Thread: Heartbleed

  1. #1
    Regular Member stealthyeliminator's Avatar
    Join Date
    Dec 2008
    Location
    Texas
    Posts
    3,318

    Heartbleed

    Wow...........


    https://www.google.com/search?tbm=nws&q=heartbleed


    Heartbleed is a vulnerability in OpenSSL. A very serious vulnerability, which has been present for quite some time. A huge portion of the internet relies on OpenSSL for security including integrity, confidentiality, authentication, etc.
    Advocate freedom please

  2. #2
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154
    Much of the web also relies on Apache on Linux servers. I watched a large OpenSSL patch being applied over the previous day.

    Hello again, Fedora community.

    This is an update on Fedora’s response to CVE-2014-0160 (aka “Heartbleed”). This is a critical security vulnerability that requires your immediate attention.

    Updates are now available, and are being pushed to our mirror network. The update announcements for Fedora 19 and Fedora 20 are available at:

    [SECURITY] Fedora 19 Update: openssl-1.0.1e-37.fc19.1
    [SECURITY] Fedora 20 Update: openssl-1.0.1e-37.fc20.1

    Apply updates with ...

    http://fedoramagazine.org/update-on-...ka-heartbleed/
    Read the Wiki too, which cites filippo.io extensively.

    https://en.wikipedia.org/wiki/Heartbleed_bug

    I received my updated certificates for my e-mail servers google.com and reagan.com two days ago.
    Last edited by Nightmare; 04-10-2014 at 07:39 PM.
    I am responsible for my writing, not your understanding of it.

  3. #3
    Regular Member sudden valley gunner's Avatar
    Join Date
    Dec 2008
    Location
    Whatcom County
    Posts
    17,338
    I can't find a way to bring the constitution into this thread so I can win an argument.......
    I am not anti Cop I am just pro Citizen.

    U.S. v. Minker, 350 US 179, at page 187
    "Because of what appears to be a lawful command on the surface, many citizens, because
    of their respect for what only appears to be a law, are cunningly coerced into waiving their
    rights, due to ignorance." (Paraphrased)

  4. #4
    Regular Member sudden valley gunner's Avatar
    Join Date
    Dec 2008
    Location
    Whatcom County
    Posts
    17,338
    For us non-techy guys.... suggestions on what we can do? The only thing I pay online is my mortgage; is that in trouble? Talk to me like I am totally ignorant of how this works..... cuz I am.

  5. #5
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154

    Massive Internet Security Vulnerability -- Here's What You Need To Do

    Quote Originally Posted by sudden valley gunner View Post
    For us non techy guys....suggestions on what we can do? The only thing I pay online is my mortgage is that in trouble? Talk to me like I am totally ignorant on how this works.....cuz I am.
    Teaser final paragraph
    Massive Internet Security Vulnerability -- Here's What You Need To Do

    So what should I do?

    Before performing sensitive tasks over HTTPS:

    Check a reputable list of websites that do not run OpenSSL. Mashable published such a list – and many major banks are on it. If a site did not run OpenSSL on any of its equipment in the last few years it was not vulnerable to the current bug. Of course, if you use the same password on a site that was/is vulnerable as you do on a site that is not vulnerable you should change it on the non-vulnerable site ASAP.

    If you check the list and find that a site was indeed running OpenSSL – check if the site was patched. Most (if not all) major sites did patch. In that case, it is probably a good idea to change your password on that site ASAP. Be careful, however, not to weaken the strength of your passwords just because you have to update several at the same time, and do not reuse passwords that you use on sensitive sites. Don’t let HeartBleed cause you to create new password risks.

    If you find some site that was vulnerable and for some reason has not confirmed that it has patched (and, hopefully, there should not be too many like that) – I would wait to change my password, and, if possible, either check the site myself using one of the reliable tools to do so (e.g., http://filippo.io/Heartbleed/ ) or refrain from using the site until I could confirm that a patch has been applied. As described above, changing your password before the patch is applied could actually worsen the situation.

    Be wary of phishing attacks – type in the URL of any sensitive site to which you are going. Do not click links to get there. While I have, in the past, demonstrated methods of using various exploits to impersonate sites that use SSL, those hacks required much more effort than doing so would take for someone who stole a certificate and key. Until all possibly-pilfered SSL certificates are replaced as described above, the potential for real-looking phishing sites is enormous. So be wary.

    Hopefully, browser vendors will also add code to warn users accessing sites running vulnerable versions of OpenSSL – so, make sure to keep your browser up to date.

    Of course, the above reflects my opinion, and others may feel free to disagree.
    http://www.forbes.com/sites/josephst...ou-need-to-do/
    Last edited by Nightmare; 04-10-2014 at 07:21 PM.

  6. #6
    Regular Member sudden valley gunner's Avatar
    Join Date
    Dec 2008
    Location
    Whatcom County
    Posts
    17,338
    Thanks that was helpful.

  7. #7
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154
    http://filippo.io/Heartbleed/#forum.opencarry.org

    timeout is apparently also caused by patched servers that don't respond to our "quit" message. This happens with a patched server, but is not a green since the same behavior might be caused by my servers being overloaded, so I can't be sure.

  8. #8
    Regular Member stealthyeliminator's Avatar
    Join Date
    Dec 2008
    Location
    Texas
    Posts
    3,318
    More information
    http://heartbleed.com/
    http://www.troyhunt.com/2014/04/ever...now-about.html

    SVG you may be interested in the "What do I tell my non-technical friends to do?" section of the second link, although Nightmare has already answered your question.
    Last edited by stealthyeliminator; 04-10-2014 at 07:49 PM.

  9. #9
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154

    EFF.org, Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

    Yesterday afternoon, Ars Technica published a story reporting two possible logs of Heartbleed attacks occurring in the wild, months before Monday's public disclosure of the vulnerability. It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure.

    In response to the story, EFF called for further evidence of Heartbleed attacks in the wild prior to Monday. The first thing we learned was that the SeaCat report was a possible false positive; the pattern in their logs looks like it could be caused by ErrataSec's masscan software, and indeed one of the source IPs was ErrataSec.

    The second log seems much more troubling. We have spoken to Ars Technica's second source, Terrence Koeman, who reports finding some inbound packets, immediately following the setup and termination of a normal handshake, containing another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs from November 2013. These bytes are a TLS Heartbeat with contradictory length fields, and are the same as those in the widely circulated proof-of-concept exploit.

    [More ... ][links in the original]
    https://www.eff.org/deeplinks/2014/0...-november-2013
    https://www.eff.org/copyright Creative Commons Attribution
    Last edited by Nightmare; 04-11-2014 at 09:16 AM.
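The EFF excerpt above describes the November 2013 packet as "a TLS Heartbeat with contradictory length fields". As an added example, not code from EFF, Ars Technica or anyone in this thread, the Python below parses that eight-byte fragment the way a log-inspection script would: 18 is the TLS Heartbeat content type (RFC 6520), 03 02 is the protocol version (TLS 1.1), 00 03 is the record length, 01 is heartbeat_request, and 40 00 is a declared payload length of 0x4000 = 16384 bytes, which cannot fit in a 3-byte record. The benign record, the function names and the padding assumption (RFC 6520's 16-byte minimum) are constructed for illustration.

```python
"""Classify captured TLS Heartbeat records by their length fields.

Added example, not from the EFF article or this thread. It inspects only
the TLS record header and the heartbeat message header, so it also works
on a truncated capture such as the eight-byte fragment from the log.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding per message

# Constructed sample inputs. SUSPECT is the byte sequence quoted in the EFF
# post; BENIGN is a well-formed 4-byte "ping" request built for contrast.
SUSPECT = bytes.fromhex("1803020003014000")
BENIGN = (
    bytes([TLS_HEARTBEAT, 3, 2])
    + struct.pack("!H", 3 + 4 + MIN_PADDING)   # record length: hdr + payload + pad
    + bytes([HB_REQUEST])
    + struct.pack("!H", 4)                     # declared payload_length
    + b"ping"
    + bytes(MIN_PADDING)
)


def parse_heartbeat(data):
    """Return a dict describing a heartbeat record, or None if data is not one."""
    if len(data) < 5 or data[0] != TLS_HEARTBEAT:
        return None
    major, minor = data[1], data[2]
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    if len(body) < 3:
        # Body too short for type (1) + payload_length (2): report, don't guess.
        return {"version": (major, minor), "record_len": record_len,
                "hb_type": None, "payload_len": None, "malformed": True}
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    return {"version": (major, minor), "record_len": record_len,
            "hb_type": hb_type, "payload_len": payload_len, "malformed": False}


def is_heartbleed_probe(data):
    """True when a heartbeat request declares more payload than its record holds."""
    hb = parse_heartbeat(data)
    if hb is None or hb["malformed"]:
        return False
    # type (1) + payload_length (2) + payload + padding (>= 16) must fit record_len.
    max_payload = hb["record_len"] - 3 - MIN_PADDING
    return hb["hb_type"] == HB_REQUEST and hb["payload_len"] > max_payload


def scan(payloads):
    """Return the indices of captured TCP payloads that look like Heartbleed probes."""
    return [i for i, p in enumerate(payloads) if is_heartbleed_probe(p)]


if __name__ == "__main__":
    for label, pkt in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(label, parse_heartbeat(pkt), "probe" if is_heartbleed_probe(pkt) else "ok")
```

The check is deliberately on the headers alone: an unpatched server trusts payload_length and copies that many bytes back, so the contradiction between the 3-byte record and the 16384-byte claim is visible before any response is seen. A record with a plausible payload_length but no padding is reported as well-formed here, which is a caveat if you tighten the rule for your own traffic.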

  10. #10
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154

    NSA denies exploiting 'Heartbleed' vulnerability

    "The stern denial came amid growing panic among Internet users the world over about the newly exposed flaw, after a report by Bloomberg News said the spy agency decided to keep quiet about the matter and even used it to scoop up more data, including passwords. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokeswoman Vanee Vines said in an email, "Reports that say otherwise are wrong."

    http://phys.org/news/2014-04-nsa-den...erability.html

  11. #11
    Regular Member stealthyeliminator's Avatar
    Join Date
    Dec 2008
    Location
    Texas
    Posts
    3,318
    Quote Originally Posted by Nightmare View Post
    "The stern denial came amid growing panic among Internet users the world over about the newly exposed flaw, after a report by Bloomberg News said the spy agency decided to keep quiet about the matter and even used it to scoop up more data, including passwords. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokeswoman Vanee Vines said in an email, "Reports that say otherwise are wrong."

    http://phys.org/news/2014-04-nsa-den...erability.html
    Who believes them? Their word is worthless. They're a spy agency, and a government agency. Double whammy on the untrustworthy note.

  12. #12
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154

    Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say. New York Times

    Quote Originally Posted by stealthyeliminator View Post
    Who believes them? Their word is worthless. They're a spy agency, and a government agency. Double whammy on the untrustworthy note.
    "Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons. [ ... ] When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.

    But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.
    [ ... ]
    The presidential advisory committee did not urge the N.S.A. to get out of the business entirely. But it said that the president should make sure the N.S.A. does not “engineer vulnerabilities” into commercial encryption systems. And it said that if the United States finds a “zero day,” it should patch it, not exploit it, with one exception: Senior officials could “briefly authorize using a zero day for high priority intelligence protection.

    http://www.nytimes.com/2014/04/13/us...cials-say.html

  13. #13
    Regular Member
    Join Date
    Feb 2013
    Location
    Thru Death's Door in Wisconsin
    Posts
    13,154