Heartbleed - Vast security breach on 2/3 of world's servers


50 replies to this topic

#1 OldPhil

    Doppleganger
  • Members
  • 4,069 posts
  • Gender:Male
  • Location:Long Island New York

Posted 08 April 2014 - 11:44 PM

Tens of millions of servers were exposed to a security vulnerability called Heartbleed in OpenSSL, software used to encrypt much of the internet. While an emergency patch has been released, sites like Yahoo have raced to fortify security.
On Monday afternoon, the open-source OpenSSL project released an emergency security advisory warning of Heartbleed, a bug that pulls in private keys to a server using vulnerable software, allowing operators to suck in data traffic and even impersonate the server.
As described by The Verge, Heartbleed allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing: attackers don't know what usable data will be in the haul, but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.
OpenSSL is used by around 66 percent of the web to encrypt data, according to Lifehacker. The software is used to protect usernames, passwords, and any sensitive information on secure websites.
According to reports, sites need to install updated, non-compromised software to vanquish further exposure to the bug's vulnerabilities. Tens of millions of servers were exposed to Heartbleed, according to The Verge.
"It is catastrophically bad, just a hugely damaging bug," said International Computer Science Institute security researcher Nicholas Weaver.
Yahoo may have been the largest entity whose sites were exposed to Heartbleed, which is actually two years old but is only now gaining the attention of the broader public after detection by Google researcher Neel Mehta.
Yahoo said it has successfully updated its servers.
"Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now," Yahoo said in a statement.
As a result of Heartbleed, Yahoo reportedly leaked user information for most of the day. Any servers running OpenSSL on Apache or Nginx were also affected, implicating a multitude of common websites and services, according to The Verge.
Apple, Google, Microsoft, and major e-banking services do not appear affected.
The Tor Project said that "if you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle."
Yet experts have also suggested that even if a server is patched, private keys may have been compromised before the fix, allowing vulnerabilities to linger.
"I bet that there will be a lot of vulnerable servers a year from now," Weaver said. "This won't get fixed."

"People in this reddit thread claim to have reliable #heartbleed exploit code against Yahoo mail, banks, other sites: http://t.co/zH1lPFvTd4"
(Eric Butler, @codebutler, April 8, 2014)
Affected sites need new SSL certificates, which is expensive and time-consuming but necessary to purge Heartbleed. A safe SSL certificate should show an issued-on date after the recent security patch.
Passwords on affected sites must be changed, experts say, but after a site's security is properly bolstered.
"These are really subtle bugs," Weaver says. "You might detect it if you ran it through a memory checker, but this is not the kind of thing that just shows up looking at the code."
There are tools that test sites for Heartbleed vulnerability. Yet susceptibilities will remain depending on the website.
Because individual servers have to be fixed manually, some sites might not get around to repairing the bug for quite a while, wrote The Wire. In other words, take Heartbleed on a site-by-site basis. Very few sites have offered comprehensive information on what to do about Heartbleed to their users.
Heartbleed has proved a bigger menace in scale of computers affected and the severity of the breach than GoToFail, a bug that hassled Apple earlier this year.

Honesty & Integrity Above All!
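The over-read described in the post above, as an added example written for this thread (it is not OpenSSL's source and not code from the quoted article): a simulated heartbeat handler that trusts the length field in the request and copies that many bytes from the record, next to the bounds check OpenSSL 1.0.1g added (type + length + payload + 16 bytes of padding must fit inside the received record). The "arena" standing in for process memory, the fake private-key string placed right after the record, the request bytes and all function names are constructed for the demo; only the shape of the check is taken from the real fix. The arena is oversized so the simulated over-read stays inside one array and the program's behaviour remains defined.

```c
/*
 * Added example (not OpenSSL's code): simulation of the TLS heartbeat over-read
 * behind Heartbleed and the bounds check that OpenSSL 1.0.1g added. The arena,
 * the secret and the request bytes are constructed here for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* a heartbeat carries at least 16 bytes of padding */

/* Simulated process memory: the heartbeat record is written at offset 0 and a
 * secret immediately after it, so over-reading the record lands on the secret
 * while staying inside this array (keeps the demo well-defined). */
static unsigned char arena[512];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";   /* fake, for the demo */

/* Write a heartbeat request into the arena. 'claimed' is the payload length in
 * the header; 'actual' is how many payload bytes really follow. Returns the
 * record length the TLS record layer would report for what was received. */
static size_t build_request(uint16_t claimed, size_t actual) {
    size_t rec_len = 1 + 2 + actual + HB_PADDING;      /* type, length, payload, padding */
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);                    /* the payload bytes actually sent */
    memcpy(arena + rec_len, secret, sizeof secret);    /* whatever sat next on the heap */
    return rec_len;
}

/* Vulnerable handler (pre-1.0.1g behaviour): copies 'payload' bytes on the
 * strength of the header alone, never comparing it with rec_len.
 * Returns the response length written to 'out', or 0 if 'out' is too small. */
static size_t handle_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    (void)rec_len;                                     /* ignored: this is the bug */
    if (need > out_cap) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                 /* reads past the record if payload was inflated */
    memset(out + 3 + payload, 0, HB_PADDING);
    return need;
}

/* Fixed handler: the check OpenSSL 1.0.1g added. A heartbeat whose claimed
 * payload (plus header and padding) does not fit in the received record is
 * silently discarded, so the copy can never run past the record. */
static size_t handle_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    uint16_t payload;
    if (rec_len < 1 + 2 + HB_PADDING) return 0;        /* too short for header plus padding */
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the Heartbleed fix */
    return handle_vulnerable(rec, rec_len, out, out_cap);           /* safe now */
}

/* Byte-string search; memmem() is not portable C. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* The attack: claim a 400-byte payload, send 4 bytes. Returns 1 if the
 * vulnerable handler's response carries the secret that sat after the record. */
int vulnerable_leaks_secret(void) {
    unsigned char out[512];
    size_t rec_len = build_request(400, 4);
    size_t n = handle_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, n, secret);
}

/* Same inflated request against the fixed handler: 0 means it was dropped. */
size_t fixed_response_to_attack(void) {
    unsigned char out[512];
    size_t rec_len = build_request(400, 4);
    return handle_fixed(arena, rec_len, out, sizeof out);
}

/* A well-formed 4-byte heartbeat against the fixed handler must still be
 * answered: 23 bytes (1 + 2 + 4 + 16) echoing exactly the 4 bytes sent. */
size_t fixed_response_to_honest(void) {
    unsigned char out[512];
    size_t rec_len = build_request(4, 4);
    size_t n = handle_fixed(arena, rec_len, out, sizeof out);
    if (n == 0 || memcmp(out + 3, "AAAA", 4) != 0) return 0;
    return n;
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, inflated request: %zu bytes\n", fixed_response_to_attack());
    printf("fixed handler, honest request: %zu bytes\n", fixed_response_to_honest());
    return 0;
}
```

The point the post's "fishing" description glosses over is visible in `handle_vulnerable`: nothing in the code is "exploited" in the usual sense; the handler simply believes a 16-bit length that the peer controls, and one request can pull back up to 64 KiB of whatever sits after the record. The fix is a single comparison against the length the record layer actually received, which is why a memory checker would flag the original and a code read easily misses it.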



#2 GB2064

  • Members
  • 947 posts
  • Gender:Male
  • Location:Pittsburgh, Pennsylvania

Posted 09 April 2014 - 12:52 PM

Here is some information on the "Heartbleed" security bug.

http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201



#3 GB2064

  • Members
  • 947 posts
  • Gender:Male
  • Location:Pittsburgh, Pennsylvania

Posted 09 April 2014 - 03:48 PM

Here is another Heartbleed vulnerability test site.

Just paste the URL of any site you want to check, and run the test.

https://www.ssllabs.com/ssltest/



#4 quietman7

    Bleepin' Janitor
  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 April 2014 - 05:08 PM

600,000 servers vulnerable to heartbleed
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 rp-57

  • Members
  • 464 posts
  • Gender:Female
  • Location:oklahoma

Posted 11 April 2014 - 01:29 PM

Hello to all the good people at bleeping.com

I have been reading the info about the Heartbleed bug, and I wonder if anyone here would suggest using a password manager to secure passwords with.

I was going to try the LastPass website but would like to know your opinion.

Thank you all for the wonderful info and help that you provide.

Much appreciation to you all.

From Gina



#6 quietman7

    Bleepin' Janitor
  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 April 2014 - 01:40 PM


You can use an online Password Generator to create a random password.

Note: Be careful where you store the passwords and do not write down or leave records of them anywhere that you would not leave the information that they are designed to protect.

Another option is to use a third party Password Manager which can generate random passwords:
  • Best Password Managers: Top 4 Reviewed
  • Review: 7 password managers for Windows, Mac OS X, iOS, and Android

#7 Kilroy

  • BC Advisor
  • 3,335 posts
  • Gender:Male
  • Location:Launderdale, MN

Posted 11 April 2014 - 01:42 PM

I highly recommend LastPass. You will notice that they address Heartbleed on their main page. You can learn a lot about LastPass from Security Now! - Episode 256; you can listen or read the transcripts.

I bookmarked 2014 Best Online Password Manager Reviews. The one knock they had for LastPass was no on-line support chat.


Edited by RKilroy, 11 April 2014 - 01:47 PM.


#8 rp-57

  • Members
  • 464 posts
  • Gender:Female
  • Location:oklahoma

Posted 11 April 2014 - 01:46 PM

Hello,

I have been reading lots of info about the LastPass manager, seems to be right good but I have not tried it yet.

Thank you for the quick reply.

From Gina



#9 rp-57

  • Members
  • 464 posts
  • Gender:Female
  • Location:oklahoma

Posted 11 April 2014 - 01:48 PM

You can use an online Password Generator to create a random password.

Note: Be careful where you store the passwords and do not write down or leave records of them anywhere that you would not leave the information that they are designed to protect.

Another option is to use a third party Password Manager which can generate random passwords:
  • Best Password Managers: Top 4 Reviewed
  • Review: 7 password managers for Windows, Mac OS X, iOS, and Android

OH Ok,

Thank you, Quietman, this is different info than what I had known before, really good info that you supplied.

Thank you so much,

From Gina



#10 rp-57

  • Members
  • 464 posts
  • Gender:Female
  • Location:oklahoma

Posted 11 April 2014 - 01:51 PM

Do you use a password manager?



#11 Kilroy

  • BC Advisor
  • 3,335 posts
  • Gender:Male
  • Location:Launderdale, MN

Posted 11 April 2014 - 02:00 PM

I use LastPass Premium with a Yubikey for two factor authentication on my home computer, work computer, iPad, iPhone, and Kindle FireHD.  I've been a user since August 2010.



#12 quietman7

    Bleepin' Janitor
  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 April 2014 - 03:22 PM

I use Password Safe. In fact, I use the portable version here so I can carry it on a flash drive.

#13 Animal

    Bleepin' Animinion
  • Site Admin
  • 34,831 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 11 April 2014 - 03:27 PM

I am a KeePass user. I have it synched with my Android phone and use the Android app.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#14 rp-57

  • Members
  • 464 posts
  • Gender:Female
  • Location:oklahoma

Posted 11 April 2014 - 03:35 PM

I use LastPass Premium with a Yubikey for two factor authentication on my home computer, work computer, iPad, iPhone, and Kindle FireHD.  I've been a user since August 2010.

Ok,

Thank you for the info, much appreciation.



#15 rp-57

  • Members
  • 464 posts
  • Gender:Female
  • Location:oklahoma

Posted 11 April 2014 - 03:37 PM

I use LastPass Premium with a Yubikey for two factor authentication on my home computer, work computer, iPad, iPhone, and Kindle FireHD.  I've been a user since August 2010.

Ok.

I never heard of Yubikey, sounds interesting, I will check that out.

Thank you very much.





