
Critical OpenSSL 'Heartbleed' bug puts encrypted communications at risk


posted on Apr, 8 2014 @ 08:43 AM


The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.

The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.

Critical OpenSSL 'Heartbleed' bug puts encrypted communications at risk

Here we go again. Too often we have websites that we frequent and trust with our information informing us that they goofed up and have exposed our info to anyone with the will to procure it. One more round of "change your passwords ASAP!"

And this one seems to be pretty large.



Martin Odhelius ‏@modhelius 35m One of the biggest security bugs in history found in OpenSSL. If you've entered any password at ANY site the last 2 days, change it!

twitter.com...

Couple this with the large amount of websites seeking to eliminate internet anonymity like Facebook does, and you really can't feel safe on the web anymore.

At least when a website doesn't force you to verify you are who you say you are, you then don't have to worry about your sensitive information being leaked like this.

Facebook requires you to give your real name when you sign up. If they suspect you are using a fake name they ask for your phone number to verify your identity; if you refuse to provide that, then they ask for a photocopy of your government-issued ID. Do you really want that sort of info floating around the world wide web?

www.theblaze.com...

www.cnet.com...

www.zdnet.com...



it's not clear how widespread the bug is or was, but it is thought that at least two-thirds of websites could be affected, as the most notable software using OpenSSL are the open source webservers Apache and nginx.


www.theinquirer.net...
edit on 4/8/14 by pryingopen3rdeye because: added one last quote/source



posted on Apr, 8 2014 @ 09:57 AM
There's a lot more info on this on Heartbleed.com. This vulnerability has been exposed for over two years now and it's impossible to determine what has been compromised or not.

The worst thing is that in order to close the vulnerability, all corporations and users of OpenSSL software have to become aware of this and install the "fix"-release a.s.a.p.

So yeah, I guess it's time to change passwords again...



posted on Apr, 8 2014 @ 10:34 AM

RationalDespair
There's a lot more info on this on Heartbleed.com. This vulnerability has been exposed for over two years now and it's impossible to determine what has been compromised or not.

The worst thing is that in order to close the vulnerability, all corporations and users of OpenSSL software have to become aware of this and install the "fix"-release a.s.a.p.

So yeah, I guess it's time to change passwords again...


Thanks for the link.

And the bug has been around for 2 years, but how long abusers have been aware of it is anyone's guess. This is like the biggest reason in support of internet anonymity: there will always be bugs in encryption, it's never gonna be 100% secure, that's just the reality of technology.

This is of course not even mentioning the other best reason for internet anonymity, free speech: being able to speak your mind without worry of consequence, being able to voice dissent or whistleblow without worry.
edit on 4/8/14 by pryingopen3rdeye because: (no reason given)



posted on Apr, 8 2014 @ 11:13 AM
How can you determine what SSL implementations are being used on various websites on the internet?
There are more products providing SSL features to webservers than just OpenSSL; look at PolarSSL for example (which has much more clearly written code and is easier to understand .. except it's not always free to use afaik).



posted on Apr, 8 2014 @ 11:13 AM
How do I delete a double reply? :X
edit on 8-4-2014 by YuriNL because: (no reason given)



posted on Apr, 8 2014 @ 02:33 PM
Do you not think it strange that this was made public rather than going through the usual channels of find exploit - report - claim bounty - patch issued - reported on news sites? It just simply went public.

Do you not think it strange that heartbleed.com was registered in the first place? Almost as if it was planned in advance...

Do you not think it is strange that mainstream media, whilst reporting on it, are downplaying it?

Do you not think it strange that Tor, our magnificent champion of anonymous browsing (partly funded by USG), issued a statement saying "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." blog.torproject.org...

Do you not think this is a strange coincidence with XP support withdrawal?

The strange is strong in this one

Edit to add: this is massive, and most people do not realise it

edit on 8-4-2014 by RavenNinja because: (no reason given)



posted on Apr, 8 2014 @ 02:59 PM
A security hole in SSL is a serious problem. The biggest issue is credit card and banking information is all secured using SSL.
This is a truly frightening problem. I just made some purchases online a few days ago. :/


Edit: From my research so far, it seems to be a man in the middle attack of sorts. Someone captures your SSL encrypted packets and stores them locally to decrypt the contents.

If they had the ability to do it once, what's to stop them from doing it again?
edit on 4/8/2014 by shaneslaughta because: (no reason given)



posted on Apr, 8 2014 @ 03:28 PM

shaneslaughta
A security hole in SSL is a serious problem. The biggest issue is credit card and banking information is all secured using SSL.
This is a truly frightening problem. I just made some purchases online a few days ago. :/


Edit: From my research so far, it seems to be a man in the middle attack of sorts. Someone captures your SSL encrypted packets and stores them locally to decrypt the contents.

If they had the ability to do it once, what's to stop them from doing it again?
edit on 4/8/2014 by shaneslaughta because: (no reason given)


Maybe they could do it again but they would need to find another way. The idea is that this particular hole is now plugged (assuming you've patched.) I've also been busy today getting re-issued certs for our web servers.



posted on Apr, 8 2014 @ 03:37 PM
reply to post by an0maly33
 


I just found out about it, haven't had time to do anything yet. Looking into things now. I have multiple machines, different setups, different OSes too. I have my work cut out for me. I don't have SSL certs. No need for them on my sites. Though I was planning an online store, things like this make me not want to do anything big like that. Too much responsibility with customer data.



posted on Apr, 8 2014 @ 03:44 PM


Facebook requires you to give your real name when you sign up. If they suspect you are using a fake name they ask for your phone number to verify your identity; if you refuse to provide that, then they ask for a photocopy of your government-issued ID. Do you really want that sort of info floating around the world wide web?


My name on Facebook is 100% not my name, I have given them no phone number even though they have asked and I've never given them any ID..... FB account is still active.

Put the blame where it should be, on the users' heads; they are the ones who use it the way they do.
edit on 8-4-2014 by aivlas because: (no reason given)



An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

krebsonsecurity.com...
edit on 8-4-2014 by aivlas because: (no reason given)


i.imgur.com...
from
blog.fox-it.com...
edit on 8-4-2014 by aivlas because: (no reason given)



random pulls from the Q&A at the heartbleed site

Is this a MITM bug like Apple's goto fail bug was?

No this doesn't require a man in the middle attack (MITM). Attacker can directly contact the vulnerable service or attack any user connecting to a malicious service. However in addition to direct threat the theft of the key material allows man in the middle attackers to impersonate compromised services.

Who found the Heartbleed Bug?

This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. Codenomicon team found heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team.


What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

How about operating systems?

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)



edit on 8-4-2014 by aivlas because: (no reason given)



RavenNinja
Do you not think it strange that this was made public rather than going through the usual channels of find exploit - report - claim bounty - patch issued - reported on news sites? It just simply went public.

Do you not think it strange that heartbleed.com was registered in the first place? Almost as if it was planned in advance...

Do you not think it is strange that mainstream media, whilst reporting on it, are downplaying it?

Do you not think it strange that Tor, our magnificent champion of anonymous browsing (partly funded by USG), issued a statement saying "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." blog.torproject.org...


No
No, disclosure on an open source project - who.is...
No
No
edit on 8-4-2014 by aivlas because: (no reason given)


Bonus link
github.com...

Disclaimer: This scan was performed around April 8, 12:00 UTC, so please stop sending pull requests to remove your site!

edit on 8-4-2014 by aivlas because: (no reason given)
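The version status list quoted above from heartbleed.com is the kind of thing an admin ends up checking across an inventory by hand. As an added example (not from the thread, heartbleed.com or the OpenSSL project), this Python script parses the upstream OpenSSL version out of the string forms quoted in the list (plain version, distro package version, `openssl version` banner) and classifies it against the 1.0.1 through 1.0.1f range; the hostnames and inventory lines are constructed.

```python
import re

# Status list quoted from heartbleed.com earlier in the thread:
# OpenSSL 1.0.1 through 1.0.1f are vulnerable; 1.0.1g, 1.0.0 and 0.9.8 are not.
FIXED_LETTER = "g"
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter) from a banner or package string.

    Accepts plain versions ("1.0.1f"), distro package versions such as
    "1.0.1e-2+deb7u4" or "1.0.1-4ubuntu5.11", and `openssl version` output
    such as "OpenSSL 1.0.1c 10 May 2012".
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_status(text):
    """Classify by upstream version: vulnerable, fixed, not-affected, unknown.

    A 'vulnerable' verdict on a distro package is only a lead: distributions
    backport the fix without bumping the upstream letter, so the package
    changelog or vendor advisory is the authority for those.
    """
    try:
        major, minor, fix, letter = parse_openssl_version(text)
    except ValueError:
        return "unknown"
    if (major, minor, fix) != (1, 0, 1):
        return "not-affected"  # 1.0.0 and 0.9.8 branches never had the bug
    return "vulnerable" if letter < FIXED_LETTER else "fixed"


def triage_inventory(lines):
    """Map 'host<TAB>version-string' inventory lines to {host: status}."""
    result = {}
    for line in lines:
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        result[host.strip()] = heartbleed_status(version)
    return result


# Constructed sample inventory: hostnames are invented, version strings use
# the forms quoted in the thread.
SAMPLE_INVENTORY = [
    "web1.example.test\tOpenSSL 1.0.1e 11 Feb 2013",
    "web2.example.test\t1.0.1-4ubuntu5.11",
    "lb.example.test\tOpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.test\t0.9.8o-4squeeze14",
]
```

Run `triage_inventory(SAMPLE_INVENTORY)` to get a host-to-status map; anything reported as "vulnerable" for a distro package still needs the package changelog checked before it is written off as unpatched.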



posted on Apr, 8 2014 @ 03:52 PM

shaneslaughta
reply to post by an0maly33
 


I just found out about it, haven't had time to do anything yet. Looking into things now. I have multiple machines, different setups, different OSes too. I have my work cut out for me. I don't have SSL certs. No need for them on my sites. Though I was planning an online store, things like this make me not want to do anything big like that. Too much responsibility with customer data.


If you're not using SSL then this problem doesn't affect you. This is specifically a vulnerability in certain versions of OpenSSL and only on certain OS's/versions. For example, the OpenSSL in Redhat Enterprise 5 is fine, but 6 needs to be patched.



posted on Apr, 8 2014 @ 03:59 PM
reply to post by an0maly33
 


I do have SSL on my servers but I don't use it. I still want the vulnerability fixed. I want the capability to use it in the future.



posted on Apr, 8 2014 @ 10:50 PM
This is a big deal. It is a ridiculously simple hack that script kiddies will have their hands all over in the days to come.

The exploit has been in the OpenSSL code for 2 years, but that was announced publicly for the first time today. There's no telling how long over the 2 years it's been exploited prior. This is a very serious problem and is almost undetectable by most measures.

The bigger problem is that it's possible that root certificates have been compromised. Most companies are going to have to throw away all of their certificates just to err on the side of caution. This in itself, could take weeks, even months for larger tech shops. Think of web hosting facilities that have tens of thousands of certs.

It also compromises routers and hardware appliances.

It doesn't impact most Microsoft systems, oddly. Most Microsoft systems don't run OpenSSL, but if they did, they would be vulnerable as well.

The only way to fix it is to patch the OpenSSL versions that are vulnerable and throw away all SSL certificates since there's no way to know whether or not they have been compromised. Once that's done, then you can monitor for attempts of those trying to attack, but until then, it's pointless.

There are a lot of shops out there that run old Linux systems and don't pay close attention to security bulletins, and it could be a long time before they realize that they are vulnerable and have been fully compromised.

Fire up the password generators!

~Namaste



posted on Apr, 8 2014 @ 11:26 PM
Since I'm pretty much a box of rocks concerning computer security, may I ask a question about this issue?
I use my computer to cruise the net, do email, make pretty pictures, documents (mostly family history stuff) and play games. I don't use it to order stuff or for any financial stuff. I don't do any social networks. This site is about as social as I get.
My computer guru, the guy who built the machine for me, installs the security programs and updates them for me.
Should I be worried?
Thanks.



posted on Apr, 9 2014 @ 03:16 AM

diggindirt
Since I'm pretty much a box of rocks concerning computer security, may I ask a question about this issue?
I use my computer to cruise the net, do email, make pretty pictures, documents (mostly family history stuff) and play games. I don't use it to order stuff or for any financial stuff. I don't do any social networks. This site is about as social as I get.
My computer guru, the guy who built the machine for me, installs the security programs and updates them for me.
Should I be worried?
Thanks.


Is there anything handled by your computer that you wouldn't want a malevolent individual to have control over?
Your real name in your email, the web history of your browser, the contact list in your email, your accounts for your games. Do you run a VPN for any reason? Some older games need a VPN to run, if it's like a Windows 98 game.

Really, to be safe, just change your passwords to anything online you have. It might be wise to frequently change your passwords from here on, since there's no telling if the webhosts who hold your passwords have patched the hole yet.



posted on Apr, 9 2014 @ 04:00 PM
Here's a place you can use to check if a patch or fix has been used for "secure" sites you may use:
lastpass.com...



posted on Apr, 9 2014 @ 04:08 PM
reply to post by pryingopen3rdeye
 


Thanks for the reply. Looks like I must be okay because I don't do any online games, don't have my name in my email, etc. When I first began exploring the cyberworld, my husband, who had far more knowledge of it than did I, explained to me that anyone with a will to do so could find anything in the machine with enough effort. His advice to me at the time was to conduct myself as though I was standing in the public square each time I entered cyberspace. At the same time he informed me that just as stuff can be extracted from the machine, it can also be added. That's more of a concern to me than someone finding information about me.
I did call my computer guy. He assures me that I'm good. He checked everything out just a week ago when the machine was in for a minor issue.



posted on Apr, 9 2014 @ 04:12 PM
Here is a link to the Cisco Security Advisory if you are a NET or UC engineer.

tools.cisco.com...



posted on Apr, 10 2014 @ 08:18 AM
Great opportunity to say "Hey, there's this bug, click here to fix" (and then insert backdoor and send new passwords to NSA)

I jokingly thought the other day if the NSA invented "Selfies" - would be great for their facial recognition software..haha
edit on 10-4-2014 by Zenem because: part about the NSA was blank because I used extra DIV



posted on Apr, 11 2014 @ 04:34 PM

Chamberf=6
Here's a place you can use to check if a patch or fix has been used for "secure" sites you may use:
lastpass.com...



Thanks for the link. My server passes.



