Zoder
join:2002-04-16
Miami, FL

2 recommendations

Zoder

Member

Heartbleed - zero day critical bug in OpenSSL

Just saw this on Ars. »arstechnica.com/security ··· ropping/

and a blog post about the bug. »heartbleed.com/

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

It's been in the code for 2 years and is fixed in version 1.0.1g, which was just released. However, unpatched systems are vulnerable to having the following compromised, and the attack leaves no trace that it was performed.
quote:
secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
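The version line in the post is the first thing an admin has to check on every box. As an added example (not code from the post, from heartbleed.com or from OpenSSL), this Python helper classifies an OpenSSL version string, in the format `openssl version` prints, as vulnerable or not; it goes beyond the post's "fixed in 1.0.1g" by also covering the 1.0.2-beta1 pre-release, which shipped the same bug. The `version_from_library` helper for a local libeay32.dll is an assumption of mine about how one would read the string from a 1.0.x library with ctypes.

```python
import ctypes
import re

# Heartbleed lives in the TLS heartbeat code added in OpenSSL 1.0.1: releases
# 1.0.1 through 1.0.1f are affected, 1.0.1g (7 Apr 2014) carries the fix.
# The 1.0.2-beta1 pre-release also shipped the bug (fixed in beta2); the
# 1.0.0 and 0.9.8 branches never had the heartbeat code and are unaffected.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter_suffix, beta_number) from a string
    such as 'OpenSSL 1.0.1e 11 Feb 2013' as printed by `openssl version`."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters, beta = m.groups()
    return int(major), int(minor), int(fix), letters, int(beta) if beta else None


def is_heartbleed_vulnerable(text):
    """True when the string names an upstream release that contains the bug.
    Caveat: distributions backport fixes without bumping the letter, so a
    '1.0.1e' from a vendor package may already be fixed; confirm against the
    vendor changelog before trusting a True here."""
    major, minor, fix, letters, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # plain '1.0.1' and suffixes a..f are affected; g and later are fixed
        return letters < "g"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1          # only the first 1.0.2 beta is affected
    return False


def version_from_library(path):
    """Assumed helper for the local-DLL case (e.g. libeay32.dll): ask a loaded
    0.9.8/1.0.x OpenSSL library for its own version string via
    SSLeay_version(SSLEAY_VERSION). Needs the library on disk, so it is not
    exercised by the sample checks below."""
    lib = ctypes.CDLL(path)
    lib.SSLeay_version.restype = ctypes.c_char_p
    lib.SSLeay_version.argtypes = [ctypes.c_int]
    return lib.SSLeay_version(0).decode("ascii")   # 0 == SSLEAY_VERSION


if __name__ == "__main__":
    # constructed sample strings in the `openssl version` format
    for s in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 1.0.0l 6 Jan 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(s, "->", "VULNERABLE" if is_heartbleed_vulnerable(s) else "fixed/unaffected")
```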

QuaffAPint
A Big Thanks To The Troops
join:2001-01-10
Downingtown, PA

1 recommendation

QuaffAPint

Member

Just patched mine last night. Test yours (or any) server to see if it has the vulnerability...
»filippo.io/Heartbleed/

Boooost
@151.190.40.x

Boooost to Zoder

Anon

to Zoder
I thought open source was supposed to prevent this sort of thing.
Zoder
join:2002-04-16
Miami, FL

Zoder

Member

Yahoo mail and fbi.gov are affected.

»threatpost.com/seriousne ··· n/105309

angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf to Zoder

Premium Member

to Zoder
BarclayCardUS.com is vulnerable. Not good, as they are used by many private-label cards like GE.

[edit] LLBeanVisa.com is also vulnerable.

DslreportsOK
@comcast.net

DslreportsOK to Zoder

Anon

to Zoder


Dslreports not vulnerable to heartbleed.



kickass69
join:2002-06-03
Lake Hopatcong, NJ

kickass69 to Zoder

Member

to Zoder
OpenVPN 2.3.2 Installer Update

The I004 Windows installer includes OpenSSL 1.0.1g, which fixes the fairly serious TLS heartbeat security vulnerability.

Link to advisory - »www.openssl.org/news/sec ··· 0407.txt

»openvpn.net/index.php/op ··· ads.html

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to Zoder

Premium Member

to Zoder
This impacted Amazon's load balancing services, which are used by Mojang.com and Minecraft.net. The following was posted to the Minecraft forum tonight:

»www.minecraftforum.net/n ··· rd-asap/

In short, if you play Minecraft (and some here do), your account information may have been compromised, and changing your password is strongly recommended.

Boooost
@optonline.net

Boooost to Doctor Four

Anon

to Doctor Four


With something like 30 million users, what are the odds that someone found your password? Nil.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

4 recommendations

Bill_MI to QuaffAPint

MVM

to QuaffAPint
They seem to have problems with volume. Qualys added a test so here's their option, too: »www.ssllabs.com/ssltest/
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to Zoder

Member

to Zoder

Wow, their page provides quite a lot of detail!!

MacGyver

join:2001-10-14
Vancouver, BC

3 recommendations

MacGyver to Zoder

to Zoder


Another NSA backdoor closed. Only countless more to go.
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

ke4pym to Bill_MI

Premium Member

to Bill_MI
said by Bill_MI:

They seem to have problems with volume. Qualys added a test so here's their option, too: »www.ssllabs.com/ssltest/

I *LOVE* me some SSLLabs. Been using them for about a year now to test various properties for my employer. And they are super awesome about replying to emails when you find a bug.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Bill_MI

Premium Member

to Bill_MI
Welll...well...I guess the world has suddenly discovered Qualys. I was just told that they are operating at full capacity and to try again later.

therube
join:2004-11-11
Randallstown, MD

therube to Zoder

Member

to Zoder
For local applications, is it sufficient to simply replace the existing DLLs (libeay32.dll & ssleay32.dll) with updated 1.0.1g ones?

(My Eudora's were dated 08/17/2006.)
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

ke4pym to Mele20

Premium Member

to Mele20
said by Mele20:

Welll...well...I guess the world has suddenly discovered Qualys. I was just told that they are operating at full capacity and to try again later.

Beat on the submit button. It'll go through in about 5 tries.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Yeah...I got it to work...very slow the first test. Then I did a couple of other banking sites and it was fast.

Anyone know what version of Firefox first supported TLS 1.2? I was surprised to see that my Fx 24.4 ESR does NOT even support TLS 1.1 much less 1.2!

SeaMonkey 2.25 supports TLS 1.2. I suppose I should be using SM instead of Fx for banking.
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

ke4pym

Premium Member

said by Mele20:

Then I did a couple of other banking sites and it was fast.

Probably because their results were cached.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube to Mele20

Member

to Mele20
(SeaMonkey 2.24) Enabled support for TLS 1.2 (RFC 5246) by default (bug 861266)

So that would be FF27.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to Zoder

Premium Member

to Zoder
E-filing of Canadian taxes shut down because of Heartbleed bug
quote:
(Reuters) - Right in the heart of tax-filing season, the Canada Revenue Agency (CRA) shut down access to online tax services on Wednesday because of an Internet bug that has made data on many of the world's major websites vulnerable to theft by hackers.
»www.reuters.com/article/ ··· 20140409
IamGimli (banned)
join:2004-02-28
Canada

1 recommendation

IamGimli (banned) to Zoder

Member

to Zoder
Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

1 recommendation

ke4pym

Premium Member

said by IamGimli:

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.

Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.

SixOfNine
Brake In A Ladylike Manner.
Premium Member
join:2001-08-30
Sterling, VA

SixOfNine

Premium Member

said by ke4pym:

said by IamGimli:

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.

Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.

+1. LastPass has published a Heartbleed checker.

»lastpass.com/heartbleed/

Edit: Here's the results for dslreports:

Detected server software of nginx
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for www.dslreports.com valid 9 months ago at Jul 3 05:04:07 2013 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

psloss
Premium Member
join:2002-02-24

psloss to ke4pym

Premium Member

to ke4pym
said by ke4pym:

said by IamGimli:

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.

Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.

Agree with the recommendation, disagree on the time-frame. This is already an all-nighter, triage situation -- for the good guys and the bad guys. Hopefully this won't require the same wholesale action by users, but I'm expecting to hear from vendors and providers this week.
»isc.sans.edu/forums/diar ··· ns/17929

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

1 recommendation

Chubbzie to SixOfNine

Member

to SixOfNine
The LastPass checker is not a valid check for the vulnerability. It is basing its findings on the web daemon in use, whether it uses OpenSSL by default, and the age of the cert(s) themselves.

A valid checker will actually initiate an SSL connection to the device and send a heartbeat request & decide based on the reply.
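The heuristic Chubbzie describes (server software, OpenSSL by default, certificate age) and IamGimli's rule that a password change only helps once the site is patched, combined into one decision function. This is an added example, not code from LastPass or from anyone in the thread; the dslreports certificate date is the one shown in SixOfNine's LastPass result, while the patch dates and the other hostnames are constructed for illustration.

```python
from datetime import date


def assess_site(name, uses_openssl, ran_vulnerable_build, patched_on, cert_not_before):
    """Decide what a user and an operator should do for one site.

    uses_openssl         -- True/False, or None if only guessed from the banner
    ran_vulnerable_build -- True if a 1.0.1 through 1.0.1f build served TLS,
                            False if known clean, None if unknown
    patched_on           -- date the fixed build went live, or None if not yet
    cert_not_before      -- 'Not Before' date of the certificate now served
    """
    if uses_openssl is False or ran_vulnerable_build is False:
        return {"site": name, "exposed": False, "reissue_cert": False,
                "change_password": False, "note": "never exposed; no action"}
    if patched_on is None:
        # A new password typed into a still-vulnerable host can be read out
        # of its memory exactly like the old one, so wait for the patch.
        return {"site": name, "exposed": True, "reissue_cert": True,
                "change_password": False,
                "note": "unpatched or unknown: wait for the fix first"}
    # Any private key in service while the host was vulnerable may have been
    # read out, so a certificate issued before the patch must be replaced
    # (and the old one revoked) even though the host itself is now fixed.
    stale = cert_not_before < patched_on
    return {"site": name, "exposed": True, "reissue_cert": stale,
            "change_password": True,
            "note": ("patched, but certificate predates the patch: reissue "
                     "and revoke, then rotate passwords" if stale else
                     "patched and re-keyed: rotate passwords now")}


# Constructed samples: only the dslreports certificate date comes from the
# thread; the patch dates and the .example hosts are made up for illustration.
SAMPLES = {
    "dslreports": assess_site("www.dslreports.com", None, None,
                              date(2014, 4, 8), date(2013, 7, 3)),
    "unpatched": assess_site("bank.example", True, True, None, date(2013, 1, 1)),
    "rekeyed": assess_site("shop.example", True, True,
                           date(2014, 4, 9), date(2014, 4, 10)),
    "clean": assess_site("mail.example", True, False, None, date(2012, 1, 1)),
}

if __name__ == "__main__":
    for key, result in SAMPLES.items():
        print("%-10s %-20s %s" % (key, result["site"], result["note"]))
```

The "unknown" inputs fall on the exposed side on purpose: a banner-based guess like the LastPass one can clear a site only when it is known not to run a vulnerable build.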

SixOfNine
Brake In A Ladylike Manner.
Premium Member
join:2001-08-30
Sterling, VA

SixOfNine

Premium Member

said by Chubbzie:

The LastPass checker is not a valid check for the vulnerability.

I should have mentioned the fine print, mea culpa. LastPass says that their checker tells whether other sites and services may have been affected by Heartbleed.

»blog.lastpass.com/2014/0 ··· bug.html

DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state

DannyZ to Zoder

Premium Member

to Zoder


The second post in this thread has a link to a heartbeat checker »Re: Heartbleed - zero day critical bug in OpenSSL