Serious flaw discovered in OpenSSL that affects the security of more than 11 million websites around the world.
An international group of security researchers has discovered a new security vulnerability, called "DROWN", affecting OpenSSL that lets an attacker decrypt HTTPS traffic, making it possible for hackers to read credit card numbers, account usernames, passwords, emails, IM chat messages, and documents exchanged with one-third of all HTTPS websites on the internet today. This could lead to huge data leaks and potential theft.
Researchers from Google, the OpenSSL Project, Tel Aviv University in Israel, Münster University of Applied Sciences and Ruhr University Bochum in Germany, the Universities of Pennsylvania and of Michigan in the US, and Two Sigma and the Hashcat project have shown that a vulnerability affecting HTTPS and other services relying on SSL and TLS can be exploited to let hackers view all communications between users and servers.
In Vietnam, Bkav has conducted an inspection and found that hundreds of systems in the country might be vulnerable, placing users at risk of theft of important information such as credit card numbers, passwords, and personal information.
Of these systems, 58 per cent are in the financial sector, 21 per cent in the oil and gas sector, 11 per cent in other industrial fields, 5 per cent in technology, and the remaining 5 per cent in transport and travel. Bkav has sent warnings and instructions on how to fix the security flaw to the operators of some of these systems.
Mr. Ngo Tuan Anh, Bkav’s Vice President of Internet Security, stressed that the flaw is more difficult for hackers to exploit than the “Heartbleed” flaw, as they must stand between the server and connected users. “However, the risk of being exploited is still there,” he said. “System administrators should disable SSLv2 to protect the security of their system as well as their users.”
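Once SSLv2 has been disabled as Mr. Anh recommends, an administrator will want to confirm that a server they operate no longer answers an SSLv2 CLIENT-HELLO. The script below is an example added to this article, not a Bkav or DROWN-team tool; the host name `example.internal` is a placeholder for your own server.

```python
"""Audit helper for the DROWN precondition: does one of your servers still speak SSLv2?"""
import socket
import struct

# SSLv2 cipher kinds (3-byte identifiers); the export-grade ones are what DROWN abuses.
SSLV2_CIPHERS = [0x010080, 0x020080, 0x030080, 0x040080, 0x050080, 0x060040, 0x0700C0]


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record (2-byte header with the high bit set)."""
    specs = b"".join(c.to_bytes(3, "big") for c in SSLV2_CIPHERS)
    body = (b"\x01"                                       # MSG-CLIENT-HELLO
            + b"\x00\x02"                                 # client version SSL 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)                          # empty session id
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes):
    """Return the cipher kinds in an SSLv2 SERVER-HELLO, or None if the reply is not SSLv2.

    A TLS-only server answers with a TLS alert (0x15 ...) or closes the socket; both give None.
    """
    if len(data) < 13:
        return None
    if data[0] & 0x80:                                    # 2-byte SSLv2 record header
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                                 # 3-byte header (has a padding byte)
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) < 11 or body[0:1] != b"\x04" or body[3:5] != b"\x00\x02":
        return None                                       # not MSG-SERVER-HELLO, version 2.0
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs), 3)]


def server_offers_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Send one SSLv2 CLIENT-HELLO to a host you administer; a non-empty list means exposed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            return None
    return parse_server_hello(reply)


if __name__ == "__main__":
    # "example.internal" is a placeholder; point this at your own server.
    print(server_offers_sslv2("example.internal"))
```

An empty list or `None` means the server refused SSLv2; any cipher kinds listed mean the fix has not taken effect on that endpoint.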