Thread: The OpenSSL bug "HeartBleed" - a serious web security issue (see Update in my Post #14)

Post #1, by Paul (Administrator, North Texas):

    A software bug called Heartbleed was announced a couple of days ago, that potentially leaked the passwords and server SSL certificates of many of the websites using secure connections (SSL, https), such as email, banking, ...
    This Project Avalon forum does not usually use SSL (https), so we are not much affected. Ilie had made some experiments with SSL, and we might want to upgrade our certificate before using it further. But this should not directly impact our users in any case.

    However, quite a few major websites, including Yahoo, Imgur, FastMail, LastPass, and OKCupid, are affected, which means hackers could have stolen their security credentials, and then if they were able to hack your DNS (some consumer grade routers have hackable DNS settings) could further have played a man-in-the-middle attack and potentially peeked at your other passwords as well.

    What I expect to do (unless I learn more or differently):
    • Wait a few days (for the sites I use securely, via https, to replace their SSL certificates)
    • Change all my important passwords.
    From netcraft.com:
    Quote:
    Half a million widely trusted websites vulnerable to Heartbleed bug

    A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to view up to 64 kilobytes of memory on an affected server. This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.

    The Heartbleed bug write-up mentions Apache and nginx as being the most notable software using OpenSSL, and also points out that these have a combined active site market share of over 66% according to our April 2014 Web Server Survey. However, not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled.
    From Steve Gibson, a long time expert in Windows software for disks and Windows and Internet security issues:
    From ABC Action News:
    From a new website setup for this bug, http://heartbleed.com/
    Quote
    The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

    The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
    From Bruce Schneier, one of the most well known computer and Internet security experts:
    Quote:
    Heartbleed is a catastrophic bug in OpenSSL.

    Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

    "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

    Half a million sites are vulnerable, including my own. Test your vulnerability here.

    The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

    At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
    A good geeky explanation at ArsTechnica:
    Quote:
    Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.

    The two-year-old bug is the result of a mundane coding error in OpenSSL, the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website's entire cryptographic certificate.

    Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet's Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g that readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.
    From http://imgs.xkcd.com/comics/heartbleed.png
    There is more information available at most of the above links, and no doubt more will be forthcoming as we go.
    Last edited by Paul; 10th April 2014 at 01:05.
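The "missing bounds check" that the Netcraft, Schneier and Ars quotes above keep referring to, as an added illustration (this is not code from the thread or from OpenSSL itself): a simplified model of TLS heartbeat request handling, with the pre-1.0.1g copy beside the checked version. The record layout follows the heartbeat extension; the arena and the secret string next to the record are constructed for the demo.

```c
/* Added example, not code from the thread or from OpenSSL: a simplified
 * model of TLS heartbeat request handling.  A heartbeat record is 1 byte of
 * type, a 2-byte payload length, the payload, and at least 16 bytes of
 * padding.  The pre-1.0.1g code trusted the peer's length field and copied
 * that many bytes into the reply; the 1.0.1g fix first checks the claimed
 * length against the number of bytes actually received.  To stay memory-safe,
 * "process memory" here is one arena holding the record followed by a
 * constructed secret, so the over-read is observable without undefined
 * behaviour. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16
#define MAX_PAYLOAD 65535                       /* 16-bit length field */
#define REPLY_CAP (3 + MAX_PAYLOAD + HB_PADDING)

/* Constructed secret that happens to sit right after the record buffer. */
static const char SECRET[] = "SESSION_COOKIE=3b9f...;";

/* Arena large enough that any 16-bit claimed length stays inside it. */
static unsigned char arena[REPLY_CAP + sizeof SECRET];
static unsigned char reply[REPLY_CAP];

/* Lay out a received record followed by the secret.  Returns the record
 * length as actually received (what OpenSSL calls s->s3->rrec.length). */
static size_t build_arena(uint16_t claimed_len, const char *payload,
                          size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                               /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Vulnerable handler: echoes 'payload' bytes without checking that the
 * record really contains them.  Returns the reply length. */
static int hb_reply_vulnerable(size_t record_len)
{
    (void)record_len;                           /* never consulted: the bug */
    uint16_t payload = (uint16_t)((arena[1] << 8) | arena[2]);
    reply[0] = 2;                               /* heartbeat_response */
    reply[1] = arena[1];
    reply[2] = arena[2];
    memcpy(reply + 3, arena + 3, payload);      /* reads past the record */
    memset(reply + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the bounds check added in OpenSSL 1.0.1g.  Returns -1 and
 * sends nothing when the claimed payload does not fit in the record. */
static int hb_reply_fixed(size_t record_len)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return -1;                              /* too short to carry a length */
    uint16_t payload = (uint16_t)((arena[1] << 8) | arena[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len)
        return -1;                              /* silently discard */
    reply[0] = 2;
    reply[1] = arena[1];
    reply[2] = arena[2];
    memcpy(reply + 3, arena + 3, payload);      /* now provably in bounds */
    memset(reply + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Returns 1 if the reply carries the whole secret anywhere in its payload. */
static int reply_leaks_secret(int reply_len)
{
    size_t n = strlen(SECRET);
    if (reply_len <= 0)
        return 0;
    for (size_t i = 3; i + n <= (size_t)reply_len; i++)
        if (memcmp(reply + i, SECRET, n) == 0)
            return 1;
    return 0;
}

/* Send a 4-byte "ping" while claiming 'claimed_len' bytes.  Returns -1 if
 * the handler rejected the record, 1 if the reply leaked the secret, else 0. */
static int demo_heartbeat(int use_fixed, uint16_t claimed_len)
{
    size_t record_len = build_arena(claimed_len, "ping", 4);
    int len = use_fixed ? hb_reply_fixed(record_len)
                        : hb_reply_vulnerable(record_len);
    return len < 0 ? -1 : reply_leaks_secret(len);
}

int main(void)
{
    printf("vulnerable, honest length 4: %d\n", demo_heartbeat(0, 4));
    printf("vulnerable, claimed 65535:   %d\n", demo_heartbeat(0, 65535));
    printf("fixed, honest length 4:      %d\n", demo_heartbeat(1, 4));
    printf("fixed, claimed 65535:        %d\n", demo_heartbeat(1, 65535));
    return 0;
}
```

The fixed handler's silent discard matches the 1.0.1g behaviour: an oversized claim produces no reply at all, which is also why a patched server answers the public test sites with "not vulnerable".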

Post #2, by Paul (Administrator):

    Thanks to another thread on HeartBleed (OpenSSL Heartbleed vulnerability: is PA affected?), I was led to another good article on this, from Forbes: Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again (And Yahoo):
    Quote:
    Every day you use encryption technology to protect your data, your applications and online services. Most of the time most people are blissfully unaware it is even happening. Whether you are a consumer accessing your Internet bank site, using a mobile application to log in and share data or trading online, most of our use of modern technology involves this key capability and without it trust on the Internet is significantly undermined. A new bug, again, puts trust on the Internet at risk on a significant scale. The bug, dubbed ‘heartbleed’, is based on a fault in functionality in the widely used OpenSSL library. It was originally discovered by Neel Mehta of Google Security. This library is extremely widely used, from security vendors' products to secure web browsing (when you log in to a site and see https://) and even mobile banking applications. The Apache web server which powers a substantial part of the Internet tends towards using OpenSSL. You may be using it at your business right now and many popular services like Yahoo have been shown to be vulnerable (see the image below). UPDATE Yahoo is no longer vulnerable to the attack, but there may have been significant data leaked for the extended period where they were running the vulnerable software.

    So what exactly does this bug do and why should you care? There are numerous technical write ups (with excellent detail, one of my favourites being this one) but for the rest of the Internet community the problem is as follows. When the bug is exploited the attacker can retrieve memory (up to 64kb) from the remote system. This memory may contain usernames, passwords, keys or other useful information that enables bigger attacks. An attacker may for example be able to retrieve the keys and secrets used to encrypt traffic and then intercept and read the communications of all other users of that service. There are all kinds of variations that might be possible based on the ability to read this memory. 64kb may not seem like a great deal of data, but of course the attacker can connect repeatedly and progressively collect more information. This is a serious problem indeed. If you want more detail you can review Paul Ducklin’s excellent outline at Naked Security. If you want to mitigate the issue on your systems skip to the end of the article. Consumers should assume that their usernames, passwords or secrets may have been leaked and take steps to re-set their passwords once the provider has patched. In this case it is very difficult, if not impossible, to retrospectively identify if someone attacked your systems so it is better to assume compromise, re-set your credentials and play it safe.

Post #3, by Tesla_WTC_Solution (Avalon Member):

    Paul can I ask a question?

    Does RPCSS vulnerability have anything to do with this openSSL stuff?

    Quote:
    Recent Activity

    Since the last regularly scheduled CERT summary, issued in September
    2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
    Windows Workstation Service, RPCSS Service, and Exchange. We have also
    documented vulnerabilities in various SSL/TLS implementations, a
    buffer overflow in Sendmail, and a buffer management error in OpenSSH.
    We have received reports of W32/Swen.A, W32/Mimail variants, and
    exploitation of an Internet Explorer vulnerability reported in August
    of 2003.

    For more current information on activity being reported to the
    CERT/CC, please visit the CERT/CC Current Activity page. The Current
    Activity page is a regularly updated summary of the most frequent,
    high-impact types of security incidents and vulnerabilities being
    reported to the CERT/CC. The information on the Current Activity page
    is reviewed and updated as reporting trends change.
    It was taking half of my computer's memory last night.

Post #4, by Paul (Administrator):

    Quote Posted by Tesla_WTC_Solution (here)
    Paul can I ask a question?

    Does RPCSS vulnerability have anything to do with this openSSL stuff?
    Totally unrelated.

    RPCSS is a Microsoft Windows RPC server task running on Windows client PC's.

    The HeartBleed bug is an OpenSSL bug running on Linux and other open source web servers.

Post #5, by Bob (Avalon Member):

    Have you been to heartbleed.com; are they saying they are the official (?) website dealing with it?

Post #6, by Craig (Avalon Member, NSW, Australia):

    I love Steve Gibson. I have used his ShieldsUP tester millions of times - no exaggeration, ok, slightly; it would be in the 00's though.

    just now need to organise time to change passwords galore

    good work as usual Paul


Post #7, by Paul (Administrator):

    Quote Posted by Bobd (here)
    Have you been to heartbleed.com; are they saying they are the official (?) website dealing with it?
    Yes, I've been to heartbleed.com ... it's quoted in my opening post above.

    Steve Gibson, in another one of his interviews on this that I did not post above, indicated that the two original Codenomicom engineers who discovered this were talking with him, and were responsible for putting up the heartbleed.com website.

    If you look at the source for that heartbleed.com website, you will see that it says
    Code:
    <meta name="author" content="Codenomicom Ltd. http://www.codenomicon.com/">
    If you go to the current http://www.codenomicon.com website, you will see that it has the following banner at the top of its main page, naming the heartbleed.com website and linking directly to it if you click on the banner:
    Last edited by Paul; 10th April 2014 at 02:25.

Post #8, by Bob (Avalon Member):

    Paul, would you say this certificate/security module issue is in the earlier flavors of Ubuntu? Before 12? I have a ver 10, I believe, that I use... never upgraded it.

    (and PS, weren't you with Eagle computers way back when? love the old stuff when bootstrap was keyed in by hand, not.. )

    Ya agreed Gibson is great Craig for his great server checks although I don't go there as often as I should

Post #9, by Paul (Administrator):

    Quote Posted by Bobd (here)
    Paul, would you say this certificate/security module issue is in the earlier flavors of Ubuntu? Before 12? I have a ver 10, I believe, that I use... never upgraded it.
    That depends on whether openssl has been updated.

    If you have the command "dpkg", do "dpkg -s openssl | grep Version", and see if it shows Version: 1.0.1X for some X between 'a' and 'f' - bad news. If it shows the old version 0.9.8, or if you have just upgraded to 1.0.1g in the last two days, then that's good.

    If you don't have dpkg, then use whatever else is your favorite software package tool.

    However if you're not running a web server that supports https ssl links with that Ubuntu, it doesn't matter. This is a problem on the server side, not (so far as I've figured out so far anyway) with the client.

    ===

    No, I wasn't at Eagle (too bad what happened to Dennis Barnhart.) But the front paddle switches on the PDP-8i were cool ... not too many of us have written entire "operating systems", on the fly, in machine code (not asm) and keyed them in, bit by bit.

Post #10, by seeingterra (Avalon Member, Norway):

    Thanks for the thread Paul, very informative!

    I got the hole plugged on our end as soon as the latest patch/version came out, but just in case this is useful for someone reading, I noticed that after doing the updates all changes did not take effect until after you restarted apache/httpd. Have not tried on nginx yet, so not sure if the same applies there. The strange part is that usually when important fixes like these come out they restart all affected services (which it seemed it did during update), but not properly this time it seems. But after I did a simple manual service restart the check reported the site as being "fixed or unaffected"

    Just thought this was kinda interesting and somewhat strange.
    Last edited by seeingterra; 10th April 2014 at 09:23. Reason: typo
    Web Administrator,
    Project Camelot

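Why the update above did not take effect until apache was restarted, as an added example (not seeingterra's or Project Camelot's code): a running daemon keeps the replaced library mapped, and once the package manager has swapped the file on disk, Linux shows that mapping in /proc/<pid>/maps with a "(deleted)" suffix. The scanner below classifies maps-format text; the sample texts are constructed, and classify_pid is an assumed helper for reading a live process on a Linux host.

```c
/* Added example, not seeingterra's or Project Camelot's code: detect a
 * process that still has the pre-patch OpenSSL library in memory.  After a
 * package upgrade the old file is unlinked but stays mapped in any process
 * that loaded it; the kernel marks such entries "(deleted)" in
 * /proc/<pid>/maps until the process is restarted.  The sample maps texts
 * below are constructed, not captured from a real host. */
#include <stdio.h>
#include <string.h>

enum { SSL_NOT_LOADED = 0, SSL_CURRENT = 1, SSL_STALE = 2 };

/* True if the basename of a mapped path is an OpenSSL shared library. */
static int is_openssl_lib(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strncmp(base, "libssl.so", 9) == 0 ||
           strncmp(base, "libcrypto.so", 12) == 0;
}

/* Classify one process from the text of its /proc/<pid>/maps.
 * Columns: address perms offset dev inode [pathname] [(deleted)] */
static int classify_maps(const char *maps_text)
{
    int result = SSL_NOT_LOADED;
    const char *line = maps_text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], path[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;               /* truncate absurd lines */
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = end ? end + 1 : line + len;
        /* Anonymous mappings have no sixth field; sscanf then returns 0. */
        if (sscanf(buf, "%*s %*s %*s %*s %*s %511s", path) != 1)
            continue;
        if (!is_openssl_lib(path))
            continue;
        if (strstr(buf, "(deleted)"))
            result = SSL_STALE;                 /* old copy still in memory */
        else if (result == SSL_NOT_LOADED)
            result = SSL_CURRENT;
    }
    return result;
}

/* Assumed helper: read and classify a live process on Linux.
 * Returns -1 if /proc/<pid>/maps cannot be read (no such pid, no permission). */
static int classify_pid(long pid)
{
    static char buf[1 << 18];                   /* maps files are rarely larger */
    char name[64];
    snprintf(name, sizeof name, "/proc/%ld/maps", pid);
    FILE *f = fopen(name, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return classify_maps(buf);
}

/* Constructed sample: a web server still holding the pre-patch libraries. */
static const char SAMPLE_STALE[] =
    "00400000-004f8000 r-xp 00000000 08:01 1310735  /usr/sbin/httpd\n"
    "7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0 \n"
    "7f3a1e200000-7f3a1e260000 r-xp 00000000 08:01 2884  /lib64/libssl.so.1.0.0 (deleted)\n"
    "7f3a1e460000-7f3a1e620000 r-xp 00000000 08:01 2880  /lib64/libcrypto.so.1.0.0 (deleted)\n"
    "7fff9c000000-7fff9c021000 rw-p 00000000 00:00 0  [stack]\n";

/* Constructed sample: the same server after a restart, mapping the new file. */
static const char SAMPLE_CURRENT[] =
    "00400000-004f8000 r-xp 00000000 08:01 1310735  /usr/sbin/httpd\n"
    "7f3a1e200000-7f3a1e260000 r-xp 00000000 08:01 2999  /lib64/libssl.so.1.0.0\n"
    "7f3a1e460000-7f3a1e620000 r-xp 00000000 08:01 2998  /lib64/libcrypto.so.1.0.0\n";

/* Constructed sample: a process that does not use OpenSSL at all. */
static const char SAMPLE_NONE[] =
    "00400000-0041b000 r-xp 00000000 08:01 4201  /bin/sleep\n"
    "7f12a0000000-7f12a01c0000 r-xp 00000000 08:01 2731  /lib64/libc.so.6\n";

int main(void)
{
    printf("stale sample:   %d\n", classify_maps(SAMPLE_STALE));
    printf("current sample: %d\n", classify_maps(SAMPLE_CURRENT));
    printf("none sample:    %d\n", classify_maps(SAMPLE_NONE));
    printf("pid 1:          %d\n", classify_pid(1));   /* -1 unless root on Linux */
    return 0;
}
```

Any process reporting SSL_STALE (value 2) is still serving with the vulnerable code regardless of what `dpkg -s openssl` says, which is the situation described in the post.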

Post #11, by EYES WIDE OPEN (Avalon Member):

    Quote:
    The current buzz about Heartbleed plays into an ongoing government propaganda campaign to forge a public-private cybersecurity infrastructure.

    It is telling a company linked to Google, with its known intelligence connections, and having a member of the board of directors connected directly to the Obama administration’s cyber security initiative in addition to the DHS and the FBI, should discover a network vulnerability begging a government intervention.
    http://www.infowars.com/heartbleed-m...-the-internet/

Post #12, by Billy (Moderator, Scotland):

    This was sent to me today. More Info. http://www.reuters.com/article/2014/...A3804U20140409

    Little Internet users can do to thwart 'Heartbleed' bug

    (Reuters) - Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until exploitable websites upgrade their software.

    Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.

    OpenSSL is used on about two-thirds of all web servers, but the issue has gone undetected for about two years.

    Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced on Monday.

    Read More Here:

    http://www.reuters.com/article/2014/...A3804U20140409

    And Here. http://mobile.abc.net.au/news/2014-0...penssl/5379604

    "A lot of the big companies have now patched the exploit, but others haven't. So changing your password is pointless if the hole is still there," he said.

    "The problem is that lots of these companies don't know they have been exploited. It's best just to assume that you have been.

    "This bug has been sitting on a whole bunch of servers for many years and has only now been discovered."

    Oh dear.

Post #13, by Paul (Administrator):

    Quote Posted by Billy (here)
    OpenSSL is used on about two-thirds of all web servers, but the issue has gone undetected for about two years.

    Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced on Monday.
    Two thirds of web servers might have been running OpenSSL, but many of those servers were
    1. running an older OpenSSL without this bug,
    2. not supporting SSL (https) links, or
    3. running OpenSSL with this new heartbeat feature disabled.
    In the case of this Project Avalon forum, -both- (1) and (2) apply. Good.

    As noted in my opening post above, netcraft reported:
    A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities.
    So the potential damage is 17% of the sites supporting https, not 2/3's of all sites.

Post #14, by Paul (Administrator):

    Ok - after some more research - the potential damage caused by the Heartbleed bug is wider than I first realized.

    There are quite a few commands on my Linux box that link to whatever OpenSSL version I have installed. If any of those commands connected to an appropriately hacked server, then code on the server could use the Heartbleed bug to extract randomly placed passwords and certificates from my personal Linux box. Here is a list of some of the commands on my home system that I observe can link to the OpenSSL code, so might expose this vulnerability, depending on which version of OpenSSL I have installed:
    • bitcoind
    • curl
    • git
    • links
    • links2
    • ncat
    • nginx
    • nginx
    • nmap
    • nping
    • perl
    • python
    • qemu
    • ruby
    • ruby
    • socat
    • svn
    • tor
    • unbound
    • wget
    • wvdial
    Also, many home routers, network attached storage (NAS) boxes, and digital video recorders (DVR's, such as TiVo) have embedded Linux with network connectivity, most commonly using OpenSSL. Figuring out which ones of these have which versions of OpenSSL could be a challenge for all but the nerdiest of us.

    Also Adobe's (formerly Macromedia) Flash Player on Windows, Mac and Linux has just issued an update (see here) without saying clearly what bug(s) the release fixes. But I observe that the Firefox plugin on my Linux box for Flash links with my (potentially vulnerable) OpenSSL shared library. So it may well be (I'd guess that it is) that the Adobe support for Flash on any of the main Windows, Mac or Linux web browsers (IE, Firefox, Chrome, Safari, ...) is vulnerable to Heartbleed, if connected to a compromised server.

    Plan to update all your interesting passwords within the next few days .

Post #15, by Paul (Administrator):

    Most home routers (often buried inside a cable modem) don't support end user firmware upgrade, and most end users are not equipped to do such an upgrade anyway.

    For those who do have upgradable firmware, and who are equipped to upgrade it, if they have an embedded version of Linux with a vulnerable version of the OpenSSL library in that router, they should plan on upgrading the firmware, once a fixed version is available. That's what I'll be doing, real soon now, as soon as the developer of TomatoUSB Shibby (good chap) has a fix ready.

    For the remaining 99%, I don't have a good answer that doesn't involve a trash can, a trip to Best Buy and a credit card (and knowing somehow which routers on their shelves have the fix.) From a practical point of view, I guess it's hope and pray, and may all the websites you visit not contain the hacks needed to exploit this vulnerability.

Post #16, by Paul (Administrator):

    From the site github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt, the following websites were vulnerable shortly after Heartbleed was announced:
    If you have a password protected account at any of the above, you should verify whether that site is still vulnerable, using any of several available test sites, such as http://filippo.io/Heartbleed. Then once the site is fixed, change your password there, as it might have been exposed.
    -- Formerly known as "ThePythonicCow", aka "Cow", "PCow", "TPC", "PC", "Mooster", ...

    Link to Post #17 by fifula (Ireland Avalon Member)

    Re: The OpenSSL bug "HeartBleed" - a serious web security issue (see Update in my Post #14)

    Hi Guys,

    I'm not an expert in the SSL topic, but something is telling me that all this Heartbleed stuff may be one big setup. I totally accept I may be wrong, but what if it's actually the opposite, and if you now reset your password they will all get captured? There is huge attention given to that 'bug' at the moment in the media, where all the so-called 'experts' are persuading us on every mainstream TV station to change our passwords... isn't that a little bit too weird? I think I'll keep my existing passwords for a while and see what is going to happen within the next few days.

    Link to Post #18 by Aragorn (Belgium Avalon Member)

    Re: The OpenSSL bug "HeartBleed" - a serious web security issue (see Update in my Post #14)

    Quote Posted by fifula (here)
    Hi Guys,

    I'm not an expert in the SSL topic, but something is telling me that all this Heartbleed stuff may be one big setup. I totally accept I may be wrong, but what if it's actually the opposite, and if you now reset your password they will all get captured? There is huge attention given to that 'bug' at the moment in the media, where all the so-called 'experts' are persuading us on every mainstream TV station to change our passwords... isn't that a little bit too weird? I think I'll keep my existing passwords for a while and see what is going to happen within the next few days.
    OpenSSL is Free & Open Source Software, which means that the code is open to scrutiny by everyone with a pair of eyes and an understanding of the C programming language (because that's what OpenSSL is written in). Consequently, what you are suggesting would be immediately discovered, especially now that the bug has become known in the mainstream and more skilled people will be paying attention to the code.

    Addendum: The mechanism by which the passwords can be stolen is not an easy one. It involves reading raw chunks of memory from the server and searching those for passwords and logins. It is not a flaw in the encryption itself, but simply in the OpenSSL memory management - it's a buffer over-read vulnerability.

    The fix is to recompile the installed OpenSSL libraries with a certain feature disabled - which is possible because the source code for OpenSSL is available as Free Software - or else upgrade to version 1.0.1g. The disabling of the compile-time feature prevents a client from accessing the server's OpenSSL memory buffer.

    Changing the passwords is just a matter of being sure, because there's no knowing which of the affected servers on the web have indeed been compromised in this manner. What we do know for a fact is that the NSA has known about this security leak for a long time already and has been exploiting it to glean classified information from whatever domain it was interested in. This is most likely how they managed to break into many servers at - among others - Chinese universities.

    P.S.: Don't even dare think that a domain running a Microsoft Windows server would have been any more secure. Microsoft Windows is compromised out-of-the-box, because it contains at least two deliberately built-in (but already identified) backdoors - one for Microsoft itself, and one for the NSA.
    Last edited by Aragorn; 12th April 2014 at 17:42. Reason: Addendum
    Sometimes we have to see ourselves through the eyes of someone else to remind us of who we are.
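    A small model of the over-read Aragorn describes above, added here as an illustration and not taken from OpenSSL or from the post: a heartbeat record is type (1 byte), payload length (2 bytes), payload, then at least 16 bytes of padding, and the bug was that the handler trusted the declared payload length instead of checking it against the record actually received. The "process memory" and the password in it are constructed for the example.

```python
"""Heartbeat bounds-check model (added example, not OpenSSL's code)."""
import struct
from typing import Optional, Tuple

PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request record. claimed_length lets a record declare
    a longer payload than it actually carries, which is what triggered the bug."""
    length = len(payload) if claimed_length is None else claimed_length
    return b"\x01" + struct.pack("!H", length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Before the fix: copies payload_length bytes from the start of the payload
    and never consults record_len, so a short record with a large declared
    length makes it read whatever lies after the record in memory."""
    payload_length = struct.unpack("!H", memory[1:3])[0]
    return memory[3:3 + payload_length]


def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """After the fix: silently discard any heartbeat whose declared payload does
    not fit inside the record, i.e. require 1 + 2 + payload + 16 <= record_len."""
    if record_len < 1 + 2 + PADDING:
        return None  # too short to even hold a length field plus padding
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_length + PADDING > record_len:
        return None  # declared length exceeds what was received: drop it
    return memory[3:3 + payload_length]


def demo() -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """Constructed memory layout: the malformed record, followed by leftover
    data from an earlier request (a made-up credential, for illustration)."""
    bad_record = build_heartbeat(b"hi", claimed_length=64)
    memory = bad_record + b"...user=bob&password=hunter2..."
    leaked = vulnerable_handler(memory, len(bad_record))  # spills past the record
    dropped = fixed_handler(memory, len(bad_record))      # None: record rejected
    honest = build_heartbeat(b"hi")
    echoed = fixed_handler(honest + b"unrelated", len(honest))  # b"hi"
    return leaked, dropped, echoed
```

    The same check is what the real fix added: a well-formed record is echoed, a record whose declared length does not fit is discarded before any copy happens.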

    Link to Post #19 by Aragorn (Belgium Avalon Member)

    Re: The OpenSSL bug "HeartBleed" - a serious web security issue

    Quote Posted by Bobd (here)
    Paul, would you say this certificate/security module issue is in the earlier flavors of Ubuntu, before 12? I have version 10, I believe, that I use... never upgraded it.
    Bobd, all versions of OpenSSL - check your installed package version via the Software Center or Synaptic Package Manager - lower than 1.0.1 are unaffected, and 1.0.1g (and future versions) are unaffected as well. The affected versions are 1.0.1 through 1.0.1f.
    Sometimes we have to see ourselves through the eyes of someone else to remind us of who we are.

    Link to Post #20 by Aragorn (Belgium Avalon Member)

    Re: The OpenSSL bug "HeartBleed" - a serious web security issue

    Quote Posted by Aragorn (here)
    Quote Posted by Bobd (here)
    Paul, would you say this certificate/security module issue is in the earlier flavors of Ubuntu, before 12? I have version 10, I believe, that I use... never upgraded it.
    Bobd, all versions of OpenSSL - check your installed package version via the Software Center or Synaptic Package Manager - lower than 1.0.1 are unaffected, and 1.0.1g (and future versions) are unaffected as well. The affected versions are 1.0.1 through 1.0.1f.
    Addendum: You can also check the installed version by typing the following command in a terminal emulator window (where the dollar sign ($) is your command prompt):

        $ openssl version

    On my own machine - running an older Mageia 1 64-bit installation - this yields:

        $ openssl version
        OpenSSL 1.0.0d 8 Feb 2011

    From the above, my machine is clearly not affected by the Heartbleed bug. If I'm not mistaken, then Ubuntu 10 dates back to 2010, and as such, I suspect that the installed version of OpenSSL on your machine also predates the versions with the vulnerability. But it's best to check, of course. ;-)
    Sometimes we have to see ourselves through the eyes of someone else to remind us of who we are.
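    Applying the version range from the two posts above (1.0.1 through 1.0.1f affected, 1.0.1g and anything below 1.0.1 not) to the output of `openssl version`, as an added example that is not part of the thread. The parser, the helper names and the sample strings are mine.

```python
"""Classify `openssl version` output against the Heartbleed range (added example)."""
import re
import subprocess
from typing import Optional, Tuple

# "OpenSSL 1.0.1e 11 Feb 2013" -> major, minor, fix and optional letter suffix
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(output: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) or None when the line is not OpenSSL."""
    m = VERSION_RE.match(output.strip())
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_range(output: str) -> Optional[bool]:
    """True for releases 1.0.1 (no letter) through 1.0.1f, False for every other
    release (1.0.1g and later, 1.0.0x, 0.9.8x, 1.0.2 and up), None if unparsable."""
    parsed = parse_openssl_version(output)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter == "" or letter <= "f"  # bare 1.0.1 and suffixes a..f


def check_local_openssl() -> str:
    """Run `openssl version` on this machine and report the verdict.
    Caveat: distributions often backport the fix without changing the version
    letter, so 'in affected range' means 'check the package changelog', not
    'certainly vulnerable'; 'outside' on a 1.0.1 build is still worth confirming."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"could not run openssl: {exc}"
    verdict = is_heartbleed_range(out)
    if verdict is None:
        return f"unrecognised output: {out.strip()!r}"
    state = "IN the affected range" if verdict else "outside the affected range"
    return f"{out.strip()}: {state}"


if __name__ == "__main__":
    print(check_local_openssl())
```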
