Zoder (Member, join: 2002-04-16, Miami, FL)
2014-Apr-7 11:23 pm, 2 recommendations
Heartbleed - zero day critical bug in OpenSSL
Just saw this on Ars: » arstechnica.com/security ··· ropping/ and a blog post about the bug: » heartbleed.com/
quote: The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
It's been in the code for 2 years and is fixed in version 1.0.1g which was just released. However, unpatched systems are vulnerable to having the following compromised, and the attack leaves no trace that it was performed.
quote: secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
QuaffAPint (A Big Thanks To The Troops; join: 2001-01-10, Downingtown, PA)
1 recommendation
Just patched mine last night. Test yours (or any) server to see if it has the vulnerability: » filippo.io/Heartbleed/
Boooost (Anon), 2014-Apr-8 12:53 pm
to Zoder
I thought open source was supposed to prevent this sort of thing.
Zoder (Member, join: 2002-04-16, Miami, FL), 2014-Apr-8 2:50 pm
angussf (Premium Member, join: 2002-01-11, Tucson, AZ)
to Zoder
BarclayCardUS.com is vulnerable. Not good, as they are used by many private-label cards like GE.
[edit] LLBeanVisa.com is also vulnerable.
DslreportsOK (Anon), 2014-Apr-8 6:56 pm
to Zoder
Dslreports not vulnerable to heartbleed.
to Zoder
OpenVPN 2.3.2 Installer Update
The I004 Windows installer includes OpenSSL 1.0.1g, which fixes the fairly serious TLS heartbeat security vulnerability. Link to advisory - » www.openssl.org/news/sec ··· 0407.txt
» openvpn.net/index.php/op ··· ads.html
Doctor Four (My other vehicle is a TARDIS; Premium Member, join: 2000-09-05, Dallas, TX)
to Zoder
This impacted Amazon's load balancing services, which are used by Mojang.com and Minecraft.net. The following was posted to the Minecraft forum tonight: » www.minecraftforum.net/n ··· rd-asap/
In short, if you play Minecraft (and some here do), your account information may have been compromised, and changing your password is strongly recommended.
to Doctor Four
With something like 30 million users, what are the odds that someone found your password? Nil.
Bill_MI (Bill In Michigan; MVM, join: 2001-01-03, Royal Oak, MI; gear: TP-Link Archer C7, Linksys WRT54GS, Linksys WRT54G v4)
4 recommendations
to QuaffAPint
They seem to have problems with volume. Qualys added a test, so here's their option, too: » www.ssllabs.com/ssltest/
19579823 (banned) (An Awesome Dude; join: 2003-08-04)
to Zoder
Wow, their page provides quite a lot of detail!!
3 recommendations
to Zoder
Another NSA backdoor closed. Only countless more to go.
ke4pym (Premium Member, join: 2004-07-24, Charlotte, NC)
to Bill_MI
I *LOVE* me some SSLLabs. Been using them for about a year now to test various properties for my employer. And they are super awesome about replying to emails when you find a bug.
Mele20 (Premium Member, join: 2001-06-05, Hilo, HI)
to Bill_MI
Welll...well...I guess the world has suddenly discovered Qualys. I was just told that they are operating at full capacity and to try again later.
therube (join: 2004-11-11, Randallstown, MD)
to Zoder
For local applications, is it sufficient to simply replace existing DLLs (libeay32.dll & ssleay32.dll) with updated 1.0.1g ones? (My Eudora's were dated 08/17/2006.)
ke4pym (Premium Member, join: 2004-07-24, Charlotte, NC)
to Mele20
said by Mele20:
    Welll...well...I guess the world has suddenly discovered Qualys. I was just told that they are operating at full capacity and to try again later.
Beat on the submit button. It'll go through in about 5 tries.
Mele20 (Premium Member, join: 2001-06-05, Hilo, HI), 2014-Apr-9 11:07 am
Yeah...I got it to work...very slow the first test. Then I did a couple of other banking sites and it was fast.
Anyone know what version of Firefox first supported TLS 1.2? I was surprised to see that my Fx 24.4 ESR does NOT even support TLS 1.1, much less 1.2!
SeaMonkey 2.25 supports TLS 1.2. I suppose I should be using SM instead of Fx for banking.
ke4pym (Premium Member, join: 2004-07-24, Charlotte, NC), 2014-Apr-9 11:17 am
said by Mele20:
    Then I did a couple of other banking sites and it was fast.
Probably because their results were cached.
therube (join: 2004-11-11, Randallstown, MD), 1 recommendation
to Mele20
siljaline (I'm lovin' that double wide; Premium Member, join: 2002-10-12, Montreal, QC)
to Zoder
E-filing of Canadian taxes shut down because of Heartbleed bug
quote: (Reuters) - Right in the heart of tax-filing season, the Canada Revenue Agency (CRA) shut down access to online tax services on Wednesday because of an Internet bug that has made data on many of the world's major websites vulnerable to theft by hackers.
» www.reuters.com/article/ ··· 20140409
1 recommendation
to Zoder
Before you start changing passwords, make sure the site you're changing the password on has been patched; otherwise changing the password is of little value.
ke4pym (Premium Member, join: 2004-07-24, Charlotte, NC), 2014-Apr-9 12:41 pm, 1 recommendation
said by IamGimli:
    Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.
Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.
SixOfNine (Brake In A Ladylike Manner.; Premium Member, join: 2001-08-30, Sterling, VA)
said by ke4pym:
    said by IamGimli:
        Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.
    Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.
+1. LastPass has published a Heartbleed checker. » lastpass.com/heartbleed/
Edit: Here's the results for dslreports:
quote: Detected server software of nginx That server is known to use OpenSSL and could have been vulnerable.
quote: The SSL certificate for www.dslreports.com valid 9 months ago at Jul 3 05:04:07 2013 GMT. This is before the heartbleed bug was published, it may need to be regenerated.
psloss (Premium Member, join: 2002-02-24)
to ke4pym
said by ke4pym:
    said by IamGimli:
        Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.
    Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.
Agree with the recommendation, disagree on the time-frame. This is already an all-nighter, triage situation -- for the good guys and the bad guys. Hopefully this won't require the same wholesale action by users, but I'm expecting to hear from vendors and providers this week. » isc.sans.edu/forums/diar ··· ns/17929
Hitron CDA3 (Software), OpenBSD + pf
1 recommendation
to SixOfNine
The LastPass checker is not a valid check for the vulnerability. It is basing its findings on the web daemon in use, whether it uses OpenSSL by default, and the age of the cert(s) themselves.
A valid checker will actually initiate an SSL connection to the device and send a heartbeat request, and decide based on the reply.
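Chubbzie's point that a real check has to look at the heartbeat itself applies to passive detection as well; the following Python is an added example, not code from this thread or from any checker linked in it, that parses a raw TLS record and flags a heartbeat whose declared payload length cannot fit inside the record, which is the bounds check OpenSSL 1.0.1g added. The sample records are constructed fixtures, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type "heartbeat" (RFC 6520)
MIN_PADDING = 16     # RFC 6520: a heartbeat carries at least 16 bytes of padding

def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record: 'not-heartbeat', 'truncated', 'ok' or
    'overlong'. 'overlong' means the declared payload_length does not fit in
    the record, the condition an unpatched OpenSSL trusted blindly and that
    the 1.0.1g fix rejects before copying any bytes."""
    if len(record) < 5:
        return "truncated"
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return "truncated"   # header promises more bytes than were captured
    if rec_len < 3:
        return "overlong"    # no room for hb_type (1) + payload_length (2)
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The bounds check added in OpenSSL 1.0.1g, written out in Python:
    # type (1) + length (2) + payload + minimum padding (16) must fit in rec_len.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "overlong"
    return "ok"

def scan_records(stream: bytes) -> list:
    """Walk back-to-back TLS records (one direction of a session) and return one verdict per record."""
    verdicts, pos = [], 0
    while pos + 5 <= len(stream):
        rec_len = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        verdicts.append(check_heartbeat_record(stream[pos:pos + 5 + rec_len]))
        pos += 5 + rec_len
    return verdicts

# Constructed fixtures, not captured traffic. A well-formed request: 4-byte
# payload plus 16 bytes of padding, so declared length 4 and record length 23.
GOOD_HEARTBEAT = bytes([24, 3, 2, 0, 23, 1, 0, 4]) + b"ping" + b"\x00" * 16
# A 3-byte heartbeat body that claims a 16384-byte payload: the shape that
# IDS signatures for Heartbleed look for.
OVERLONG_HEARTBEAT = bytes([24, 3, 2, 0, 3, 1, 0x40, 0x00])
# Application data (content type 23) is passed over untouched.
APP_DATA = bytes([23, 3, 2, 0, 2]) + b"hi"

if __name__ == "__main__":
    print(scan_records(GOOD_HEARTBEAT + APP_DATA + OVERLONG_HEARTBEAT))
```

A heartbeat whose padding is shorter than 16 bytes is also reported as overlong, because the 1.0.1g check counts the minimum padding as part of what must fit.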
SixOfNine (Brake In A Ladylike Manner.; Premium Member, join: 2001-08-30, Sterling, VA)
said by Chubbzie:
    The LastPass checker is not a valid check for the vulnerability.
I should have mentioned the fine print, mea culpa. LastPass says that their checker tells whether other sites and services may have been affected by Heartbleed. » blog.lastpass.com/2014/0 ··· bug.html
DannyZ (Gentoo Fanboy; Premium Member, join: 2003-01-29, united state)
to Zoder
The second post in this thread has a link to a heartbeat checker: » Re: Heartbleed - zero day critical bug in OpenSSL