OpenSSL vulnerability

This is a classic example of what I was saying about over hype - the argument isn't logically consistent, anything in the memory (of a system which hasn't been patched) may be vulnerable - but it doesn't follow that all of it has been compromised, as we don't even know if "the system" has been attacked.
Fer crying out loud. I wheeled out one of the premier experts on computer security to point out that this IS actually a very big deal, and you're still arguing. Go post on his blog if you're so convinced he's wrong.

Me? I'm done.
 
Have emailed my hosts and they seemed oblivious to the whole thing...or at least the minion I was emailing. Says he will pass it to a higher level, but they don't seem to be in any particular rush...which is a tad annoying.
 
What is more important, is letting people know, in PLAIN ENGLISH, not techno babble, what they need to do, if anything, to reduce any risks.
Bindun!

TP was vulnerable, and therefore all TP users should change their passwords, as this has been around for a couple of years.

And that goes for any accounts you may have on sites that were vulnerable, even if they are patched now.

Yes, this is going to be a massive ball-ache.
 
Given that there's 24 years to fix it I can't get too excited; in 24 years' time unix will be a dinosaur anyway (think where computers were 24 years ago against where they are today).
Unix has been around for nearly 50 years, although only written in C for just over 40. It evolves to keep pace with changes in hardware and is spreading - linux, OSX, FreeBSD etc are all unix like or unix forks. Routers use it. Freeview recorders use it. All sorts of embedded systems use it. I have no idea how OSX stores its dates, but 32 bit versions of linux certainly store the date as a signed 32 bit integer.

A few years ago I wrote "end of time" on the whiteboard at work where we note stuff that we need to code for. I wasn't referring to the arrival of four horsemen, I was referring to 19 January 2038.

It is a big deal.
 
Facebook say they patched before the announcement so they wouldn't have been at any more risk than they were before everyone knew about the vulnerability, but there could certainly be people trying passwords on Facebook that they've picked up from other sites since the announcement.
 
I think the point from earlier still stands though, a lot of people use the same passwords cross sites so even if Facebook is patched someone may get the details from another site.
 
That's what I meant, getting a password from a different site and then trying it on Facebook is probably happening an awful lot right now.
 
Which is easily defeated if you have two factor authentication switched on.... if more sites offered that for access from new places there wouldn't be so much mileage in pinching passwords at all.
 
this



Is a classic example of what I was saying about over hype - the argument isn't logically consistent, anything in the memory (of a system which hasn't been patched) may be vulnerable - but it doesn't follow that all of it has been compromised, as we don't even know if "the system" has been attacked.

That argument is a bit like saying "Russia has nuclear weapons, and if they launch them at us we have no way of stopping them, therefore we have to assume that there's going to be a nuclear winter and we're all going to die... we're doooomed I say doooomed"

Assuming anything which is vulnerable is compromised is daft - assuming that some of what is vulnerable might be compromised and therefore we should take sensible steps to protect ourselves (like not using the same password on everything) is more realistic, but hey, why bother with common sense when we have hyperbole.
Ffs Pete, nobody is saying the end of the world is nigh, but your personal details may be compromised. You may very well be perfectly secure, but many, if not most, use the same email and password in multiple logins. For most the advice is good; after all, no one is forcing you to change your password.

Steve
 
The reason we're only hearing about it now, 2 years down the line is that it's gone unnoticed for that long.
It's a simple programming error, but it was such a simple error and it was in plain sight, nobody spotted it.

I read a great way of describing it last night.
Basically, when two machines are communicating, they send a signal back and forth...a heartbeat.
How it works is that Machine A (Client) sends a little note to Machine B (Server) with an instruction: "Here's some data 16k in size. Stick it in your memory, then send it back".

Server copies the information to its memory, re-reads it and sends it back, Client says "yup, we're alright".

This in essence is the heartbeat.

But....what if the client is up to no good?
What if it says "Here's some data, it's 16k, stick it in your memory and send it back". But it only actually sends 1k, or even 0k.
What the server then does is copy the data it's received into its memory (all 1k of it), then read 16k back to send to the client.

This is the problem, we all know that when data is deleted on an HD, it doesn't actually erase the actual parts of the disk, it just marks them as available for use. The same goes for memory.
So now the server has just blindly read 16k from its memory without even confirming that it put 16k in there in the first place.
It could be sending back 1k of the original heartbeat and 15k of blank memory, it could be sending back 1k of the heartbeat and a password that was used 10 minutes ago. Who knows.

The code has now been patched to perform the correct checks.

Edit : I've found it, it was on Gizmodo...Damn I didn't have to do all that typing lol
http://www.gizmodo.co.uk/2014/04/ho...code-behind-the-internets-security-nightmare/
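To make the "claimed 16k, sent 1k" point concrete, here is a toy model of the heartbeat exchange described in the post above. It is an added illustration, not code from OpenSSL or from the thread: the record layout (one type byte, a two-byte big-endian length, then the payload) follows the description in the post, the `Server` class models process memory as a single byte array with a constructed placeholder secret sitting just past the received record, and the real OpenSSL fix also accounts for padding bytes, which this simplification leaves out. The vulnerable handler trusts the length field; the patched handler checks it against the size of the record that actually arrived and drops the heartbeat if it does not fit.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER = struct.Struct("!BH")  # type (1 byte) + payload length (2 bytes, big-endian)


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. An honest client leaves claimed_len as None so
    the header matches the real payload size; a malformed request can claim more."""
    if claimed_len is None:
        claimed_len = len(payload)
    return HEADER.pack(HEARTBEAT_REQUEST, claimed_len) + payload


class Server:
    """Toy server whose 'memory' is one bytearray (assumption: the incoming record
    is copied to the front, and whatever else lives in the heap sits right after it)."""

    def __init__(self, secret: bytes):
        self.memory = bytearray(4096)
        self.secret = secret  # constructed stand-in for keys/cookies left in memory

    def _receive(self, record: bytes) -> int:
        """Copy the record into memory and return how many bytes really arrived."""
        self.memory[: len(record)] = record
        start = len(record)
        self.memory[start : start + len(self.secret)] = self.secret
        return len(record)

    def respond_vulnerable(self, record: bytes) -> bytes:
        """Pre-patch behaviour: trust the length field and echo that many bytes
        back from memory, whether or not they were part of the request."""
        self._receive(record)
        _, claimed = HEADER.unpack_from(self.memory, 0)
        payload = bytes(self.memory[HEADER.size : HEADER.size + claimed])
        return HEADER.pack(HEARTBEAT_RESPONSE, claimed) + payload

    def respond_patched(self, record: bytes) -> Optional[bytes]:
        """Post-patch behaviour: the claimed length must fit inside the record that
        was actually received; otherwise the heartbeat is silently discarded."""
        record_len = self._receive(record)
        if record_len < HEADER.size:
            return None
        _, claimed = HEADER.unpack_from(self.memory, 0)
        if HEADER.size + claimed > record_len:
            return None
        payload = bytes(self.memory[HEADER.size : HEADER.size + claimed])
        return HEADER.pack(HEARTBEAT_RESPONSE, claimed) + payload


def demo(secret: bytes = b"session-cookie=REDACTED-EXAMPLE") -> dict:
    """Run both handlers against an honest and a malformed heartbeat."""
    server = Server(secret)
    honest = build_heartbeat(b"ping")                     # header says 4, sends 4
    malformed = build_heartbeat(b"ping", claimed_len=40)  # header says 40, sends 4
    return {
        "honest_vulnerable": server.respond_vulnerable(honest)[HEADER.size :],
        "honest_patched": server.respond_patched(honest)[HEADER.size :],
        "malformed_vulnerable": server.respond_vulnerable(malformed)[HEADER.size :],
        "malformed_patched": server.respond_patched(malformed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the honest request echoed identically by both handlers, the malformed request answered by the vulnerable handler with "ping" followed by the placeholder secret that was never part of the request, and the same request answered by the patched handler with nothing at all. The one added comparison, `HEADER.size + claimed > record_len`, is the whole of the fix.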
 
BTW, That checker said TP was vulnerable. However, it wasn't. We have been running an unaffected version of OpenSSL, and our PHP was built including an unaffected version too.

Besides, we don't serve http for you guys over SSL. :) So there's nothing to worry about.
 
Fair point. It does make me wonder, have there been any documented cases yet of this vulnerability being used since it was introduced?
I know it leaves no trace though.
 
Fair point. It does make me wonder, have there been any documented cases yet of this vulnerability being used since it was introduced?
I know it leaves no trace though.
The latter part answers the former.

I find it inconceivable, given the potential for exploitation in the event of a vulnerability, that, in the secret underground lair of the evil hackers, an excruciatingly comprehensive pen test isn't conducted on every published version of OpenSSL.

And by "comprehensive" I mean "every possible client/server message is tested for buffer overflows, for starters".

The bad lads have known about this for ages, I reckon.
 
Agreed. I only just got around to reading the technical details today. It's an absolute horror show. Even *IF* it hasn't been actively exploited for the past couple of years it's been around (which would be a miracle), any moderately popular site that hasn't been patched will have been battered by every hacker on the planet slurping data. They'll be merrily creating and crunching through these huge datasets pulling out people's usernames and passwords for months.

It is safest to assume that the login for any website you have logged into in the past couple of years has been compromised. Whether or not you think you are 'important' enough for a hacker to bother with is immaterial. These are bulk details harvesting operations and your information will be chucked into the big bad black hats database and sold/exploited.
 
Fair point. It does make me wonder, have there been any documented cases yet of this vulnerability being used since it was introduced?
I know it leaves no trace though.

Yes, lots. Researchers have demonstrated pulling usernames/passwords off a server in a matter of minutes.
 
Ouch. Got any links for me to read on that? Cheers :)
 
P.S. Currently zenfolio are reporting a server down due to the need to patch heartbleed
That's odd because on Wednesday evening Zenfolio support told me they weren't affected or had patched already (not sure which) - "Our engineers have let me know that they were made aware of the issue as soon as it was reported and verified that we were not using the vulnerable version of OpenSSL". And they were saying the same eighteen hours ago too - from their Facebook page, "Our engineers looked into this as soon as we were aware and we were not using the vulnerable version of OpenSSL".

Where did you read the report?
 
Being able to suck the private keys from a server remotely is disastrous, whether it takes 5 minutes or two days is immaterial :)

Two-factor authentication people....most services offer it now, make sure you set it up.
 
You know why Y2K came to nothing? Because people like me did an immense amount of work making sure that it came to nothing
What a load of tosh, only someone who does not know what the Y2K bug was will believe you. Can you please enlighten us on how you prevented the Y2K bug?
 
There was no 'Y2k bug', there were just a variety of different ways in which a variety of different systems failed to handle a year rollover correctly, and needed remedial work.

As a 'thing' it was very much over hyped...but there was a lot of time and effort spent dealing with systems that didn't handle the rollover correctly.
 
It was all kicking off yesterday afternoon, Reading datacentre(s) were getting hit by DDoS around 4:30pm. Was about 30 mins of outage before it was shut down.

Not really related to Heartbleed though.
 