[Closed] Singletrack vulnerable to heartbleed

Posts: 12336
Full Member
 

Paypal gift suddenly gallops from the back of the field as the most secure payment option.


 
Posted : 09/04/2014 6:08 pm
Posts: 0
Free Member
 

I'm trying (and failing) to get a handle on the difference between potential leaks of data and guaranteed leaks of data.
The stories talk about being able to download private keys along with usernames and passwords.
As I understand, through a flaw you can download 64K chunks of data from the application.
What I can't seem to find out is -
Are these addressable chunks, random chunks, or do they all have the same memory offset?
Presumably the data memory downloadable is compiler dependent? (though I guess gcc does mem allocation in a fairly standard manner) So do all compilers / os / hardware platforms have the same vulnerable data in the same 64K segment?
Or am I misunderstanding something?


 
Posted : 09/04/2014 6:24 pm
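The question above (what determines which memory comes back) turns on the heartbeat handler trusting the peer's declared payload length: a two-byte length field, which is where the "64K chunks" figure comes from, is used to copy from the receive buffer without checking how many bytes actually arrived. The following is an added, simplified model written for this thread, not OpenSSL's code or anything from the linked article; the request layout, the flat "heap" buffer and the neighbouring data are all constructed, and the fixed handler shows the bounds check against the received length that closes the hole.

```c
#include <stddef.h>
#include <string.h>
/* Constructed, simplified heartbeat request (not OpenSSL's code): 1 byte
 * type, 2-byte big-endian payload length, then the payload. rec_len is how
 * many bytes actually arrived; the length field is what the peer claims.
 * Both handlers return the count copied into out, or -1 if rejected. */
#define HB_HDR_LEN 3

static int hb_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap) {
    (void)rec_len;                      /* the bug: received length is ignored */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, declared);  /* reads past what was received */
    return (int)declared;
}

static int hb_reply_fixed(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN) return -1;            /* no complete header */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + declared > rec_len) return -1; /* claim exceeds record */
    if (declared > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, declared);
    return (int)declared;
}

/* One flat buffer stands in for the process heap: the 5-byte request sits at
 * the front, and unrelated (constructed) data lives 16 bytes further on. */
static void build_memory(unsigned char *mem, unsigned char declared_len) {
    const unsigned char req[] = {0x01, 0x00, declared_len, 'h', 'i'};
    memset(mem, 0, 48);
    memcpy(mem, req, sizeof req);
    memcpy(mem + 16, "SECRET-NEIGHBOUR-DATA", 21);
}

/* Returns 1 if the vulnerable handler's reply carries the neighbouring data. */
int demo_vulnerable_leaks(void) {
    unsigned char mem[48], out[64];
    build_memory(mem, 0x20);                        /* claims 32 bytes, sent 2 */
    int n = hb_reply_vulnerable(mem, 5, out, sizeof out);
    return n == 32 && memcmp(out + 13, "SECRET", 6) == 0;
}

/* Returns what the fixed handler does with a request claiming declared_len. */
int demo_fixed_result(unsigned char declared_len) {
    unsigned char mem[48], out[64];
    build_memory(mem, declared_len);
    return hb_reply_fixed(mem, 5, out, sizeof out);
}
```

Whatever happens to sit after the request in memory is what gets echoed back, which is why the thread is right that nothing specific can be ruled in or out after the fact.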
Posts: 894
Free Member
Topic starter
 

Just typed out a huge explanatory post and realised that I was likely just going to make things more confusing..

Look here for a decent technical explanation..

[url=http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html]http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html[/url]


 
Posted : 09/04/2014 6:39 pm
Posts: 894
Free Member
Topic starter
 

The upshot of it is, because of the nature of the bug, there is no way to know if or what has been stolen. Therefore you have to assume that EVERYTHING was stolen. Hence the calls for blanket revoking of SSL/TLS certificates and blanket changing of all passwords.

As the man said.. 'Nuke it from orbit, it's the only way to be sure!!'


 
Posted : 09/04/2014 6:43 pm
Posts: 78537
Full Member
 

Assuming the author can be trusted, the tweet on that explanation page is interesting.

@neelmehta

Heap allocation patterns make private key exposure unlikely for #heartbleed #dontpanic.

Though,

Neel Mehta has validated some of my concerns, but there are many reports of secret key discovery out there.


 
Posted : 09/04/2014 6:50 pm
Posts: 894
Free Member
Topic starter
 

It is unlikely in most circumstances.
You have to remember though that by running a relatively simple script someone could have been monitoring the contents of that memory basically constantly for the last 2 years.!! It's not inconceivable to assume that the data collected in that time can be reconstructed to form critical data.

The key here and the one that I hope sites are going to take to heart is that there is no way to know what might have been taken. However unlikely, they are going to have to assume that the keys to the kingdom have been copied and respond accordingly.


 
Posted : 09/04/2014 7:26 pm
Posts: 13594
Free Member
 

Probably find the whole thing was a bug added by the NSA and they've been leeching data for years......


 
Posted : 09/04/2014 7:38 pm
Posts: 894
Free Member
Topic starter
 

Interesting you should say that. OpenSSL is open source software and one of the key advantages of such is supposed to be that things like this don't happen due to the peer review like process that the code goes through. Given what everyone has been assuming about open source software for many years there has to be some serious questions asked about how it is written and maintained in mission critical situations. I can only imagine what kind of gleeful meetings they are having at Microsoft today. Their server infrastructure business might just have gotten a massive boost.


 
Posted : 09/04/2014 7:43 pm
Posts: 13594
Free Member
 

Nothing to stop the NSA anonymously checking in code to OS projects. They pretty much ran one of the encryption standards bodies and rigged one of the random number gens.


 
Posted : 09/04/2014 8:04 pm
Posts: 0
Free Member
 

Look here for a decent technical explanation..

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Thanks!


 
Posted : 09/04/2014 8:04 pm
Posts: 894
Free Member
Topic starter
 

Nothing at all.. but in theory they should be prevented from checking in malicious code as it would be spotted by other coders who look at it and figure out what they were up to.. Clearly something that isn't working as well as it should in this case.

Oh and you are very welcome Ian. 🙂


 
Posted : 09/04/2014 8:20 pm
Posts: 0
Free Member
 

My understanding is patching and new certs are required. I don't see how sticking an LB in front helps. Sure the LB depending on OpenSSL version itself may not be vulnerable but what's behind it is.
Happy to be corrected by someone more geeky 🙂

Don't see the point in changing passwords until it's verified all aspects of the vulnerability are removed.


 
Posted : 09/04/2014 8:22 pm
Posts: 894
Free Member
Topic starter
 

In actual fact, changing passwords before the site is patched and certificate re-issued could actually make you MORE vulnerable. If the site is being monitored this way then you logging in to change your password makes you more likely to be caught than by simply staying away until it's fixed.. Basically everyone needs to unplug and go for a ride for a day or two until this is fixed..


 
Posted : 09/04/2014 8:29 pm
Posts: 0
Free Member
 

+1 and the most sense I've heard all day


 
Posted : 09/04/2014 8:32 pm
 Tom
Posts: 0
Free Member
 

if the issue date is before 7/4/2014 then the site cannot be considered safe
My understanding is that certificates are often reissued with the original issue date.


 
Posted : 09/04/2014 9:02 pm
Posts: 894
Free Member
Topic starter
 

My understanding is that this is possible but is not the default way it works.
Yahoo for example has had a new certificate issued that started yesterday. I'm not up to speed with the way certificates are issued but I believe it may need to be issued as a new certificate because the private key needs to be regenerated, a standard re-issue of a cert would not regenerate this key. Seeing as the key is what's been stolen potentially, getting a new cert issued without a new key is totally pointless.

Please note I could be wrong on that point. However getting keys re-issued with the original start date is hardly going to help rebuild shattered confidence. I'd have thought affected sites would be trumpeting about their shiny new, secure certificate.


 
Posted : 09/04/2014 9:11 pm
 dh
Posts: 0
Free Member
 

captainslow - depending on the load balancer config, that will normally terminate the ssl connection first then start the connection to the next destination, using its implementation of ssl (perhaps it is openssl or not), sometimes offloading the calculations to dedicated hardware cards.

e.g. my citrix load balancers run openssl, but don't run the affected versions (slightly older) so it's all a-ok for me.

Where are all the open-source zealots today? 😯

oh if you have cisco read this: [url=http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed]cisco[/url]

vsphere [url=http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225]this[/url]

It's just a ploy for us to take our eyes off the XP systems that will be getting pwoned today of course.


 
Posted : 09/04/2014 9:18 pm
Posts: 894
Free Member
Topic starter
 

😆

If you believe the speculation, pwoned is an understatement. The theory is that the hacker groups have been saving up all the undocumented exploits, security holes and bugs in XP until today. Now that Microsoft has washed their hands of it, it's open season.!!


 
Posted : 09/04/2014 9:32 pm
 dh
Posts: 0
Free Member
 

yup - theory. where are they all then?


 
Posted : 09/04/2014 9:42 pm
Posts: 30656
Free Member
 

The first of many I assume.



 
Posted : 09/04/2014 10:07 pm
Posts: 0
Free Member
 

Thx dh


 
Posted : 09/04/2014 10:55 pm
 dh
Posts: 0
Free Member
 

well if you use strava you certainly might be asking questions...

[url=https://lastpass.com/heartbleed/?h=strava.com]too busy with KOMs strava admin team?[/url]


 
Posted : 09/04/2014 11:05 pm
Posts: 6855
Full Member
 

I feel old.........


 
Posted : 09/04/2014 11:06 pm
Posts: 894
Free Member
Topic starter
 

Here's another one.. glad to see that at least some sites are attacking this headon..

[url=https://www.wunderlist.com/blog/how-we-fixed-the-heartbleed-bug]Wunderlist[/url]


 
Posted : 09/04/2014 11:19 pm
Posts: 894
Free Member
Topic starter
 

Not sure if this makes it better or worse but it looks like there is some evidence that the bug has been exploited for at least several months... Better, because it looks like it may be possible to identify an attack (assuming you were logging to the right level), much much worse because it means that it was a known exploit in the community and has been used in anger.!!

[url=http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/]Heartbleed may have been exploited[/url]


 
Posted : 10/04/2014 1:32 am
Posts: 422
Full Member
 

@Highlander -sorry been busy.

Most times if you're using a hardware (or 'clever' software) load balancer, you're going to terminate SSL on that device. While some lower end devices might use OpenSSL, the bigger players will have something like a Cavium Nitrox SSL processing chip, which won't be vulnerable to this attack (but might be to others, of course). Better software load balancers might have a different proprietary stack also.

Often, the range of ciphers supported by hardware is smaller than OpenSSL so it's possible if the device is configured away from the default that it might fall back to OpenSSL, which could be a vulnerable version.

However, I'd say that in general sites which are using high end Application Delivery Controllers (posh load balancers) are less likely to be vulnerable to this and other TLS based attacks.


 
Posted : 10/04/2014 5:02 am
Posts: 13349
Free Member
 

It would appear that both ebay and PayPal still have old certificates in place.

On a work related note I'm in for some headaches today.


 
Posted : 10/04/2014 5:40 am
 Tom
Posts: 0
Free Member
 

There is some useful information about certificate issue dates here:
https://news.ycombinator.com/item?id=7563095

Our Digicert cert has been revoked, rekeyed, and reissued, retaining the original date. There are some other high profile sites who were previously vulnerable, and must surely have revoked and rekeyed, but have retained old issue dates. Lastpass.eu and stackoverflow for example.


 
Posted : 10/04/2014 5:59 am
Posts: 1048
Free Member
 

I'm looking forward to work today. There's going to be more dancing around the issue than a Michael Flatley production.


 
Posted : 10/04/2014 7:30 am
Posts: 251
Full Member
 

One thing to bear in mind is that this is going to give the people who email you fake 'reset your password and give us your bank details' emails a field day. Everyone will believe they are genuine.

If you're going to reset your password as a result of an email notification type the url into a browser, don't follow a link.


 
Posted : 10/04/2014 7:46 am
Posts: 0
Free Member
 

Easy way to test whether sites of interest are potentially at risk

https://www.ssllabs.com/ssltest/


 
Posted : 10/04/2014 8:00 am
Posts: 41
Free Member
 

If you're like me and have a passing interest into the background of this, but struggle to understand all the connected elements, I thought this was quite a good "plain-English" explanation of what has happened:

[url=http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html]http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html[/url]


 
Posted : 10/04/2014 1:08 pm
Posts: 0
Free Member
 

I am still getting a security warning when logging into STW -

[i]Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?[/i]

Never used to get this until the past week or so. Not computer savvy really. Is this related to the current problem or something else?


 
Posted : 10/04/2014 1:13 pm
Posts: 12534
Full Member
 

Thanks, rj2dj, good article.


 
Posted : 10/04/2014 1:35 pm
Posts: 1048
Free Member
 

As expected. Apparently our VPN having the vulnerability is 'not a big deal'.

🙄


 
Posted : 10/04/2014 8:38 pm
Posts: 30656
Free Member
 

That's what happens when you give something serious such an Emo name.


 
Posted : 10/04/2014 10:46 pm
Posts: 251
Full Member
 

The coder has 'fessed up;

[url=http://big.assets.huffingtonpost.com/672443316256430888.gif]http://big.assets.huffingtonpost.com/672443316256430888.gif[/url]

It's not the fault of the open source process per se, it's just that there's too few people doing code reviews because no one will pay them to. Probably.


 
Posted : 11/04/2014 8:39 am
Posts: 33983
Full Member
 

Just to add to this, I've just read this from Twitter, via Flipboard:
[b]More People Were Paid To Exploit Heartbleed For The NSA Than To Fix It[/b]
http://falkvinge.net/2014/04/11/more-people-were-paid-to-exploit-heartbleed-for-the-nsa-than-to-fix-it/
Does come as no surprise, really.


 
Posted : 12/04/2014 8:24 pm
Posts: 11402
Free Member
 

nice explanation

what a complete cock up


 
Posted : 13/04/2014 7:41 pm
Posts: 30656
Free Member
 

Out of all the websites I am registered with, only iFTTT has emailed me about the issue. Imgur, which was shown to be susceptible, sent bollocks all.

*harumphs*


 
Posted : 13/04/2014 7:53 pm
Posts: 0
Free Member
 

The first photo on the link rj2dj posted has some impressive cabling! God I'm sad...


 
Posted : 13/04/2014 8:49 pm
Posts: 30656
Free Member
 

The first photo on the link rj2dj posted has some impressive cabling! God I'm sad...

Fill your boots...

http://reddpics.com/r/cableporn


 
Posted : 14/04/2014 12:08 am
Posts: 894
Free Member
Topic starter
 

I am getting so frustrated with the vague and non-committal responses to queries on this subject.
To date I've only had 3-4 notifications that a site has been patched and is now safe or that they were not affected. Other than that I've been forced to email the company concerned (I have a password database of over 100 unique logins) to ask for clarification as to whether their systems are safe to start using again.
In most cases I get responses that are vague to the point of being useless in clarifying the situation..
For example, reply from Sony regarding their Entertainment Network (formerly playstation store)...

I can confirm that we have no information regards it affected our website, and we would like to re-assure you that your account is secured

Given that I asked them specifically the status of their SSL certificate that response tells me nothing.!! Grrrrr...
Still haven't been able to confirm that any of the online bike stores are safe yet either... there seems to be a great deal of 'heads in the sand' about this and it's not bloomin' good enough.. [/rant]

and breathe.... 🙂


 
Posted : 15/04/2014 4:45 pm