HeartBleed Bug - SSL Vulnerability

Allen
Blackwood
Posts: 5252
Joined: Thu Oct 11, 2007 5:39 pm
Location: Cairns, Australia

HeartBleed Bug - SSL Vulnerability

Post by Allen » Wed Apr 09, 2014 10:26 am

I was sent an urgent email about this, and after a quick search it's all over the net today. If you are running your own website like I am, best look into this.

Here is the info from heartbleed.com:

The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice?

We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

Here is a website that has been set up to test for the vulnerability.

http://filippo.io/Heartbleed/
Allen R. McFarlen
https://www.brguitars.com
Facebook
Cairns, Australia
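The heartbleed.com text above says the bug lets a remote peer read server memory but not why. The pattern behind it is a length field taken from the request and trusted when building the reply, so the copy runs past the end of the data actually received. The C below is an added, simplified model of that pattern (not heartbleed.com's text and not OpenSSL's code): the record layout, the arena of neighbouring data and the "secret" planted after the record are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat-style record: [type:1][declared_len:2 big-endian][payload].
   The arena holds the record followed by unrelated data, standing in for
   whatever happens to sit after the record in process memory. */
static unsigned char arena[64];

/* Build a record with an attacker-chosen declared length and a real payload;
   returns the true record length as it arrived on the wire. */
static size_t build_arena(uint16_t declared_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, payload, plen);
    /* constructed neighbouring data that should never leave the process */
    memcpy(arena + 3 + plen, "SECRET-KEY-MATERIAL", 19);
    return 3 + plen;
}

/* Vulnerable pattern: the reply copies declared_len bytes and never compares
   it with the length of the record that was really received. */
static size_t reply_unchecked(size_t record_len, unsigned char *out) {
    uint16_t n = (uint16_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                               /* the check that is missing */
    memcpy(out, arena + 3, n);                      /* reads past the real payload */
    return n;
}

/* Fixed pattern: the declared length must fit inside the received record;
   otherwise the message is silently discarded and nothing is echoed. */
static size_t reply_checked(size_t record_len, unsigned char *out) {
    uint16_t n;
    if (record_len < 3) return 0;
    n = (uint16_t)((arena[1] << 8) | arena[2]);
    if ((size_t)n + 3 > record_len) return 0;
    memcpy(out, arena + 3, n);
    return n;
}

int main(void) {
    unsigned char out[64];
    size_t rl = build_arena(24, "hi");              /* says 24, really sends 2 */
    size_t leaked = reply_unchecked(rl, out);
    printf("unchecked echoed %zu bytes: %.24s\n", leaked, out);
    printf("checked echoed %zu bytes\n", reply_checked(rl, out));
    return 0;
}
```

The unchecked reply echoes 24 bytes, 19 of which are the planted neighbouring data; the checked reply rejects the same record and echoes nothing.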

peter.coombe
Blackwood
Posts: 723
Joined: Fri Oct 15, 2010 2:52 pm
Location: Bega, NSW

Re: HeartBleed Bug - SSL Vulnerability

Post by peter.coombe » Thu Apr 10, 2014 12:31 pm

Any bug found in OpenSSL is a big deal. However, looks like the developers of OpenSSL were informed before this went public and have released a fix. Looks like the Aussie banks are ok and my web site is ok. Phew.

Peter
Peter Coombe - mandolin, mandola and guitar maker
http://www.petercoombe.com

Allen
Blackwood
Posts: 5252
Joined: Thu Oct 11, 2007 5:39 pm
Location: Cairns, Australia

Re: HeartBleed Bug - SSL Vulnerability

Post by Allen » Thu Apr 10, 2014 12:36 pm

Both mine and Micheal Connors' credit cards were compromised about a month ago now, on the same day. I suspect someone got into one of our suppliers.

We managed to get that sorted out with new cards etc.

I see that the Canadian Revenue Service was vulnerable and they took their entire system offline until they can fix it.
Allen R. McFarlen
https://www.brguitars.com
Facebook
Cairns, Australia

Nick
Blackwood
Posts: 3641
Joined: Thu Feb 26, 2009 11:20 am
Location: Christchurch, New Zealand

Re: HeartBleed Bug - SSL Vulnerability

Post by Nick » Thu Apr 10, 2014 1:41 pm

Allen wrote:Both mine and Micheal Connors' credit cards were compromised about a month ago now
Weird, after years of owning a credit card and numerous online transactions, mine too was compromised for the first time ever, around about the same time! :shock: Fortunately my bank/card services were on the ball and rang me after a couple of sus transactions were picked up by them, to see if I'd made them. One was to the U.S. Red Cross, gotta watch these yanks :wink: :lol: :lol:
Thanks for the heads up on the warning though Allen. I'm hosted by an external company but I will still check that I haven't had data/info "mined" via them!
"Jesus Loves You."
Nice to hear in church but not in a Mexican prison.

Bob Connor
Admin
Posts: 3132
Joined: Mon Jul 09, 2007 9:43 pm
Location: Geelong, Australia

Re: HeartBleed Bug - SSL Vulnerability

Post by Bob Connor » Sat Apr 12, 2014 9:23 am

The server here was patched as soon as the update was available.

Interesting that a simple code validation can cause so much grief.

Regards
Bob, Geelong
_______________________________________

Mainwaring and Connor Guitars

kiwigeo
Admin
Posts: 10582
Joined: Sat Sep 29, 2007 5:57 pm
Location: Adelaide, Sth Australia

Re: HeartBleed Bug - SSL Vulnerability

Post by kiwigeo » Sat Apr 12, 2014 4:03 pm

The SSL story is fascinating... the group who write the code are largely volunteers working with stuff all funding. So we have the security of banking IT systems hinging on code written by a group of volunteers. Surely the banks and other companies using the code should be forking out a bit of dosh to fund these guys???

https://www.openssl.org/about/
Martin

Allen
Blackwood
Posts: 5252
Joined: Thu Oct 11, 2007 5:39 pm
Location: Cairns, Australia

Re: HeartBleed Bug - SSL Vulnerability

Post by Allen » Sun Apr 13, 2014 8:00 am

Here's something that, while pretty disturbing, isn't surprising at all: the NSA knew about this at least 2 years ago. And not too many commercial news outlets are going to be covering it.

https://www.youtube.com/watch?list=PLTp ... skUMos81z0
Allen R. McFarlen
https://www.brguitars.com
Facebook
Cairns, Australia

Ormsby Guitars

Re: HeartBleed Bug - SSL Vulnerability

Post by Ormsby Guitars » Sun Apr 13, 2014 7:41 pm

This has been a known issue for two years, and there are zero cases of any compromises, so I wouldn't stress too much.

kiwigeo
Admin
Posts: 10582
Joined: Sat Sep 29, 2007 5:57 pm
Location: Adelaide, Sth Australia

Re: HeartBleed Bug - SSL Vulnerability

Post by kiwigeo » Mon Apr 14, 2014 1:25 pm

Ormsby Guitars wrote:This has been a known issue for two years, and there are zero cases of any compromises, so I wouldn't stress too much.
That will change now that the vulnerability has been splashed all over the press. The companies who don't update to the latest version of the software will be open to exploitation.

I still can't believe that major corporations are relying on open source SSL software that is produced by a volunteer group. I'm not bagging the quality of the product, but how can you expect members of the group, most of whom have day jobs, to be able to devote their attention to preventing gaffes such as the one that resulted in the current situation? Many of these large companies need to stop penny pinching and invest a bit of money in funding the OpenSSL project.
Martin
