to Zoder
Re: Heartbleed - zero day critical bug in OpenSSL
Ars has updated some information: Terrence Koeman of MediaMonks told Ars he found signs of attempts to use the exploit dating back to November 2013. He used the packet content of a successful exploit of the Heartbleed vulnerability to check inbound packets logged by his servers and found a number of incoming packets from a network suspected of harboring a number of bot servers that were apparently scans for the vulnerability, sending Heartbleed-style requests to two different development servers in requests that were about five minutes apart.
Originating article here.
As more areas analyze their logs we might indeed be capable of discerning how long this vulnerability has been targeted in the wild.
to SixOfNine
SixofNine, how are you able to access the info in your screenshot?
Ian1 Premium Member join:2002-06-18 ON
2014-Apr-10 11:38 am
LastPass security check from the tools menu.
DownTheShore Pray for Ukraine Premium Member join:2003-12-02 Beautiful NJ
to EdmundGerber
Just checked the Pale Moon forum and it confirmed that it has been patched: "Heartbleed" vulnerability plugged.
by Admin » Tue Apr 08, 2014 6:37 pm
Just to let people know: All of Pale Moon's SSL-enabled services (forum login pages, XMPP server, etc. etc.) have been patched up to prevent exploitation of the heartbleed bug. » forum.palemoon.org/viewt ··· 2#p25202
SixOfNine Brake In A Ladylike Manner. Premium Member join:2001-08-30 Sterling, VA
1 recommendation
to planet
said by planet: SixofNine, how are you able to access the info in your screenshot?
What Ian1 said. Assuming that you're asking that as a fellow LastPass user, the Heartbleed check was added to their existing "security challenge," which provides a bunch of other useful information not related to Heartbleed.
to Zoder
Heartbeat has me confused. I can see the server end, that's plain. Does it attack through the browser and also read info on your computer like the normal malware that wants you to download it, or just the infected server? Does it get DNS? or just hunt for accounts and passwords?
I'm asking as I must have about 50 aliases and different passwords all over the place. Yahoo, XDA and Android Central are the only questionable ones. I started the Yahoo account years ago when we had dialup and have not changed or given Yahoo any personal info, unless they read groups and know I have a certain DSLR camera or a 60mm telescope. I have no contacts in Yahoo mail, and only use it for companies I think might spam. No other personal info. Now HB is snooping through Yahoo server, it's not getting the info easily. Now I am over here and this site is not a problem. It has a different login and password. Do I have to change passwords for all these forum accounts with no real personal info? Or does Justin have the right idea?
I only do banking on Kubuntu - if I don't use Yahoo on that computer and the bank is safe, why do I have to change that password? I don't sync any computer or cell phone. I mostly surf and do fora on W7. I don't sync anything. I use a USB stick from one computer to another. I have 2 OFFLINE XP boxes so I can't sync them and it's just easier to use the USB on all. Our home computers are not networked.
1 recommendation
to Boooost
said by Boooost: I thought open source was supposed to prevent this sort of thing.
Find. Not necessarily prevent. And it did. The many eyes found the problem, which was so obscure, no one noticed.
howardfine
to Link Logger
said by Link Logger: The next person who uses the phrase "many eyes make for shallow bugs" gets to buy drinks for everyone affected by the #OpenSSL bug.
Except 1) it wasn't a shallow bug and 2) the many eyes DID find it.
netboy34 Premium Member join:2001-08-29 Kennesaw, GA
to Zoder
We are waiting on VMware to release a patch (and we just updated to 5.5 two weeks ago), and internal scans also picked up some HP MFPs whose firmware is vulnerable as well. The main issue with that is talking to HP printer support to get it reported; it ended up with "upgrade your firewall, this isn't a printer issue. click"
GuruGuy Premium Member join:2002-12-16 Atlanta, GA
to Zoder
Tested » www.gmail.com at » www.ssllabs.com/ssltest/
Got two IP addresses. Clicked on the first one and it says not vulnerable to Heartbleed. Cert was issued: Valid from Wed Mar 12 09:51:57 UTC 2014. The second IP address was the same. How can it NOT be vulnerable if the cert hasn't been reissued?
GuruGuy
3 recommendations
to howardfine
said by howardfine: said by Link Logger: The next person who uses the phrase "many eyes make for shallow bugs" gets to buy drinks for everyone affected by the #OpenSSL bug. Except 1) it wasn't a shallow bug and 2) the many eyes DID find it.
2+ years later
GuruGuy
to Zoder
There are way too many media outlets and websites reporting conflicting information. It's just making the confusion all that much worse.
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC
2 recommendations
to Zoder
The Heartbleed Hit List: The Passwords You Need to Change Right Now » mashable.com/2014/04/09/ ··· ffected/
AsherN Premium Member join:2010-08-23 Thornhill, ON
1 recommendation
to carpetshark3
said by carpetshark3: Heartbeat has me confused. I can see the server end, that's plain. Does it attack through the browser and also read info on your computer like the normal malware that wants you to download it, or just the infected server? Does it get DNS? or just hunt for accounts and passwords?
Neither. It is not "active" malware. It was a bug in the heartbeat code in OpenSSL. The heartbeat goes like this: when idle, the client sends a request for a heartbeat to the web server, and the web server returns it, keeping the connection alive. The request contains 2 things: a payload of data, and the size of the payload. The bug was that you could send a 1K payload and claim a 64K size. The server would return a 64K payload: your 1K and the next 63K of the server memory. The returned data is random. It may contain user IDs and/or passwords, likely encrypted or hashed. It may contain the certificate decryption keys. You can't know what will come back. It gets nothing from the client; it just returns data from the server.
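An added, self-contained model of the exchange AsherN describes, written for this edit rather than taken from the thread or from OpenSSL. The message layout follows RFC 6520 (type, 2-byte payload length, payload, at least 16 bytes of padding); the "heap" contents after the record, the cookie and the key fragment are constructed, and the toy heap is only a few dozen bytes where a real server would hand back up to 64 KB of whatever followed.

```python
"""Toy model of the OpenSSL heartbeat over-read (CVE-2014-0160, "Heartbleed").

Added example; not code from the thread or from OpenSSL. The wire layout
matches RFC 6520's HeartbeatMessage; the heap contents are constructed.
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16

# Constructed stand-in for whatever happens to sit after the record in the
# server's heap: here a session cookie and the start of a private key.
HEAP_AFTER_RECORD = (
    b"Cookie: session=d34db33f; user=alice\r\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA"
)


def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Client side. A dishonest client sets claimed_len larger than the real payload."""
    claimed = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, claimed) + payload + b"\x00" * MIN_PADDING


def handle_request(record: bytes, patched: bool,
                   heap_after: bytes = HEAP_AFTER_RECORD) -> Optional[bytes]:
    """Server side. Returns the response record, or None if the request is discarded."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hbtype, claimed = struct.unpack("!BH", record[:3])
    if hbtype != HB_REQUEST:
        return None
    if patched and 1 + 2 + claimed + MIN_PADDING > len(record):
        # The 1.0.1g bounds check: the declared length must fit inside the
        # record that actually arrived; otherwise discard silently.
        return None
    # The bug: the response copies `claimed` bytes starting at the payload,
    # with no check that the record is that long, so the copy runs on into
    # whatever follows the record in memory.
    memory = record + heap_after
    payload = memory[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """What the client gets back, sized by the length field the server echoed."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


if __name__ == "__main__":
    honest = build_request(b"hello")
    print(response_payload(handle_request(honest, patched=False)))  # b'hello'
    evil = build_request(b"hello", claimed_len=200)
    leaked = response_payload(handle_request(evil, patched=False))
    print(leaked)  # b'hello', 16 zero bytes, then the cookie and key bytes
    print(handle_request(evil, patched=True))  # None
```

The honest request is answered identically by both versions; only the request whose declared length exceeds the record changes behaviour, which is why patching the server (not reissuing the certificate) is what stops the leak, and why reissuing the certificate is a separate step to deal with what may already have leaked.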
Fickey Terrorists target your backbone join:2004-05-31
to Mele20
said by Mele20: Did you also disable the bad cipher suite that the test site you reference says Fx 24 ESR uses? I could not pass the test until I also disabled that one SSL cipher suite.
I tried disabling TLS1.0 (as well as SSL3) and found that I can't connect to ebanking ... Yes, disabled the mentioned cipher, but left SSL3 as the min because I was leery of what you experienced (and I'm not smart enough to eschew SSL3, etc).
GuruGuy Premium Member join:2002-12-16 Atlanta, GA
to siljaline
Looking at your link, I'll say it again as I did above. I tested gmail earlier and the cert date was March 12th. If gmail has "fixed" the problem, why is the cert not updated?
to howardfine
said by howardfine: said by Link Logger: The next person who uses the phrase "many eyes make for shallow bugs" gets to buy drinks for everyone affected by the #OpenSSL bug. Except 1) it wasn't a shallow bug and 2) the many eyes DID find it.
The quote refers to the fact that with the supposed "many eyes" such "deep" bugs become "shallow". Your statement further reinforces that this is in fact not true. Yes, the "many eyes" did find it. Well over 2 years later.
dib22 join:2002-01-27 Kansas City, MO
to GuruGuy
said by GuruGuy: Looking at your link, I'll say it again as I did above. I tested gmail earlier and the cert date was March 12th. If gmail has "fixed" the problem, why is the cert not updated?
I am wondering the same... notice that google doesn't even recommend changing passwords... until they release a statement as to why... we can guess? I am guessing that they tested and on their weird mesh networking system it never kicked out cert details or username/passwords? I mean the google web systems are not like normal single boxen... they are running on a mesh os.
sivran Vive Vivaldi Premium Member join:2003-09-15 Irving, TX
to Shady Bimmer
So howardfine owes a bunch of people a round of drinks? @howard: I prefer Murphy's, but I'll take Michelob if you're strapped after buying so many drinks.
justin ..needs sleep Mod join:1999-05-28
to Chubbzie
said by Chubbzie: As more areas analyze their logs we might indeed be capable of discerning how long this vulnerability has been targeted in the wild.
The flip side of this is that after a week or two if nobody puts their hand up with *clear* evidence, then people (on the server side) can stop worrying about what walked out the door and people on the user side can stop thinking someone has their passwords. Because this isn't subtle. It would be very clearly in logs, visible retrospectively, for anyone that logged packet sizes, ports and headers, over time.
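An added example, not from the thread, of the retrospective check justin describes and the kind of rule Link Logger mentions Snort shipping: run over logged TLS records, it flags heartbeat requests whose declared payload length does not fit in the record that carried them (the same arithmetic as the OpenSSL 1.0.1g fix) and heartbeat responses far too large to be an honest echo, then counts probes per source. The log format, addresses, timestamps and records are all constructed here so it runs offline; the 1024-byte response threshold is a heuristic chosen for the example, not a protocol value.

```python
"""Retrospective scan of logged TLS records for Heartbleed (CVE-2014-0160) probes.

Added example, not from the thread. Assumes a packet logger kept, per TLS
record, a timestamp, both endpoints and the raw record as hex. The log lines
are constructed below so the script runs offline; every address, port and
timestamp is made up.
"""
import struct
from collections import Counter
from typing import List, Optional, Tuple

TLS_HEARTBEAT = 0x18
TLS_APPDATA = 0x17
HB_REQUEST, HB_RESPONSE = 1, 2
# Heuristic for the example, not a protocol constant: honest clients echo
# small payloads, so a heartbeat reply this big is worth a second look.
BIG_RESPONSE = 1024


def tls_record(content_type: int, body: bytes, version: int = 0x0302) -> bytes:
    """TLS record header (type, version, length) followed by the body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def heartbeat(hbtype: int, payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """RFC 6520 HeartbeatMessage; claimed_len lets us forge the length field."""
    claimed = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", hbtype, claimed) + payload + b"\x00" * 16


# Constructed log, one record per line: "<ts> <src> -> <dst> <hex TLS record>"
LOG = [
    # ordinary application data: ignored
    "2014-04-09T03:11:58Z 192.0.2.10:51022 -> 203.0.113.5:443 "
    + tls_record(TLS_APPDATA, b"GET / HTTP/1.1").hex(),
    # honest heartbeat: declared length matches the payload
    "2014-04-09T03:12:01Z 192.0.2.11:40311 -> 203.0.113.5:443 "
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, b"ping")).hex(),
    # probe: 3-byte message, no payload, no padding, claims 16384 bytes
    "2014-04-09T03:12:07Z 198.51.100.7:44102 -> 203.0.113.5:443 "
    + tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000)).hex(),
    # an unpatched server answering that probe with kilobytes of memory
    "2014-04-09T03:12:07Z 203.0.113.5:443 -> 198.51.100.7:44102 "
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, b"X" * 2000)).hex(),
    # same source, five minutes later, against a second host
    "2014-04-09T03:17:09Z 198.51.100.7:44190 -> 203.0.113.6:443 "
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, b"A", 0x4000)).hex(),
]


def parse_line(line: str) -> Tuple[str, str, str, int, bytes]:
    ts, src, _, dst, hexrec = line.split()
    rec = bytes.fromhex(hexrec)
    ctype, _version, length = struct.unpack("!BHH", rec[:5])
    return ts, src, dst, ctype, rec[5:5 + length]


def classify(ctype: int, body: bytes) -> Optional[str]:
    """Label one TLS record, or return None if it looks benign."""
    if ctype != TLS_HEARTBEAT:
        return None
    if len(body) < 3:
        return "truncated_heartbeat"
    hbtype, claimed = struct.unpack("!BH", body[:3])
    if hbtype == HB_REQUEST:
        # header (1 + 2) + declared payload + minimum padding must fit the record
        if 1 + 2 + claimed + 16 > len(body):
            return "malformed_heartbeat_request"
        return None
    if hbtype == HB_RESPONSE and len(body) > BIG_RESPONSE:
        return "oversized_heartbeat_response"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(timestamp, source address, destination, label) for every suspicious record."""
    findings = []
    for line in lines:
        ts, src, dst, ctype, body = parse_line(line)
        label = classify(ctype, body)
        if label:
            findings.append((ts, src.rsplit(":", 1)[0], dst, label))
    return findings


def probing_sources(findings) -> Counter:
    """How many malformed requests each source sent: the scanner shortlist."""
    return Counter(src for _, src, _, label in findings
                   if label == "malformed_heartbeat_request")


if __name__ == "__main__":
    results = scan(LOG)
    for finding in results:
        print(*finding)
    print(dict(probing_sources(results)))
```

The request-side check needs only the record bytes, so it works on captures from before the disclosure as long as the logger kept whole records; the response-side check is what tells you whether the server actually answered, which is the part a site owner needs before deciding what "walked out the door".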
Snowy Lock him up!!! Premium Member join:2003-04-05 Kailua, HI
2014-Apr-10 7:50 pm
said by justin: The flip side of this is that...
Playing the devil's advocate... The flip side of that is I don't see IT security rushing to the podium declaring: "Yes, we've (you) probably been compromised"
to GuruGuy
said by GuruGuy: There are way too many media outlets and websites reporting conflicting information. It's just making the confusion all that much worse.
Lots of news reporters have been calling it a virus rather than a bug. All my coworkers are afraid of catching it now and want to protect their computer from it.
justin ..needs sleep Mod join:1999-05-28
3 recommendations
to Snowy
I'm not expecting a company at risk of lawsuits to step up, but there are a ton of open source groups, researchers, and even a few honest companies who I would say, for the greater good, yes it appears it was used. And we only need one to disprove the optimistic proposition that the exploit was not known.
PS: have we democratically decided the NSA (taxpayer funded) has absolutely no obligation to report problems this widespread, if it finds them first? By keeping them secret are they not doing more damage to other branches of the government and the economy? Secure infrastructure is sort of fundamental to everything; can they really float above it simply because it makes their job easier? Is this page just an empty gesture? » www.nsa.gov/ia/mitigatio ··· ts.shtml
Snowy Lock him up!!! Premium Member join:2003-04-05 Kailua, HI
2014-Apr-10 8:32 pm
said by justin: I'm not expecting a company at risk of lawsuits to step up, but there are a ton of open source groups, researchers, and even a few honest companies who I would say for the greater good, yes it appears it was used.
From analysis to legal to marketing to disclosure,... that's a process that hasn't necessarily had the time to run its course.
said by justin: And we only need one to disprove the optimistic proposition that the exploit was not known.
Getting back to the 'process', that one had better be damned sure of it too. I wouldn't expect to find anything there that couldn't be leveraged by the NSA in the absence of being there.
to justin
said by justin: It would be very clearly in logs, visible retrospectively, for anyone that logged packet sizes, ports and headers, over time.
And how many folks have logging enabled, keep logs, look at logs or even understand logs? Snort just added some rules around this today, so perhaps those folks will let us know how active this attack is. If admins actually enabled, kept, looked at and understood their logs, this attack might have been discovered a long time ago, but it wasn't, which means most admins don't log. To use the same argument you have about seeing no Heartbleed damage, I don't see any evidence that the NSA is behind this security train wreck.
Blake
OZO Premium Member join:2003-01-17
2014-Apr-10 9:56 pm
to justin
said by justin: PS: have we democratically decided the NSA (taxpayer funded) has absolutely no obligation to report problems this widespread, if it finds them first? By keeping them secret are they not doing more damage to other branches of the government and the economy? secure infrastructure is sort of fundamental to everything can they really float above it simply because it makes their job easier?
It's a very good point. I think we all are creating an image of the NSA as an agency that is allowed to do everything it wants without any report to the public (who BTW is funding it). IMHO, it's a very dangerous tendency and it should be stopped ASAP...
Snowy Lock him up!!! Premium Member join:2003-04-05 Kailua, HI
to Link Logger
said by Link Logger: If admins actually enabled, kept, looked at and understood their logs, this attack might have been discovered a long time ago, but it wasn't which means most admins don't log.
"...which means most admins don't log."
Your argument is contradictory.
1. On one level you argue that many admins either don't understand the logs or don't actively analyze them, which I tend to agree with.
2. But you can't also conclude that most admins don't enable logging as the reason this could have flown under the radar. It's simply not possible to not understand or not analyze logging that isn't enabled.
to Zoder
Here's another list of sites. » mashable.com/2014/04/09/ ··· ffected/
Includes some financial sites. (Best source for financial sites is a statement from the company itself on its own website, I think.)
Snowy Lock him up!!! Premium Member join:2003-04-05 Kailua, HI
to jaykaykay
It's almost like a teenager declaring "Well Johnny did it too..." when justifying an action or inaction that we've all come to expect as normal teenage behavior, but Yahoo! playing that game?
"Developers rushed out patches to fix affected web servers when they disclosed the problem, which affected companies from Amazon.com Inc and Google Inc to Yahoo Inc."
Note how Yahoo! mentions Google & Amazon as being affected before it named themselves in the release. Grow up Yahoo!