'Heartbleed Bug'


Postby catgate » Fri Apr 11, 2014 9:31 pm

I have just had a "notification" from a company, who manufacture network items, that there is a thing on the loose known as 'Heartbleed Bug'.
It gave a link to a site, heartbleed.com/, which claimed "Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11" was vulnerable.
Is this correct?
Oh, sod it.
catgate
LXF regular
 
Posts: 1072
Joined: Wed Jul 19, 2006 6:45 pm
Location: Just over there, in that corner.

Postby nelz » Fri Apr 11, 2014 9:48 pm

It's correct, but largely irrelevant. The bug largely affects servers; it's less important which version of OpenSSL you are running than the version run by the servers you connect to with HTTPS.

Since you have no idea which servers may have been compromised, the only prudent approach is to change all your web passwords.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8532
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby guy » Sat Apr 12, 2014 9:08 am

There has been a lot of hype about the heartbleed bug. It is a flaw in the OpenSSL service which theoretically allows encryption credentials to be harvested, thereby enabling user passwords to be recovered.

The scare story:
The flaw has been around for a good while and over half the secure services on the Internet use OpenSSL. It has been suggested that a script kiddie of the Raspberry Pi (aka Linux command shell) generation could successfully mount an attack. OMG! All the private information you so jealously guard on Facebook, Twitter et al. is OUT THERE!!! Even your bank account is as open as if the guard cracked the vault and then went off for a pee!

Setting it in perspective
The flaw was discovered a good while ago and was kept quiet until a polite time after the fix had been made available to the major Internet services - online banking, Amazon and the like. There is no evidence (as yet?) that the flaw has ever been exploited. Client systems as such are not at risk, although the user obviously is. But what is that risk? Your "private" details are mostly out there anyway, yawn, script kiddies got no warning, so the only Black Hats to worry about are organised crime. What have you got that they might want? Cash, online shopping accounts, I can't think of anything else unless you have valuable commercial secrets online or are a Very Important Person with a valuable global presence.

Recommended action
Change the passwords on any accounts that could be used to drain your cash. But don't lose sleep over it, indeed it can be a good idea to wait a short while to give the service provider time to get off their ass and schedule in the fix - some big providers measure such "emergency response times" in weeks or even months. Since you are of course a wise person and change your passwords from time to time anyway, this is no big deal to you - right?
If you have commercial secrets or are a VIP, change the relevant passwords there, too. Best to do it ASAP, then check whether the provider has updated yet. If they haven't, wait until they have then change the password again.
Cheers,
Guy
The eternal help vampire
guy
LXF regular
 
Posts: 1086
Joined: Thu Apr 07, 2005 12:07 pm
Location: Worcestershire

Postby wyliecoyoteuk » Sat Apr 12, 2014 10:24 am

My ISP, who run our virtual servers, had the patched library in their local repositories before the announcement.
10:30 onwards the day after the announcement, port 443 on our Linux firewall/proxy (used for OWA relay from our Exchange server) got hammered.
As did port 443 on our VPS's later in the day.
Thankfully, I had run the update to patch and restarted the server as soon as I heard about it.
Pretty good explanation here:
http://xkcd.com/1354/
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************
wyliecoyoteuk
LXF regular
 
Posts: 3461
Joined: Sun Apr 10, 2005 10:41 pm
Location: Birmingham, UK

Postby Marrea » Sat Apr 12, 2014 10:39 am

I am grateful for the clarification re Ubuntu as I use 12.04 on one of my laptops. I had assumed it was servers which were affected rather than desktops but it’s good to have that confirmed.

Last Pass Heartbleed Checker (https://lastpass.com/heartbleed/) is telling me that many sites I use are “possibly vulnerable” and “possibly unsafe” and advises me to wait for the site to update before changing my password. What I am not sure about is how do I know when the site has updated? Is it a matter of checking the date of the SSL certificate, and if so how does one do that?

I have so far received a notification from only one of my banks reassuring me that they are not affected by the bug and that I can continue to use their online services securely as usual. As regards the others, I have no idea. Last Pass states they are all “possibly unsafe”, which is not very reassuring.
Marrea
LXF regular
 
Posts: 1877
Joined: Fri Apr 08, 2005 9:32 pm
Location: Chilterns, West Hertfordshire
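On the question above of how to tell whether a site has updated: one thing you can check is the date the site's certificate became valid (the "notBefore" field), since a site that patched properly should have reissued its certificate after the disclosure on 7 April 2014. The script below is an added example, not something posted in this thread. It uses only Python's standard ssl module; the hostname on the command line and the helper name fetch_peer_cert are assumptions, and the two sample certificate dicts are constructed so the date logic can be exercised without a network connection.

```python
"""Check whether a site's TLS certificate was (re)issued after the Heartbleed
disclosure.  Added example, not from the LXF thread.  Caveat: a post-disclosure
'notBefore' date only shows the operator rotated the certificate; it does not
prove the server was patched first, and a pre-disclosure date does not prove
the site was ever vulnerable (it may never have run OpenSSL 1.0.1)."""
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL 1.0.1g and the public advisory were released on 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' field of a certificate dict in the format
    returned by ssl.SSLSocket.getpeercert(), e.g. 'Apr  9 12:00:00 2014 GMT'."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert: dict) -> bool:
    """True if the certificate's validity period began on or after the
    disclosure date, i.e. the site has at least rotated its certificate."""
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Hypothetical helper (needs network access): connect, validate the
    chain against the system CA bundle and return the decoded certificate.
    Validation matters because getpeercert() returns an empty dict when the
    certificate was not verified."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real data).
SAMPLE_OLD = {"subject": ((("commonName", "old.example"),),),
              "notBefore": "Jan 15 00:00:00 2013 GMT",
              "notAfter": "Jan 15 23:59:59 2015 GMT"}
SAMPLE_NEW = {"subject": ((("commonName", "new.example"),),),
              "notBefore": "Apr  9 08:30:00 2014 GMT",
              "notAfter": "Apr  9 08:30:00 2016 GMT"}

if __name__ == "__main__":
    import sys
    # With a hostname argument the live certificate is fetched; otherwise
    # the constructed sample is used so the script runs offline.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NEW
    print("notBefore:", cert_not_before(cert).isoformat())
    print("reissued after Heartbleed disclosure:", reissued_after_heartbleed(cert))
```

Run it as `python heartbleed_cert_date.py www.example.org` to check a real site. Treat the result as one signal only: an operator that rotated the certificate but kept the old private key, or that never revoked the old certificate, has not fully cleaned up, and a certificate older than the disclosure may simply belong to a site that was never vulnerable.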

Postby catgate » Sat Apr 12, 2014 12:33 pm

Marrea wrote:I am grateful for the clarification re Ubuntu as I use 12.04 on one of my laptops. I had assumed it was servers which were affected rather than desktops but it's good to have that confirmed.

What I am not sure about is how do I know when the site has updated? Is it a matter of checking the date of the SSL certificate, and if so how does one do that?

This more or less sums up my situation, particularly the matter of which sites are "dangerous".
Oh, sod it.
catgate
LXF regular
 
Posts: 1072
Joined: Wed Jul 19, 2006 6:45 pm
Location: Just over there, in that corner.

Postby nelz » Sun Apr 13, 2014 11:29 am

guy wrote:There is no evidence (as yet?) that the flaw has ever been exploited.

That is one of the things that makes this exploit so scary. It leaves no trace in system logs; there is no forensic trail. With most exploits, even systems that have been using the vulnerable code have been able to reassure users that no data has been compromised; there is no way to do this with Heartbleed.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8532
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby catgate » Tue Apr 15, 2014 9:30 am

nelz wrote:That is one of the things that makes this exploit so scary. It leaves no trace in system logs; there is no forensic trail. With most exploits, even systems that have been using the vulnerable code have been able to reassure users that no data has been compromised; there is no way to do this with Heartbleed.

It is like Ongibongi flu then?
It has no symptoms, no effect, you do not know if you have got it and there is no known cure or antidote.
Oh, sod it.
catgate
LXF regular
 
Posts: 1072
Joined: Wed Jul 19, 2006 6:45 pm
Location: Just over there, in that corner.

Postby guy » Tue Apr 15, 2014 9:35 am

catgate wrote:It is like Ongibongi flu then?
It has no symptoms, no effect, you do not know if you have got it and there is no known cure or antidote.

Except when a hacker kindly posts on your SSL-protected website that you have been heartbled. :(
Cheers,
Guy
The eternal help vampire
guy
LXF regular
 
Posts: 1086
Joined: Thu Apr 07, 2005 12:07 pm
Location: Worcestershire

Postby nelz » Tue Apr 15, 2014 9:51 am

It's more like being a carrier for a disease, there are no symptoms but those who come into contact are affected.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8532
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby catgate » Tue Apr 15, 2014 10:44 am

Ah! I see. It's a bit like a P.M.'s "pledge" or "the shoots of economic recovery"?
Oh, sod it.
catgate
LXF regular
 
Posts: 1072
Joined: Wed Jul 19, 2006 6:45 pm
Location: Just over there, in that corner.

Postby nelz » Tue Apr 15, 2014 12:15 pm

Not at all, it exists.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8532
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby lok1950 » Tue Apr 15, 2014 2:16 pm

We have had an incident here in Canada: our Canada Revenue Agency was hit, so 900 citizens had their S.I.N. numbers compromised; they are not sure how many businesses had data taken.

Enjoy the Choice :)
lok1950
LXF regular
 
Posts: 1037
Joined: Tue May 31, 2005 5:31 am
Location: Ottawa
