heartbleed!


eidolonFIRE



  • Member ID:  2759

Ouchy...

http://www.latimes.com/business/la-fi-web-vulnerability-20140409,0,3935723.story#axzz2yMLgLk3y

OpenSSL is really something you don't want to have sabotaged. Hopefully it wasn't intentional.




  • Member ID:  2465

Yup, there is truly never a non-presence of internet risk. Canada's CRA - Canadian Revenue Agency - is on full internet lockdown right now to protect Canadians' personal tax information. It's a bad day when your government gets breached.




  • Member ID:  2759

Yep, nobody really knows how far this goes... Just that it's massively extensive. Any site running that version of OpenSSL can be snooped on.




  • Member ID:  2759

I just saw this on my favorite comic strip. www.xkcd.com

[attached image: heartbleed.png]




  • Member ID:  2069

I did some digging because I sysadmin for a non-profit. Not all versions of OpenSSL are compromised, though this is still major.

 

"The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL"




  • Member ID:  2759

> I did some digging because I sysadmin for a non-profit. Not all versions of OpenSSL are compromised, though this is still major.
>
> "The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL"

Right. I think it's just one.




  • Member ID:  20914

As far as I know the bug was introduced into OpenSSL 1.0.1 and versions through 1.0.1f: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

If I recall correctly, OpenSSL is usually installed by default in most *nix distributions, so I'd guess most web services using SSL would need to update.

Host Test - http://filippo.io/Heartbleed/

Proof of Concept (PoC) - https://gist.github.com/takeshixx/10107280

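A defender-side version triage, added here as an example and not code from the thread: it parses `openssl version` banners and sorts hosts by the range the two posts above give (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, the 1.0.0 and 0.9.8 branches unaffected). The host names and banners are constructed, and the 1.0.2-beta1 case is taken from the OpenSSL project's advisory rather than from the posts.

```python
"""Triage `openssl version` banners against the Heartbleed (CVE-2014-0160) range."""
import re
from typing import Dict, List, Optional, Tuple

# Matches the banner printed by `openssl version` ("OpenSSL 1.0.1e 11 Feb 2013")
# as well as bare strings such as "1.0.1g" or "1.0.2-beta1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

Version = Tuple[int, int, int, str, Optional[int]]


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, fix, patch_letter, beta_number) or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def heartbleed_status(banner: str) -> str:
    """Classify one banner as 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f carry the bug; 1.0.1g is the fix release.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2) and beta is not None:
        # Not mentioned in the thread: the OpenSSL advisory also lists 1.0.2-beta1.
        return "vulnerable" if beta < 2 else "fixed"
    # The 1.0.0 and 0.9.8 branches (and anything else) never had the heartbeat code.
    return "not-affected"


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner falls in the affected range, sorted for a patch worklist."""
    return sorted(h for h, banner in inventory.items() if heartbleed_status(banner) == "vulnerable")


# Constructed sample inventory (hypothetical host names, banners as `openssl version` prints them).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "build-srv": "OpenSSL 1.0.1 14 Mar 2012",
    "vpn-gw": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy-mail": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "pbx": "no openssl binary found",
}

if __name__ == "__main__":
    # Caveat: distributions that backport the fix keep the old version string (a patched
    # package can still report 1.0.1e), so treat a "vulnerable" hit as "confirm via the
    # package changelog", not as proof. Appliances need their own vendor advisories.
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:12} {heartbleed_status(banner):13} {banner}")
    print("patch first:", vulnerable_hosts(SAMPLE_INVENTORY))
```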



  • Member ID:  2069

My Sophos home Unified Threat Manager/router was updated this morning.




  • Member ID:  20683

LOL, it doesn't matter if your local client malware was updated; this is an issue with the OpenSSL on the servers that you are talking to. If you were accessing an OSX server then you are likely OK: "No versions of the OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version shipped by Apple in an OS was 0.9.8y, which is a branch not affected by the bug"




  • Member ID:  2759

> LOL, it doesn't matter if your local client malware was updated; this is an issue with the OpenSSL on the servers that you are talking to. If you were accessing an OSX server then you are likely OK: "No versions of the OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version shipped by Apple in an OS was 0.9.8y, which is a branch not affected by the bug"

All I heard was, "not to worry, Apple's shit is outdated...". Lol :)




  • Member ID:  3189

The biggest irresponsible act in all of this was leaking it to the media. 

Sorta like saying, "HEY HACKERS - LOOK, THE FRONT DOOR IS OPEN !!  MIGHT AS WELL JUST WALK ON IN..."




  • Member ID:  2759

> The biggest irresponsible act in all of this was leaking it to the media.
>
> Sorta like saying, "HEY HACKERS - LOOK, THE FRONT DOOR IS OPEN !!  MIGHT AS WELL JUST WALK ON IN..."

Can't say I agree with you on that. The foundation fixed the bug and provided the new version before announcing the finding.

Announcing it was a necessary public call to have everybody change to the new version all at once so nobody is left behind and made vulnerable.




  • Member ID:  2759

Another XKCD on Heartbleed!

[attached image: heartbleed_explanation.png]




  • Member ID:  3189

> Can't say I agree with you on that. The foundation fixed the bug and provided the new version before announcing the finding.
>
> Announcing it was a necessary public call to have everybody change to the new version all at once so nobody is left behind and made vulnerable.


Announcing to the media that there is a serious breach in SSL server operations is neither necessary, nor advisable.  It instils fear in the general public and invites the stupider hackers to look into something they might otherwise not have bothered with.  Rather, this type of information should be confined to the administrators who are responsible for maintaining the servers running the compromised code.  I suspect the vast majority of servers were patched as soon as security updates were released.  Nevertheless, many companies will now collectively spend millions of dollars defending their best practices against those who will simply assume they were irresponsible, all because someone thought it would be "responsible" to sensationalize the matter in the media.  Is this a big deal?  Yes.  Not disputing that.  But does the average Joe need to be in this loop?  No.  This information should be on a need-to-know basis, and server admins should know how to keep abreast of these matters.  If a breach has been identified due to a failure to administer a server properly, then the burden of disclosure is on the breached company - as was the case with Target, for instance.  IMHO.

Edited by djMot



  • Member ID:  20914

> Announcing to the media that there is a serious breach in SSL server operations is neither necessary, nor advisable...

Lol. Well, since OpenSSL is open source, how exactly should they announce it? Any "hacker", as you put it, could have read the source and had their way with the internet for the past 2 years. If they didn't tell the media, only admins/security people would know, and in turn would more than likely leave many systems/servers unpatched. It's not like they could have followed the path that most closed-source software companies do, which is more like what you describe via responsible disclosure.




  • Member ID:  3036

Often businesses don't do things that are even in their own best interests until the public hears about it and screams at them. If the problem was fixed, and the fixes already made available some time in the past, then there is no excuse if some server is still vulnerable.




  • Member ID:  2759

> Announcing to the media that there is a serious breach in SSL server operations is neither necessary, nor advisable. It instils fear in the general public and invites the stupider hackers to look into something they might otherwise not have bothered with. Rather, this type of information should be confined to the administrators who are responsible for maintaining the servers running the compromised code. I suspect the vast majority of servers were patched as soon as security updates were released. Nevertheless, many companies will now collectively spend millions of dollars defending their best practices against those who will simply assume they were irresponsible, all because someone thought it would be "responsible" to sensationalize the matter in the media. Is this a big deal? Yes. Not disputing that. But does the average Joe need to be in this loop? No. This information should be on a need-to-know basis, and server admins should know how to keep abreast of these matters. If a breach has been identified due to a failure to administer a server properly, then the burden of disclosure is on the breached company - as was the case with Target, for instance. IMHO.

...but it's open source....

Most of the world uses OpenSSL. A public announcement is the only way they can tell everybody that they need to use the new version. There is no way they would be able to message every admin in the world. Would you rather they only tell the big corporations for the sake of keeping the public calm? This security hole affects everybody and quick action needs to be taken by everybody... Including the users.




  • Member ID:  3036

The more I read about this the more I think it's NSA-related, considering many of the other things they did regarding 'secure' software and hardware. The timing of this security flaw is too much of a coincidence.




  • Member ID:  20914

> The more I read about this the more I think it's NSA-related, considering many of the other things they did regarding 'secure' software and hardware. The timing of this security flaw is too much of a coincidence.


It's not. The person who checked in the code has already spoken up about it. It was an honest mistake.

 

http://it.slashdot.org/story/14/04/10/2235225/heartbleed-coder-bug-in-openssl-was-an-honest-mistake

http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html




  • Member ID:  389

You make me laugh for SkyDrive; cloud is the biggest breach of all. Even a 5-yr-old boy can hack box1.




  • Member ID:  3036

Yes but conspiracy theories are more fun.




  • Member ID:  478

This has far-reaching implications. Not only are servers running OpenSSL vulnerable but many additional products, including a lot of gear designed for web security. It even includes some phone systems. I was on the Cisco security site this morning checking the status of some firewall and associated stuff. They have a fukin list as long as your arm that has this vulnerability. You may be running an MS OS and think you're OK, but some other device in your network is running some flavor of OpenSSL.



  • Member ID:  3189

> ...but it's open source....
>
> Most of the world uses OpenSSL. A public announcement is the only way they can tell everybody that they need to use the new version. There is no way they would be able to message every admin in the world. Would you rather they only tell the big corporations for the sake of keeping the public calm? This security hole affects everybody and quick action needs to be taken by everybody... Including the users.


Quick action when the exploit actually existed, what, two years ago?

 

The public does not need or want to know about OpenSSL; it's Greek to them.  For an open source project, I certainly would not suggest that the fork's author contact everyone using their flavor of OpenSSL.  That burden falls to the end user - the server owner.  It's the network administrators and their security teams that need to be monitoring all tech channels for news of security breaches.  This did NOT need to instill panic in the general public due to blathering about it to the public media channels.  Moreover, in this case, it comes down to a matter of why the tech community was clueless? - assuming that the exploit was known FAR earlier than it was disclosed to the public.

 

All that said, there probably was containment within the tech community about this. Where it broke down is when it somehow leaked to the general press and it exploded virally. Not much that can be done once that happens. But again, administrators and security experts that were not on top of this long ago need to be eliminated. Tough stance, but if you snooze and your data gets breached, and your company is exposed to millions/billions in liability, you lose your job. Pretty cut and dry. By the time something like this leaks to the general public, it should be last year's news to the admin/security team.




  • Member ID:  64


  • Member ID:  2759

I guess I'm not affected.
