Thread: Major OpenSSL vulnerability discovered

  #1

    Major OpenSSL vulnerability discovered

    According to the media, at least. Who knows how serious it really is or whether it's a real threat.

    http://www.latimes.com/business/la-f...#axzz2yMDpu3wn

    SAN FRANCISCO — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.

    On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the "Heartbleed Bug" and urged users to change not just the password for its site but for all others as well.

    But signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless because if a site has not fixed the problem hackers could just as easily steal the new password.

    Although security analysts wouldn't go as far as telling users to stay off the Internet completely, they said users should avoid doing anything sensitive like online banking. If it's necessary to go online, check to see whether a service has said whether they are affected or whether they have fixed the problem.

    "The scope of this is immense," said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company.
    More at link.
    "Let it not be said that we did nothing."-Ron Paul

    "We have set them on the hobby-horse of an idea about the absorption of individuality by the symbolic unit of COLLECTIVISM. They have never yet and they never will have the sense to reflect that this hobby-horse is a manifest violation of the most important law of nature, which has established from the very creation of the world one unit unlike another and precisely for the purpose of instituting individuality."- A Quote From Some Old Book

  #2
    This is what you need to know.

    http://heartbleed.com/

    Is this a design flaw in SSL/TLS protocol specification?

    No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.
    So if you don't use any services that use the OpenSSL library you are fine. Even if you do use those services you might not know about it, so it's a good idea to know who does.

    There really isn't anything a user is going to be able to do about this except not use the services and contact the service provider and find out if they are using the patched library or if they even use OpenSSL in their implementation in the first place.

    Most likely if you go to a website that has https:// that uses php code like RonPaulForums, they are implementing SSL with OpenSSL.

    Changing your password could help, but if the patch is not in place then your new password is just as vulnerable.

    Basically, make sure that anywhere you go on the internet that you give out personal info to, ask them about their SSL/TLS implementation. That's it.
    Last edited by newbitech; 04-08-2014 at 10:22 PM.

  #3
    Another NSA backdoor in encryption that was discussed recently? I don't remember specifics but there was some talk about the NSA having backdoors to encryption, not long ago.

  #4
    Moved already?

    Is it just me or is anyone else starting to feel "subforumed-to-death" on RPF?

  #5
    Flaw was discovered, and patched 2 days ago, if sysadmins are on their job.

    http://threatpost.com/openssl-fixes-...ability/105300
    http://www.openssl.org/news/vulnerabilities.html

    This is the real benefit of Open Source: the flaws are fixed almost as immediately as they are found.
    Liberty is lost through complacency and a subservient mindset. When we accept or even welcome automobile checkpoints, random searches, mandatory identification cards, and paramilitary police in our streets, we have lost a vital part of our American heritage. America was born of protest, revolution, and mistrust of government. Subservient societies neither maintain nor deserve freedom for long.
    Ron Paul 2004

    Registered Ron Paul supporter # 2202
    It's all about Freedom

  #6
    Quote Originally Posted by pcosmar View Post
    Flaw was discovered, and patched 2 days ago, if sysadmins are on their job.

    http://threatpost.com/openssl-fixes-...ability/105300
    http://www.openssl.org/news/vulnerabilities.html

    This is the real benefit of Open Source: the flaws are fixed almost as immediately as they are found.
    Slight correction. The flaw was only publicly discovered/disclosed 2 days ago. But it has been in the wild for over 2 years, available for any enterprising black hat to discover, use and keep quiet. There are both benefits AND downsides to open source.

  #7
    Quote Originally Posted by devil21 View Post
    Another NSA backdoor in encryption that was discussed recently? I don't remember specifics but there was some talk about the NSA having backdoors to encryption, not long ago.
    Not this.

  #8
    Quote Originally Posted by CPUd View Post
    Not this.
    Yes, this. Of course the NSA denies it, but what is their denial worth these days? Squat.
    http://www.zerohedge.com/news/2014-0...exposed-attack

  #9
    Quote Originally Posted by devil21 View Post
    Yes, this. Of course the NSA denies it, but what is their denial worth these days? Squat.
    http://www.zerohedge.com/news/2014-0...exposed-attack
    http://www.bloomberg.com/news/2014-0...consumers.html
    "He's talkin' to his gut like it's a person!!" -me
    "dumpster diving isn't professional." - angelatc
    "You don't need a medical degree to spot obvious bullshit, that's actually a separate skill." -Scott Adams
    "When you are divided, and angry, and controlled, you target those 'different' from you, not those responsible [controllers]" -Q

    "Each of us must choose which course of action we should take: education, conventional political action, or even peaceful civil disobedience to bring about necessary changes. But let it not be said that we did nothing." - Ron Paul

    "Paul said "the wave of the future" is a coalition of anti-authoritarian progressive Democrats and libertarian Republicans in Congress opposed to domestic surveillance, opposed to starting new wars and in favor of ending the so-called War on Drugs."

  #10
    Quote Originally Posted by devil21 View Post
    Yes, this. Of course the NSA denies it, but what is their denial worth these days? Squat.
    http://www.zerohedge.com/news/2014-0...exposed-attack
    The bug is in the implementations, which they or anyone else could have exploited. But it's not a "backdoor in encryption".

  #11
    Quote Originally Posted by specsaregood View Post
    Slight correction. The flaw was only publicly discovered/disclosed 2 days ago. But it has been in the wild for over 2 years, available for any enterprising black hat to discover, use and keep quiet. There are both benefits AND downsides to open source.
    One of the things the community is doing - voluntarily - is setting up honeypots to monitor. The OS community already thought of that, is doing the triage, and we'll know in a couple days how much it's getting exploited.
    There are no crimes against people.
    There are only crimes against the state.
    And the state will never, ever choose to hold accountable its agents, because a thing can not commit a crime against itself.

  #12
    Quote Originally Posted by fisharmor View Post
    One of the things the community is doing - voluntarily - is setting up honeypots to monitor. The OS community already thought of that, is doing the triage, and we'll know in a couple days how much it's getting exploited.
    They might get more bang for their buck spending their time looking at the code. So much for the more eyeballs theory. It seems everybody just assumed the code was safe instead of reviewing it.

    From dannno's link:
    The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

    While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

    In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

  #13
    Quote Originally Posted by newbitech View Post
    This is what you need to know.

    http://heartbleed.com/

    So if you don't use any services that use the OpenSSL library you are fine. Even if you do use those services you might not know about it, so it's a good idea to know who does.

    There really isn't anything a user is going to be able to do about this except not use the services and contact the service provider and find out if they are using the patched library or if they even use OpenSSL in their implementation in the first place.

    Most likely if you go to a website that has https:// that uses php code like RonPaulForums, they are implementing SSL with OpenSSL.

    Changing your password could help, but if the patch is not in place then your new password is just as vulnerable.

    Basically, make sure that anywhere you go on the internet that you give out personal info to, ask them about their SSL/TLS implementation. That's it.
    heartbleed.com also lists which versions of OpenSSL were vulnerable. The 0.9.8 branch that RPF is running does not have the flaw.

    What versions of OpenSSL are affected?

    Status of different versions:

    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable

    Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
    You can see the openssl version RPF is running (and your favorite web sites) here: http://toolbar.netcraft.com/site_rep...paulforums.com

    Apache/2.0.63 Unix mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    Last edited by cjm; 04-11-2014 at 07:49 PM. Reason: added netcraft excerpt w/bold
    “Democracy is the theory that the common people know what they want and deserve to get it good and hard.”

    H.L. Mencken
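The version list and the netcraft banner quoted above are enough to write a first-pass triage check. The following Python is an added example, not code from the thread or from heartbleed.com: it pulls the OpenSSL version out of a bare version string or an HTTP Server header and classifies it against the affected range quoted in the post (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, the 1.0.0 and 0.9.8 branches never affected). The host names and all Server headers except the forum's own netcraft line are constructed for the example.

```python
import re

# Added example, not code from the thread or from heartbleed.com: classify an
# OpenSSL version string (or an HTTP Server header that embeds one) against the
# affected range quoted in the post above: 1.0.1 through 1.0.1f vulnerable,
# 1.0.1g fixed, the 1.0.0 and 0.9.8 branches never affected.

# "OpenSSL/1.0.1e" inside a Server header. The optional single letter is the
# patch level; \b stops the match before suffixes such as "-fips-rhel5".
PREFIXED = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)\b", re.IGNORECASE)
# A bare version such as "1.0.1f" (what `openssl version` prints after the name).
BARE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) or None when no version is present.

    The OpenSSL-prefixed form is tried first so that other version numbers in a
    Server header (Apache, mod_ssl, ...) are not mistaken for the OpenSSL one.
    """
    match = PREFIXED.search(text) or BARE.match(text)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter.lower()


def heartbleed_status(text):
    """Classify a version string: 'vulnerable', 'fixed', 'not affected' or 'unknown'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"          # no version advertised; the banner cannot tell us
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return "not affected"     # 0.9.8 and 1.0.0 branches never had the bug
    if letter <= "f":             # "" (plain 1.0.1) and a..f are vulnerable
        return "vulnerable"
    return "fixed"                # 1.0.1g and later


# Constructed Server headers for a handful of hypothetical hosts. The "forum"
# line is the netcraft excerpt from the post above; the rest are made up.
SAMPLE_SERVER_HEADERS = {
    "forum":  "Apache/2.0.63 Unix mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1",
    "shop":   "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1e",
    "mail":   "nginx/1.4.7 OpenSSL/1.0.1g",
    "legacy": "Apache/2.2.3 (CentOS) mod_ssl/2.2.3 OpenSSL/1.0.0k",
    "cdn":    "nginx",
}


def triage(headers):
    """Map each host to its Heartbleed status so the vulnerable ones can be followed up."""
    return {host: heartbleed_status(banner) for host, banner in headers.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_SERVER_HEADERS).items():
        print(f"{host:8} {status}")
```

Two caveats when using a banner check like this. Linux distributions commonly backport security fixes into their packages without changing the upstream version letter, so a host that reports 1.0.1e may already be patched; treat "vulnerable" as a reason to confirm against the vendor's advisory or the package changelog rather than as a verdict. In the other direction, a banner that hides the version (the "unknown" case) says nothing either way, and only the service operator can confirm which library and build they run, which is the same advice the thread gives.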

  #14
    Quote Originally Posted by specsaregood View Post
    They might get more bang for their buck spending their time looking at the code. So much for the more eyeballs theory. It seems everybody just assumed the code was safe instead of reviewing it.

    From dannno's link:
    But I don't understand what's worth getting worked up about there.
    The spooks are spooking everyday Joes.
    So what. We knew that. Nobody cares.

    Open source software does a superb job at what it was designed to do: protect data from the non-state-sanctioned criminals.
    The ones who don't have multi-million dollar budgets to try to figure this stuff out.

    If the NSA or some other state-sanctioned criminal organization wanted your passwords that badly they could just throw a black bag over your head, take you to an abandoned warehouse, and start pulling the tendons out of your fingers until you told them.
    And even then, nobody would care.

  #15
    LastPass says they are OK because they have a zero knowledge policy, but they are getting new certs anyway:

    http://blog.lastpass.com/2014/04/las...bleed-bug.html

    also:

    Update: April 8th, 4:46PM ET

    We have built a tool to help LastPass users check whether other sites and services they use may have been affected by Heartbleed, you can check it out at: https://lastpass.com/heartbleed

  #16
    Quote Originally Posted by fisharmor View Post
    The ones who don't have multi-million dollar budgets to try to figure this stuff out.
    If you think it's only large government organizations monitoring code changes for security flaws to use for nefarious purposes then you are mistaken.

  #17
    Heartbleed makes my heart bleed at my job.

    And I like how it's a "common task" for the NSA to steal passwords. $#@! them.
    Quote Originally Posted by Sister Miriam Godwinson View Post
    We Must Dissent.

  #18
    Quote Originally Posted by specsaregood View Post
    If you think it's only large government organizations monitoring code changes for security flaws to use for nefarious purposes then you are mistaken.
    What I'm asserting is that all the high-profile leaks that have happened in recent memory are all individual cases, not systemic.
    Every time Target or Bank of America is "hacked" it's because of a lapse on the part of the victimized company. Either they didn't have their $#@! together technologically, or they suffered from a non-technological attack. It's simply much easier to impersonate an employee and get someone to read off an RSA key over the phone, or find a way in that isn't protected well.

    I'll disclose for the record that I don't do security, and the reason why is because it's a full-time job that is changing every single day. Heartbleed is a much bigger problem to the media than it is to companies - it's pretty much just an annoyance to my employer and all our customers.

    But don't you dare ever be even one day late on doing your yearly security training at any of these places... because they know the much greater threat is from people being stupid and leaving stuff out on their desks, or not having it shredded, or giving out passwords to people.

    The market for hacking has figured that out, too. The only reason the NSA is cracking open OpenSSL is because they have unlimited resources. They're doing it for the same reason the Navy thinks they need F-35s... because it's the latest whiz-bang thing and it makes them look cool. But the reality, as usual, is that there are much more cost-effective ways to hack.

    And I still maintain that if the NSA is coming after you, you're in over your head to begin with. Would it be nice if nobody had money to waste on preemptively finding exploits like this? Yes. So let's discuss the dismantling of the NSA. Let's not focus on how unlimited resources can pretty easily get you hacked into any system, because frankly, that's never going to change.