Topic: OpenSSL and the Heartbleed issue


Aaron Hulett (Administrator, Hero Member, Posts: 1450)
OpenSSL and the Heartbleed issue
« on: April 09, 2014, 08:26:16 PM »
This is a major problem.

Quote
the SSL standard includes a heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back. Researchers found that it's possible to send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information. Specifically, a vulnerable computer can be tricked into transmitting the contents of the server's memory, known as RAM.
http://www.vox.com/2014/4/8/5593654/heartbleed-explainer-big-new-web-security-flaw-compromise-privacy

My understanding: 1) I send a specially crafted packet to a server that is using a vulnerable version of OpenSSL, 2) the server sends me a 64k chunk of in-memory data (OUCH!), 3) there's no log of this at the server, and 4) I can send infinite requests for whatever period of time to get a capture of everything in memory, including a) public and private key information for the cert (cert is now compromised - I can decrypt all traffic encrypted with the cert), b) usernames and passwords (my credentials are now compromised - I can now log in as various users), c) contents of emails, documents and other items I have open (my PII is compromised), and d) anything (I have no idea what information of mine or security information for the server is in memory).

Of course what's in memory depends on what's going on at the server, but because I cannot know what information was in memory at the time, I must assume anything related to my interactions with the server is compromised - at a minimum my username and password, at maximum my banking information, emails or whatever other personal information I was accessing at that server. And even if server A is okay, and server B is not, if server B reaches out to server A (such as, idunno, financial management website B reaching out to bank server A to get my current financial info) and I access that information via server B, my information at server A is now potentially compromised.

I wonder if any trusted root certificates are affected. If there are any, that is HUGE. If I have that private info, I can issue certs that will be trusted until the root cert is revoked (either because it was discovered that the trusted root info was in memory on a system affected here, or we see in-the-wild certs chaining to the trusted root cert that weren't properly issued by the root cert authority).

The fix here requires three steps. 1) Affected OpenSSL installs need to be updated to patched/unaffected versions, 2) involved certificates (whether the actual cert used to encrypt traffic or on-the-box certs that had private key information potentially in memory) must be revoked and reissued, and 3) authentication details (user credentials, etc.) need to be reset. Until 1 and 2 are addressed, no need to do 3 as it will be pointless.

Stand by for a massive wave of cert revocations and reissues - good that we have this mechanism in place, bad that it'll be such a wide scale event.

Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 20213)
Re: OpenSSL and the Heartbleed issue
« Reply #1 on: April 09, 2014, 09:18:49 PM »


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 20213)
Re: OpenSSL and the Heartbleed issue
« Reply #2 on: April 09, 2014, 11:38:44 PM »
Added by a friend at another site:

Another checker:  https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

or head to filippo.io and type in a URL for a site here:  http://filippo.io/Heartbleed/


JDBush61 (Hero Member, Posts: 4654)
Re: OpenSSL and the Heartbleed issue
« Reply #3 on: April 10, 2014, 12:41:41 AM »
Saw this news via CNN satellite this morning and what surprised me was that it received only 15 seconds airtime ... then on to sports.
I thought to myself "Hmmm, that sounds like a big problem. Whoever blinked, missed the report. Amazing."

Corrine, your filippo link reported that google.com was not affected, yet yahoo is compromised. Do I need to change my yahoo password now, or wait?
"In an age when mass society has rendered obsolete the qualities of individual courage and independent thought, the oceans of the world still remain, vast and uncluttered, beautiful but unforgiving, awaiting those who will not submit. Their voyages are not an escape, but a fulfillment."

~ THE SLOCUM SOCIETY ~

Aaron Hulett (Administrator, Hero Member, Posts: 1450)
Re: OpenSSL and the Heartbleed issue
« Reply #4 on: April 10, 2014, 04:04:28 AM »
Short answer: go ahead and change it now.

Long answer: affected websites need to do two things. First, the OpenSSL installation needs to be updated so that the problem is fixed. Second, the SSL certificate that is used to secure the connection has to be reissued. In Yahoo's case, the web servers have been updated and the certificate reissued. You can check the website by using the link Corrine provided, and you can check the certificate by going to https://www.yahoo.com and then clicking the padlock in the address bar to view the certificate (it'll say Issued On / Valid From... - if it's 4/8/2014 or later it's a decent assumption that it's been reissued).
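
One way to automate the "Valid From" check described above, as an added example that is not part of the original post or of any project mentioned in it. It uses only the Python standard library's ssl module, takes the 8 April 2014 cut-off from the post, and the two sample certificate dicts are constructed for the offline check; the hostname argument to fetch_peer_cert is only needed for a live lookup.

```python
"""Check whether a site's TLS certificate was issued on or after the
Heartbleed disclosure, i.e. whether it looks like it has been reissued.

Added example. Assumptions: the 8 April 2014 cut-off comes from the forum
post above; the certificate dict shape is the one returned by
ssl.SSLSocket.getpeercert(); the sample certificates below are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Cut-off taken from the post: a certificate whose Valid From is on or
# after 8 April 2014 is assumed to have been reissued after the disclosure.
HEARTBLEED_CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)


def cert_valid_from(cert):
    """Return the certificate's notBefore field as an aware UTC datetime.

    `cert` is a dict in the getpeercert() format, where 'notBefore' looks
    like 'Apr  8 00:00:00 2014 GMT'. ssl.cert_time_to_seconds is the stdlib
    parser for exactly that format and returns UTC epoch seconds.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def looks_reissued(cert, cutoff=HEARTBLEED_CUTOFF):
    """True if the certificate's Valid From is on or after the cut-off date."""
    return cert_valid_from(cert) >= cutoff


def fetch_peer_cert(host, port=443, timeout=10):
    """Connect to host:port with hostname and chain verification enabled and
    return the peer certificate dict. Needs network access; not used by the
    offline samples below."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real ones) in the getpeercert() shape.
SAMPLE_OLD = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",   # issued before the disclosure
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
SAMPLE_NEW = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",   # issued after the cut-off
    "notAfter": "Apr  9 12:00:00 2015 GMT",
}

if __name__ == "__main__":
    import sys
    # With a hostname argument, do a live check; otherwise use the sample.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NEW
    print("valid from:", cert_valid_from(cert).date(),
          "| reissued after disclosure:", looks_reissued(cert))
```

A Valid From date after the cut-off is only the "decent assumption" the post calls it: it shows a new certificate was issued, not that the old one was revoked or that the server's OpenSSL was patched first, so the reissue check belongs alongside the vulnerability checker, not in place of it.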

JDBush61 (Hero Member, Posts: 4654)
Re: OpenSSL and the Heartbleed issue
« Reply #5 on: April 10, 2014, 04:45:02 AM »
Thank you, Aaron. I took your advice and changed my password.

Best regards

Basil (LzD Friends, Hero Member, Posts: 564, formerly known as gr277)
Heartbleed bug
« Reply #6 on: April 10, 2014, 02:46:17 PM »
I have heard about this bug, but it is only today I came across a couple of articles.
Quote
Heartbleed is a catastrophic bug that affects thousands of sites and services across the internet, but what is it, and what do you need to do about it to protect yourself from cybercriminals?

According to security researchers, around half a million sites worldwide are rendered insecure by the bug. "Catastrophic is the right word," commented Bruce Schneier, an independent security expert. "On the scale of 1 to 10, this is an 11."

Heartbleed bug: what do you actually need to do to stay secure? | Technology | theguardian.com

Heartbleed bug: Am I at risk and do I really have to change my password? - Gadgets & Tech - Life & Style - The Independent

pastywhitegurl (Hero Member, Posts: 1127)
the Heartbeat vulnerability
« Reply #7 on: April 10, 2014, 05:02:42 PM »
Quote
... In essence, the bug potentially exposed your username and password on sites like Facebook, Google, Pinterest, and more.

What's the best wisdom on how to respond to this currently?

I found this article from CNET:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

This supposedly has a live updated listing of sites that have been patched.

Edit: sorry.. just found this topic now:
http://www.landzdown.com/web-news/openssl-and-the-heartbleed-issue/msg166001/#msg166001


Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 20213)
Re: OpenSSL and the Heartbleed issue
« Reply #8 on: April 10, 2014, 05:11:12 PM »
No problem. I merged your post into the original topic.


Paddy (LandzDown Team, Hero Member, Posts: 1575)
Re: OpenSSL and the Heartbleed issue
« Reply #9 on: April 10, 2014, 11:02:14 PM »
Heartbleed bug creates confusion on internet

http://www.bbc.co.uk/news/technology-26971363

Paddy.. :undecided:
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Aaron Hulett (Administrator, Hero Member, Posts: 1450)
Re: OpenSSL and the Heartbleed issue
« Reply #10 on: April 10, 2014, 11:42:40 PM »
I'll try to simplify:

Do you use the Internet and enter passwords anywhere? You need to change your password at the affected sites (at some magical point when you know it's fixed). You also need to change your passwords everywhere else because you probably used the same password(s) everywhere.

I've never had to change my passwords everywhere at once before (I doubt my passwords everywhere given how a bunch of my accounts interconnect with other accounts: Microsoft account integration with Facebook, for example). I'm getting a password management tool... as soon as I figure out what one I want to go with.

What a mess.

//A

Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 20213)
Re: OpenSSL and the Heartbleed issue
« Reply #11 on: April 11, 2014, 12:30:37 AM »
I use a different password everywhere but do NOT accept the offer at sites to use my Facebook or other account to register.

Of interest:  Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability.

Aaron, here's an option to add to the list of password management tools to consider:  F-Secure KEY | The personal assistant for all your login needs | F-Secure


Aaron Hulett (Administrator, Hero Member, Posts: 1450)
Re: OpenSSL and the Heartbleed issue
« Reply #12 on: April 11, 2014, 05:09:32 PM »
F-Secure KEY looks cool but doesn't have a Windows Phone app. I'm currently checking out LastPass - looks promising.

JDBush61 (Hero Member, Posts: 4654)
Re: OpenSSL and the Heartbleed issue
« Reply #13 on: April 11, 2014, 10:35:28 PM »
Quote
F-Secure KEY looks cool but doesn't have a Windows Phone app. I'm currently checking out LastPass - looks promising.

I've been a Norton 360 subscriber for years, yet have never (before now, that is) bothered to use the included Identity Safe password manager. Is it any good? ... and safe, in comparison to F-Secure and LastPass?

Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 20213)
Re: OpenSSL and the Heartbleed issue
« Reply #14 on: April 11, 2014, 11:07:45 PM »
Hopefully someone will know, John. I've never used a Symantec product. It is shown as being free and is another that doesn't support Windows Phone. https://identitysafe.norton.com/features
