CCleaner Community Forums

Massive security bug in OpenSSL


hazelnut


  • Moderators

http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

 

 

 

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

This afternoon, many of the net security people I know are freaking out.

 

  • Moderators

It's made it to be one of the leading news stories here now.

 

The 'security experts' being dug up and dumped in front of the cameras are saying to change all your passwords - which is pointless unless every piece of the puzzle between your PC and the info you are after gets their act together.

  • Moderators
"NSA knew about the bug for 2 years"

 

http://market-ticker.org/akcs-www?post=228928

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Not surprising. NSA are by all means Black Hats, they're just the Black Hats that keep the other Black Hats at bay.

 

  • Moderators

Robin Seggelmann, a German software developer, says he didn't create the SSL flaw deliberately.

“In one of the new features, unfortunately, I missed validating a variable containing a length,” he told the Herald. And his co-workers missed it, too.

For those who aren’t coders, the end result is this: Anyone aware of the glitch could “eavesdrop” on the ways that computer servers and sites communicate with each other and swipe information without being detected.

 

http://blog.sfgate.com/techchron/2014/04/10/man-responsible-for-heartbleed-it-was-not-intended-at-all/

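The "variable containing a length" Seggelmann mentions is the payload_length field of the TLS heartbeat message (RFC 6520). The following is an added example, not code from this thread or from OpenSSL: a small C parser for that message that performs the check he describes as missing, so a record whose claimed payload length exceeds the bytes actually received is discarded instead of being echoed back. The message layout follows RFC 6520 (1 byte type, 2 byte big-endian length, payload, at least 16 bytes of padding); the two sample records are constructed, and the response padding is zero-filled here for simplicity where a real implementation would use random bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a bounds-checked parser for the TLS
 * heartbeat message of RFC 6520 (1 byte type, 2 byte big-endian
 * payload_length, payload, then at least 16 bytes of padding). */

#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_REQUEST      1
#define HB_RESPONSE     2

typedef enum {
    HB_OK = 0,
    HB_TOO_SHORT,        /* record cannot even hold header + padding */
    HB_BAD_TYPE,         /* neither request nor response */
    HB_LENGTH_MISMATCH   /* claimed payload_length exceeds what arrived */
} hb_status;

/* Validate a received heartbeat record. On success *payload points into rec
 * and *payload_len is the payload length, now known to be inside the record. */
static hb_status parse_heartbeat(const unsigned char *rec, size_t rec_len,
                                 const unsigned char **payload, uint16_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;

    uint16_t claimed = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);

    /* The validation Seggelmann describes as missing: the length the peer
     * claims must fit inside the bytes that were actually received. Without
     * it, a response would be copied from `claimed` bytes of whatever sits
     * after the payload in memory. RFC 6520 says such a message is discarded
     * silently. */
    if ((size_t)claimed + HB_HEADER_LEN + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;

    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}

/* Build the response to a validated request: echo exactly the validated
 * payload, then padding. Returns the response length, or 0 if the request
 * was rejected or the output buffer is too small. */
static size_t build_heartbeat_response(const unsigned char *req, size_t req_len,
                                       unsigned char *out, size_t out_cap)
{
    const unsigned char *payload;
    uint16_t payload_len;
    if (parse_heartbeat(req, req_len, &payload, &payload_len) != HB_OK)
        return 0;
    size_t resp_len = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);             /* bounded by the check above */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);  /* constructed: zero padding, real padding is random */
    return resp_len;
}

/* Constructed sample records, not captured traffic. */
/* Well-formed: type 1, payload_length 4, "ping", 16 bytes of padding. */
static const unsigned char GOOD_REQ[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Malformed: same bytes, but payload_length claims 0x4000 (16384). */
static const unsigned char BAD_REQ[] = {
    0x01, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Parsed payload length for the well-formed record, or -1 on rejection. */
int check_good_request(void)
{
    const unsigned char *payload; uint16_t len;
    if (parse_heartbeat(GOOD_REQ, sizeof GOOD_REQ, &payload, &len) != HB_OK) return -1;
    return len;
}

/* Parser status for the malformed record. */
int check_bad_request(void)
{
    const unsigned char *payload; uint16_t len;
    return (int)parse_heartbeat(BAD_REQ, sizeof BAD_REQ, &payload, &len);
}

/* Response length produced for a given record (0 when it is rejected). */
size_t response_len_for(const unsigned char *req, size_t req_len)
{
    unsigned char out[64];
    return build_heartbeat_response(req, req_len, out, sizeof out);
}

int main(void)
{
    printf("good request: payload length %d, response %zu bytes\n",
           check_good_request(), response_len_for(GOOD_REQ, sizeof GOOD_REQ));
    printf("bad request: status %d, response %zu bytes\n",
           check_bad_request(), response_len_for(BAD_REQ, sizeof BAD_REQ));
    return 0;
}
```

The point of the design is that the copy in `build_heartbeat_response` is sized by a length that has already been compared against `rec_len`, so the response can never contain more than the payload the peer actually sent.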
  • Moderators

The bug is (for the most part) server side, the consumer cannot patch it. Only websites (VPNs and access nodes included) are at risk, many will send letters out informing you either to change your password or that they were not affected. However the most security minded paranoid should change every password they've created in the past 5-to-10 years.

 

  • Moderators

There is no point in changing the password unless the site you are changing them for has applied the patch. However quite a few such as LastPass and DropBox already have.

 

Have heard of two phishing emails so far about this bug, pretending to be from sites most people would use.

  • Moderators

Here is a really great explanation of things. Just a few words I know, but everyone will be able to understand what the issue is all about after reading it. Also how to test if sites you use have still got the bug.

 

http://support.emsisoft.com/topic/14146-heartbleed-threat/?do=findComment&comment=107651

  • Moderators

Looks to me that MS considered - at least - one security issue too important to not wait with a security update.

 

Microsoft wasn't affected by the Heartbleed bug

 

http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx


Here is a really great explanation of things. Just a few words I know, but everyone will be able to understand what the issue is all about after reading it. Also how to test if sites you use have still got the bug.

 

http://support.emsisoft.com/topic/14146-heartbleed-threat/?do=findComment&comment=107651

That was good.

Another post there suggested

 


Heartbleed test - Which services are or have been exposed: (10 000 sites)

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

 

That list is defective.

 

After listing 639 vulnerable sites,

it lists another group of 10,000 others which are mostly "Not Vulnerable" or "No SSL"

 

Banks that I use now or in the past are NOT shown as vulnerable,

Unfortunately they are shown as "No SSL" - INSTEAD IT SHOULD SAY UNTESTED,

because the home pages are HTTP, but as soon as you click LOGIN the site switches to HTTPS before you enter anything.

 

Must try harder :wacko:

 

