Guest LilBambi (Posted April 13, 2014): NSA denies Report that Agency knew and exploited Heartbleed Vulnerability - HackerNews
Guest LilBambi (Posted April 13, 2014): A government that has lied so many times is really hard to believe about anything, whether it is true or not.
ross549 (Posted April 13, 2014): We will never know if this remains a he said/she said situation. There needs to be evidence of some sort that proves it. Let's talk about the steps needed to exploit this hole, despite it not being discussed very much in the "news." This heartbeat is a UDP/IP protocol addition to the TLS suite. I presume for the server to respond to the heartbeat that it would need to have a UDP TLS session active. This would not be difficult to set up. Once the session was created on UDP, I presume a malformed heartbeat could then be sent and get the 64K of data. This is my limited understanding of how this works. Am I way off base here? EDIT: Of COURSE the NSA denies it. Did we expect anything else? Their response is meaningless. Adam
Guest LilBambi (Posted April 13, 2014): Heartbleed bug: Check which sites have been patched - CNET. We compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched. The Heartbleed Hit List: The Passwords You Need to Change Right Now - Mashable. Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable. Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you'll need to change the password everywhere. It's not a good idea to use the same password across multiple sites, anyway. We'll keep updating the list as new information comes in.
crp (Posted April 13, 2014), quoting ross549: We will never know if this remains a he said/she said situation. There needs to be evidence of some sort that proves it. Let's talk about the steps needed to exploit this hole, despite it not being discussed very much in the "news." This heartbeat is a UDP/IP protocol addition to the TLS suite. I presume for the server to respond to the heartbeat that it would need to have a UDP TLS session active. This would not be difficult to set up. Once the session was created on UDP, I presume a malformed heartbeat could then be sent and get the 64K of data. This is my limited understanding of how this works. Am I way off base here? EDIT: Of COURSE the NSA denies it. Did we expect anything else? Their response is meaningless. Adam

To get the exploited data, a legit user needs to log in and then your 'empty' has to be the next login processed. If the 'empty' is being processed at the same time as another login, if there is any overlap, then the exploit will not return enough useful data. It is not clear if the memory range is not able to be overwritten by other processes, nor is it clear how to guarantee the block of data the 'empty' gets back is all related to the login key exchange process. In addition, if DDOS prevention is in place this will be much harder to pull off, as the repeated attempts to get a clean 'empty' process would take some repetition. Question: why are sites reporting what version of OpenSSL is being used to begin with? I.e., why is such a query allowed? How many other things are being queried about my company servers that I don't know about?
ross549 (Posted April 13, 2014): One of the key points about this exploit is that you have no idea what you will get. It will be up to 64KB of memory. In the original discovery and test attacks, SSL/TLS keys were recovered from outside a production server. Adam
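The malformed heartbeat the posts above reason about, as an added example written for this thread (not code from the thread or from OpenSSL): a C validator that applies the length check the vulnerable handler lacked, run over constructed sample records. The heartbeat extension runs over both TLS and DTLS records; TLS record framing is assumed here, and the verdict names and sample bytes are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire layout (RFC 6520 over TLS): record header type(1) version(2) length(2),
 * then heartbeat body: hb_type(1) payload_length(2) payload[] padding[>=16]. */
#define TLS_CT_HEARTBEAT 24
#define HB_MIN_PADDING   16

enum hb_verdict { HB_OK, HB_NOT_HEARTBEAT, HB_TRUNCATED, HB_LENGTH_MISMATCH };

/* Validate one TLS record of 'len' bytes. payload_length is a 16-bit field,
 * which is where the "up to 64K per request" figure in the thread comes from. */
enum hb_verdict check_heartbeat_record(const uint8_t *rec, size_t len)
{
    if (len < 5)
        return HB_TRUNCATED;
    if (rec[0] != TLS_CT_HEARTBEAT)
        return HB_NOT_HEARTBEAT;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    /* The body must at least hold hb_type + payload_length, and the whole
     * record must fit inside the bytes actually received. */
    if (rec_len < 3 || 5 + rec_len > len)
        return HB_TRUNCATED;
    const uint8_t *hb = rec + 5;
    size_t payload = ((size_t)hb[1] << 8) | hb[2];
    /* The bounds check the vulnerable handler lacked: declared payload plus
     * mandatory padding must fit inside the record. Without it, the responder
     * echoes 'payload' bytes starting at the end of a record that is only
     * rec_len bytes long, i.e. whatever happens to follow it in memory. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;
    return HB_OK;
}

/* Constructed samples (hand-written, not captured traffic). */
/* Benign request: 4-byte payload "ping" plus 16 bytes of padding, record length 23. */
const uint8_t HB_BENIGN[] = {
    0x18, 0x03, 0x02, 0x00, 0x17,
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Malformed request: record carries 3 body bytes but declares a 16384-byte payload. */
const uint8_t HB_MALFORMED[] = { 0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00 };
/* Truncated: header promises a 23-byte body, only 5 body bytes arrive. */
const uint8_t HB_TRUNC[] = { 0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00, 0x04, 'p', 'i' };
/* A handshake record (content type 22), not a heartbeat at all. */
const uint8_t TLS_HANDSHAKE[] = { 0x16, 0x03, 0x02, 0x00, 0x01, 0x00 };
```

The same comparison, declared length against the bytes actually present, is what network detection rules for this bug look for.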
ebrke (Posted April 14, 2014): For administration pages. They always encourage people to use https for configuration administration pages. Of course, makes sense now that someone told me. Can't seem to access my router that way, though, but it's pretty old and not one of the ones DLink said were affected, so probably doesn't have the libs. Edited April 14, 2014 by ebrke
ross549 (Posted April 14, 2014): How the NSA shot itself in the foot by denying prior knowledge of Heartbleed vulnerability. Please take this one with a large helping of salt. Adam
V.T. Eric Layton (Posted April 14, 2014): BIG salt...
ross549 (Posted April 14, 2014): Bruce Schneier discusses Heartbleed on TWiT: (~17 min) I did have a moment to think on the toilet this morning.... Assuming the NSA wanted to exploit SSL (duh), and they have the smart people to find these kinds of bugs (duh), they would have exploited it if they had found it. This would have popped up in the Snowden leaks, right? This would have been a prominent effort to decrypt the bulk encrypted data they have presumably collected. It would have been a huge revelation to expose, but since it was not disclosed, perhaps the NSA were not doing it. Just a thought. Adam
Guest LilBambi (Posted April 14, 2014): Have all the Snowden leaks been made public as yet? I think not. Would be good to see if there was any discussion about that in what was obtained. Of course he didn't get everything. With the lies and lies upon lies, I find it very hard to trust anything from the government any more, sadly. And I would certainly not be defending them without any true knowledge. Their word is not enough IMHO.
Guest LilBambi (Posted April 14, 2014): Bruce Schneier has always done some great work on Security over the years. Will have to try to watch it when I can.
Guest LilBambi (Posted April 14, 2014), quoting ross549: Bruce Schneier discusses Heartbleed on TWiT: http://www.youtube.com/watch?v=Yokzan4k0Qw (~17 min) I did have a moment to think on the toilet this morning.... Assuming the NSA wanted to exploit SSL (duh), and they have the smart people to find these kinds of bugs (duh), they would have exploited it if they had found it. This would have popped up in the Snowden leaks, right? This would have been a prominent effort to decrypt the bulk encrypted data they have presumably collected. It would have been a huge revelation to expose, but since it was not disclosed, perhaps the NSA were not doing it. Just a thought. Adam

Here's the page for this TWiT show; there is also audio available for those of us who have issues with streaming video bandwidth-wise, and all the links to the stories they talk about: This Week in Tech 453
ross549 (Posted April 14, 2014), quoting: In case you wonder why the private key is important, it is because, owning that, you can authoritatively state, I am indeed that website. (Read: successful phishing attack on your browser.)

Exactly. This is why revoking certificates (and making sure your browser follows suit; see other thread) is so important. There's no way to know if the cert is valid or not. Here's another trick. You can look at the certificate date for the sites you visit. If the cert was issued after last Monday the 7th, it is likely the website was vulnerable and patched themselves. Time to change your password! Adam
V.T. Eric Layton (Posted April 14, 2014), quoting: I did have a moment to think on the toilet this morning... Be careful what you think in there. The NSA has your iToilet under surveillance, iAdam.
ross549 (Posted April 14, 2014): My toilet is Ethernet-only. Adam
ross549 (Posted April 14, 2014): It has begun. Crooks use Heartbleed exploit to steal 900 Canadian tax IDs :'( Adam
Guest LilBambi (Posted April 15, 2014): Yes... and it doesn't surprise me one bit... Quoting: My toilet is Ethernet-only. Adam. I would have thought you would use a VPN for that.
V.T. Eric Layton (Posted April 15, 2014), quoting: I would have thought you would use a VPN for that. HAHAHAHA! Please don't squeeze the network.
ross549 (Posted April 15, 2014): Yeah, I suppose I don't want the big utility company to know what I had for dinner. Data breaches are a HUGE problem. Adam
ross549 (Posted April 15, 2014): OK, now that Eric has dragged this, time to get back on topic. Vicious Heartbleed bug bites millions of Android phones, other devices. Something to consider. It's not just the servers that are vulnerable, but also end users who use OpenSSL in their browser. Admittedly, the number is small, but those running Android 4.1.1 or 4.2.2 may be vulnerable. Also, Blackberry Messenger is vulnerable. Update your apps! Adam
Guest LilBambi (Posted April 15, 2014): From the article: Because Android is frequently customized for specific devices or manufacturers, it's possible some versions besides 4.1.1 and 4.2.2 are vulnerable. For that reason, Android users should download Heartbleed Detector, a free app developed by Lookout. In the vast majority of the tests Ars carried out, it found various Android versions contained a vulnerable version of OpenSSL, but that the Heartbeat extension that hosts the coding bug wasn't enabled, making the devices immune to attack. The sole exception was when Ars executed the app on a handset running version 4.1.1, which returned the screenshot below. BOLD emphasis mine.
zlim (Posted April 15, 2014): Fran, are you sure the app is safe? I looked at this for FF https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/ but since it has not been reviewed by Mozilla, I backed away from installing it. There are just too many bogus apps and addons that either do nothing or do harm to a device.
ross549 (Posted April 15, 2014): If you are concerned about Heartbleed vulnerabilities, there are two things you can do to make sure you are safe. 1. Go to http://ssllabs.com and check the site you are interested in. They have a Heartbleed checking tool built in. 2. Examine the security certificate for the site you are interested in. If it was issued after Monday of last week (Monday, April 7), it is likely the site was vulnerable and fixed the issue. Note: The SSL Labs report on a site's SSL security will also give you the certificate issue date. Adam
Guest LilBambi (Posted April 17, 2014), quoting zlim: Fran, are you sure the app is safe? I looked at this for FF https://addons.mozil...tbleed-checker/ but since it has not been reviewed by Mozilla, I backed away from installing it. There are just too many bogus apps and addons that either do nothing or do harm to a device.

Hi Liz, Yes, Lookout is a good company and has a very good reputation in the Google Play Store.
Guest LilBambi (Posted April 17, 2014): However, I used ESET Mobile. There is a new version on the Google Play Store: ESET Mobile Security & Antivirus too.
raymac46 (Posted April 17, 2014): BTW the RCMP have nailed the perpetrator of the Heartbleed affair at Canada Revenue. 19-year-old script kiddie, computer science student at University of Western Ontario. Did not cover his tracks very well. His dad is a computer science prof, so the kid should have known better, or at least how to cover his tracks better.
ross549 (Posted April 17, 2014): Alas, since there is no way to tell when a site is attacked (to my knowledge it leaves no traces), we have no way to know whether a site we've visited/registered for has been compromised or not. Adam
crp (Posted April 17, 2014): I have not had any of the web sites I frequent contact me suggesting I change my password.