Heartbleed Bug Thread

Type Username Here (Not a new member, joined Apr 30, 2012):
A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.

It’s unlike most of the breaches reported over the past few years, in which one Web site or another got hacked or let its guard down. The flaw this time is in code designed to keep servers secure — tens of thousands of servers on which data is stored for thousands of sites.

That’s why some experts were calling Heartbleed the worst bug yet, something that should worry everyone who frequents the Internet or does business on it.

It’s as if someone went on vacation not knowing the lock on the front door was broken. Could someone walk in? Yes. Will they? Did they? Who knows.

Codenomicon, the Finnish security firm that helped discover the bug offered a chilling illustration of its danger:

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

While companies were scrambling to implement a fix this week, nobody seemed to know whether any damage had been done.


The bug was found in a type of software called OpenSSL, which is used on servers to encrypt sensitive information to protect people’s privacy. At least 500,000 servers were reportedly vulnerable.

“You should care about this because — whether you realize it or not — a hell of a lot of the security infrastructure you rely on is dependent in some way on OpenSSL,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, said on his blog. “This includes many of the websites that store your personal information. And for better or for worse, industry’s reliance on OpenSSL is only increasing.”

Through the security flaw, which is said to be one of the most serious uncovered in recent years, Heartbleed can access the contents of a server’s memory where private data is stored.



“Once an attacker has a website’s encryption keys, anything is fair game,” wrote Jill Scharr at Yahoo Tech. “Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.”

A fix was circulated, but it was unclear how quickly and widely it was being implemented. Conflicting advice was given to consumers by Web sites and technology writers, some advising people to change usernames and passwords and others saying that such changes would be a big mistake.

“If a website is vulnerable, I could see things like your password, banking information and healthcare data, which you were under the impression you were sending securely to your website,” Michael Coates, director of product security for Shape Security, told Reuters.

It also means hackers can get copies of a server’s digital keys, and then use those keys to impersonate servers or to decrypt communications.

Experts were deeply worried about the bug, as Greg Kumparak wrote at TechCrunch:

When all the net security people you know are freaking out, it’s probably an okay time to worry. This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.

Very, very sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.). This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication that they intercept like it wasn’t encrypted at all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser’s built-in security checks.

Codenomicon created a Web site to answer questions about the bug, though the site might be too technical for some readers. Several sites devoted to technology published questions and answers for consumers, among them LifeHacker.

Researchers with Google and Codenomicon discovered the vulnerability. That prompted the Department of Homeland Security (DHS) to warn businesses of the problem on Tuesday and advise them to review their servers to see if they were using the flawed version of OpenSSL.

In an alert issued Tuesday, DHS said the bug “could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys. … This may allow attackers to decrypt traffic or perform other attacks.”

Codenomicon said most Web users “are likely to be affected either directly or indirectly” because OpenSSL “is the most popular open source cryptographic library. … Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL,” the company said.

http://www.washingtonpost.com/news/...-heartbleed-exposes-data-across-the-internet/


http://heartbleed.com/
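The memory disclosure the article describes comes down to one missing bounds check in OpenSSL's handling of the TLS heartbeat extension: the server trusted a peer-supplied payload length and echoed that many bytes back, reading past the record it had actually received into neighbouring heap. The C program below is an added, simplified model of that defect beside its fix, written for this thread; it is not OpenSSL's code and speaks no TLS. The slab standing in for "server memory", the `heartbeat_req` struct, the handler names and the secret string are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed slab standing in for a piece of the server's heap. The 5 bytes
 * the peer actually sent ("hello") sit at the front; everything after them is
 * whatever else happened to be in memory, modelled here by a constructed
 * cookie and key string. Nothing in this slab is real OpenSSL data.
 */
#define SLAB_SIZE 64
static const unsigned char SLAB[SLAB_SIZE] =
    "hello"                           /* bytes actually received from the peer */
    "\0\0\0"                          /* allocator padding                     */
    "AUTH_COOKIE=s3cr3t;KEY=PRIVATE"; /* adjacent private data (constructed)   */

/* A heartbeat-style echo request as the handler sees it (constructed shape). */
typedef struct {
    uint16_t claimed_len;          /* length field inside the message: peer-controlled */
    size_t record_len;             /* bytes of payload that really arrived            */
    const unsigned char *payload;  /* where the received payload sits (in SLAB here)  */
} heartbeat_req;

/*
 * Defective handler: echoes claimed_len bytes starting at the payload without
 * checking that many bytes were ever received, so the copy runs past the
 * payload into neighbouring memory. It is bounded only by our own output
 * buffer; the check it lacks is against the length of the input record.
 */
size_t echo_vulnerable(const heartbeat_req *req, unsigned char *out, size_t out_cap)
{
    size_t n = req->claimed_len;
    if (n > out_cap)
        n = out_cap;
    memcpy(out, req->payload, n);  /* over-read whenever claimed_len > record_len */
    return n;
}

/*
 * Fixed handler: a request whose claimed length exceeds what actually arrived
 * is malformed and is dropped, so the copy can never leave the received record.
 */
size_t echo_fixed(const heartbeat_req *req, unsigned char *out, size_t out_cap)
{
    if (req->claimed_len > req->record_len)
        return 0;                  /* silently discard, as the patched code does */
    size_t n = req->claimed_len;
    if (n > out_cap)
        n = out_cap;
    memcpy(out, req->payload, n);
    return n;
}

/* Does the response contain the constructed "KEY=" marker, i.e. leaked neighbour data? */
int leaks_secret(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, "KEY=", 4) == 0)
            return 1;
    return 0;
}

/* Scenario: the peer sends 5 bytes but claims 40. Returns 1 if the handler leaks. */
int demo_vulnerable_leaks(void)
{
    heartbeat_req req = { 40, 5, SLAB };
    unsigned char out[SLAB_SIZE];
    size_t n = echo_vulnerable(&req, out, sizeof out);
    return leaks_secret(out, n);
}

/* Same malformed request against the fixed handler. Returns 0: nothing is echoed. */
int demo_fixed_leaks(void)
{
    heartbeat_req req = { 40, 5, SLAB };
    unsigned char out[SLAB_SIZE];
    size_t n = echo_fixed(&req, out, sizeof out);
    return leaks_secret(out, n);
}

/* Honest request: 5 bytes claimed, 5 received; the fixed handler still echoes all 5. */
size_t demo_fixed_honest_len(void)
{
    heartbeat_req req = { 5, 5, SLAB };
    unsigned char out[SLAB_SIZE];
    return echo_fixed(&req, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks neighbour data: %d\n", demo_vulnerable_leaks());
    printf("fixed handler leaks neighbour data: %d\n", demo_fixed_leaks());
    printf("fixed handler echoes honest request: %zu bytes\n", demo_fixed_honest_len());
    return 0;
}
```

The defender's takeaway is the shape of the fix: the length a peer writes into a message is an assertion, not a fact, and every copy driven by it has to be checked against how many bytes were actually received. The same pattern (trusted length field, unchecked copy) is what memory-safety tooling and code review should flag in any protocol parser, not only in heartbeat handling.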
 

88m3 (Fast Money & Foreign Objects, joined May 21, 2012):
I was actually pretty angry/livid thinking about it yesterday.


There's really not a lot I can do at the end of the day to change the situation.


:manny:
 

JT-Money (Superstar, joined May 1, 2012):
:mjlol:

http://www.theverge.com/us-world/20...-heartbleed-to-retrieve-private-security-keys

This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, Cloudflare said, its researchers failed to exploit the bug to steal a website's private SSL keys, which secures the data sent to users. It issued a challenge to white-hat hackers to successfully retrieve the private security keys — and unfortunately for the web, one of them succeeded.

The hacker, Node.js team member Fedor Indutny, claimed on Twitter that he'd tracked down the SSL keys.

Just cracked @CloudFlare’s challenge: https://t.co/8ZPSxyKF4D . I wonder when they’ll update the page.

— Fedor Indutny (@indutny) April 11, 2014


The implications for the web are significant. Even after a server is patched to fix the Heartbleed vulnerability, the private keys can continue to be used to access user data unless whoever is running the server updates its security certificate. The news also directly contradicts Cloudflare's earlier claim that it "may in fact be impossible" to retrieve the SSL keys. The company has yet to issue a statement, but, according to the challenge website, promises to offer details soon.

Update April 11, 10:02PM EST: Cloudflare now states that two hackers, Fedor Indutny and Ilkka Mattila, both managed to obtain the private SSL key.
 

Hawaiian Punch (umop-apisdn, Supporter, joined Apr 30, 2012):
I used to do fraud security for several years and the only thing I learned is everybody is vulnerable and it's only a matter of time. The saving grace is there are several hundred million people in the US, which lessens the chances of you being affected.
 

JT-Money (Superstar, joined May 1, 2012):
I've done scans and still see countless web servers that are still vulnerable. Not to mention tons of appliances and networking equipment that are also vulnerable. This is gonna be exploited by hackers for a while.

 

Yapdatfool (Superstar, joined May 5, 2012):
So, a severe bug got found in an up-to-date version of an open source application. Those who were lazy enough to NOT update to the affected versions are fine.
Note to self, don't update shyt, lol.

And I wasn't sleeping, I was too busy changing ALL my PW's.
 

JT-Money (Superstar, joined May 1, 2012):
Yapdatfool said:
So, a severe bug got found in an up-to-date version of an open source application. Those who were lazy enough to NOT update to the affected versions are fine.
Note to self, don't update shyt, lol.

And I wasn't sleeping, I was too busy changing ALL my PW's.

The bug has been there for 2 years already but was only recently discovered by everyone else. It's been proven that hackers may have known about it since last November. So who knows how many sites were compromised using the exploit before it was publicly known.

Heartbleed Bug Origin - Business Insider

"More than two years ago German developer Robin Seggelmann introduced a new feature to OpenSSL, the open-source encryption standard that a large chunk of websites use to transmit data. Now, a vulnerability discovered in that addition is responsible for what may be the biggest Internet security flaw in recent history—the Heartbleed bug"
 

Yapdatfool (Superstar, joined May 5, 2012):
JT-Money said:
The bug has been there for 2 years already but was only recently discovered by everyone else. It's been proven that hackers may have known about it since last November. So who knows how many sites were compromised using the exploit before it was publicly known.

Heartbleed Bug Origin - Business Insider

"More than two years ago German developer Robin Seggelmann introduced a new feature to OpenSSL, the open-source encryption standard that a large chunk of websites use to transmit data. Now, a vulnerability discovered in that addition is responsible for what may be the biggest Internet security flaw in recent history—the Heartbleed bug"

The reviewer of that version of OpenSSL called the flaw "trivial", unbelievable...

Luckily for me hotmail is unaffected:

The Heartbleed Hit List: The Passwords You Need to Change Right Now

But at least the NSA is on top of shyt:

Report: The NSA’s been exploiting the Heartbleed security bug for the past two years | PandoDaily

:what:
 
