sunrat, posted April 9, 2014: This is big. Updated today in Debian Wheezy and hopefully all of the world's Linux servers will be updated asap. Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet. I saw a t-shirt one time. "I'm a bomb disposal technician," it read. "If you see me running, try to keep up." The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it's probably an okay time to worry.

Guest LilBambi, posted April 9, 2014: Isn't this the same one that was fixed or a new one?

sunrat, posted April 9, 2014: New one. Announced and emergency patch released by the OpenSSL team yesterday. Fixed in Debian today. It's all in the linked article which contains further links for more detail. There was also a security update for OpenSSH four days ago. Unrelated, I think.

crp, posted April 9, 2014: Will an administrator please combine this with http://forums.scotsnewsletter.com/index.php?showtopic=69052

Corrine, posted April 9, 2014: Let's leave both threads for now to ensure everyone gets the message, particularly since there is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password. See The Heartbleed Bug, explained - Vox

raymac46, posted April 9, 2014: Canada Revenue has temporarily shut down the country's netfiling system for income tax returns. They hope to have everything back to normal by the weekend. Canadian banks have confirmed that they are not affected.

Corrine, posted April 9, 2014: Check sites here: LastPass - LastPass Heartbleed checker. Also, if you use LastPass, see The LastPass Blog: LastPass Now Checks If Your Sites Are Affected by Heartbleed

V.T. Eric Layton, posted April 9, 2014: So, the NSA has all my passwords? I'm shocked.

Guest LilBambi, posted April 9, 2014: Sigh...

Guest LilBambi, posted April 9, 2014: Also if you use LastPass: LastPass and the Heartbleed Bug: With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we're taking to protect our customers. In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys. More in the article.
sunrat, posted April 9, 2014:
> Will an administrator please combine this with http://forums.scotsn...showtopic=69052
I intentionally started both, one in BATL because of the Debian security update and in Security for those who don't read BATL.

Corrine, posted April 10, 2014: zlim added these at another site: Another checker: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt or head to filippo.io and type in a URL for a site here: http://filippo.io/Heartbleed/

ross549, posted April 10, 2014: Here is a TECHNICAL explanation of the bug. How Heartbleed Works: The Code Behind the Internet's Security Nightmare - Gizmodo. I am surprised to have found this explanation on Gizmodo. They are not known for their quality content. Adam

V.T. Eric Layton, posted April 11, 2014: A bad situation just got worse... http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

ebrke, posted April 12, 2014: Good grief :'(

V.T. Eric Layton, posted April 12, 2014: Yeah... it's really scary when you think of the number of Cisco (and non-Cisco) routers out there in the wild worldwide that utilize this software and... AND the fact that many don't even have active admins keeping a watch on them. Many routers are static. They sit in network closets of homes, businesses, schools, etc. for years without being accessed by an admin. They're only remembered when there's a problem. SCARY!

raymac46, posted April 12, 2014: If you have a D-Link router here's a good place to start. http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022 Turns out my router is OK. I don't have any remote access enabled either.

Guest LilBambi, posted April 12, 2014:
> A bad situation just got worse... http://tools.cisco.c...0409-heartbleed
Sheesh! They should just give the names of the NON-vulnerable ones... that list is considerably smaller. Linksys Routers (now owned by Belkin) are not vulnerable: http://community.linksys.com/t5/Wireless-Routers/UPDATE-Heartbleed-OpenSSL-Vulnerability/td-p/807314 "We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability."

Guest LilBambi, posted April 12, 2014: Engadget confirms Heartbleed bug affects routers too: http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/ And that ones like Linksys are not affected since they "don't use the affected versions of OpenSSL". Also confirms that Cisco and Juniper Networks are working on patches. Obviously not out there yet though.

Guest LilBambi, posted April 12, 2014: Belkin routers also safe: https://getsatisfaction.com/belkinrouters/topics/update_heartbleed_openssl_vulnerability-1aevo1 Some other Cisco products were also affected: Cisco IP phones, some versions of WebEx, some versions of Juniper Networks VPN, Cisco's AnyConnect Secure Mobility Client app for iOS, and one type of Cisco software that runs Internet switches, according to this article at CNN Money: http://money.cnn.com/2014/04/11/technology/security/heartbleed-gear/ "That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked." From the same article, they indicate that Netgear has not made any comment about their routers as yet. Next time you need a new router, which one would you choose? I would choose the ones not affected first of course, but I would not trust the ones that are not speaking up to make people aware of the problems they have been dealing with for two years now. DD-WRT router software is also vulnerable apparently and it has to be rebuilt, not just restarted: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=890437&sid=91f2733c19ba7a64809a7e5b791fbfca

Guest LilBambi, posted April 12, 2014: Posted a blog posting about this here: Heartbleed, OpenSSL and Perfect Forward Secrecy - FransComputerServices Blog. According to an article at Mashable where there is a Hit List posted in a table, some big names that you might be happy to hear were NOT hit: Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more. Like earlier, the NOT hit ones are likely easier to name...

ross549, posted April 12, 2014:
> DD-WRT router software is also vulnerable apparently and it has to be rebuilt, not just restarted: http://www.dd-wrt.co...09a7e5b791fbfca
Yikes! Adam

abarbarian, posted April 12, 2014: And if you thought all the above was pretty shocking then read on: http://www.theregister.co.uk/2014/04/11/heartbleed_health_checking_services_may_be_illegal/ "Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission. Testing to see what version of OpenSSL a site is running, and whether it also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law." You got to laugh
securitybreach, posted April 12, 2014:
> DD-WRT router software is also vulnerable apparently and it has to be rebuilt, not just restarted: http://www.dd-wrt.co...09a7e5b791fbfca
Well I just checked my ddwrt router and I have version 0.9.7m-6 installed. Since heartbleed affected version 1.0.1 through 1.0.1f, ddwrt (mine) is not vulnerable.
root@Baphomet:~# ipkg-opt install openssl
Package openssl (0.9.7m-6) installed in root is up to date.

Guest LilBambi, posted April 12, 2014: Not so sure about that Josh, http://www.openssl.org/news/secadv_20140407.txt

securitybreach, posted April 12, 2014:
> Not so sure about that Josh, http://www.openssl.o...dv_20140407.txt
That link says: "Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1."

Guest LilBambi, posted April 12, 2014: Yes, and it also says, "Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2." So you are saying that even though your version is OLDER than 1.0.1 that yours is OK, even though it says should upgrade to 1.0.1g and that 1.0.2 will be fixed in 1.0.2-beta2?
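The exchange above turns on reading a version string against the advisory's affected range, which is easy to get wrong by eye (note the "1.01.f" slip earlier in the thread). The following Python is an added example, not code from any poster or from the OpenSSL project: it parses the version formats seen in this thread (a bare release like 1.0.1f, a package string like 0.9.7m-6, a beta like 1.0.2-beta1, and the first line of `openssl version` output) and classifies them using only the ranges stated in the linked advisory. The function and constant names are mine; the sample strings are constructed to mirror the ones quoted in the posts. The "not_affected" bucket for anything below 1.0.1 reflects the fact that those branches predate the TLS heartbeat extension code, which is why the 0.9.7m build quoted above is outside the affected range.

```python
import re
import subprocess
from typing import Optional, Tuple

# Ranges from the advisory linked in the thread (secadv_20140407):
# 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix.
# Releases before 1.0.1 do not contain the TLS heartbeat extension code at all.
FIXED_101_LETTER = "g"   # first fixed 1.0.1 patch letter (hypothetical constant name)
FIXED_102_BETA = 2       # first fixed 1.0.2 beta number (hypothetical constant name)

# Matches "1.0.1f", "0.9.7m-6" (the "-6" package revision is ignored), "1.0.2-beta1",
# and versions embedded in command output such as "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Return (major, minor, fix, patch_letter, beta_number), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta is not None else None)


def heartbleed_status(text: str) -> str:
    """Classify a version string against the advisory's affected range.

    Returns "affected", "fixed", "not_affected" (branch never shipped the heartbeat
    code), or "unknown" (no parseable version in the input).
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "not_affected"
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        # An empty letter sorts before "g", so the plain 1.0.1 release is caught too.
        return "affected" if letter < FIXED_101_LETTER else "fixed"
    if branch == (1, 0, 2):
        # Only 1.0.2-beta1 was affected; beta2 onward (and the eventual final release) are fixed.
        if beta is not None and beta < FIXED_102_BETA:
            return "affected"
        return "fixed"
    return "fixed"  # 1.0.3+, 1.1.x and later never shipped the bug


def check_local_openssl() -> str:
    """Classify the OpenSSL command-line binary on this host by running `openssl version`."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(out)


# Constructed sample inputs modelled on the strings quoted in the thread (not real host data).
SAMPLES = {
    "Package openssl (0.9.7m-6) installed in root is up to date.": "not_affected",
    "OpenSSL 1.0.1e 11 Feb 2013": "affected",
    "1.0.1f": "affected",
    "1.0.1g": "fixed",
    "1.0.2-beta1": "affected",
    "1.0.2-beta2": "fixed",
    "no version here": "unknown",
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        result = heartbleed_status(line)
        print(f"{result:13} {'ok' if result == expected else 'MISMATCH'}  {line}")
    print("local openssl binary:", check_local_openssl())
```

Two caveats apply when using a check like this on your own hosts. Distributions that backport fixes (the Debian update mentioned at the top of the thread is that kind of update) keep the upstream version string, so a host reporting 1.0.1e can already be patched; the package changelog or the distribution's advisory is the authority there. Likewise a library rebuilt with -DOPENSSL_NO_HEARTBEATS, as the advisory suggests for those who cannot upgrade, still reports its old version. Run the check on systems you administer, and treat "affected" as a prompt to consult the vendor or distribution advisory rather than as a final verdict.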
V.T. Eric Layton, posted April 12, 2014: Hmm... makes me wonder about all the ISP provided routers out there, like my Verizon Westell, for instance. Let's face it. The Internet is broken. We'll have to tear it all down and start again. This time it will only work with Linux operating systems, though.
ebrke, posted April 12, 2014:
> Let's face it. The Internet is broken. We'll have to tear it all down and start again. This time it will only work with Linux operating systems, though.
I've about given up. I no longer have the time, energy or patience to deal with most of this. My D-Link router appears to be unaffected, probably because it's really old. If I can't get enough time to attempt a network install of openSUSE 13.1 soon on this XP machine, I'll have to shut it down and start sharing the Win 7 laptop I just got for my mother.