Jump to content

Massive Security Bug In OpenSSL

sunrat

By sunrat
in Security & Networking

 Share

Recommended Posts

  • Replies 98
  • Created
  • Last Reply

Top Posters In This Topic

  • ross549

    26

  • V.T. Eric Layton

    16

  • crp

    6

  • sunrat

    5

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

sunrat
sunrat

This is big. Updated today in Debian Wheezy and hopefully all of the world's Linux servers will be updated asap.   Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet  

sunrat
sunrat

I intentionally started both, one in BATL because of the Debian security update and in Security for those who don't read BATL.

ross549
ross549

Here is a TECHNICAL explanation of the bug.   How Heartbleed Works: The Code Behind the Internet's Security Nightmare- Gizmodo   I am surprised to have found this explanation on Gizmodo. They are

ross549

ross549

Posted
Posted

We will never know if this remains a he said/she said situation. There needs to be evidence of some sort that proves it.

 

Let's talk about the steps needed to exploit this hole, despite it not being discussed very much in the "news."

 

This heartbeat is a UDP/IP protocol addition to the TLS suite.

 

I presume for the server to respond to the heartbeat that it would need to have a UDP TLS session active. This would not be difficult to set up. Once the session was created on UDP, I presume a malformed heartbeat could them be sent and get the 64K of data.

 

This is my limited understanding of how this works. Am I way off base here?

 

EDIT: Of COURSE the NSA denies it. Did we expect anything else? Their response is meaningless.

 

Adam

  • Like 1
Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Heartbleed bug: Check which sites have been patched - CNET

 

We compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched.

 

The Heartbleed Hit List: The Passwords You Need to Change Right Now - Mashable

 

Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable.

 

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you'll need to change the password everywhere. It's not a good idea to use the same password across multiple sites, anyway.

 

We'll keep updating the list as new information comes in.

Link to comment
Share on other sites
crp

crp

Posted
Posted

We will never know if this remains a he said/she said situation. There needs to be evidence of some sort that proves it.

 

Let's talk about the steps needed to exploit this hole, despite it not being discussed very much in the "news."

 

This heartbeat is a UDP/IP protocol addition to the TLS suite.

 

I presume for the server to respond to the heartbeat that it would need to have a UDP TLS session active. This would not be difficult to set up. Once the session was created on UDP, I presume a malformed heartbeat could them be sent and get the 64K of data.

 

This is my limited understanding of how this works. Am I way off base here?

 

EDIT: Of COURSE the NSA denies it. Did we expect anything else? Their response is meaningless.

 

Adam

to get the exploited data, a legit user needs to log in and then your 'empty' has to be next login processed. If the 'empty' is being processed at same time as other login- if there is any overlap - then the exploit will not return enough usefull data. It is not clear if the memory range is not able to be overwritten by other processes nor is it clear how to guarantee the block of data the 'empty' gets back is all related to the login keyexchange process. in addition, if DDOS prevention is in place this will be much harder to pull off as the repeated attempts to get a clean 'empty' process would take some repetition.

 

Question: why are sites reporting what version of OpenSSL are being used to begin with? ie: why is such query allowed? how many other things are being queried about my company servers that I don't know about?

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

One of the key points about this exploit is that you have no idea what you will get. It will be up to 64KB of memory. In the original discovery and test attacks, SSL/TLS keys were recovered from outside a production server.

 

Adam

Link to comment
Share on other sites
ebrke

ebrke

Posted
Posted (edited)

For administration pages. They always encourage people to use https for configuration administration pages.

Of course, makes sense now that someone told me. Can't seem to access my router that way, though, but it's pretty old and not one of the ones DLink said were affected, so probably doesn't have the libs. Edited by ebrke
Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Bruce Schneier discusses Heartbleed on TWiT:

 

 

(~17 min)

 

I did have a moment to think on the toilet this morning.... Assuming the NSA wanted to exploit SSL (duh), and they have the smart people to find these kinds of bugs (duh), they would have exploited it if they had found it. This would have popped up in the Snowden leaks, right? This would have been a prominent effort to decrypt the bulk encrypted data they have presumably collected. It would have been a huge revelation to expose, but since it was not disclosed, perhaps the NSA were not doing it.

 

Just a thought.

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Have all the Snowden leaks been made public as yet? I think not. Would be good to see if there was any discussion about that in what was obtained. Of course he didn't get everything.

 

With the lies and lies upon lies, I find it very hard to trust anything from the government any more, sadly. And I would certainly not be defending them without any true knowledge. Their word is not enough IMHO.

