eidolonFIRE, posted April 9, 2014:
Ouchy... http://www.latimes.com/business/la-fi-web-vulnerability-20140409,0,3935723.story#axzz2yMLgLk3y OpenSSL is really something you don't want to have sabotaged. Hopefully it wasn't intentional.
KingStinger!, posted April 9, 2014:
Yup, there is truly never a non-presence of internet risk. Canada's CRA (Canada Revenue Agency) is on full internet lockdown right now to protect Canadians' personal tax information. It's a bad day when your Government gets breached.
eidolonFIRE, posted April 9, 2014:
Yep, nobody really knows how far this goes... Just that it's massively extensive. Any site running that version of OpenSSL can be so snooped.
eidolonFIRE, posted April 9, 2014:
I just saw this on my favorite comic strip. www.xkcd.com
Astronomer, posted April 9, 2014:
I did some digging because I sysadmin for a non-profit. Not all versions of OpenSSL are compromised, though this is still major. "The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL"
eidolonFIRE, posted April 9, 2014, quoting Astronomer:
> I did some digging because I sysadmin for a non-profit. Not all versions of OpenSSL are compromised, though this is still major. "The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL"
Right. I think it's just one.
hypn0t1k, posted April 9, 2014:
As far as I know the bug was introduced into OpenSSL 1.0.1 and versions through 1.0.1f http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 If I recall correctly OpenSSL is usually installed by default in most *nix distributions so I'd guess most web services using SSL would need to update. Host Test - http://filippo.io/Heartbleed/ Proof of Concept (PoC) - https://gist.github.com/takeshixx/10107280
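The version range hypn0t1k gives above (1.0.1 through 1.0.1f affected; 1.0.1g and the 1.0.0 and 0.9.8 branches not) is the kind of thing an admin ends up checking across a whole fleet of hosts and appliances. The following is an added example, not code from this thread or from the OpenSSL project: it parses the banner that `openssl version` prints and classifies each host in a constructed inventory as affected, not affected, or unknown. The inventory format (`hostname banner` per line), the host names and the triage function are my own assumptions for illustration.

```python
"""
Classify `openssl version` banners against the CVE-2014-0160 range described in
the thread: 1.0.1 through 1.0.1f affected; 1.0.1g, 1.0.0.x and 0.9.8x not affected.
"""
import re

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> ('1', '0', '1', 'e').
# Assumes the 1.0.1 series uses a single-letter patch suffix (1.0.1a .. 1.0.1u).
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_version(banner):
    """Return (major, minor, patch, letter) from an OpenSSL banner, or None if it is not one."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_heartbleed_affected(banner):
    """True if the banner names 1.0.1 .. 1.0.1f, False for other OpenSSL releases, None if unparseable."""
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        # 1.0.0 and 0.9.8 never had the code; anything outside 1.0.1 is out of the stated range.
        return False
    # 1.0.1 with no letter, and 1.0.1a .. 1.0.1f, are affected; 1.0.1g and later are fixed.
    return letter == "" or letter <= "f"


def triage(inventory_text):
    """Map each 'host banner' line of an inventory to 'affected', 'not affected' or 'unknown'."""
    result = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.strip().partition(" ")
        verdict = is_heartbleed_affected(banner)
        result[host] = {True: "affected", False: "not affected", None: "unknown"}[verdict]
    return result


# Constructed sample inventory (hypothetical hosts and banners, not real systems).
SAMPLE_INVENTORY = """\
web01 OpenSSL 1.0.1e 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
legacy OpenSSL 0.9.8y 5 Feb 2013
vpn OpenSSL 1.0.0k 5 Feb 2013
fw-mgmt OpenSSL 1.0.1 14 Mar 2012
nas GnuTLS 3.2.12
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8s} {verdict}")
```

A banner check like this is only a first cut: some distributions backport the fix without changing the version letter, so an "affected" verdict on a banner still needs confirming against the vendor's advisory or package changelog before anyone is paged, and an "unknown" host (a non-OpenSSL stack, or an appliance that does not expose a banner) needs its vendor's own statement rather than a guess.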
Astronomer, posted April 9, 2014:
My Sophos home Unified Threat Manager/router was updated this morning.
YACCster, posted April 10, 2014:
LOL, it doesn't matter if your local client malware was updated, this is an issue with the OpenSSL on the servers that you are talking to. If you were accessing an OSX server then you are likely ok: "No versions of the OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version shipped by Apple in an OS was 0.9.8y, which is a branch not affected by the bug"
eidolonFIRE, posted April 10, 2014, quoting YACCster:
> LOL, it doesn't matter if your local client malware was updated, this is an issue with the OpenSSL on the servers that you are talking to. If you were accessing an OSX server then you are likely ok: "No versions of the OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version shipped by Apple in an OS was 0.9.8y, which is a branch not affected by the bug"
All I heard was, "not to worry, Apple's shit is outdated..." Lol
djMot, posted April 10, 2014:
The biggest irresponsible act in all of this was leaking it to the media. Sorta like saying, "HEY HACKERS - LOOK, THE FRONT DOOR IS OPEN!! MIGHT AS WELL JUST WALK ON IN..."
eidolonFIRE, posted April 10, 2014, quoting djMot:
> The biggest irresponsible act in all of this was leaking it to the media. Sorta like saying, "HEY HACKERS - LOOK, THE FRONT DOOR IS OPEN!! MIGHT AS WELL JUST WALK ON IN..."
Can't say I agree with you on that. The foundation fixed the bug and provided the new version before announcing the finding. Announcing it was a necessary public call to have everybody change to the new version all at once so nobody is left behind and made vulnerable.
eidolonFIRE, posted April 11, 2014:
Another XKCD on Heartbleed!
djMot, posted April 11, 2014 (edited April 11, 2014 by djMot), quoting eidolonFIRE:
> Can't say I agree with you on that. The foundation fixed the bug and provided the new version before announcing the finding. Announcing it was a necessary public call to have everybody change to the new version all at once so nobody is left behind and made vulnerable.
Announcing to the media that there is a serious breach in SSL server operations is neither necessary, nor advisable. It instils fear in the general public and invites the stupider hackers to look into something they might otherwise not have bothered with. Rather, this type of information should be confined to the administrators who are responsible for maintaining the servers running the compromised code. I suspect the vast majority of servers were patched as soon as security updates were released. Nevertheless, many companies will now collectively spend millions of dollars defending their best practices against those who will simply assume they were irresponsible, all because someone thought it would be "responsible" to sensationalize the matter in the media. Is this a big deal? Yes. Not disputing that. But does the average Joe need to be in this loop? No. This information should be on a need-to-know basis, and server admins should know how to keep abreast of these matters. If a breach has been identified due to a failure to administer a server properly, then the burden of disclosure is on the breached company - as was the case with Target, for instance. IMHO.
hypn0t1k, posted April 11, 2014, quoting djMot:
> Announcing to the media that there is a serious breach in SSL server operations is neither necessary, nor advisable...
Lol. Well since OpenSSL is open source how exactly should they announce it? Any "hacker" as you put it could have read the source and had their way with the internet for the past 2 years. If they didn't tell the media only admins/security people would know and in turn would more than likely leave many systems/servers unpatched. It's not like they could have followed the path that most closed source software companies do, which is more like what you describe via responsible disclosure.
Sammy, posted April 11, 2014:
Often businesses don't do things that are even in their own best interests until the public hears about it and screams at them. If the problem was fixed, and the fixes already made available some time in the past, then there is no excuse if some server is still vulnerable.
eidolonFIRE, posted April 11, 2014, quoting djMot:
> Announcing to the media that there is a serious breach in SSL server operations is neither necessary, nor advisable. It instils fear in the general public and invites the stupider hackers to look into something they might otherwise not have bothered with. Rather, this type of information should be confined to the administrators who are responsible for maintaining the servers running the compromised code. I suspect the vast majority of servers were patched as soon as security updates were released. Nevertheless, many companies will now collectively spend millions of dollars defending their best practices against those who will simply assume they were irresponsible, all because someone thought it would be "responsible" to sensationalize the matter in the media. Is this a big deal? Yes. Not disputing that. But does the average Joe need to be in this loop? No. This information should be on a need-to-know basis, and server admins should know how to keep abreast of these matters. If a breach has been identified due to a failure to administer a server properly, then the burden of disclosure is on the breached company - as was the case with Target, for instance. IMHO.
...but it's open source.... Most of the world uses OpenSSL. A public announcement is the only way they can tell everybody that they need to use the new version. There is no way they would be able to message every admin in the world. Would you rather them only tell the big corporations for the sake of keeping the public calm? This security hole affects everybody and quick action needs to be taken by everybody... Including the users.
Sammy, posted April 11, 2014:
The more I read about this the more I think it's NSA-related considering many of the other things they did regarding 'secure' software and hardware. The timing of this security flaw is too much of a coincidence.
hypn0t1k, posted April 11, 2014, quoting Sammy:
> The more I read about this the more I think it's NSA-related considering many of the other things they did regarding 'secure' software and hardware. The timing of this security flaw is too much of a coincidence.
It's not. The person who checked in the code has already spoken up about it. It was an honest mistake. http://it.slashdot.org/story/14/04/10/2235225/heartbleed-coder-bug-in-openssl-was-an-honest-mistake http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
KaptCrunch, posted April 11, 2014:
You make me laugh for SkyDrive; cloud is the biggest breach of all. Even a 5 yr old boy can hack box.
Sammy, posted April 11, 2014:
Yes but conspiracy theories are more fun.
Burt(XI), posted April 11, 2014:
This has far reaching implications. Not only are servers running OpenSSL vulnerable but many additional products including a lot of gear designed for web security. It even includes some phone systems. I was on the Cisco security site this morning checking the status of some firewall and associated stuff. They have a fukin list as long as your arm that has this vulnerability. You may be running MS OS and think you're OK but some other device in your network is running some flavor of OpenSSL.
djMot, posted April 11, 2014, quoting eidolonFIRE:
> ...but it's open source.... Most of the world uses OpenSSL. A public announcement is the only way they can tell everybody that they need to use the new version. There is no way they would be able to message every admin in the world. Would you rather them only tell the big corporations for the sake of keeping the public calm? This security hole affects everybody and quick action needs to be taken by everybody... Including the users.
Quick action when the exploit actually existed, what, two years ago? The public does not need or want to know about OpenSSL; it's Greek to them. For an open source project, I certainly would not suggest that the fork's author contact everyone using their flavor of OpenSSL. That burden falls to the end user - the server owner. It's the network administrators and their security teams that need to be monitoring all tech channels for news of security breaches. This did NOT need to instill panic in the general public due to blathering about it to the public media channels. Moreover, in this case, it comes down to a matter of why the tech community was clueless? - assuming that the exploit was known FAR earlier than it was disclosed to the public. All that said, there probably was containment within the tech community about this. Where it broke down is when it somehow leaked to the general press and it exploded virally. Not much that can be done once that happens. But again, administrators and security experts that were not on top of this long ago need to be eliminated.
Tough stance, but if you snooze and your data gets breached, and your company is exposed to millions/billions in liability, you lose your job. Pretty cut and dry. By the time something like this leaks to the general public, it should be last-year's news to the admin/security team.
Hoth, posted April 12, 2014:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ A decent read.
eidolonFIRE, posted April 12, 2014, quoting Hoth:
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ A decent read.
I guess I'm not affected.