Massive Security Bug In OpenSSL


102 replies to this topic

#1 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,867 posts

Posted 08 April 2014 - 11:28 PM

This is big. Updated today in Debian Wheezy and hopefully all of the world's Linux servers will be updated asap.

Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet

Quote

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”
The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#2 OFFLINE   Temmu

Temmu

    The Assimilator

  • Forum MVP
  • 12,546 posts

Posted 09 April 2014 - 02:18 AM

holy cow, batman!
what is scary about the patch release is how many people will bother to apply it!


thx for the notification and article, sunrat!

#3 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 09 April 2014 - 08:19 AM

Isn't this the same one that was fixed or a new one?
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#4 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,867 posts

Posted 09 April 2014 - 09:09 AM

New one. Announced and emergency patch released by the OpenSSL team yesterday. Fixed in Debian today. It's all in the linked article which contains further links for more detail.

There was also a security update for OpenSSH four days ago. Unrelated, I think.

#5 OFFLINE   crp

crp

    Discussion Deity

  • Members
  • 3,159 posts

Posted 09 April 2014 - 04:03 PM

Will an administrator please combine this with http://forums.scotsn...showtopic=69052
Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

#6 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,383 posts

Posted 09 April 2014 - 05:50 PM

Let's leave both threads for now to ensure everyone gets the message, particularly since there is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password.

See The Heartbleed Bug, explained - Vox

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#7 OFFLINE   raymac46

raymac46

    Discussion Deity

  • Forum MVP
  • 3,951 posts

Posted 09 April 2014 - 06:18 PM

Canada Revenue has temporarily shut down the country's netfiling system for income tax returns. They hope to have everything back to normal by the weekend. Canadian banks have confirmed that they are not affected.

#8 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,383 posts

Posted 09 April 2014 - 06:19 PM

Check sites here: LastPass - LastPass Heartbleed checker.

Also, if you use LastPass, see The LastPass Blog: LastPass Now Checks If Your Sites Are Affected by Heartbleed

#9 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,683 posts

Posted 09 April 2014 - 06:42 PM

So, the NSA has all my passwords? I'm shocked. :(

#10 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 09 April 2014 - 07:25 PM

Sigh...

#11 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 09 April 2014 - 07:32 PM

Also if you use LastPass: LastPass and the Heartbleed Bug:

Quote

With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

More in the article.

#12 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,867 posts

Posted 09 April 2014 - 07:55 PM

crp, on 09 April 2014 - 04:03 PM, said:

Will an administrator please combine this with http://forums.scotsn...showtopic=69052
I intentionally started both, one in BATL because of the Debian security update and in Security for those who don't read BATL.

#13 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,383 posts

Posted 09 April 2014 - 08:28 PM

zlim added these at another site:

Quote

Another checker
https://github.com/m...er/top10000.txt

or head to filehippo and type in an url for a site here
http://filippo.io/Heartbleed/

#14 OFFLINE   Temmu

Temmu

    The Assimilator

  • Forum MVP
  • 12,546 posts

Posted 10 April 2014 - 09:57 AM

sunrat, on 09 April 2014 - 07:55 PM, said:

I intentionally started both, one in BATL because of the Debian security update and in Security for those who don't read BATL.

yes, around here, that is a good idea, as many in the batl section never leave it to read elsewhere & vice versa.

#15 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 10 April 2014 - 04:27 PM

Here is a TECHNICAL explanation of the bug. :)

How Heartbleed Works: The Code Behind the Internet's Security Nightmare- Gizmodo

I am surprised to have found this explanation on Gizmodo. They are not known for their quality content.

Adam
I don't suffer from insanity, I enjoy it.

#16 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,683 posts

Posted 11 April 2014 - 03:57 PM

A bad situation just got worse...

http://tools.cisco.c...0409-heartbleed

#17 OFFLINE   ebrke

ebrke

    Board Bigwig

  • Forum MVP
  • 2,859 posts

Posted 11 April 2014 - 08:23 PM

Good grief :'(

#18 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,683 posts

Posted 11 April 2014 - 08:41 PM

Yeah... it's really scary when you think of the number of Cisco (and non-Cisco) routers out there in the wild worldwide that utilize this software and... AND the fact that many don't even have active admins keeping a watch on them. Many routers are static. They sit in network closets of homes, businesses, schools, etc. for years without being accessed by an admin. They're only remembered when there's a problem. SCARY! :o

#19 OFFLINE   raymac46

raymac46

    Discussion Deity

  • Forum MVP
  • 3,951 posts

Posted 12 April 2014 - 08:00 AM

If you have a D-Link router here's a good place to start.
http://securityadvis...x?name=SAP10022

Turns out my router is OK. I don't have any remote access enabled either.

#20 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 12 April 2014 - 08:12 AM

V.T. Eric Layton, on 11 April 2014 - 03:57 PM, said:

A bad situation just got worse...

http://tools.cisco.c...0409-heartbleed

Sheesh! They should just give the names of the NON-vulnerable ones...that list is considerably smaller.

Linksys Routers (now owned by Belkin) are not vulnerable:

http://community.lin...ity/td-p/807314

Quote

We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted.  Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.


#21 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 12 April 2014 - 08:15 AM

Engadget confirms Heartbleed bug affects routers too:

http://www.engadget....ng-routers-too/

And that ones like Linksys are not affected since they "don't use the affected versions of OpenSSL".

Also confirms that Cisco and Juniper Networks are working on patches. Obviously not out there yet though.

#22 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 12 April 2014 - 08:27 AM

Belkin routers also safe:

https://getsatisfact...rability-1aevo1

Some other Cisco products were also affected: Cisco IP phones, some versions of WebEx, some versions of Juniper Networks VPN, Cisco's AnyConnect Secure Mobility Client app for iOS, and one type of Cisco software that runs Internet switches, according to this article at CNN Money:

http://money.cnn.com...eartbleed-gear/

Quote

That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.

From the same article, they indicate that Netgear has not made any comment about their routers as yet.

Next time you need a new router, which one would you choose? I would choose the ones not affected first of course, but I would not trust the ones that are not speaking up to make people aware of the problems they have been dealing with for two years now.

DD-WRT router software is also vulnerable apparently and it has to be rebuilt, not just restarted:

http://www.dd-wrt.co...09a7e5b791fbfca

#23 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 12 April 2014 - 08:31 AM

Posted a blog posting about this here:

Heartbleed, OpenSSL and Perfect Forward Secrecy - FransComputerServices Blog

According to an article at Mashable where there is a Hit List posted in a table:

Some big names that you might be happy to hear were not affected, according to the Mashable article; the following were NOT hit:

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

Like earlier, the NOT hit ones are likely easier to name...

#24 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 12 April 2014 - 10:08 AM

LilBambi, on 12 April 2014 - 08:27 AM, said:

DD-WRT router software is also vulnerable apparently and it has to be rebuilt, not just restarted:

http://www.dd-wrt.co...09a7e5b791fbfca

Yikes!

Adam

#25 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,686 posts

Posted 12 April 2014 - 10:26 AM

And if you thought all the above was pretty shocking then read on,

http://www.theregist...may_be_illegal/


Quote

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.

Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.

Testing to see what version of OpenSSL a site is running, and whether it also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law.

You got to laugh :devil:
Install ARCH
You'll never need to install it again
"I did and I'm really happy"