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Bruce Schneier discusses Heartbleed on TWiT:

 

http://www.youtube.com/watch?v=Yokzan4k0Qw

 

(~17 min)

 

I did have a moment to think on the toilet this morning.... Assuming the NSA wanted to exploit SSL (duh), and they have the smart people to find these kinds of bugs (duh), they would have exploited it if they had found it. This would have popped up in the Snowden leaks, right? This would have been a prominent effort to decrypt the bulk encrypted data they have presumably collected. It would have been a huge revelation to expose, but since it was not disclosed, perhaps the NSA were not doing it.

 

Just a thought.

 

Adam

 

Here's the page for this TWiT show; there is also audio available for those of us who have issues with streaming video bandwidth wise and all the links to the stories they talk about:

 

This Week in Tech 453

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

in case you wonder why the private key is important, it is because, owning that, you can authoritatively state, i am indeed that website. (read, successful fishing attack on your browser.)

 

Exactly. This is why revoking certificates (and making sure your browser follows suit- see other thread) is so important. There's no way to know if the cert is valid or not.

 

Here's another trick. You can look at the certificate date for the sites you visit. If the cert was issued after last Monday the 7th, it is likely the website was vulnerable and patched themselves. TIme to change your password!

 

Adam

Link to comment
Share on other sites
V.T. Eric Layton

V.T. Eric Layton

Posted
Posted

 

I did have a moment to think on the toilet this morning...

 

Be careful what you think in there. The NSA has your iToilet under surveillance, iAdam.

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Yes... and it doesn't surprise me one bit...

 

My toilet is Ethernet-only.

 

Adam

 

:hysterical:

 

I would have thought you would use a VPN for that. ;)

Link to comment
Share on other sites
V.T. Eric Layton

V.T. Eric Layton

Posted
Posted

 

I would have thought you would use a VPN for that. ;)

 

HAHAHAHA! :lol:

 

Please don't squeeze the network. ;)

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Yeah, I suppose I don't want the big utility company to know what I had for dinner. Data breaches are a HUGE problem.

 

Adam

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

OK, now that Eric has dragged this :offtopic:, time to get back on topic. :D

 

Vicious Heartbleed bug bites millions of Android phones, other devices

 

 

Something to consider. It's not just the servers that are vulnerable, but also end users who use openssl in their browser. Admittedly, the number is small, but those running Android 4.1.1 or 4.2.2 may be vulnerable.

 

Also, Blackberry Messenger is vulnerable. Update your apps!

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

From the article,

 

Because Android is frequently customized for specific devices or manufacturers, it's possible some versions besides 4.1.1 and 4.2.2 are vulnerable. For that reason, Android users should download Heartbleed Detector, a free app developed by Lookout. In the vast majority of the tests Ars carried out, it found various Android versions contained a vulnerable version of OpenSSL, but that the Heartbeat extension that hosts the coding bug wasn't enabled, making the devices immune to attack. The sole exception was when Ars executed the app on a handset running version 4.1.1, which returned the screenshot below.

 

BOLD emphasis mine.

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

If you are concerned about Heartbleed vulnerabilities, there are two things you can do to make sure you are safe.

 

1. Go to http://ssllabs.com and check the site you are interested in. They have a Heartbleed checking tool built in.

2. Examine the security certificate for the site you are interested in. If it was issued after Monday of last week Monday, April 7, it is likely the site was vulnerable and fixed the issue.

 

Note: The SSL Labs report on a site's SSL security will also give you the certificate issue date.

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Fran, are you sure the app is safe?

 

I looked at this for FF

https://addons.mozil...tbleed-checker/

but since it has not been reviewed by Mozilla, I backed away from installing it.

There are just too many bogus apps and addons that either do nothing or do harm to a device.

 

Hi Liz,

 

Yes, Lookout is a good company and has a very good reputation in the Google Play Store.

Link to comment
Share on other sites
raymac46

raymac46

Posted
Posted

BTW the RCMP have nailed the perpetrator of the Heartbleed affair at Canada Revenue. 19 year old script kiddie, computer science student at University of Western Ontario. Did not cover his tracks very well. :oops:

His dad is a computer science prof so the kid should have known better, or at least how to cover his tracks better. :rolleyes:

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Alas, since there is no way to tell when a site is attacked (to my knowledge it leaves no traces), we have no way to know whether a site we've visited/registered for has been compromised or not.

 

Adam

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...