

Critical Flaw in OpenSSL


21 replies to this topic

#1 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • Gender: Female
  • Location: At home

Posted 08 April 2014 - 05:25 PM

As reported all over the web by now, there was a critical flaw in OpenSSL. This flaw affects all of us, as it hits the authentication methods of about 2/3 of the webservers out there. The vulnerability has been dubbed the "heartbleed" bug. The name refers to the heartbeat extension by which it is caused. The heartbeat extension usually serves to keep a connection alive, but due to the bug it now allows others to recover data sent over SSL/TLS. This compromises the keys used to identify you to the server and allows the encrypted traffic you sent to be read: names and passwords, most notably.
For more information visit: www.heartbleed.com


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
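The post above describes the heartbeat extension and the bug in it; the C below is an added example (not code from this thread and not OpenSSL's own code) that models a heartbeat request handler with the length check the fix added, so a request whose declared payload length is larger than the record it arrived in is rejected instead of answered. The function and constant names (heartbeat_respond, demo_benign, demo_oversized_length, HB_MIN_PAD) are my own; the message layout (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding) follows RFC 6520, and both sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Build the heartbeat response for the request held in rec[0..rec_len).
 * Returns the response length, or -1 if the request is rejected.
 * The length check below is the one the Heartbleed fix added: the unpatched
 * code trusted the two-byte payload_length field and copied that many bytes
 * out of the record buffer, reading far past the end of the message. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;                                /* too short or not a request */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_MIN_PAD > rec_len)
        return -1;                                /* declared length does not fit the record */
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only the bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_MIN_PAD); /* padding; zeroed for the demo */
    return (int)resp_len;
}

/* Constructed sample: a benign 5-byte "hello" request plus 16 bytes of padding. */
int demo_benign(void)
{
    uint8_t rec[3 + 5 + HB_MIN_PAD] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);   /* 24 */
}

/* Constructed sample: the same 24-byte record, but the length field claims
 * 65535 bytes of payload. A patched server drops it instead of echoing memory. */
int demo_oversized_length(void)
{
    uint8_t rec[3 + 5 + HB_MIN_PAD] = {HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```

The same declared-length-versus-record-length mismatch is what network detection rules for this bug keyed on.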



#2 Stolen

Stolen

  • Members
  • 669 posts
  • Gender: Female

Posted 08 April 2014 - 06:09 PM

Hi myrti. 

 

Thank you very much for posting the story and condensing the information. 

 

I am wondering about Online Certificate Status Protocol (OCSP) and how it compares or would be a possible alternative. I read about OCSP today at wiki, and I am just trying to understand all the implications for everyone...from individuals to large corporations. In a conference I attended last week, I learned about Bitcoin, and I believe even those transactions (sending and receiving Bitcoin) are handled in this way, so I wonder about financial transactions and PayPal. 

 

Thanks again for the link.  One more for further reading found here



#3 Ted Striker

Ted Striker

  • Members
  • 1,363 posts
  • Gender: Male
  • Location: Canada

Posted 08 April 2014 - 06:56 PM

I read about this briefly today.  Do major banks use OpenSSL?  Is there a way to find out?  It seems like this would be a major problem and banks should alert all of their customers if they're affected.



#4 StudyVIruses

StudyVIruses

  • Members
  • 6 posts

Posted 08 April 2014 - 09:40 PM

Thanks for this 



#5 Darktune

Darktune

    Very Purple


  • Members
  • 1,139 posts
  • Gender: Male
  • Location: Wales

Posted 09 April 2014 - 03:23 AM

Wow. Thanks for the information.


It's very hard to imagine all the crazy things that things really are like. 

Electrons act like waves.. no they don't exactly, they act like particles.. no they don't exactly.

Words and ideas can change the world.


#6 zingo156

zingo156

  • BC Advisor
  • 3,345 posts
  • Gender: Male

Posted 09 April 2014 - 08:32 AM

Thank you for the info. It seems the best way to prevent anyone from getting your information is to avoid logging into the domain until their servers are updated. In other words: do not sign into any secure website until that site has been updated to a version of OpenSSL that is not vulnerable.

 

After they update, log in, change your passwords etc.


Edited by zingo156, 09 April 2014 - 08:33 AM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#7 Darktune

Darktune

    Very Purple


  • Members
  • 1,139 posts
  • Gender: Male
  • Location: Wales

Posted 09 April 2014 - 08:35 AM

Thank you for the info. It seems the best way to prevent anyone from getting your information is to avoid logging into the domain until their servers are updated. In other words: do not sign into any secure website until that site has been updated to a version of OpenSSL that is not vulnerable.

 

After they update, log in, change your passwords etc.

 

I'd hope that websites would prompt you to change your password. I only say this because when Sony had its scare with PS3 it made it compulsory to change your password.




#8 myrti

myrti

    Sillyberry

  • Topic Starter
  • Malware Study Hall Admin
  • 33,772 posts
  • Gender: Female
  • Location: At home

Posted 09 April 2014 - 08:46 AM

Some more useful sites:

 

This site lets you check if a website is affected: http://filippo.io/Heartbleed/

This site lets you check if a certificate is affected: https://sslcheck.globalsign.com/en_US




#9 Darktune

Darktune

    Very Purple


  • Members
  • 1,139 posts
  • Gender: Male
  • Location: Wales

Posted 09 April 2014 - 08:53 AM

Awesome myrti - Turns out my bank is okay, phew




#10 rp-57

rp-57

  • Members
  • 468 posts
  • Gender: Female
  • Location: Oklahoma

Posted 09 April 2014 - 11:22 AM

I read about this on local news in my state. Seems every time you turn around you have to change passwords every day for all your accts.

 

If the hackers don't get you now they will sooner or later.

 

 



#11 zingo156

zingo156

  • BC Advisor
  • 3,345 posts
  • Gender: Male

Posted 09 April 2014 - 11:44 AM

I wonder if using the test posted above ("This site lets you check if a website is affected: http://filippo.io/Heartbleed/") would get anyone into trouble.



#12 Lehr

Lehr

  • Members
  • 124 posts
  • Gender: Not Telling

Posted 09 April 2014 - 06:39 PM

Welp, just changed my steam/gmail/facebook pass...

 

Let's hope this fixes it.

 

 

 

It said Google updated, Steam says they updated... Facebook as well... I hope this is right.

 

 

 

Edit v2: Wait, wait wait wait. Gmail/google/steam/Facebook are safe, right?


Edited by Lehr, 09 April 2014 - 07:02 PM.


#13 kelkay

kelkay

  • Members
  • 292 posts
  • Gender: Female

Posted 09 April 2014 - 07:00 PM

What about eBay? I went to the hippo site, but it did not answer for www.ebay.com when I checked.



#14 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,395 posts
  • Gender: Male
  • Location: 127.0.0.1 Australia

Posted 09 April 2014 - 09:24 PM

Conspiracy or what?

How long have the CIA, NSA and any other three-letter spy agency known about this?

 

Summary: A serious conflict of interests that nobody in the media is talking about; Codenomicon is headed by Microsoft’s Howard A. Schmidt

SOMETHING fishy was in the news today (since early this morning), including articles from GNU/Linux-oriented journalists [1] and blogs [2], some of which pointed out that a vulnerability discovered and published irresponsibly by the firm headed by Microsoft’s former Chief Security Officer (we wrote about his actions before) are already “patched by all Linux distros”.

Read More Here

http://techrights.org/2014/04/08/howard-schmidt-codenomicon/


Edited by NickAu1, 09 April 2014 - 09:50 PM.


#15 myrti

myrti

    Sillyberry

  • Topic Starter
  • Malware Study Hall Admin
  • 33,772 posts
  • Gender: Female
  • Location: At home

Posted 10 April 2014 - 02:50 AM

Hi,

 

As far as I know the bug was discovered not just by Codenomicon but also by Google researchers. In addition, the flaw was first published by OpenSSL after a patch was released. From what I'm seeing, several big companies were also contacted beforehand and could update before the public release was made. This is what is called responsible disclosure.

 

It was not Codenomicon that defined what date this flaw was published, but rather OpenSSL. Normally you send in your vulnerability and give people x days to reply to your concerns. Once they have replied you work with them and don't talk about the problem publicly until after the bug has been fixed. This has been done both by Google and Codenomicon. If you check, the official CVE number is CVE-2014-0160. This number was "reserved" in December 2013. So chances are that the bug has been known since then, possibly even that OpenSSL has been aware of it since then. So according to the logic in your article it must be OpenSSL (and possibly Google) that tried to badmouth Linux.

 

The reason we're even talking about Linux distros being insecure at the moment is that OpenSSL comes preinstalled on most of them, whereas it isn't preinstalled on Windows. So Linux, by default, is affected by this bug, and heartbleed.com lists a few that are safe to use and a few that are affected.

 

 

I highly doubt that the release date is in any way correlated to XP's death.

 

regards

myrti






