CCleaner Community Forums
hazelnut

Massive security bug in OpenSSL


http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

 

 

 

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

This afternoon, many of the net security people I know are freaking out.

 


It's made it to be one of the leading news stories here now.

 

The 'security experts' being dug up and dumped in front of the cameras are saying to change all your passwords, which is pointless unless every piece of the puzzle between your PC and the info you are after gets its act together.


Yeah, wait until the sites have announced a patch (or whether or not one is needed for them) before changing your passwords.


Yep, that's the gist of it. Also worth noting that this only works because it dumps the additional characters from memory, where they're stored in plaintext.


Nice find with the graphic, Shane, that should explain it even to my wife :huh:

"NSA knew about the bug for 2 years"

 

http://market-ticker.org/akcs-www?post=228928

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Not surprising. NSA are by all means Black Hats, they're just the Black Hats that keep the other Black Hats at bay.

 


MS did put out a security update for Windows 7 on April 12/13. Was this the patch for this security bug?


Robin Seggelmann, a German software developer, says he didn't create the SSL flaw deliberately.

 

 

 

"In one of the new features, unfortunately, I missed validating a variable containing a length," he told the Herald. And his co-workers missed it, too.

For those who aren't coders, the end result is this: anyone aware of the glitch could "eavesdrop" on the ways that computer servers and sites communicate with each other and swipe information without being detected.

 

http://blog.sfgate.com/techchron/2014/04/10/man-responsible-for-heartbleed-it-was-not-intended-at-all/

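The two posts above describe the whole mechanism: a length field that was never validated, and a memcpy that therefore walks past the received message into neighbouring process memory, where session data sits in plaintext. The following is an added illustration, not code from OpenSSL or from anyone in this thread. It mirrors the shape of the TLS heartbeat handler (1-byte type, 16-bit payload length, payload, 16 bytes of padding) with the unchecked version beside the checked one that shipped in the fix, run against a constructed "heap" in which a made-up session cookie lies just past the record. The arena, the cookie string and the handler names are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* heartbeat messages carry 16 bytes of padding */

/* Constructed stand-in for the server's heap. The received heartbeat record
 * is parsed in place at the start of the arena; a made-up session cookie
 * sits right after it, in plaintext, the way any live or recently freed
 * buffer would. Sized so that a 65535-byte over-read stays inside it. */
#define ARENA_SIZE (1 + 2 + 65535 + HB_PADDING)
static unsigned char arena[ARENA_SIZE];
static unsigned char out[ARENA_SIZE];
static const char secret[] = "session=deadbeef-cafe; user=alice";  /* constructed */

typedef int (*handler_t)(const unsigned char *, size_t, unsigned char *);

/* Lay out one heartbeat request: type, 16-bit claimed payload length, the
 * bytes actually sent, then the padding. Returns the record length, i.e.
 * how many bytes the peer really transmitted. */
size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    memcpy(arena + rec_len, secret, sizeof secret);   /* adjacent heap data */
    return rec_len;
}

/* The bug as shipped (OpenSSL 1.0.1 through 1.0.1f): the payload length is
 * read from the attacker-controlled message and never compared with the
 * record length, so memcpy reads past the record into whatever follows it.
 * Returns the number of payload bytes echoed back to the peer. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp) {
    uint16_t payload;
    (void)rec_len;                       /* the missed validation */
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);  /* over-read when payload > bytes sent */
    return payload;
}

/* The fix (OpenSSL 1.0.1g): drop records too short to even hold the header
 * and padding, then drop any claimed length that does not fit inside the
 * record. Returns -1 when the message is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp) {
    uint16_t payload;
    if (1 + 2 + HB_PADDING > rec_len) return -1;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return payload;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send one request through a handler; returns bytes echoed, -1 if dropped. */
int echoed_bytes(handler_t handler, uint16_t claimed_len, const char *payload) {
    size_t rec_len = build_request(claimed_len, payload, strlen(payload));
    return handler(arena, rec_len, out);
}

/* Did the adjacent secret come back inside the echoed payload? */
int leaks_secret(handler_t handler, uint16_t claimed_len, const char *payload) {
    int n = echoed_bytes(handler, claimed_len, payload);
    return n > 0 && contains(out + 3, (size_t)n, secret);
}

int main(void) {
    printf("honest 2-byte request, vulnerable code leaks:  %d\n",
           leaks_secret(heartbeat_vulnerable, 2, "hi"));
    printf("claims 65535 bytes, vulnerable code leaks:     %d\n",
           leaks_secret(heartbeat_vulnerable, 65535, "hi"));
    printf("claims 65535 bytes, fixed code leaks:          %d\n",
           leaks_secret(heartbeat_fixed, 65535, "hi"));
    return 0;
}
```

The honest request behaves identically under both handlers, which is why the bug survived review: nothing misbehaves until a peer lies about the length. The fixed handler also needs the first check, because reading the two length bytes of a record shorter than three bytes is itself an over-read.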

The bug is (for the most part) server side; the consumer cannot patch it. Only websites (VPNs and access nodes included) are at risk, and many will send letters out informing you either to change your password or that they were not affected. However, the most security-minded paranoid should change every password they've created in the past 5-to-10 years.

 


There is no point in changing the password unless the site you are changing it for has applied the patch. However, quite a few such as LastPass and Dropbox already have.

 

Have heard of two phishing emails so far about this bug, pretending to be from sites most people would use.


Looks to me like MS considered at least one security issue too important to delay a security update for.


Here is a really great explanation of things. Just a few words, I know, but everyone will be able to understand what the issue is all about after reading it. Also how to test if sites you use still have the bug.

 

http://support.emsisoft.com/topic/14146-heartbleed-threat/?do=findComment&comment=107651

That was good.

Another post there suggested

 


Heartbleed test - Which services are or have been exposed: (10 000 sites)

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

 

That list is defective.

 

After listing 639 vulnerable sites,

it lists another group of 10,000 others which are mostly "Not Vulnerable" or "No SSL".

 

Banks that I use now or in the past are NOT shown as vulnerable.

Unfortunately they are shown as "No SSL" - INSTEAD IT SHOULD SAY UNTESTED,

because the home pages are HTTP, but as soon as you click LOGIN the site switches to HTTPS before you enter anything.

 

Must try harder :wacko:

 
