1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Heartbleed OpenSSL Vulnerability.

Discussion in 'Serious' started by Unicorn, 10 Apr 2014.

  1. Unicorn

    Unicorn Uniform November India

    Joined:
    25 Jul 2006
    Posts:
    12,720
    Likes Received:
    446
    So, from what I've read this is pretty serious. I've changed quite a few passwords already and still have a few left. Anyone else changing everything just to be sure?
     
  2. aramil

    aramil One does not simply upgrade Forums

    Joined:
    10 Jul 2012
    Posts:
    961
    Likes Received:
    56
    Last edited: 10 Apr 2014
    boiled_elephant likes this.
  3. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,873
    Likes Received:
    248
    I think this whole scare is a overblown a bit. What it did was if someone knew the bug, and abused it, then your server might have leaked random parts of the memory. Which might have contained user cookies, hashes, keys.

    Now, that sounds kinda serious. Except :
    1) someone would have to know that that string of e78$csui123 is actually a password, or that other string is actually the SSL key.
    2) you would have to be unlucky for the hacker to get exactly your data.
    3) you would have to be unlucky for the hacker to actually be able to identify that that specific password belongs to that specific user, or that string is the SSL key.

    And even if someone applied the fix, that doesn't mean they changed the SSL key and regenerated the SSL certs - ok, you can check if they got new certs after 7th April, but you can't be sure the keys were exchanged too.

    So while you could have been affected, if that happened then someone would have already abused your account information. If it didn't happen until now, it is unlikely to be used later.

    So you can change password for peace of your mind, but that is pretty much the extent of it.
     
  4. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,120
    Likes Received:
    74
    ^ Quite. A lot of this is corporate ass-covering. I patched anything in my control early last week as it has been on netsec mailing lists since around then.
     
  5. Risky

    Risky Well-Known Member

    Joined:
    10 Sep 2001
    Posts:
    4,095
    Likes Received:
    36
    It's about time I changed some of my standard ones, I guess.
     
  6. Kernel

    Kernel Likes cheese

    Joined:
    29 Sep 2003
    Posts:
    1,160
    Likes Received:
    29
  7. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,478
    Likes Received:
    176
    Unfortunately you're wrong. Private keys are 'relatively' easy to spot if you find the memory they live in. It's not a matter of having to guess which memory bits are the key. Sure you need the skills to do it but it can and WILL be done. This is a genuine issue.

    The biggest and most far reaching we've seen since we all became internet connected people.

    Don't take it lightly guys.

    Here's the REAL risk straight from the source:

     
  8. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,478
    Likes Received:
    176
  9. sparkyboy22

    sparkyboy22 Web Tinkerer

    Joined:
    3 May 2010
    Posts:
    738
    Likes Received:
    35
    Also you get a lot more text back in 64kb than that.
     
  10. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,413
    Likes Received:
    335
    NSA Said to Exploit Heartbleed Bug for Intelligence for Years.
    http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
     
  11. Umbra

    Umbra New Member

    Joined:
    18 Nov 2013
    Posts:
    636
    Likes Received:
    17
    Sometimes I question the value of the internet and just how it may be changing the way I think about the world, the first thing I thought about when I read of the Heartbleed bug was if the NSA/GCHQ knew about it and had used it themselves and now it seems they have been doing this for years, becoming so cynical of the world is depressing and makes me wonder if "Ignorance is bliss" was a better way to live:confused:
     
  12. law99

    law99 Custom User Title

    Joined:
    24 Sep 2009
    Posts:
    2,382
    Likes Received:
    59
    If they'd been using it for years they'd be a lot more successful than they are.

    They'll be using it now though.
     
  13. boiled_elephant

    boiled_elephant Whitelist Bit-Tech in your adblock!

    Joined:
    14 Jul 2004
    Posts:
    5,940
    Likes Received:
    435
    We wouldn't necessarily know about it or see evidence of their successes. By definition, a lot of successful attempts to spy, hack or farm information are invisible.

    Invisible successes are a real problem when trying to size up something like this. If, for instance, an enterprising hacker had found this exploit months ago and used it effectively, s/he would - we hope - have used it immediately, defrauding millions ($) from millions (of people). But if s/he was smarter than that, they might've just gradually, carefully siphoned off profit in countless small identity thefts, too small to raise the alarm on the nature of the original security hole. Which is what I'd have done, and I'm not even that smart or a hacker.

    Likewise for the NSA et al. If they had it and used it, there would be very little immediate evidence of it. If I were in their position I'd farm as much security information and passwords as possible early on and just keep them, to be discreetly used as and when it's most instrumental. That's the scary thing about digital security breaches - when they're done right, they're active and not discovered for years.

    Sleep tight :)
     

Share This Page