Feed
 

"Heartbleed" Vulnerability issues

Avatar Euan Williams
Among other references, practical information

from Reuters here,

and from CNET here.

Re: "Heartbleed" Vulnerability issues

Avatar Euan Williams
A variety of suggestions via the BBC here, from various sources

Re: "Heartbleed" Vulnerability issues

Avatar Euan Williams
Posts from apple.stackexchange.com suggest that users of Mavericks (and hence also earlier OSX versions?) do NOT have the faulty version of Open SSL installed.

Let's hope that's all there is to it for Apple users. If ISPs and other web servers are affected this might be false comfort. Any member clued up on this?

Re: "Heartbleed" Vulnerability issues

Avatar Mark Ford
... as it applies to Apple users
http://www.cultofmac.com/273524/heartbleed-security-bug-apple-users-need-know/

Re: "Heartbleed" Vulnerability issues

Avatar Euan Williams
As the web world clears up the mess from Heartbleed, (and Apple users feel comfy that the “good old” BSD in the Apple walled garden is more secure than some recent versions of OpenSSL) some members may like to check these background urls (among many others):

> http://heartbleed.com <
sober FAQs including tech stuff on the bug

> http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html <
understandable tech explanation and analysis with comments

> http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/ <
further discussions in Comments

> http://www.cnet.com/uk/news/which-sites-have-patched-the-heartbleed-bug/ <
running record of test results for top 100 websites

> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed <
clear explanation of problem and measures required to fix.

Re: "Heartbleed" Vulnerability issues

Avatar Mick Burrell
Should I panic?

Looking at it logically, if this was only discovered (by those that look after us) a few days ago but has been around for two years (see the Reuters link Euan posted) then is it not safe to assume that had it been used to hack millions of accounts, it would have been discovered earlier? if that's the case, hackers probably didn't discover it! I've been safely buying online for the last two years so the next few days doesn't seem much of a risk - at least, not to me.

Further, as soon as I found a site where you could put in a web address you wanted to check, I put in the online banking details for Lloyds, Barclays, HSBC, Nat West (RBS) and Nationwide and all gave the result "Passed or unaffected". Looks like they beat me to it!

Re: "Heartbleed" Vulnerability issues

Avatar Euan Williams
Very sensible, Mike!
From The Sydney Herald April 11th:
> a certain Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
> "I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.
> "In one of the new features, unfortunately, I missed validating a variable containing a length."
> After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Dr Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson.
> Dr Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".

A good explanation of how it works is this, from SmallDog's Kibbles & Bites #875 (Scott Markoski):

> The bug works by exploiting a flaw in the way heartbeat messages are handled in OpenSSL. A heartbeat message is nothing more than a tiny message from a client to the server that says, “Hey server, even though I’m not sending encrypted data right now, I’m still here, so don’t close my secure connection.” It does this because closing and reopening the connection takes work, so it’s more efficient to leave it open. These heartbeat messages typically contain some payload data and an indication of how big the payload data is. So a message might be “Hey server, I’m still here” and the payload size might say 32 bytes. The server hears this message and responds by returning the payload data and payload size to the client.

> In the exploitation of this transaction a malicious client would send a heartbeat message with a very small payload (say 10 bytes), but it would lie and say that the payload size was very large (50,000 bytes). When the server goes to respond by sending back the payload, it mistakenly grabs 50,000 bytes worth of data from its memory. This could include all kinds of data that this client should NOTknow about. It could be anything the server was working on at that time: other client secure data, passwords, or even encryption keys. This is all very bad, so we want to stop it from happening. <

So it's like a Doctor taking entirely random biopsy samples from someone and trying to establish that there might be thought processes going on there. (The hunt for the Malaysian Aircraft Black Boxes as the signals fade is infinitely more 'directed' in comparison.)

Re: "Heartbleed" Vulnerability issues

Avatar Drew McFarlane
I'm afraid It is all gobbledygook to me.

I have tried to read all that has been reported and cannot make any sense of it. What passwords do I change if any? All e-mail addresses - internet sites that I subscribe to?

I did phone my bank and was told "not to worry". E-Bay & PayPal say there is nothing to worry about.

Perhaps someone will explain in non technical terms.

Re: "Heartbleed" Vulnerability issues

Avatar Mick Burrell
I hesitate to say "this is what you should do" just in case but, for what it's worth, if you read my post above, you won't be surprised to learn I've not change any of my passwords or buying habits.

Re: "Heartbleed" Vulnerability issues

Avatar Drew McFarlane
Thank you Mick.

Re: "Heartbleed" Vulnerability issues

Avatar Eric Jervis
Just tested the co-op bank, which is not vulnerable.

Re: "Heartbleed" Vulnerability issues

Avatar Euan Williams
Apple have issued firmware update 7.7.3 for its 2013 Airport Extreme and Time Capsule base stations with 802.11ac-- NOT for Airport Express here.

Among other improvements this fixes the Heartbleed SSL/TLS vulnerability in these devices.
 
Feed