Understanding the changes that the Globalization phenomenon has brought to the world and to Humanity makes it possible to identify the special conditions that promote the establishment and dissemination of International Organized Criminality in a short time, affecting the International Community in all dimensions. It is one of the most serious threats to the Rule of Law: it violates national legal systems and International Law, and it is especially dangerous to states and human lives in a global context. The International, regional and (most) national juridical and judicial systems recognize International Organized Criminality as an emergent problem that needs to be at the top of the political agenda and of the action of the Institutions aiming to prevent and fight its evolution and its dangerous damage and consequences for all of its targets, human and institutional. Alongside all the difficult but effective legal, political, economic, and social work in this fight, mainly by the United Nations in cooperation with International Organizations and States, the Council of Europe has assumed its responsibility to protect its Member States, their citizens, and, by inherence, the rest of the world. There is an enormous body of political and legal work, with a firm position based on its main structural document, the European Convention on Human Rights, and with specialized work teams as needed in each case. Consequently, the Council of Europe continuously produces legislation and manages procedures and activities, as well as International political, governance and diplomatic relations in networks, in compliance with International Law, facing the challenge that this context permanently imposes.
Since 1959, with the Convention on Mutual Assistance in Criminal Matters, the strategic action promoted has been multidimensional International Cooperation between all “actors” in the International Community, preventing the violation of International Law, generating conditions to apply International Penal Law, and developing policymaking articulated with real contexts and needs. Within the International Community, Cooperation is the best key to joining procedures in order to transcend the difficulties and constraints and to achieve the prevention of, and the fight against, International Organized Criminality. This scientific research is being developed based on juridical, criminal, and political methodology, mainly qualitative, but presenting statistical data to demonstrate the results discussed.
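The OpenSSL advisory reads as follows: https://www.openssl.org/news/secadv_20140407.txt
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
How can you test whether your own website has this vulnerability? You can check directly with the following websites or tools.
Enter the domain to run the check, for example "fbi.gov".
To use it, run "python ssltest.py ifttt.com", or use "-p" to specify a particular SSL port. The output shows memory contents, which may include sensitive data such as the private key, session cookies, and so on.
The source code is as follows:
To use it, run "perl check-ssl-heartbleed.pl mail.XXXXXX.gov.tw:443"; a specific SSL port can be given after the domain name.
Usage instructions:
What should you do if you find that your own server has this vulnerability?
For detailed discussion and recommendations, see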
Heartbleed: What is it and what are options to mitigate it? http://serverfault.com/questions/587329/heartbleed-what-is-it-and-what-are-options-to-mitigate-it
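The advisory quoted above attributes the leak to a missing bounds check on the heartbeat payload length. The following added example (not OpenSSL's code and not from the original post) shows that check for a received heartbeat request, using the message layout from RFC 6520; the function name `hb_parse_request` and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Heartbeat message layout per RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HEADER_LEN  3u
#define HB_MIN_PADDING 16u
#define HB_REQUEST     1u

/* Validate a received heartbeat request before anything echoes its payload.
 * rec/rec_len describe the bytes that actually arrived in the TLS record.
 * Returns 0 and sets *payload / *payload_len on success; returns -1 when the
 * message must be silently discarded. (Hypothetical helper for illustration.) */
int hb_parse_request(const uint8_t *rec, size_t rec_len,
                     const uint8_t **payload, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                       /* too short for header + padding */
    if (rec[0] != HB_REQUEST)
        return -1;                       /* not a heartbeat request */

    /* Length field supplied by the peer: untrusted until checked. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: the claimed length must fit inside the record that
     * was actually received, leaving room for the mandatory padding.
     * Without it, a reply built from `claimed` bytes reads past the record. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;

    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return 0;
}

int main(void)
{
    /* Constructed samples: 3-byte header, 4-byte payload, 16 bytes of padding. */
    uint8_t honest[3 + 4 + 16]   = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t inflated[3 + 4 + 16] = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    const uint8_t *p = NULL;
    size_t n = 0;

    printf("honest:   %d\n", hb_parse_request(honest, sizeof honest, &p, &n));
    printf("inflated: %d\n", hb_parse_request(inflated, sizeof inflated, &p, &n));
    return 0;
}
```

The record whose length field claims 65535 bytes while carrying only 4 is discarded instead of being echoed back.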
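Will attackers really use this technique? On the WooYun (烏雲) platform, large numbers of security researchers have already started reporting websites that contain the OpenSSL vulnerability. There are also hackers trying to write more effective exploit programs, hoping to use them to take down in one stroke sites that they normally cannot break into.
What kinds of sites will be the main targets? Sites with a membership mechanism especially, such as webmail, social networking sites, and so on. Many enterprises therefore need to pay close attention: the world's largest social networking site Facebook, SlideShare, the websites of well-known Taiwanese telecom companies, social platforms, online banking, and NAS devices all fall within the scope of this wave of attacks. If they are not fixed as soon as possible, then once more effective attack programs appear, they really will be left to bleed.
Technical Releases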