Jump to content

Massive security bug in OpenSSL


hazelnut

Recommended Posts

  • Moderators

http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

 

 

 

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

This afternoon, many of the net security people I know are freaking out.

 

 

Support contact

https://support.piriform.com/hc/en-us/requests/new

support@ccleaner.com

 

Link to comment
Share on other sites

  • Moderators

it's made it to be one of the leading news stories here now.

 

the 'security experts' being dug up and dumped in front of the cameras are saying to change all your passwords - which is pointless unless every piece of the puzzle between your PC and the info you are after gets their act together.

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.

Link to comment
Share on other sites

  • Moderators

nice find with the graphic Shane, that should explain it even to my wife :huh:

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.

Link to comment
Share on other sites

Link to comment
Share on other sites

  • Moderators
"NSA knew about the bug for 2 years"

 

http://market-ticker.org/akcs-www?post=228928

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Not suprising. NSA are by all means Black Hats, they're just the Black Hats that keep the other Black Hats at bay.

 

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

CCLEANER, RECUVA, DEFRAGGLER AND SPECCY DOCUMENTATION CAN BE FOUND AT  https://support.piriform.com/hc/en-us and  https://www.ccleaner.com/docs

Pro users file a PRIORITY SUPPORT request at https://support.piriform.com/hc/en-us/requests/new

link to WINAPP2.INI explanation

Link to comment
Share on other sites

  • Moderators

Robin Seggelmann, a German software developer says he didn't create the SSL flaw deliberately.

 

 

 

''In one of the new features, unfortunately, I missed validating a variable containing a length,” he told the Herald. And his co-workers missed it, too.

For those who aren’t coders, the end result is this: Anyone aware of the glitch could “eavesdrop” on the ways that computer servers and sites communicate with each other and swipe information without being detected

 

http://blog.sfgate.com/techchron/2014/04/10/man-responsible-for-heartbleed-it-was-not-intended-at-all/

 

Support contact

https://support.piriform.com/hc/en-us/requests/new

support@ccleaner.com

 

Link to comment
Share on other sites

  • Moderators

The bug is (for the most part) server side, the comsumer cannot patch it. Only websites (vpns and access nodes included) are at risk, many will send letters out informing you either to change your password or that they were not effected. However the most security minded paranoid should change every password they've created in the past 5-to-10 years.

 

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

CCLEANER, RECUVA, DEFRAGGLER AND SPECCY DOCUMENTATION CAN BE FOUND AT  https://support.piriform.com/hc/en-us and  https://www.ccleaner.com/docs

Pro users file a PRIORITY SUPPORT request at https://support.piriform.com/hc/en-us/requests/new

link to WINAPP2.INI explanation

Link to comment
Share on other sites

  • Moderators

There is no point in changing the password unless the site you are changing them for has applied the patch . However quite a few such as LastPass and DropBox already have.

 

Have heard of two phishing emails so far about this bug, pretending to be from sites most people would use 

 

Support contact

https://support.piriform.com/hc/en-us/requests/new

support@ccleaner.com

 

Link to comment
Share on other sites

  • Moderators

Here is a really great explanation of things. Just a few words I know, but everyone will be able to understand what the issue is all about after reading it. Also how to test if sites you use have still got the bug.

 

http://support.emsisoft.com/topic/14146-heartbleed-threat/?do=findComment&comment=107651

 

Support contact

https://support.piriform.com/hc/en-us/requests/new

support@ccleaner.com

 

Link to comment
Share on other sites

  • Moderators

Looks to me that MS considered - at least - one security issue too important to not wait with a security update.

 

Microsoft wasn't affected by the Heartbleed bug

 

http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx

 

Support contact

https://support.piriform.com/hc/en-us/requests/new

support@ccleaner.com

 

Link to comment
Share on other sites

Here is a really great explanation of things. Just a few words I know, but everyone will be able to understand what the issue is all about after reading it. Also how to test if sites you use have still got the bug.

 

http://support.emsisoft.com/topic/14146-heartbleed-threat/?do=findComment&comment=107651

That was good.

Another post there suggested

 

Posted 2 minutes ago

Heartbleed test - Which services are or have been exposed: (10 000 sites)

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

 

That list is defective.

 

After listing 639 vulnerable sites,

it list another group of 10,000 others which are mostly "Not Vulnerable" or "No SSL"

 

Banks that I use now or in the past are NOT shown as vulnerable,

Unfortunately they are shown as "No SSL" - INSTEAD IT SHOULD SAY UNTESTED,

because the home pages are HTTP, but as soon as you click LOGIN the site switched to HTTPS before you enter anything.

 

Must try harder :wacko:

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.