Mac Dude

(Public Announcement) Heartbleed bug


Ouch!

 

Looks like a bug in OpenSSL could mean you need to change your passwords, but not yet...

 

Heartbleed bug found in OpenSSL software prompts tech companies to urge passwords reset

 

Several technology companies are urging people to change all of their passwords after the discovery of a major security flaw. Computer security specialists say a bug dubbed Heartbleed has been discovered in online data-scrambling software and hackers can use it to their advantage.

The Yahoo blogging platform, Tumblr, has advised the public to "change passwords everywhere - especially on high-security services like email, file storage and banking". Cyber-defence specialists at Fox-IT say the bug found in OpenSSL encryption software lets attackers illicitly retrieve passwords and other information from working memory on computer servers.

 

Still digging for more info...


What's interesting is that some of the sites listed as not vulnerable I've seen listed elsewhere as possibly vulnerable (adobe for example)...

Adobe has thousands of servers. Some servers run Windows and probably aren't vulnerable, some run *nix and probably are vulnerable.

 

Lists like this are interesting, but nowhere near conclusive.

 

I find it interesting that you describe this as "not as bad as it could be", chrisg, because this seems pretty bad. It doesn't get much worse.

 

One might argue that this is the worst information security issue ever. It certainly eclipses the Debian certificate issue and all of the recent data leaks from big companies (including Adobe).

 

Rob.


"Heartbleed has been discovered in online data-scrambling software and the NSA and other Big Brother outfits can use it to their advantage."

 

Hmm, should I be worried?

 

I changed all my passwords a month or so back due to the last big scare (whatever that was?)


Who cares if hackers or Big Brother want your data; they will get it regardless. Close one door, open another door.


What's interesting is that some of the sites listed as not vulnerable I've seen listed elsewhere as possibly vulnerable (adobe for example)...

Adobe has thousands of servers. Some servers run Windows and probably aren't vulnerable, some run *nix and probably are vulnerable.

 

Lists like this are interesting, but nowhere near conclusive.

 

I find it interesting that you describe this as "not as bad as it could be", chrisg, because this seems pretty bad. It doesn't get much worse.

 

One might argue that this is the worst information security issue ever. It certainly eclipses the Debian certificate issue and all of the recent data leaks from big companies (including Adobe).

 

Rob.

 

Check the date, Mac: this scan was run yesterday; some of the lists online are older. Everyone is scrambling to plug the hole.

 

I was directed to this list by a contact at Hostgator where I have some servers.

 

It could be far worse Robzy because OpenSSL is somewhat old news for the majority of sites of note who use TLS.

 

BEAST was potentially much worse but never really eventuated.

 

Adobe don't, like any big host, run many Windows servers as web hosts, if at all, but Linux developers are well ahead of the game, so I wonder why you are saying Linux would be vulnerable? The *nix developer time to fix is typically much faster than MS.

 

Most servers these days are actually running on VMs, and most of those on VMware. The early embarrassment of VMware shared holes was blocked a long time back, and the SSL is not directly OpenSSL; the latest patch is TLS anyway.

 

It was identified and the big sites advised well before it was made public, plenty of time to close it out.

 

Lastly, it's a potential exploit; no one seems to actually have an account of it being exploited, according to HostGator.

 

I'm still looking but a contact at Symantec says it is well in hand.

 

Cheers


I'm being part of the crazy camp and I'm changing ALL my passwords tonight. Some of them haven't been changed at all since I started up the account!

 

Here's a brief list of what websites/services are affected so far:

Mashable


It could be far worse Robzy because OpenSSL is somewhat old news for the majority of sites of note who use TLS.

I'm sorry, but that comment makes me doubt that you know enough about the bug to comment on it. That comment is incorrect in a major and fundamental way.

 

A significant amount of "majority of sites of note" who use TLS do so via OpenSSL. Therefore, this is pretty fucking major news for the significant amount of "majority of sites of note" who use TLS.

 

The OpenSSL bug was specifically within the TLS functionality.

 

Source: https://www.openssl.org/news/secadv_20140407.txt

 

Rob.

Edited by robzy


:)

 

A security expert I am not, Robzy; I'm relying on those who are, and everyone I've spoken to so far says it's a bit of a beat-up.

 

Why? Because it was discovered by a deep probe team, mostly at Google, who passed it along to the dev teams, and it was made sure that the fix was out there before it was made public.

 

There is some doubt that the crackers even knew about it until it went public, but that's moot; it doesn't leave any trace, so an abuse would only be detected at the social level.

 

One comment from a bank security guy I had a chat to today was interesting: he called it a "lab detected exploit" worth closing, but then again he didn't have to lose sleep; their security is much more robust.

 

The simple fact is that most anything will have exploits; what's concerning here is that it is an exploit within a security blanket, which sort of creates false security :)

 

Another comment was that the way it seems to work is an interaction between openSSL and TLS but not all versions of either in combination are vulnerable.

 

Not my field but I'm not seeing guys who do this for a living mainlining caffeine :)

 

The evidence says that the way it has been handled is mature: it was discovered by a reputable team and corrected before being discussed. Some sites probably had a bit of a scramble, but it's a bit back to front; the sites most likely to be vulnerable are the big ones with the most current software, and older branches of SSL are not affected.

 

In one respect I kinda hope it's a wake-up call to the stupidity of passwords; one-time systems are readily available, both ends just need to get with the plot.

 

Cheers


Another comment was that the way it seems to work is an interaction between openSSL and TLS but not all versions of either in combination are vulnerable.

I'm sorry, but this is another example of you not understanding the very fundamentals of what's going on here.

 

That's not an issue in itself, no one knows everything, but you're posting a lot of words and thoughts on this issue (with numerous issues), and your consistent inability to understand the fundamentals of the issue strongly suggests that it's all rubbish.

 

To clarify for you: The way it seems to work is not an interaction between OpenSSL and TLS. The problem was absolutely and entirely in OpenSSL's implementation of the TLS specification.

 

As a loose narrative: Someone read the TLS specifications document, tried to write some code to implement it, and made a real clanger of a mistake.

 

This is not an issue with the TLS specification in any way shape or form.

 

Rob.

Edited by robzy

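To make concrete what Rob is describing (a coding mistake in OpenSSL's implementation of a TLS feature, not a flaw in the TLS specification), here is an added, runnable model in C. It is not OpenSSL's code and not from anyone in this thread; the heartbeat record bytes and the "adjacent memory" contents are constructed for the demonstration. A TLS heartbeat request carries a peer-chosen payload length; the trusting handler copies that many bytes without comparing the claimed length against the record actually received, which is why the reply can echo unrelated server memory, and the hardened handler adds the single comparison that closes the hole.

```c
/*
 * Added illustrative model of the Heartbleed bug class, written for this
 * thread: it is NOT OpenSSL's code and the record bytes are constructed.
 * A TLS heartbeat request (RFC 6520) carries a 16-bit payload length chosen
 * by the peer.  The bug was trusting that field instead of comparing it with
 * the length of the record actually received, so the reply echoed whatever
 * lay after the short payload in process memory.  Here "process memory" is a
 * single byte array, so the over-read stays inside one object and the program
 * is well-defined C that runs offline.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1     /* heartbeat_request message type */
#define HB_PADDING  16    /* RFC 6520 minimum padding */
#define HB_HDR      3     /* 1 type byte + 2 length bytes */

/* Constructed process image: a forged 22-byte heartbeat record whose length
 * field claims 40 payload bytes but carries only 3, followed by unrelated
 * data that the handler was never meant to send (also constructed). */
static const uint8_t process_image[] =
    "\x01"               /* type: heartbeat_request       */
    "\x00\x28"           /* payload_length: 40 (the lie)  */
    "abc"                /* the 3 bytes actually sent     */
    "PPPPPPPPPPPPPPPP"   /* 16 bytes of padding           */
    "session-cookie=SECRET-VALUE; private-key-bytes...";  /* adjacent memory */

#define RECORD_LEN (HB_HDR + 3 + HB_PADDING)   /* bytes really received: 22 */

static size_t claimed_length(const uint8_t *rec)
{
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* Trusting handler (the bug): copies as many bytes as the peer declared and
 * never looks at record_len.  out_cap only protects this toy's output buffer;
 * it is not the missing input check.  Returns the number of bytes echoed. */
size_t heartbeat_reply_trusting(const uint8_t *rec, size_t record_len,
                                uint8_t *out, size_t out_cap)
{
    (void)record_len;                      /* never consulted: that is the bug */
    size_t claimed = claimed_length(rec);
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + HB_HDR, claimed);    /* reads past the 22-byte record */
    return claimed;
}

/* Hardened handler (the fix): the declared length must fit inside the record
 * that was actually received, otherwise the message is silently dropped, as
 * RFC 6520 requires.  Returns 0 on success, -1 when the record is rejected. */
int heartbeat_reply_checked(const uint8_t *rec, size_t record_len,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (record_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = claimed_length(rec);
    if (HB_HDR + claimed + HB_PADDING > record_len) return -1;  /* the Heartbleed check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    *out_len = claimed;
    return 0;
}

/* Bytes beyond the received payload+padding that the trusting handler echoes
 * for the forged record: 21 here, the text "session-cookie=SECRET". */
size_t trusting_overread(void)
{
    uint8_t out[64];
    size_t n = heartbeat_reply_trusting(process_image, RECORD_LEN, out, sizeof out);
    size_t in_record = RECORD_LEN - HB_HDR;            /* 19 bytes legitimately present */
    return n > in_record ? n - in_record : 0;
}

/* 1 if the hardened handler drops the forged record, else 0. */
int checked_rejects_forged(void)
{
    uint8_t out[64]; size_t n = 0;
    return heartbeat_reply_checked(process_image, RECORD_LEN, out, sizeof out, &n) == -1;
}

/* 1 if an honest record (length field 3, payload "abc") is echoed intact. */
int checked_accepts_honest(void)
{
    static const uint8_t honest[] = "\x01\x00\x03" "abc" "PPPPPPPPPPPPPPPP";
    uint8_t out[64]; size_t n = 0;
    if (heartbeat_reply_checked(honest, sizeof honest - 1, out, sizeof out, &n) != 0) return 0;
    return n == 3 && memcmp(out, "abc", 3) == 0;
}

int main(void)
{
    uint8_t out[64];
    size_t n = heartbeat_reply_trusting(process_image, RECORD_LEN, out, sizeof out);
    printf("trusting handler echoed %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("hardened handler rejects forged record: %d\n", checked_rejects_forged());
    printf("hardened handler accepts honest record: %d\n", checked_accepts_honest());
    return 0;
}
```

The comparison in the hardened handler is also the defender's detection rule: a heartbeat record whose declared payload length exceeds the length of the record carrying it is malformed and never occurs in legitimate traffic, so a network sensor that parses TLS records can flag such requests even though, as noted further down the thread, a vulnerable server itself keeps no trace of having answered one.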

i doubt i could even begin to remember the number of passwords i would need to change

 

and then i'd need to remember the passwords

 

nah, fuck it, i will ignore the biggest thing since that scary time that y2k never did shit to me

 

edit : omg ! facepage is vulnerable ! lucky i shun it

given i have a different password for everything requiring login, i would need to generate at least 50 new passwords i think... if i could recall all the sites

 

and having some hacktard knowing which model aeroplanes i made, or what overclocks i have achieved, i am beyond caring

 

c'mon motherfuckers, come get some.... of my boring geek online obsessive compulsive documentation awesomeness

 

and if you want my tax files, you are a complete desperado

 

and read my blogs too if you leave a like to mark your passing... and don't neglect my atomic posts

 

 

 

if i had a single master password for every online request, i might be concerned about my welfare as a netizen, whereas for lots of people i could guess "password" and hack them anyway

replacing one really weak password with a new one isn't going to improve things for jo (that's a gender-neutral sobriquet) average

Edited by scruffy1


Another comment was that the way it seems to work is an interaction between openSSL and TLS but not all versions of either in combination are vulnerable.

I'm sorry, but this is another example of you not understanding the very fundamentals of what's going on here.

 

That's not an issue in itself, no one knows everything, but you're posting a lot of words and thoughts on this issue (with numerous issues), and your consistent inability to understand the fundamentals of the issue strongly suggests that it's all rubbish.

 

To clarify for you: The way it seems to work is not an interaction between OpenSSL and TLS. The problem was absolutely and entirely in OpenSSL's implementation of the TLS specification.

 

As a loose narrative: Someone read the TLS specifications document, tried to write some code to implement it, and made a real clanger of a mistake.

 

This is not an issue with the TLS specification in any way shape or form.

 

Rob.

 

:)

 

They are not my words Robzy, they are what I'm being told but if you say so :)

 

Cheers


I'm working off the advice of one seriously large host, three cloud data centres and a senior engineer at a security company and another at a bank.

 

They are not pushing any panic buttons.

 

I tend to feel the same as Scruffy. I change my passwords every few months anyway; not seeing a reason to deviate.

 

I guess though it depends on the security in place with any financial institutions you move money around with on-line.

 

I'm with BankWest; for personal banking, their system is to treat any new movement of money out of your account as a request. They send you an SMS with a one-time code, and the transaction does not happen until you enter that code.

 

Their business banking goes one step further with a Secure ID token.

 

I'm not concerned therefore about my banking.

 

Cheers


It's only really an issue for those using OpenSSL for any of their sites (or sites you use).

 

I'm still patching servers here, but our main application servers weren't vulnerable, so at least I don't have to tell several thousand users to change their passwords.

 

As for banking, no provider should be vulnerable to this exploit anywhere.


Yeah,

 

I agree on the banks xen, although not all are quite as security conscious as they could be.

 

Security is not my thing at all really; I have some guys for whom it's all they do. Not joining Chicken Little under the coop yet :)

 

Cheers


I'm working off the advice of one seriously large host, three cloud data centres and a senior engineer at a security company and another at a bank.

Were these the same people that told you "OpenSSL is somewhat old news for the majority of sites of note who use TLS" and that it "is an interaction between openSSL and TLS but not all versions of either in combination are vulnerable"?

 

Were they also the ones that told you that "it was identified and the big sites advised well before it was made public, plenty of time to close it out" despite the fact it's been in the wild for two years?

 

I know it was the person at HostGator (I'm presuming that's "one seriously large host"?) who told you that "no one seems to actually have an account of it being exploited", which is a really silly comment to make when this exploit is almost undetectable.

 

Rob.


Heh,

 

Hostgator, yes; Fujitsu was the one that said those words, or rather one of their guys at the DC here. The other data centres are NextDC and Amcom, and the security company is Symantec.

 

The bank is my bank, BankWest; I used to work with their head of security. He's basing his comment not on detection, obviously, but on the banking industry body that reports exploits from the social perspective, i.e. someone gets ripped off and the banks determine how, pass that to the relevant fraud bodies and keep a shared database of the detail. He is the one who said there is no evidence, meaning any social evidence.

 

The Heartbleed site itself says they do not know if the exploit has ever been used.

 

Hostgator just said they knew about it and had for a while; like most hosts they use CentOS, which has had an interim patch.

 

No need to shoot the messenger Robzy, I've just reported what these organisations have told me.

 

Cheers


I maintain 4 or 5 logins/passwords that I switch between and rotate from time to time. Whenever someone or something reacts to a currently talked about 'security scare' by forcing a password reset I'm all "Ho hum..." and then change it back to what I wanted it to be.

 

Been doing it (with the same sets of usernames/passwords) for 15 years or more, and it serves me well enough.


No need to shoot the messenger Robzy, I've just reported what these organisations have told me.

I'm not shooting the messenger.

 

I'm pointing out the fundamental errors in what you've supposedly been told, and then being very surprised when you continue to cite these supposed "experts" whom you know.

 

Rob.


:)

 

I don't think there is much "supposed" about it. Hostgator aside (I deal with their Dallas operation and have for years), all the others are here in Perth.

 

If the question is do I know much about OpenSSL? Nope, not my area really, but when this story emerged I knew I had several customers using it, so it was sensible to check. Mac posted; I posted what I'd been linked to or told.

 

Cheers


No need to shoot the messenger Robzy, I've just reported what these organisations have told me.

I'm not shooting the messenger.

 

I'm pointing out the fundamental errors in what you've supposedly been told, and then being very surprised when you continue to cite these supposed "experts" whom you know.

 

Rob.

 

Erm...

 

I don't know OpenSSL from a hole in the ground, but it does look to me like you specifically jumped on Chris, there, Rob. Or did Xen here (

It's only really an issue for those using OpenSSL for any of their sites (or sites you use).

...

As for banking, no provider should be vulnerable to this exploit anywhere.

) not actually agree with him?

