  1. #1

    Member Sales Rating: (1)

    Join Date
    Oct 2008
    Location
    Descending toward the moon in the CLEM (Chinese Lunar Excursion Module), looking for Chang'e
    Posts
    11,462

    What about this Heartbleed Bug?

    In the news today, security breach that's, evidently, been around for hackers on MANY sites for over two years. Anyone know how bad this is? Have we ALL been pretty much "screwed"? See beginning of article below and links:

    http://money.cnn.com/2014/04/09/tech...eartbleed-bug/

    What is it?

    It's called the Heartbleed bug, and it is essentially an information leak.
    It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there's a good chance that site is using the encryption software that was impacted by the Heartbleed bug.
    "It's probably the worst bug the Internet has ever seen," said Matthew Prince, CEO of website-protecting service CloudFlare. "If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won't surprise me."

    More info in the article link and others. Just google it.

    cnh
    Onkyo TX-SR 805 System #1 HT AVR
    Office Two Channel: LSi-7s (Nakamichi CA-5, NAD 214, Pioneer BDP51fd)
    Vintage Polks: Polk Monitor 5As, Monitor 7Bs [HK 730], Monitor 10As [Marantz 2265], SDA-2Bs [Jolida JD-303, Jolida MV-MK4]
    Headphones: HD600, Q701, ATH-M50s etc. Bravo Audio Ocean amp., Onkyo P-304, Adcom GFA-555, Technics Direct Drive TT

  2. #2

    Member Sales Rating: (0)

    Join Date
    Jan 2010
    Location
    Minnesota
    Posts
    507


    Rush said you do not need to reset passwords yet, because when they build a patch you will just have to do it again. Probably more Russian hacks like the last time? Peace

  3. #3

    Member Sales Rating: (0)

    Join Date
    Apr 2014
    Posts
    33


    If you haven't already, you should enable 2-factor authentication for all important accounts (banks and email, primarily). That way, a bad guy that knows your password still won't have access, since they won't have access to the second-factor device.

    http://en.wikipedia.org/wiki/Two-step_verification

  4. #4

    Member Sales Rating: (11)

    Join Date
    Apr 2004
    Location
    Chicagoland
    Posts
    2,352


    It's a serious, serious issue. On the scale of 1-10, this is an 11. Things which compromise SSL and DNS are the most serious global issues.

    What can you do?
    1) Changing your passwords will not help if a vulnerable site has not yet fixed their vulnerability.
    2) It does help to have different passwords on each account. Many of us use the same password across all sites. This is an issue. Say your yahoo username and password were discovered. What if an attacker tried that same username and password on every major bank... and it was the same?
    3) The flaw has existed for 2 years, but it's not certain that it was exploited. We don't know. But what I do know is now that the news is out there, there are script kiddies snooping around for whatever they can find. So the risk now is much, much higher.
    4) About all you can do is wait for an "all clear" from your bank or other service provider, and follow their advice if they suggest to change your password.

  5. #5

    Member Sales Rating: (4)

    Join Date
    Dec 2002
    Location
    Denial...it's in Egypt.
    Posts
    12,729


    This is not compromising SSL or DNS. It is an issue with a specific version set of OpenSSL.

    OpenSSL is not a way to encrypt websites it is a way to secure a data stream.

    On Monday, April 7, 2014, a vulnerability was publicly identified in OpenSSL 1.0.1 through 1.0.1f, encryption software that is widely used to secure websites, including the products that control or serve access to them. The flaw allows an attacker to download up to 64 kB of random, private memory from a server although an attacker cannot specify the location of the memory to read.

    The exploit is entirely random because it allows only 64 KB of random memory to be accessed. It's also not necessarily congruent. It has nothing to do with your immediate connection because it's allowing access to server memory and that includes every connection that is still held in memory. It may not even be your info that is accessed. The complete randomness of the access also makes it very, very difficult for an attacker to string together usable info from only 64 KB of memory outside of gigabytes worth of data that changes in time frames measured in milliseconds.

    Not every website uses OpenSSL. OpenSSL is an open source version of SSL. Yes, it is popular but there are other versions of SSL servers out there that do not have this issue. OpenSSL is very popular but it is not the only version of the transport protocol.

    Two stage verification will not do anything for you in this case. It has nothing to do with your actual connection.

    Changing your password is a good idea although the odds of your account and password being fully extracted in this bug are slim. Servers have tens of gigabytes of memory. Sometimes hundreds. The bug will allow access to only 64 KB of that memory and it's random and not necessarily congruent. This is likely the biggest reason that it hasn't really been exploited. The information you can get out of it is unusable. Memory changes constantly and to get enough usable information out of memory, you'd have to have hundreds, maybe thousands of nodes that would all hit the exploit at once to read the entirety of the memory. But then you've essentially started a DDoS attack and you're going to shut down the network connection and shoot yourself in the foot anyway.

    This is not a sky falling event. The reason this is such a big deal is because, for one, OpenSSL is a security transport layer that isn't really secure. The other issue is the sheer number of places using it, either as a primary user or as a secondary user due to using 3rd party software that uses it.

    The patch was out last Thursday. By now the majority of the users are patched and the risk is abated.

    Does that mean this isn't a risk? No, it is a very real risk and it needs to be patched.

    Should you still change your passwords at affected places? Sure. Doesn't hurt to do that regularly at all.
    You're just jealous 'cause the voices don't talk to you!

  6. #6

    Member Sales Rating: (0)

    Join Date
    Apr 2014
    Posts
    33


    Jstas,

    That's an overly optimistic view on this particular bug. The bug allows an attacker to read a large chunk of memory of the process per request (and there's no limit to how many times they can try). Keep in mind that openssl does its own memory management, so the buffer overrun is going to land you square in the area where the SSL keys are stored. It's extremely conceivable that a moderately skilled bad actor could get the server's private key that could then enable them to decrypt everything going into or out of that server.

    2 factor will certainly help in any case where your login credentials could have been compromised. If the malicious party does not have your second factor device, they cannot use your login credentials.
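The defect the two posts above are arguing about is a missing bounds check: the heartbeat handler trusted the payload length written inside the message instead of the length of the record that actually arrived. The following is an added example, not code from this thread or from OpenSSL; it simulates the record in a plain buffer (the names, the "ping" payload and the neighbouring "other-session-secret" bytes are all constructed) and shows the unchecked handler beside the hardened one that rejects an oversize claim.

```c
#include <stdint.h>
#include <string.h>

/* Simulated TLS heartbeat record: type(1) | payload_length(2, big-endian) |
 * payload | padding(16). record_len is what really arrived. Hypothetical. */
#define HB_PADDING 16

/* Mirrors the defect: trusts the payload_length field inside the message and
 * copies that many bytes back, never comparing it to the received record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t record_len, uint8_t *out)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)record_len;                 /* never consulted: that is the bug */
    memcpy(out, rec + 3, claimed);    /* reads past the real payload */
    return claimed;
}

/* Hardened form: the claimed payload must fit inside the received record,
 * padding included; otherwise the request is silently discarded. */
size_t hb_reply_checked(const uint8_t *rec, size_t record_len, uint8_t *out)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;   /* no room for a header */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > record_len)
        return 0;                     /* claimed length exceeds the record */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed scene: a heartbeat carrying the 4-byte payload "ping" but
 * claiming `claimed` bytes, followed in the same buffer by other session
 * data a server keeps in process memory. Returns the true record length. */
static size_t build_scene(uint8_t *mem, size_t cap, uint16_t claimed)
{
    memset(mem, 0, cap);
    mem[0] = 0x01; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + 23, "other-session-secret", 20);   /* constructed neighbour */
    return 1 + 2 + 4 + HB_PADDING;                  /* 23 bytes really sent */
}

/* 1 if the neighbouring secret shows up in the unchecked reply, else 0. */
int demo_unchecked_leaks(void)
{
    uint8_t mem[128], out[128];
    size_t n = hb_reply_unchecked(mem, build_scene(mem, sizeof mem, 40), out);
    return n == 40 && memcmp(out + 20, "other-session-secret", 20) == 0;
}

/* Checked reply length: 0 for the oversize claim, 4 for an honest claim of 4. */
size_t demo_checked(uint16_t claimed)
{
    uint8_t mem[128], out[128];
    return hb_reply_checked(mem, build_scene(mem, sizeof mem, claimed), out);
}
```

The unchecked reply echoes the 16 padding bytes and then whatever sat after the record, which is the mechanism behind the "64 KB per request" figure in the thread; the checked version only ever copies bytes the client actually sent.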

  7. #7

    Member Sales Rating: (4)

    Join Date
    Dec 2002
    Location
    Denial...it's in Egypt.
    Posts
    12,729


    A large chunk of memory? You're kidding, right?

    64 KB out of gigabytes worth of data is not large in any respect. Maybe in 1983 it was. Especially since it changes constantly. You get one chance to grab stuff before it changes and you can only grab random snippets at that. No matter how many times you can ping the exploit, the odds that you are going to get enough congruent data to complete a file are slim. That means, you get 64 different 1 KB snippets of memory blocks that have a small chunk of data in them that are very likely unrelated to each other. That's if your memory has its blocking set up that way. It could be finer or it could be more coarse. So you might get a password but not a user name or you might get a user name but not a password. You might get a password reminder question but you won't get the answer. You might get connection information but that can be had via a utility like PortQuery or Wireshark.

    Encryption has not been compromised unless, by some small miracle, you actually managed to grab an ENTIRE certificate key. The odds of that are slim. Is it possible? Certainly.

    This isn't an optimistic view. This is realistic.

    I actually do this system security stuff for a living. I manage multiple SSL/TLS connected systems for transmitting encrypted data all day, every day. I've been dealing with this heartbleed stuff since we found out about it last Thursday night. They only pushed the public announcement on Monday after they figured out just how extensive the bug was so they could do damage control and have a patch ready when the announcement was made.

    And two-factor authentication will not help you because the server is what is affected. The heartbeat connection to keep the SSL port alive is where the issue is.

    Is two factor authentication a good idea? Yes. It is. But this bug has nothing to do with authentication. The risk isn't that accounts will be compromised but that this circumvents the entire encryption process completely. Anything you can pull out of memory is not secured and the real risk is that certificates can be pulled out of memory. Certificates are secret decoder rings for SSL. You get a certificate, all the two-factor authentication in the world isn't going to help because you can then bypass encryption and authentication on the server once you get in through the backdoor in the heart beat connection. It has nothing to do with the client side although the client side is where the hole starts due to the heartbeat issue.

    There is nothing you, as a user, can do to combat this. You just have to wait for the various sites you use that are affected to update OpenSSL to a different/newer version or patch the version they have. If you have software on your local system or your cellphone or whatever that uses OpenSSL and you see updates in the next few days, install the updates. Otherwise, not much you can do. Sorry.
    You're just jealous 'cause the voices don't talk to you!

  8. #8

    Member Sales Rating: (0)

    Join Date
    Apr 2014
    Posts
    33


    Jstas, I'm not new to this computer stuff, either ;-)

    Since you're always getting openssl memory on each request, you're not talking about trying to find 4K out of 32G of memory. More like 4K out of a couple hundred K. Given enough data, it's really not hard to find a static 4K of data (the cert). That's what makes this so dangerous: private server keys don't change very often. You just need to look for a large block of data (the cert is always in contiguous memory) that shows up frequently. The constantly changing data falls out and the server private key is the only thing that's consistently there, even if it's only in 0.001% of requests, its static nature will make it easy to find.

  9. #9

    Member Sales Rating: (4)

    Join Date
    Dec 2002
    Location
    Denial...it's in Egypt.
    Posts
    12,729


    Here, you want to know what passwords you might have that should change:

    http://mashable.com/2014/04/09/heart...ites-affected/


    payneinthe...you just restated what I already said.
    You're just jealous 'cause the voices don't talk to you!

  10. #10

    Member Sales Rating: (0)

    Join Date
    Feb 2014
    Posts
    25


    There is definitely a lot of reaction (and panic) to this, and not just in the geek community. Here are a few links with additional information if you're interested.
    Google public announcement:
    http://googleonlinesecurity.blogspot...o-address.html

    "Non Geek" site communication to the general public via NPR (radio) and related story posted on the NPR website:
    http://hereandnow.wbur.org/2014/04/0...-security-flaw

    SANS info:
    http://digital-forensics.sans.org/bl...utmk=154969841

    http://www.openssl.org/news/secadv_20140407.txt

  11. #11

    Member Sales Rating: (3)

    Join Date
    Feb 2007
    Posts
    2,251


    Quote Originally Posted by Jstas View Post
    Here, you want to know what passwords you might have that should change:

    http://mashable.com/2014/04/09/heart...ites-affected/


    payneinthe...you just restated what I already said.
    I was about to post this exact link. Sounds like they'll be adding/updating as they get more details, so I'll probably refresh next week and have another look.
    2007 Club Polk Football Pool Champ

    2010 Club Polk Fantasy Football Champ

    2011 Club Polk Football Pool Champ


    "It's like a koala bear crapped a rainbow in my brain!"
