
Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie (Member) to Zoder

Re: Heartbleed - zero day critical bug in OpenSSL

Ars has updated some information:

Terrence Koeman of MediaMonks told Ars he found signs of attempts to use the exploit dating back to November 2013. He used the packet content of a successful exploit of the Heartbleed vulnerability to check inbound packets logged by his servers and found a number of incoming packets from a network suspected of harboring a number of “bot” servers that were apparently scans for the vulnerability—sending Heartbleed-style requests to two different development servers in requests that were about five minutes apart.

Originating article here

As more areas analyze their logs we might indeed be capable of discerning how long this vulnerability has been targeted in the wild.

planet
join:2001-11-05
Oz

planet (Member) to SixOfNine

SixofNine, how are you able to access the info in your screenshot?

Ian1
Premium Member
join:2002-06-18
ON

Ian1 (Premium Member)

Lastpass security check from the tools menu.

DownTheShore
Pray for Ukraine
Premium Member
join:2003-12-02
Beautiful NJ

DownTheShore (Premium Member) to EdmundGerber

Just checked the Pale Moon forum and it confirmed that it has been patched:

"Heartbleed" vulnerability plugged.

by Admin » Tue Apr 08, 2014 6:37 pm
Just to let people know: All of Pale Moon's SSL-enabled services (forum login pages, XMPP server, etc. etc.) have been patched up to prevent exploitation of the heartbleed bug.

»forum.palemoon.org/viewt ··· 2#p25202

SixOfNine
Brake In A Ladylike Manner.
Premium Member
join:2001-08-30
Sterling, VA

1 recommendation

SixOfNine (Premium Member) to planet

said by planet:

SixofNine, how are you able to access the info in your screenshot?

What Ian1 said.

Assuming that you're asking that as a fellow LastPass user, the Heartbleed check was added to their existing "security challenge," which provides a bunch of other useful information not related to Heartbleed.

carpetshark3
Premium Member
join:2004-02-12
Idledale, CO

carpetshark3 (Premium Member) to Zoder

Heartbeat has me confused. I can see the server end, that's plain. Does it attack through the browser and also read info on your computer like the normal malware that wants you to download it, or just the infected server? Does it get DNS? or just hunt for accounts and passwords?

I'm asking as I must have about 50 aliases and different passwords all over the place. Yahoo, XDA and Android Central are the only questionable ones. I started the Yahoo account years ago when we had dialup and have not changed or given Yahoo any personal info, unless they read groups and know I have a certain DSLR camera or a 60mm telescope. I have no contacts in Yahoo mail, and only use it for companies I think might spam. No other personal info. Now HB is snooping through Yahoo server, it's not getting the info easily. Now I am over here and this site is not a problem. It has a different login and password. Do I have to change passwords for all these forum accounts with no real personal info? Or does Justin have the right idea?

I only do banking on Kubuntu - if I don't use Yahoo on that computer and the bank is safe, why do I have to change that password? I don't sync any computer or cell phone. I mostly surf and do fora on W7. I don't sync anything. I use a USB stick from one computer to another. I have 2 OFFLINE xp boxes so I can't sync them and it's just easier to use the USB on all. Our home computers are not networked.

howardfine
join:2002-08-09
Saint Louis, MO

1 recommendation

howardfine (Member) to Boooost

said by Boooost :

I thought open source was supposed to prevent this sort of thing.

Find. Not necessarily prevent. And it did. The many eyes found the problem, which was so obscure, no one noticed.

howardfine (Member) to Link Logger

said by Link Logger:

The next person who uses the phrase "many eyes make for shallow bugs" gets to buy drinks for everyone affected by the #OpenSSL bug.

Except 1) it wasn't a shallow bug and 2) the many eyes DID find it.

netboy34
Premium Member
join:2001-08-29
Kennesaw, GA

netboy34 (Premium Member) to Zoder

We are waiting on VMWare to release a patch (and we just updated to 5.5 two weeks ago), and internal scans also picked up some HP MFPs whose firmware is vulnerable as well. The main issue with that is talking to HP printer support to get it reported; it ended up with "upgrade your firewall, this isn't a printer issue. click"

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy (Premium Member) to Zoder

Tested »www.gmail.com at »www.ssllabs.com/ssltest/
Got two ip addresses. Clicked on the first one and it says not vulnerable to heartbleed.

Cert was issued: Valid from Wed Mar 12 09:51:57 UTC 2014

The second ip address was the same.

How can it NOT be vulnerable if the cert hasn't been reissued?

3 recommendations

GuruGuy (Premium Member) to howardfine

said by howardfine:

said by Link Logger:

The next person who uses the phrase "many eyes make for shallow bugs" gets to buy drinks for everyone affected by the #OpenSSL bug.

Except 1) it wasn't a shallow bug and 2) the many eyes DID find it.

2+ years later

GuruGuy (Premium Member) to Zoder

There are way too many media outlets and websites reporting conflicting information. It's just making the confusion all that much worse.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

2 recommendations

siljaline (Premium Member) to Zoder

The Heartbleed Hit List: The Passwords You Need to Change Right Now
»mashable.com/2014/04/09/ ··· ffected/
AsherN
Premium Member
join:2010-08-23
Thornhill, ON

1 recommendation

AsherN (Premium Member) to carpetshark3

said by carpetshark3:

Heartbeat has me confused. I can see the server end, that's plain. Does it attack through the browser and also read info on your computer like the normal malware that wants you to download it, or just the infected server? Does it get DNS? or just hunt for accounts and passwords?

Neither.

It is not "active" malware. It was a bug in the heartbeat code in OpenSSL.

The heartbeat goes like this: when idle, the client sends a request for heartbeat to the web server, and the web server returns it, keeping the connection alive. The request contains 2 things: a payload of data, and the size of the payload.

The bug was that you could send a 1K payload and claim a 64K size. The server would return a 64K payload. Your 1K and the next 63K of the server memory.

The returned data is random. It may contain user IDs and/or password, likely encrypted or hashed. It may contain the certificate decryption keys.

You can't know what will come back.

It gets nothing from the client, it just returns data from the server.
Fickey
Terrorists target your backbone
join:2004-05-31

Fickey (Member) to Mele20

said by Mele20:

Did you also disable the bad cipher suite that the test site you reference says Fx 24 ESR uses? I could not pass the test until I also disabled that one SSL cipher suite.

I tried disabling TLS1.0 (as well as SSL3) and found that I can't connect to ebanking ...

Yes, disabled the mentioned cipher, but left SSL3 as the min because I was leery of what you experienced (and I'm not smart enough to eschew SSL3, etc).

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy (Premium Member) to siljaline

said by siljaline:

The Heartbleed Hit List: The Passwords You Need to Change Right Now
»mashable.com/2014/04/09/ ··· ffected/

Looking at your link, I'll say it again as I did above. I tested gmail earlier and the cert date was March 12th. If gmail has "fixed" the problem, why is the cert not updated?
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer (Premium Member) to howardfine

said by howardfine:

said by Link Logger:

The next person who uses the phrase "many eyes make for shallow bugs" gets to buy drinks for everyone affected by the #OpenSSL bug.

Except 1) it wasn't a shallow bug and 2) the many eyes DID find it.

The quote refers to the fact that with the supposed "many eyes" such "deep" bugs become "shallow". Your statement further reinforces that this is in fact not true.

Yes, the "many eyes" did find it. Well over 2 years later.

dib22
join:2002-01-27
Kansas City, MO

dib22 (Member) to GuruGuy

said by GuruGuy:

Looking at your link, I'll say it again as I did above. I tested gmail earlier and the cert date was March 12th. If gmail has "fixed" the problem, why is the cert not updated?

I am wondering the same... notice that google doesn't even recommend changing passwords... until they release a statement as to why... we can guess?

I am guessing that they tested and on their weird mesh networking system it never kicked out cert details or username/passwords? I mean the google web systems are not like normal single boxen... they are running on a mesh os.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran (Premium Member) to Shady Bimmer

So howardfine owes a bunch of people a round of drinks?

@howard: I prefer Murphy's, but I'll take Michelob if you're strapped after buying so many drinks.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

justin (Mod) to Chubbzie

said by Chubbzie:

As more areas analyze their logs we might indeed be capable of discerning how long this vulnerability has been targeted in the wild.

The flip side of this is that after a week or two if nobody puts their hand up with *clear* evidence, then people (on the server side) can stop worrying about what walked out the door and people on the user side can stop thinking someone has their passwords.
Because this isn't subtle. It would be very clearly in logs, visible retrospectively, for anyone that logged packet sizes, ports and headers, over time.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy (Premium Member)

said by justin:

The flip side of this is that...

Playing the devil's advocate...
The flip side of that is I don't see IT security rushing to the podium declaring:
"Yes, we've (you) probably been compromised"

graniterock
Premium Member
join:2003-03-14
London, ON

graniterock (Premium Member) to GuruGuy

said by GuruGuy:

There are way to many media outlets and websites reporting conflicting information. It's just making the confusion all that much worse.

Lots of news reporters have been calling it a virus rather than a bug. All my coworkers are afraid of catching it now and want to protect their computer from it.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

3 recommendations

justin (Mod) to Snowy

I'm not expecting a company at risk of lawsuits to step up, but there are a ton of open source groups, researchers, and even a few honest companies who I would say for the greater good, yes it appears it was used.

And we only need one to disprove the optimistic proposition that the exploit was not known.

PS: have we democratically decided that the NSA (taxpayer funded) has absolutely no obligation to report problems this widespread, if it finds them first? By keeping them secret, are they not doing more damage to other branches of the government and the economy? Secure infrastructure is sort of fundamental to everything; can they really float above it simply because it makes their job easier?

Is this page just an empty gesture?

»www.nsa.gov/ia/mitigatio ··· ts.shtml

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy (Premium Member)

said by justin:

I'm not expecting a company at risk of lawsuits to step up, but there are a ton of open source groups, researchers, and even a few honest companies who I would say for the greater good, yes it appears it was used.

From analysis to legal to marketing to disclosure,... that's a process that hasn't necessarily had the time to run its course.
said by justin:

And we only need one to disprove the optimistic proposition that the exploit was not known.

Getting back to the 'process', that one had better be damned sure of it too.
said by justin:

Is this page just an empty gesture?

»www.nsa.gov/ia/mitigatio ··· ts.shtml

I wouldn't expect to find anything there that couldn't be leveraged by the NSA in the absence of being there.

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger (MVM) to justin

said by justin:

It would be very clearly in logs, visible retrospectively, for anyone that logged packet sizes, ports and headers, over time.

And how many folks have logging enabled, keep logs, look at logs or even understand logs? Snort just added some rules around this today so perhaps those folks will let us know how active this attack is.

If admins actually enabled, kept, looked at and understood their logs, this attack might have been discovered a long time ago, but it wasn't which means most admins don't log.

To use the same argument you have about seeing no Heartbleed damage, I don't see any evidence that the NSA is behind this security train wreck.

Blake
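The two threads of discussion above, AsherN's description of the bug (the server trusted the payload length in the request instead of the length of what actually arrived) and justin's and Link Logger's point that the probes would stand out in logged packets, both come down to the same three-byte comparison. The script below is an added example, written for this page and not taken from the thread, OpenSSL, or Snort. It lays out a TLS record and a heartbeat message per RFC 6520, implements the server-side length check that the fix added (a request whose claimed payload would not fit inside the record is silently discarded), and reuses the same parser as a log-style scanner that flags records where the claimed length exceeds the record body. The sample records are constructed inline; the 0x0301 version bytes and the all-zero padding are simplifying assumptions, and a passive scan like this only sees heartbeats that travel in the clear (for example, ones sent before the handshake finishes), since post-handshake heartbeats are encrypted.

```python
"""RFC 6520 heartbeat length check and log-style detection (constructed example)."""
import struct

TLS_HEARTBEAT = 24   # TLS content type for heartbeat messages (RFC 6520)
TLS_APPDATA = 23     # TLS content type for application data
HB_REQUEST = 1       # HeartbeatMessageType: heartbeat_request
HB_RESPONSE = 2      # HeartbeatMessageType: heartbeat_response
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def split_records(data):
    """Split a raw byte stream into TLS records as (content_type, version, body)."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated record at the end of the capture; stop here
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def inspect_heartbeat(body):
    """Parse the heartbeat header; return (hb_type, claimed_len, required_len, available_len)."""
    if len(body) < 3:
        return None  # not even room for type + payload_length
    hb_type, claimed = struct.unpack("!BH", body[:3])
    required = 1 + 2 + claimed + MIN_PADDING  # bytes the claim implies the record holds
    return hb_type, claimed, required, len(body)


def heartbeat_response(body):
    """Server-side handling with the bounds check the fix added.

    Returns the response bytes for a well-formed request, or None when the
    request is discarded because its claimed payload length exceeds the record.
    """
    info = inspect_heartbeat(body)
    if info is None:
        return None
    hb_type, claimed, required, available = info
    if hb_type != HB_REQUEST or required > available:
        return None  # discard: the claim does not fit in what actually arrived
    payload = body[3:3 + claimed]  # only bytes the client really sent are echoed
    padding = b"\x00" * MIN_PADDING  # assumption: real stacks use random padding
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + padding


def detect_oversized_heartbeats(data):
    """Log-style scan: flag heartbeat records whose claimed payload exceeds the body."""
    findings = []
    for ctype, _version, body in split_records(data):
        if ctype != TLS_HEARTBEAT:
            continue  # packet sizes/ports/headers of other records are not of interest here
        info = inspect_heartbeat(body)
        if info is None:
            findings.append(("malformed", 0, len(body)))
            continue
        _hb_type, claimed, required, available = info
        verdict = "suspicious" if required > available else "ok"
        findings.append((verdict, claimed, available))
    return findings


def make_record(ctype, body, version=0x0301):
    """Build a TLS record header (type, version, length) around a body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample traffic: one application-data record, one honest heartbeat
# (4-byte payload, 16 bytes padding) and one whose header claims 65535 payload
# bytes while the record body only holds the header plus padding.
BENIGN = make_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
OVERSIZED = make_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"\x00" * 16)
APPDATA = make_record(TLS_APPDATA, b"GET / HTTP/1.1\r\n")
SAMPLE_STREAM = APPDATA + BENIGN + OVERSIZED

if __name__ == "__main__":
    for verdict, claimed, available in detect_oversized_heartbeats(SAMPLE_STREAM):
        print(f"{verdict:10s} claimed_payload={claimed:5d} record_body={available}")
    print("benign echoed:", heartbeat_response(BENIGN[5:]) is not None)
    print("oversized discarded:", heartbeat_response(OVERSIZED[5:]) is None)
```

Running it prints one line per heartbeat record: the honest one is "ok" (claimed 4, body 23) and the other is "suspicious" (claimed 65535, body 19). The fixed server path returns an echo for the first and None for the second, which is the same comparison the scanner uses; that is why a retrospective check over stored packets, or a rule in an IDS, can separate the probes from ordinary keep-alives by length alone.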

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

1 recommendation

jaykaykay (MVM) to Zoder

And so it goes on.......

»finance.yahoo.com/news/l ··· html?l=1
OZO
Premium Member
join:2003-01-17

OZO (Premium Member) to justin

said by justin:

PS: have we democratically decided the NSA (taxpayer funded) has absolutely no obligation to report problems this widespread, if it finds them first? By keeping them secret are they not doing more damage to other branches of the government and the economy? secure infrastructure is sort of fundamental to everything can they really float above it simply because it makes their job easier?

It's a very good point.

I think we are all creating an image of the NSA as an agency that is allowed to do everything it wants without any report to the public (who, BTW, is funding it). IMHO, it's a very dangerous tendency and it should be stopped ASAP...

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy (Premium Member) to Link Logger

said by Link Logger:

If admins actually enabled, kept, looked at and understood their logs, this attack might have been discovered a long time ago, but it wasn't which means most admins don't log.

"...which means most admins don't log."
Your argument is contradictory.
1. On one level you argue that many admins either don't understand the logs or don't actively analyze them, which I tend to agree with.

2. But you can't also conclude that most admins don't enable logging as the reason this could have flown under the radar.

It's simply not possible to not understand or not analyze logging that isn't enabled.

Frodo
join:2006-05-05

Frodo (Member) to Zoder

Here's another list of sites.
»mashable.com/2014/04/09/ ··· ffected/
Includes some financial sites.
(Best source for financial sites is a statement from the company itself on its own website, I think.)

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy (Premium Member) to jaykaykay

said by jaykaykay:

And so it goes on.......

»finance.yahoo.com/news/l ··· html?l=1

It's almost like a teenager declaring "Well, Johnny did it too..." when justifying an action or inaction that we've all come to expect as normal teenage behavior, but Yahoo! playing that game?

"Developers rushed out patches to fix affected web servers when they disclosed the problem, which affected companies from Amazon.com Inc and Google Inc to Yahoo Inc."

Note how Yahoo! mentions Google & Amazon as being affected before it named themselves in the release.
Grow up Yahoo!