and services. It is reported that the SSL encryption used by most commercial companies is paid software and has little to do with the OpenSSL vulnerability exposed this time.
Baidu also said that Baidu wallet will not be affected.
E-commerce site Dangdang said that Dangdang's own account system is very safe and that consumers can shop with confidence.
Shanda said that Shanda Pass authentication relies mainly on hardware encryption and other means alongside the https protocol. It has confirmed with its supplier that the OpenSSL version in use is not affected, and where potential security risks existed, they were handled through an upgrade at the first opportunity.
Alibaba and Jingdong respond that the vulnerability has been fixed
On the morning of the 9th, Alibaba, whose sites had raised the greatest concerns about leaks from the vulnerability, hurriedly stated that the vulnerability had been fixed. Alibaba Security responded that some versions of OpenSSL have a common vulnerability in the underlying protocol implementation, that Alibaba's websites had already been repaired at the first opportunity, and that major sites including Taobao, Tmall and Alipay have confirmed they are safe to use. Taobao also revealed that current monitoring had found no abnormal accounts.
Jingdong said it had completed repairs yesterday and closed the vulnerability.
Tencent also issued a statement yesterday morning saying that it had handled the issue at the first opportunity, and related products and businesses such as e-mail, TenPay, QQ and WeChat have now been repaired.
NetEase Mail told the reporter that NetEase had checked the NetEase Mail OpenSSL vulnerabilities listed in the Wuyun report. The listed domain names all point to a CDN (Content Delivery Network) service; after receiving the report, NetEase Mail passed it to the CDN provider at the first opportunity, and it was repaired that night.
In addition, the global Internet giants Yahoo, Google and Facebook have also stated that they have fixed the vulnerability. Google said: "We have assessed the SSL vulnerability and patched Google's key services."
Who can use the "Heartbleed" vulnerability?
"It is not difficult for anyone who understands this vulnerability to use it," said Ed Felten, a computer scientist at Princeton University. Software that exploits the vulnerability is available on the Internet; although it is not as easy to use as an iPad app, anyone with basic programming skills can learn how to use it.
Of course, this vulnerability may be of greatest value to intelligence agencies, which have enough infrastructure to carry out large-scale interception of user traffic.
Consumer response: users need to change passwords after websites fix the vulnerability
Tan Xiaosheng, vice president of technology at 360, suggested that users who logged in to vulnerable websites on April 7 and 8 should first confirm whether the websites they logged in to have been upgraded, which can be seen from whether the website has issued a relevant announcement; users can also use the online OpenSSL vulnerability check tool launched by 360 Website Guard, entering the URL to detect whether the site has the vulnerability. If the website has been repaired, the user needs to change the personal information used there, such as the user name and password; if the website has still not completed the repair, "regrettably, the user can only wait for the other party to repair it."
Li Tiejun, security expert at Kingsoft Internet Security, said that for important services such as Alipay and e-mail, mobile-phone authentication or dynamic passwords should be enabled as far as possible.
"For the OpenSSL vulnerability, hackers attack by constantly sending packets, and each attack can obtain 64K of data from the server's memory. However, the data obtained is fragmentary; for hackers to obtain truly useful information, it takes time to sort through the accumulated data. It will not be a big problem if the password is changed in time within these two days," Tan Xiaosheng reminded, but even if the site has been repaired, that does not mean all is well; whether new dangers will appear in the future is still unknown.
In addition, before a website has been repaired, do not shop or pay online on it, to avoid losses. A password should not be used for too long; change it at least every 3 months.
What is SSL?
SSL is a popular encryption technology that protects private information users transmit over the Internet. Once a site uses this encryption technology, third parties cannot read any communication between you and the site; behind the scenes, only the receiver can decrypt data encrypted with SSL.
SSL was first introduced by Netscape in 1994 and has been adopted by all major browsers since the 1990s.
What is the "Heartbleed" vulnerability?
The SSL standard includes a heartbeat option that allows the computer at one end of an SSL connection to send a brief message confirming that the computer at the other end is still online and to get a reply. The researchers found that a specially crafted malicious heartbeat message can trick the computer at the other end into leaking confidential information: an affected computer can be fooled into sending back contents of server memory.
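The paragraph above describes the mechanism but not why a heartbeat message can pull extra memory out of the server. The following Python simulation is an added example, not code from the article or from OpenSSL: it models the heartbeat record format from RFC 6520 (a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding) against a constructed in-memory buffer, and contrasts a handler that trusts the declared payload length with one that checks it against the record that was actually received, which is what the 1.0.1g fix does. The secret string in `ADJACENT_MEMORY` and the function names are constructed for the illustration.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3      # 1-byte message type + 2-byte payload_length
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happens to sit in server memory just
# past the received heartbeat record (in a real server: keys, cookies, passwords).
ADJACENT_MEMORY = b"user=alice;password=hunter2;cookie=abc123;" + b"\x00" * 8


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. declared_len normally equals len(payload);
    a larger value models the malformed message described in the article."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def handle_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: echoes payload_length bytes without comparing it
    to the record actually received, so the copy runs past the record."""
    _, declared_len = struct.unpack("!BH", memory[:HEADER_LEN])
    echoed = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + b"\x00" * MIN_PADDING


def handle_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: bounds-check the declared length against the record
    length and silently discard malformed messages, as RFC 6520 requires."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None                     # too short to even hold a header + padding
    _, declared_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + declared_len + MIN_PADDING > record_len:
        return None                     # declared length exceeds the record: discard
    echoed = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + b"\x00" * MIN_PADDING


def leaked_bytes(response: Optional[bytes], record_len: int) -> bytes:
    """Return the part of the echoed payload that came from beyond the record."""
    if response is None:
        return b""
    _, declared_len = struct.unpack("!BH", response[:HEADER_LEN])
    echoed = response[HEADER_LEN:HEADER_LEN + declared_len]
    honest_payload_len = max(record_len - HEADER_LEN - MIN_PADDING, 0)
    return echoed[honest_payload_len:]


def simulate(payload: bytes, declared_len: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Run one heartbeat through both handlers; return (leak_vulnerable, leak_fixed)."""
    record = build_heartbeat(payload, declared_len)
    memory = record + ADJACENT_MEMORY   # the record followed by neighbouring memory
    vuln = handle_vulnerable(memory, len(record))
    fixed = handle_fixed(memory, len(record))
    return leaked_bytes(vuln, len(record)), leaked_bytes(fixed, len(record))


if __name__ == "__main__":
    print("honest heartbeat  :", simulate(b"ping"))
    print("over-declared len :", simulate(b"ping", 64))
```

With an honest request (4-byte payload, length field 4) neither handler leaks anything. With the length field set to 64 but only 4 payload bytes sent, the unchecked handler echoes 64 bytes, most of them taken from `ADJACENT_MEMORY`, while the checked handler returns `None` and sends nothing. The check costs one comparison, which is why upgrading to the fixed version is the whole remedy on the server side.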
Who found this problem?
The vulnerability was independently discovered by researchers at Codenomicon and Google Security. To minimize the impact, the researchers collaborated with the OpenSSL team and other key insiders to prepare a fix before the issue was made public.
