Heartbleed flaw in Secure web sites - most of Internet secure sites UNSAFE

matrixshaman

A MAJOR security flaw affecting a huge amount of secure web sites and services has been announced. CNN and most major news sites have info on this. This can affect your bank sites and other secure web sites and other secure services using the SSL/TLS protocol (which is used in https:// web sites as well as other secure services). Smaller businesses may not yet be aware of this so if you have accounts with formerly secure info :laughing: it may be wise to contact those businesses immediately. But don't log in with your password. Contact by any other means available. There is a web site listed in many news articles that is supposed to be able to check your sites to verify if they are safe or not. However it appears it is getting so many hits right now that it is essentially useless. There are estimates that this affects around 80% of secure Internet web sites. Once this bug is fixed you will NEED to change your passwords at any sites affected. But don't do this until they are fixed.
 
I find it interesting that the day Windows XP loses support we get this news as well. It seems the system vulnerabilities are set up for a potential fire sale on the system. We have many of the country's power plants running on Windows XP and found out recently that it would only take 9 specific power plants destroyed to take down the entire grid. Most of the nation's infrastructure is dependent on electricity. Now we learn that our banking information isn't secure online. It wouldn't take much now for someone to hack the system and steal billions in cash and then take down the grid to get away during the chaos. Hopefully these weaknesses get patched up quick and we don't have to deal with a worst case scenario.
 

The OpenSSL bug doesn't care what OS you use.
 
Rather than create a "sky is falling" panic, it's good to recognize that only a portion of secure sites have (had) the potential for being compromised. The vulnerable OpenSSL versions, of which there were only two, and one was beta, were being used by less than 17% of secure sites. Of those vulnerable sites, certainly not all were affected.

The remedies were being quickly addressed.

Unless you're running a secured site under the vulnerable OpenSSL, there's not much you can do to protect yourself, since access has already occurred. It never hurts to change a password, though.

Hopefully, those that were vulnerable have the integrity to notify their users that they were, and to let their users know they've applied the patch.
 
The sky is falling with this one, for some sites

here is the bottom line
----
vulnerable openssl runs on boatload more websites than the press is saying. not everyone uses
old libssl.so.6, not everyone uses gnuTLS...many use the full openssl

yes they are being fixed rapidly, or openssl recompiled to turn off heartbeat. or not.

here is how the exploit works:
I run a script targeted at a website...from anywhere...just probing away...
this is designed to request large reply payloads from TLS heartbeat, and this is constantly running
I collect random chunks of data from memory with every request

Other people use the site normally, and this transaction data has to move in and out of the very same memory
space I happen to be mining. I have a better than zero chance of seeing unencrypted data

Now after some time by random chance I can look at the data I have collected and piece together
names, passwords, crack keys...etc. A lot is useless but when I get specific chunks I can then use that info
to gain access to accounts, or snoop ssl traffic.

Now, if you really 'get' it....and understand this heartbleed problem has existed since 2012...everyone
with any accounts or work or commerce done on ssl protected sites since 2012 really should change your passwords
after you verify the site owner is running a protected version, and you can test for that with your own script. Though
getting caught in the act of testing this might set off alarms as now almost all IDS, Snort, and other Analytics engines have
new scripts to detect 'heartbleed' snooping...but this is still 'gray' area and not always a real attack

It is a pretty big deal. the vulnerability can be turned off, but guess what? I still have all your login data. You need
to change your own passwords or personal info...much was already stolen.
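
Added example, not part of the post above and not code from OpenSSL or any IDS: the post describes heartbeat requests that ask for large reply payloads and detection scripts that look for them, and this sketch applies the RFC 6520 length check to heartbeat records to flag a claimed payload length that the record cannot contain. It assumes the record bytes are available unencrypted; the function names and the sample records are constructed for illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1      # heartbeat_request message type
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def build_record(claimed_len, payload, padding=MIN_PADDING, version=0x0302):
    """Build a constructed plaintext heartbeat record to exercise the check."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", HEARTBEAT, version, len(body)) + body


def check_heartbeat(record):
    """Classify one TLS record: 'not-heartbeat', 'malformed', 'ok' or 'overread'."""
    if len(record) < 5:
        return "malformed"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "malformed"
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # type (1) + length (2) + claimed payload + padding must fit in the record;
    # a receiver that skips this test copies memory past the data it was sent.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return "overread"
    return "ok"


def scan(records):
    """Return indexes of records whose claimed payload exceeds what was sent."""
    return [i for i, r in enumerate(records) if check_heartbeat(r) == "overread"]


# Constructed samples, not captured traffic.
SAMPLES = [
    build_record(4, b"ping"),               # honest request: length matches payload
    build_record(0x4000, b"", padding=0),   # claims 16 KB, carries nothing
    build_record(64, b"ping"),              # claims more than it carries
    b"\x16\x03\x02\x00\x01\x00",            # handshake-type record, ignored
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLES):
        print(i, check_heartbeat(rec))
```

The same comparison, made on the receiving side before the reply is built, is what lets a server discard such a request instead of answering it.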
 