
Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Heartbleed flaw shakes The Internet
« on: 10. April 2014., 20:04:01 »


LastPass has released a new tool to show you which of your supposedly secure online accounts are at risk of being compromised, as the Heartbleed fallout continues with numerous major sites admitting to being hit by the devastating bug.

Heartbleed: http://heartbleed.com/ is the recently disclosed programming flaw in OpenSSL: http://www.openssl.org/ that would allow attackers to read the contents of a server's memory, exposing critical information such as SSL site keys, usernames and passwords, and user data.

LastPass shows your bleeding hearts

Not content with letting users check Heartbleed-affected sites one by one with its individual site-checking tool, the LastPass password manager now has an automated solution for its users: https://lastpass.com/heartbleed/
If you're using LastPass in your browser, just tap on the LastPass icon and go to Tools > Security Check.

This will redirect you to the LastPass website, where the service will scan your password vault and come up with a list of sites affected by Heartbleed. The list will also tell you how old your password is, when the site last updated its security certificates, and whether you should change your password.

That last point is crucially important, because there's no sense in changing your password on an affected site until it has been patched, as explained in PCWorld's guide to staying protected from Heartbleed: http://www.pcworld.com/article/2141602/the-heartbleed-bug-and-you-a-users-guide.html

I'm a longtime LastPass user. When I ran the security check against my own vault, it showed a number of accounts that needed to have their password changed. While helpful, the LastPass tool wasn't perfect, however. It advised me to wait before changing my Tumblr password, for example, even though Tumblr publicly advised users to change their passwords before the new LastPass security check was publicly available.

Nevertheless, as a quick way to head off potential problems, the LastPass integrated tool is a great place to start a Heartbleed self-audit.

Heartbleed highlights

A number of major sites have recently admitted they were affected by Heartbleed and issued fixes for their services, including:

- Amazon Web Services: https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/

- Dropbox: https://twitter.com/dropbox_support/status/453673783480832000

- Facebook: http://www.npr.org/templates/story/story.php?storyId=300813985

- GitHub: https://github.com/blog/1818-security-heartbleed-vulnerability

- GoDaddy: http://godaddyblog.com/open-ssl-heartbleed-weve-patched-servers/

- Google: http://googleonlinesecurity.blogspot.co.il/2014/04/google-services-updated-to-address.html

- LastPass: http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

- OKCupid: http://www.reddit.com/r/OkCupid/comments/22ixkm/okcupid_is_vulnerable_to_heartbleed_bug_do_not/

- Soundcloud: http://blog.soundcloud.com/2014/04/09/heartbleed/

- Tumblr: http://staff.tumblr.com/post/82113034874/urgent-security-update

- Turbo Tax: http://blog.turbotax.intuit.com/2014/04/09/turbotax-is-secured-against-the-heartbleed-internet-vulnerability/

- Yahoo: https://www.yahoo.com/tech/heres-what-you-need-to-know-about-the-heartbleed-bug-82120054478.html

(PCW)


P.S.

Just as you think, SCforum (hosted at Hostgator: http://scforum.info/index.php/topic,8415.0.html ) is safe:
https://support.hostgator.com/articles/pre-sales-policies/security-abuse/heartbleed-vulnerability

Quote
"Hostgator currently has patched OpenSSL for all Shared and Reseller servers."





devnullius

  • SCF VIP Member
  • *****
  • Posts: 3507
  • KARMA: 152
  • Gender: Female
    • SCForum.info
Re: Heartbleed flaw shakes The Internet
« Reply #1 on: 10. April 2014., 20:13:26 »
Long-time user of lastpass here too :)

Not gonna run the check: as far as I understood, the flaw is only available in the wild since 1 week. I'll take the gamble (changing my passwords again...? Sigh, no. Not for another year or two ;p)

It really smells like an "NSA feature", this bug. It's so huge, so essential and yet so unnoticed... One would get paranoid! :)


Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Heartbleed flaw shakes The Internet
« Reply #2 on: 10. April 2014., 20:28:05 »
...

It really smells like an "NSA feature", this bug. It's so huge, so essential and yet so unnoticed... One would get paranoid! :)




Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Related article!

‘Heartbleed’ Vulnerability Opens the Door to SSL Heartbeat Exploits

Update: 4/11/2014

McAfee’s Heartbleed Test tool has been posted and enables users to test sites for the presence of this vulnerability.

———-

A recent vulnerability in OpenSSL is causing quite a stir. Documented as CVE-2014-0160, this vulnerability has a significant impact on the perceived security of a number of servers across the globe.

One of the keys to this vulnerability is SSL heartbeats, which are used to keep messages alive without the need to renegotiate the SSL session. Heartbeat messages can be sent without authenticating with the server.

The exploit

Taking advantage of this vulnerability, attackers can dump up to 64KB of memory near the memory allocated for the SSL heartbeat packet on an infected machine. The attackers won’t know what information they might gather but because the attack can be repeated many times, they can retrieve many 64KB chunks. The memory chunks could contain sensitive information such as passwords, session IDs, private keys, or any other type of data left in memory on the affected server.

One of the factors that makes this such a critical vulnerability is there are no files to detect. It’s completely network borne, and leaves no trace that a system has been attacked. For this reason, network tools are the primary means for mitigating this type of attack.

Further detail

This excerpt from http://Heartbleed.com provides more information:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, and passwords of the users and the actual content. This in turn may allow attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Only products that use OpenSSL Versions 1.0.1a through 1.0.1f are vulnerable. This bug was introduced in OpenSSL in December 2011 and has been in the wild since OpenSSL 1.0.1 appeared, on March 14, 2012. OpenSSL Version 1.0.1g, released on April 7, fixes the bug.

CVE-2014-0160

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle heartbeat extension packets. This error allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, also known as the Heartbleed bug.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

CERT/CC Vulnerability Note VU#720951
OpenSSL heartbeat extension read overflow discloses sensitive information.
http://www.kb.cert.org/vuls/id/720951

CWE-119
Weakness Class: Improper Restriction of Operations within the Bounds of a Memory Buffer (119).
http://cwe.mitre.org/data/definitions/119.html

Here is the general consensus about what is vulnerable and what is not. We’ll update this list as more information appears.

Vulnerable:
  • The full list of clients is not yet known
  • Android
  • Browsers on Linux platforms could be vulnerable
  • Third-party code using Python/Ruby/Perl OpenSSL libs may be vulnerable
  • Windows programs linked against vulnerable versions of OpenSSL may be vulnerable
  • OpenVPN
  • Many vendors are currently evaluating their position
  • Applications using OpenSSL 1.0.1

Not vulnerable:
  • Internet Explorer, Firefox, Chrome: all use the Windows Crypto implementation
  • Internet Information Server
  • Applications using OpenSSL 1.0.1g or later

Here’s a snapshot of the exploit in action:



The Metasploit module for CVE-2014-0160 (openssl_heartbleed.rb) is in use. Settings allow for the tweaking of TLS Versions 1.0 to 1.2 as well as ports, connection timeouts, and more.

Recommendations
  • Customers must upgrade to OpenSSL version 1.0.1g or install a version of OpenSSL configured with -DOPENSSL_NO_HEARTBEATS
  • Customers should be aware that server certificates that are or were protecting data could have been leaked. Attackers with compromised server certificates can perform a man-in-the-middle attack
  • Ensure that Internet browsers are set to check for revoked certificates
  • Any self-signed certs should be regenerated using an updated version of OpenSSL, as previous certs could be compromised

Mitigation by McAfee products

Taken from our MTIS report:

Network Security Platform: Signature 45c04400, “UDS-SSL: OpenSSL TLS DTLS Heartbeat Extension Packets Information Disclosure,” provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of April 9 includes a vulnerability check to assess if your systems are at risk.

Firewall Enterprise: McAfee NGFW (Stonesoft) Update Package 574-5211, released April 8, provides coverage.


Original article: By Sanchit Karve on Apr 09, 2014
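The article above describes the defect in one sentence: the heartbeat handler copies as many bytes as the sender's length field claims, so a short request with a large declared length reads whatever sits next to it in process memory, and 1.0.1g fixes this by checking the declared length against the record that actually arrived. The C program below is an added model of that check, written for this thread; it is not OpenSSL's code and none of its names (`arena_t`, `build_reply_unchecked`, `build_reply_checked`, `SECRET`, the 256-byte "arena") are OpenSSL identifiers. It lays a request out in a simulated memory region with a constructed secret right behind it, then builds the reply once with the trusting copy and once with the bounds check. The only liberty taken is that the trusting copy is clamped to the arena so the model itself stays memory-safe; the real bug had no such clamp.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the heartbeat message layout described in the thread:
 * one type byte, a two-byte big-endian payload length, the payload, then at
 * least 16 bytes of padding. Names and sizes are assumptions of this model. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PADDING = 16 };

/* Simulated process memory: the received record sits at the front and an
 * unrelated, constructed secret happens to lie right after it. */
#define ARENA_SIZE 256
#define SECRET "constructed-secret-key"

typedef struct {
    uint8_t mem[ARENA_SIZE];
    size_t record_len;  /* bytes actually received for the heartbeat record */
} arena_t;

/* Lay out a request that claims `claimed_len` payload bytes but carries only
 * `actual_len` (small enough to leave room for padding and the secret). */
static void arena_init(arena_t *a, uint16_t claimed_len, size_t actual_len)
{
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed_len >> 8);
    a->mem[2] = (uint8_t)(claimed_len & 0xff);
    memset(a->mem + HB_HDR, 'A', actual_len);                    /* payload */
    memset(a->mem + HB_HDR + actual_len, 0x5a, HB_MIN_PADDING);  /* padding */
    a->record_len = HB_HDR + actual_len + HB_MIN_PADDING;
    memcpy(a->mem + a->record_len, SECRET, strlen(SECRET));     /* neighbour */
}

static size_t claimed_len(const arena_t *a)
{
    return (size_t)((a->mem[1] << 8) | a->mem[2]);
}

/* Pre-1.0.1g pattern: trust the length field from the wire and copy that many
 * bytes back. The clamp to ARENA_SIZE is model-only, to keep this program
 * memory-safe. Returns the reply length, or -1. */
static int build_reply_unchecked(const arena_t *a, uint8_t *out, size_t out_cap)
{
    size_t n = claimed_len(a);
    if (HB_HDR + n > ARENA_SIZE) n = ARENA_SIZE - HB_HDR;  /* model-only clamp */
    if (HB_HDR + n > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = a->mem[1];
    out[2] = a->mem[2];
    memcpy(out + HB_HDR, a->mem + HB_HDR, n);  /* reads past the received record */
    return (int)(HB_HDR + n);
}

/* 1.0.1g pattern: header + declared payload + minimum padding must fit inside
 * the record that actually arrived; otherwise the message is discarded. */
static int build_reply_checked(const arena_t *a, uint8_t *out, size_t out_cap)
{
    size_t n = claimed_len(a);
    if (a->record_len < HB_HDR + HB_MIN_PADDING) return -1;    /* truncated */
    if (HB_HDR + n + HB_MIN_PADDING > a->record_len) return -1; /* over-claim */
    if (HB_HDR + n > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = a->mem[1];
    out[2] = a->mem[2];
    memcpy(out + HB_HDR, a->mem + HB_HDR, n);  /* stays inside the record */
    return (int)(HB_HDR + n);
}

/* 1 if the secret's bytes appear anywhere in a reply of `len` bytes. */
static int reply_leaks(const uint8_t *reply, int len)
{
    size_t slen = strlen(SECRET);
    if (len < 0 || (size_t)len < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)len; i++)
        if (memcmp(reply + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one request through either handler. Returns the reply length (or -1)
 * and reports through *leaked whether the neighbouring secret was copied. */
static int run_model(uint16_t claimed, size_t actual, int use_check, int *leaked)
{
    arena_t a;
    uint8_t reply[ARENA_SIZE];
    arena_init(&a, claimed, actual);
    int n = use_check ? build_reply_checked(&a, reply, sizeof reply)
                      : build_reply_unchecked(&a, reply, sizeof reply);
    *leaked = reply_leaks(reply, n);
    return n;
}

static int model_reply_len(uint16_t claimed, size_t actual, int use_check)
{ int leaked; return run_model(claimed, actual, use_check, &leaked); }

static int model_leaks(uint16_t claimed, size_t actual, int use_check)
{ int leaked; run_model(claimed, actual, use_check, &leaked); return leaked; }

int main(void)
{
    /* A request that claims 200 payload bytes but sends only 4. */
    printf("unchecked: reply %d bytes, secret leaked: %d\n",
           model_reply_len(200, 4, 0), model_leaks(200, 4, 0));
    printf("checked:   reply %d (negative = discarded), secret leaked: %d\n",
           model_reply_len(200, 4, 1), model_leaks(200, 4, 1));
    printf("checked, honest 4-byte request: reply %d bytes\n", model_reply_len(4, 4, 1));
    return 0;
}
```

Run it and the unchecked handler answers the 4-byte request with a 203-byte reply containing the constructed secret, while the checked handler discards the same request and still answers an honest 4-byte request with a 7-byte reply. The point for defenders is in `build_reply_checked`: the check is against the length of data that was actually received, never against the length the peer declares, which is also why the article's recommendation to rebuild with `-DOPENSSL_NO_HEARTBEATS` removes the exposure entirely rather than merely narrowing it.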

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Heartbleed flaw shakes The Internet
« Reply #4 on: 15. April 2014., 20:53:29 »
...

McAfee’s Heartbleed Test tool has been posted and enables users to test sites for the presence of this vulnerability.

...

Another proof that SCforum is S A F E: http://tif.mcafee.com/heartbleedtest?utf8=%E2%9C%93&q=http%3A%2F%2Fscforum.info&commit=Scan

Thanks P. :thumbsup:

