OpenSSL vulnerability

onomatopoeia

This potentially affects anyone who has a dedicated server or VPS with OpenSSL installed on it (e.g. one that serves HTTPS web pages).

http://arstechnica.com/security/201...opens-two-thirds-of-the-web-to-eavesdropping/
http://heartbleed.com

To find out what version you are using, SSH in and type

openssl version

The second of the links above gives a list of which versions of openssl are vulnerable and which aren't.

For those running Debian: squeeze is unaffected, wheezy has been patched and sid will be patched 'soon' (as at 14:47 today). Yes, I subscribe to debian-security ;)
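To turn the check above into something repeatable, this added script (not from the thread) classifies the `openssl version` line against the affected range listed on heartbleed.com, and also encodes the Debian/CentOS catch that a backported fix leaves the version string at 1.0.1e; the changelog commands and the 'heartb' match are assumptions about how the vendors package and word their fixes.

```python
"""Classify the output of `openssl version` against the Heartbleed-affected
releases listed on heartbleed.com: OpenSSL 1.0.1 through 1.0.1f and
1.0.2-beta1 are affected; 1.0.1g and the 1.0.0 and 0.9.8 branches are not.

Added example, not from the thread. The caveat it encodes: Debian and Red Hat
backport the fix without bumping the upstream version, so a patched wheezy or
CentOS box still prints 1.0.1e (the "same version after yum update" effect).
For those, check the package changelog and restart the services that loaded
the old library.
"""
import re
import subprocess
from typing import Optional

_VERSION = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(\S+))?")


def heartbleed_status(version_line: str) -> str:
    """Map an `openssl version` line to one of:
    'upstream-vulnerable' (fix needed unless the distro backported it),
    'fixed', 'not-affected' (no heartbeat extension) or 'unknown'."""
    match = _VERSION.search(version_line)
    if not match:
        return "unknown"
    branch, letter, suffix = match.groups()
    if branch == "1.0.1":
        if suffix and suffix != "fips":       # RHEL appends -fips; betas not classified
            return "unknown"
        return "upstream-vulnerable" if letter <= "f" else "fixed"
    if branch == "1.0.2":
        return "upstream-vulnerable" if suffix in ("beta", "beta1") else "fixed"
    if branch == "1.0.0" or branch.startswith("0.9."):
        return "not-affected"
    return "unknown"


def changelog_records_fix(changelog_text: str) -> bool:
    """Heuristic for backported builds: True when the package changelog mentions
    the heartbeat fix (RHEL: `rpm -q --changelog openssl`; Debian:
    `zcat /usr/share/doc/openssl/changelog.Debian.gz`). Matching on 'heartb'
    is an assumption about how the vendors worded their entries."""
    return re.search(r"heartb", changelog_text, re.IGNORECASE) is not None


def installed_status() -> Optional[str]:
    """Run `openssl version` on this host and classify it; None if no openssl binary."""
    try:
        out = subprocess.check_output(["openssl", "version"], text=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return heartbleed_status(out)


if __name__ == "__main__":
    # Constructed sample lines, including the Windows box quoted later in the thread.
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(line, "->", heartbleed_status(line))
    print("this host ->", installed_status())
```

An 'upstream-vulnerable' result on a distro package is a prompt to read the changelog, not a verdict; a 'fixed' or patched result still means restarting Apache, nginx, mail and VPN daemons so they stop using the old library already loaded in memory.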
 
I thought I'd already replied to this.
Yeah it seems it could be. I've just checked TP and we're OK :)
 
Did a yum update as CentOS had supposedly released something, but it said it's updated and promptly responds that it has exactly the same version as it did before I did the update :thinking:
 
Yahoo is apparently still vulnerable and people are just pulling Yahoo accounts for fun. Is it worth a forum announcement about staying off Flickr? Especially as people hearing about it in the mainstream media are likely to have been told to go and change their passwords, which I gather is a bad idea unless you know a site is definitely fixed.

Going to be a massive pain finding out if sites are actually fixed before changing passwords.
 
Pulling Yahoo accounts?
You mean people are actually exploiting the vulnerability on Yahoo on a large scale already?
 
Is this a Linux bug? Windows is safe isn't it? ;)
 
Is this a Linux bug? Windows is safe isn't it? ;)
Ahahahahahaha.... I see what you did there :D

Yes, it's safe, unless like me you run a network of PCs running Windows with:

Code:
$ openssl.exe version
OpenSSL 1.0.1e 11 Feb 2013

Not that any of them are accessible outside of my home network :D
 
:D ;)
 
The checker thingy never comes back with a response, so I have no idea whether it is vulnerable or not now. I've done a yum update openssl, done the cPanel system software update and several others, and restarted.

The VPS support are so switched on that they have no idea what this SSL vulnerability even is or how to check for it. Jeez. I really must get round to moving providers!
 
Pulling Yahoo accounts?
You mean people are actually exploiting the vulnerability on Yahoo on a large scale already?

http://www.cnet.com/uk/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
"We were able to scrape a Yahoo username & password via the Heartbleed bug," tweeted Ronald Prins of security firm Fox-IT, showing a censored example. Added developer Scott Galloway, "Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail...TRIVIAL!"
I was watching #heartbleed and #openssl on Twitter earlier and quite a few people were tweeting images showing what they were able to get from Yahoo.

Yahoo have patched it since I posted about it earlier though.
 
TP was vulnerable, and therefore all TP users should change their passwords, as this has been around for a couple of years.

And that goes for any accounts you may have on sites that were vulnerable, even if they are patched now.

Yes, this is going to be a massive ball-ache.
 
Just a thought... Many ADSL modems/routers use Linux kernels and include OpenSSL to provide secure web pages for the management interface.
 
I need a thing that will go to every single site I've ever registered on and change the password to something unique then save it in FF.... someone start writing this!
 
Still a struggle to find out whether certain sites have actually been patched so you can change your password; there's very little in the way of official communication about it, and the test tools seem to be giving inconsistent reports.

Looks like another day of staying off any sites that aren't definitely fixed.
 
TP was vulnerable, and therefore all TP users should change their passwords, as this has been around for a couple of years.

Why?

What's the worst that can happen if someone has accessed my TP account password (which, by the way, is unique and not remotely related to any other password)? Okay, so they can hijack my TP account, but why would they want to do that? It contains no financial information and has no capacity to send spam other than by PM (which would just cause marcy to ban it).

Not only that, but "they've" had the capacity to do that for the last couple of years and haven't - probably because they don't actually give a toss and are more concerned with online store accounts, bank accounts and credit cards.

BFD

To me this has all the hallmarks of one of those "the end of the world is nigh" IT scares which are long on talk but short on substance - like the millennium bug for example
 
Lots of people are silly enough to use the same password for everything. So getting hold of TP will lead them to an email address; if that password works on the email, they can reset any password anywhere, as they will have access to the password-reset emails.
 
To me this has all the hallmarks of one of those "the end of the world is nigh" IT scares which are long on talk but short on substance - like the millennium bug for example
You know why Y2K came to nothing? Because people like me did an immense amount of work making sure that it came to nothing.

This is easily one of the worst security breaches we've ever seen, both in its scope and reach; from user credentials to server certificates to session keys, across a huge swathe of the internet.

To downplay its effect is daft, especially when you have no clue whether or to what extent this exploit has been used by the kinds of people who don't post their antics on the internet, but who quietly get on with the serious business of identity theft.
 
You know why Y2K came to nothing? Because people like me did an immense amount of work making sure that it came to nothing.

Or because it was massively over-hyped in the first place - sure, work needed to be done, but all that crap about how every computer would stop working was simply hype which turned out not to be true.


To downplay its effect is daft, especially when you have no clue whether or to what extent this exploit has been used by the kinds of people who don't post their antics on the internet, but who quietly get on with the serious business of identity theft.

And to overplay its effect is equally daft - everyone on TP should change their passwords because TP might have been vulnerable, you say - again I say why? How would having my TP password help anyone steal my identity? Oddly enough I didn't give marcel my bank details, date of birth (well I did, but not the correct one), mother's maiden name (which I don't use as a security question anyway) etc. when I joined up to TP, so what possible reason could there be for a fraudster wanting to compromise my TP account?

At the end of the day, having no clue whether or to what extent this exploit has been used means exactly that - we don't know, so stating a worst-case scenario as though it's a fact and urging everyone to change every password on every account is serious overkill. Certainly change the password on your finances if you think they've been compromised, but don't tit about changing them on forums for no good reason, as that is simply a waste of energy.
 
And to overplay its effect is equally daft - everyone on TP should change their passwords because TP might have been vulnerable, you say - again I say why? How would having my TP password help anyone steal my identity? Oddly enough I didn't give marcel my bank details, date of birth (well I did, but not the correct one), mother's maiden name (which I don't use as a security question anyway) etc. when I joined up to TP, so what possible reason could there be for a fraudster wanting to compromise my TP account?

See my reply above :)
 
Pete, a large amount of revenue can be generated from spam and phishing. Hijacking "just" an email account/social media account/forum account can result in a good payday for a scammer.

Like I said, our corporate firewall uses the vulnerable software. It stands to reason that other corporate firewalls do also. I'm sure I don't need to tell you how much of an issue that could be.
 
Lots of people are silly enough to use the same password for everything. So getting hold of TP will lead them to an email address; if that password works on the email, they can reset any password anywhere, as they will have access to the password-reset emails.

So the appropriate advice here is not "rush around changing all your passwords on accounts that couldn't matter a toss" - the decent advice is "change the passwords on accounts that matter as a priority, and don't be such a prat in future".

In my case my important accounts - bank, credit cards, Amazon, eBay, PayPal etc. - are not on the same email that I use for forums and social media, nor are the passwords the same (or the same as each other). Come to that, although all my forum accounts are on the same email address, they also each have a separate password, so compromising my TP account (or any forum account) wouldn't give an identity thief anything useful - and even compromising a financial account wouldn't give automatic access to the others.
 
Like I said, our corporate firewall uses the vulnerable software. It stands to reason that other corporate firewalls do also. I'm sure I don't need to tell you how much of an issue that could be.

Indeed - I'm not saying this isn't a problem, I'm saying that over-hyping it isn't sensible because it just undermines the credibility - every time anything like this happens, whether it's Y2K, I Love You, Cryptolocker, etc. etc., it's all "oh the end is nigh, we're doooomed I say doooooomed" - and every time this turns out not to actually be the case.

So yes, people should practice decent internet security and financial security, but there's no need for people to rush around changing every password known to man - unless they've been stupid enough not to practice decent security in the first place.
 
every time anything like this happens, whether it's Y2K, I Love You, Cryptolocker, etc. etc., it's all "oh the end is nigh, we're doooomed I say doooooomed" -
Actually, every time something like this happens, someone pipes up like this to claim that "They" (this generally means IT professionals, like me) are saying "it's all oh the end is nigh, we're doooomed I say doooooomed" (which of course we're not; we're just explaining what has actually happened, what the possible consequences are, and what you can and should do to mitigate them).

In my case my important accounts - bank, credit cards, Amazon, eBay, PayPal etc. - are not on the same email that I use for forums and social media, nor are the passwords the same (or the same as each other). Come to that, although all my forum accounts are on the same email address, they also each have a separate password, so compromising my TP account (or any forum account) wouldn't give an identity thief anything useful - and even compromising a financial account wouldn't give automatic access to the others.
So you're doing the right thing. That's genuinely great, but it's beside the point.

I'll wager a pint of the finest foaming ale that there are literally hundreds if not thousands of TP accounts which are using recycled usernames, email addresses, and passwords.
 
I wonder if dropbox and other cloud storage systems are also vulnerable?
 
Actually, every time something like this happens, someone pipes up like this to claim that "They" (this generally means IT professionals, like me) are saying "it's all oh the end is nigh, we're doooomed I say doooooomed" (which of course we're not; we're just explaining what has actually happened, what the possible consequences are, and what you can and should do to mitigate them).

And you don't think that this might tell you something about the way IT professionals communicate this to the masses? Could it be that the reason people repeatedly claim this is because they are tired of being told that the IT world is going to end, when in actuality the issue, while serious, isn't really virtual Armageddon?

Of course this is also exacerbated by the way the media report this kind of thing

To be fair, it's not just IT that suffers from this kind of thing; the other classic is medicine, with "you're all going to die of bird flu/swine flu/Ebola/SARS" etc... when the reality is that while a flu pandemic is serious, it's not the second coming of the Black Death.
 
Is this a Linux bug? Windows is safe isn't it? ;)

No it isn't. It's a breach in the algorithms used to encrypt data on the internet. They haven't cracked the algorithm but found a way of downloading chunks of memory from the server where it is briefly available in plaintext.

It doesn't matter which OS you used to connect, the data you thought was secure (username, password, credit card number) was not.
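The memory disclosure described above, as an added model that is not OpenSSL's code or anything posted in the thread: the message layout and the length check are taken from RFC 6520 and the public 1.0.1g fix, and the buffer contents are constructed placeholders standing in for adjacent server memory.

```python
"""Model of the TLS heartbeat handling behind Heartbleed (RFC 6520: 1-byte
type, 2-byte payload_length, payload, at least 16 bytes of padding).

Added example, not OpenSSL's code. A bytes object stands in for the server's
memory, with the received record at the front and other data behind it. The
vulnerable handler trusts payload_length and echoes that many bytes from where
the payload starts, so a tiny request with a large declared length returns
whatever lies next to it; the fixed handler compares the declared length with
the record actually received and discards the request, which is the check
OpenSSL 1.0.1g added.
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2          # type + payload_length
PADDING = b"\x00" * 16      # RFC 6520 minimum padding


def build_request(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat_request; declared_length lets a test lie about the size."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + PADDING


def vulnerable_handler(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g logic: payload_length is read from the message and never
    compared with record_length, so the copy can run past the record."""
    _hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + PADDING


def fixed_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g logic: discard silently (RFC 6520 section 4) when
    1 + 2 + payload_length + 16 exceeds the bytes actually received."""
    if record_length < HEADER_LEN + len(PADDING):
        return None
    _hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + payload_length + len(PADDING) > record_length:
        return None
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + PADDING


def response_payload(response: bytes) -> bytes:
    """Strip header and padding from a heartbeat_response."""
    _hb_type, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


# Constructed scenario: a 3-byte payload declaring 40 bytes, sitting in front
# of other data in the same buffer (placeholder text, not a real secret).
NEIGHBOUR = b"[constructed neighbouring heap data]"
REQUEST = build_request(b"abc", declared_length=40)
MEMORY = REQUEST + NEIGHBOUR

if __name__ == "__main__":
    leaked = response_payload(vulnerable_handler(MEMORY, len(REQUEST)))
    print("vulnerable echoes", len(leaked), "bytes:", leaked)
    print("fixed returns", fixed_handler(MEMORY, len(REQUEST)))
```

This is why the advice in the thread is to patch and then rotate keys and passwords: the response is a valid-looking heartbeat, so a server log shows nothing and only the length check stops it.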
 
No it isn't. It's a breach in the algorithms used to encrypt data on the internet. They haven't cracked the algorithm but found a way of downloading chunks of memory from the server where it is briefly available in plaintext.

It doesn't matter which OS you used to connect, the data you thought was secure (username, password, credit card number) was not.

I run Windows servers in a few datacentres. I know the client OS is irrelevant here :)
 
Right, this bloke knows his security onions.

Bruce Schneier on the Heartbleed bug.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.


Half a million sites are vulnerable, including my own. Test your vulnerability here.

The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

This article is worth reading. Hacker News thread is filled with commentary. XKCD cartoon.
 
or because it was massively over hyped in the first place - sure work needed to be done, but all that crap about how every computer would stop working was simply hype which turned out not to be true
No, it wasn't true - only systems that stored years as 2 digits were vulnerable - which was some of them for sure, but not all...

IMHO, what is far more important is the Y2038 bug, when Unix time "runs out". Most of the world's IT systems run a Unix of some description. If I am still around in 2038 I'll be 74, so will probably be slightly less worried if the Internet stops working (unless my life support is dependent on a Unix machine to keep it going!). See: http://en.wikipedia.org/wiki/Year_2038_problem
 
this

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

is a classic example of what I was saying about over-hype - the argument isn't logically consistent. Anything in the memory (of a system which hasn't been patched) may be vulnerable, but it doesn't follow that all of it has been compromised, as we don't even know if "the system" has been attacked.

That argument is a bit like saying "Russia has nuclear weapons, and if they launch them at us we have no way of stopping them, therefore we have to assume that there's going to be a nuclear winter and we're all going to die... we're doooomed I say doooomed".

Assuming anything which is vulnerable is compromised is daft - assuming that some of what is vulnerable might be compromised, and therefore we should take sensible steps to protect ourselves (like not using the same password on everything), is more realistic - but hey, why bother with common sense when we have hyperbole?
 
No, it wasn't true - only systems that stored years as 2 digits were vulnerable - which was some of them for sure, but not all...

IMHO, what is far more important is the Y2038 bug, when Unix time "runs out". Most of the world's IT systems run a Unix of some description. If I am still around in 2038 I'll be 74, so will probably be slightly less worried if the Internet stops working (unless my life support is dependent on a Unix machine to keep it going!). See: http://en.wikipedia.org/wiki/Year_2038_problem

Given that there's 24 years to fix it I can't get too excited; in 24 years' time Unix will be a dinosaur anyway (think where computers were 24 years ago against where they are today).
 
Gentlemen, it occurs to me that debating how 'important' this is, is a rather pointless exercise. What is more important is letting people know, in PLAIN ENGLISH, not techno-babble, what they need to do, if anything, to reduce any risks. Frankly, given I use totally different passwords all over the place, and I delete PMs regularly, including any with bank details, which have been very few, any access to my TP account is negligible risk... but what about banking, PayPal, sites like Dropbox, Flickr and Zenfolio.... anyone know if and how they are affected? Other stuff too...

So for example, I have cloud hosting for several sites, none of which use SSL anyway that I know of, and from the links around the place I am under the impression it is something for my service provider to deal with, if they/we [the customers] are at risk. However, none of the checkers will connect to my sites anyway - what does this mean? What about email? [Edit: apparently all my host's servers are protected against the vulnerability, according to their updates.]

Tom asked a question above, if anyone can help him....

A lot of this stuff goes way over my head, but really not liking the results of this search on one of my sites - https://www.ssllabs.com/ssltest/analyze.html?d=liveoopnorth.co.uk&hideResults=on&ignoreMismatch=on - wtf is up with the certificate being for another domain?

Finally, if this security issue has been around for 2 years, why on earth are we only just finding out about it, that is the bit that has really itched my bits :meh: :indifferent:
 
Given that there's 24 years to fix it I can't get too excited; in 24 years' time Unix will be a dinosaur anyway (think where computers were 24 years ago against where they are today).
Well... 24 years ago I was programming on... Unix systems using C. Today I program on..... Unix systems using C. What is true is that there were far fewer around than there are today, and it was unheard of for a Unix system to be embedded in anything you use. Today you probably have a few Unix computers in your house (Sky/Freeview box, possibly your TV, your phone....). If you don't, others will.
 
I don't think there's much point in using the checkers; they seem to be giving inconsistent results. If you have a look on Twitter (who claim they weren't affected), someone will have posted "X site isn't vulnerable" but someone else has posted that it is. Yesterday PayPal and Google were being excluded from danger, but now people are saying PayPal is affected, and Google have posted about updating their systems today including the line "We are still working to patch some other Google services", so they must have been vulnerable and some aspect of their systems still is.

but what about banking, PayPal, sites like Dropbox, Flickr and Zenfolio.... anyone know if and how they are affected? Other stuff too...


All I've seen so far is:
Yahoo (Flickr/Tumblr) - patched
Dropbox - patched
Twitter - "not affected"
Facebook - patched before announcement
TsoHost - "protected against this vulnerability"
Google - patched/patching
Amazon Web Services (not the shop) - patched
Feedly - "not vulnerable"
Mozilla Persona and Firefox Accounts - patched (they were on AWS)
Zenfolio - "Our engineers have let me know that they were made aware of the issue as soon as it was reported and verified that we were not using the vulnerable version of OpenSSL."
Steam - patched

Most of these are coming out over Twitter (from the sites' own accounts, not just gossip) or through news articles which is pretty poor going. I've been actively looking for news about PayPal and Amazon.co.uk but haven't found anything other than gossip on Twitter, or news stories quoting the gossip on Twitter, so I'm staying well away from them for now.

Edit: Added Zenfolio to the list as I just got an e-mail back from support, and Steam because I forgot about them.
 