Heartbleed exposes Internet data
It bleeds Computer and Internet Security
A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.
It’s unlike most of the breaches reported over the past few years, in which one Web site or another got hacked or let its guard down. The flaw this time is in code designed to keep servers secure — tens of thousands of servers on which data is stored for thousands of sites.
The Heartbleed Bug
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
To find information about the installed OpenSSL:
enim$ yum info openssl
-or-
enim$ dpkg --print-avail openssl
How about operating systems?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL versions:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)
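As an added illustration (not part of enim's post or of the heartbleed.com text it reproduces), here is a small POSIX shell function that classifies the output of `openssl version` against the affected range listed above, OpenSSL 1.0.1 through 1.0.1f. It looks only at the upstream version string; distributions that backport the fix keep that string (the Debian, Ubuntu and CentOS builds above still report 1.0.1e after patching), so for packaged installs the package changelog, not this classifier, is authoritative. The changelog search terms in the trailing comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify an "openssl version" string
# against the affected range the thread lists (OpenSSL 1.0.1 through 1.0.1f).
# Caveat: distributions that backport the fix keep the upstream version string,
# so "affected-range" means "check the package changelog", not "definitely
# vulnerable".

# Usage: heartbleed_version_status "OpenSSL 1.0.1e 11 Feb 2013"
# Prints one of: affected-range, fixed-range, other-branch
heartbleed_version_status() {
    # The version is the second whitespace-separated field, e.g. "1.0.1e",
    # or "1.0.1e-fips" on Fedora/Red Hat builds. Empty input yields "".
    ver=$(printf '%s\n' "$1" | cut -d' ' -f2)
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected-range ;;
        1.0.1[g-z]*)                           echo fixed-range ;;
        *)                                     echo other-branch ;;
    esac
}

# Convenience wrapper for the local binary; prints other-branch when the
# openssl CLI is not installed, because the version field is then empty.
check_local_openssl() {
    heartbleed_version_status "$(openssl version 2>/dev/null)"
}

# For package-based installs the distribution changelog records a backported
# fix even though the version string stays at 1.0.1e. Assumed search terms
# (the bug lives in the TLS heartbeat extension), for the package managers
# the thread mentions:
#   rpm -q --changelog openssl | grep -i 'heartbeat\|heartbleed'          # yum-based
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | grep -i 'heartbeat\|heartbleed'  # dpkg-based
```

Run `check_local_openssl` on the host; "affected-range" on a distribution package is a prompt to read the changelog lines above, while "fixed-range" (1.0.1g or later) or "other-branch" (0.9.8 and 1.0.0 lines, which never contained the heartbeat code in question) needs no further action for this bug.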
I have posted in this section because lots of sites seem to be affected. Later on Baldrick or the mods can transfer it to the appropriate section.
If you are a server admin, please check it up!
-
Last edited by enim; 14th Apr 2014 at 02:17.
-
FWIW, the owner of the quicksandy forum has already been alerted:
http://forum.doom9.org/showthread.php?t=170457 -
Actually the chance of it actually being exploited prior to this week is extremely low. It would require the hackers to have previously known about the bug and been able to exploit it. There's no evidence that this is the case.
However, since the researchers decided to take the reprehensible (in my opinion) step of publicly releasing enough information on Monday for everybody to exploit this, transactions are NOW at risk because some websites won't upgrade either through not knowing to do so or willful neglect. I know of no way for users to determine whether a particular website has been updated or not. -
I would have thought that enim could figure out that the latest video news has to be video related after a few of his posts to this section were moved elsewhere by a moderator, but I guess not.
-
As of now...
The analyzer tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com (Yahoo Services) is vulnerable.
These are the main popular public websites; many other less popular sites are also affected, as this bug was floated in Dec 2011 and only came to light now. The global fix for these is going to take a while. Most of the sites will start declaring themselves clean to prevent users running away. But, as a user, it is very hard to know which site is affected and which one is not. Better to stay away from online transaction activities and websites that use SSL. -
I never shop online. I have no faith in the security of the internet, nor in anybody who says their system is secure. However, I do shop online with Amazon, but through the gift card route. When I see something I want, only then do I go out and purchase a gift card, plug in the number and purchase the item. Usually I am left with a balance of a few dollars. That is about as secure as anyone can get, in my opinion.
-
Canada NETFILE shut down their site after finding out about the exploit, but late tax returns won't be penalized.
I think, therefore I am a hamster. -
In one of the main articles that gave a list of sites affected or vulnerable/not vulnerable.
I found this online tool which, if you enter the site URL, will give it a scan to see if it is or is not affected by Heartbleed.
Obviously it may not be foolproof, but if a certain site you use is in question this tool may help a little:
http://filippo.io/Heartbleed/ -
How to make sure in the following case?
Heartbleed is all about SSL bleeding;
how to ensure that the server is not bleeding something else,
as there are many communication protocols?
Last edited by enim; 11th Apr 2014 at 08:53.
-
Being a Luddite is no solution, but whatever works for you...
Do note that if you ever use a credit card or debit card in a physical store/shop/restaurant that there is always a chance that your card can be compromised. Target got breached by outsiders who hacked their way into Target's HVAC supplier and used that system to jump over to the main system and put credit card copying software on all of their swipe stations. Restaurants almost always have the server take your card to a place where you have no visibility to run it through their swipe system and if said server uses a skimmer, your card just got copied. I suppose you can pay cash everywhere and good for you if you do that. One of my credit cards got used for fraudulent charges that were quickly caught and didn't cost me any money a few years ago. I went to another town to meet some old friends for lunch and I'm pretty sure either the waitress at the restaurant or the place where I bought gasoline had a skimmer and copied my card. If you use your cards at all, there is always risk. -
I went to another town to meet some old friends for lunch and I'm pretty sure either the waitress at the restaurant or the place where I bought gasoline had a skimmer and copied my card.
All online banking, transactions and payment gateways go through the Internet with some sort of encryption like SSL. Everything is not hard to hack.
Heartbleed is not limited to PC users only; it is expanding to all smart devices as well which use Android and other operating systems.
Security breaches also keep increasing as technology expands. -
The comic website XKCD explains Heartbleed in a cartoon.
Originally posted by johns0
Canada NETFILE shut down their site after finding out about the exploit, but late tax returns won't be penalized.
Heartbleed online security bug isn't easily fixed
The Canada Revenue Agency has a statement about its response to the Heartbleed security glitch on its website. The agency shut down access to online tax services Wednesday.
-
Although I make a lot of purchases and transactions online, I can definitely see Internet commerce coming to a screeching halt in the not too distant future. Internet security is an oxymoron.
It's like setting to sea on a screen bottom boat.......Got my retirement plans all set. Looks like I only have to work another 5 years after I die........ -
After reading too much on the internet, I was just testing and tinkering with my own web server remotely from a different PC as a man-in-the-middle. After a couple of attempts, I succeeded in getting my own (CheapO brand) SSL certificate information, as under:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
xx : xx : xx : xx : xx : xx : xx : xx
Signature Algorithm: sha1WithRSAEncryption
C=XX, ST=XX, L=XXXXXXXXX, O=XXXX, OU=XXXX, CN=XXXXX/
emailAddress=xxxxx@xxxx.xxx
Validity
Not Before: Apr 14 05:48:27 2014 GMT
Not After : Apr 13 05:48:27 2015 GMT
Subject: C=XX, ST=XX, L=XXXXXXXXX, O=XXXX, OU=XXXX, CN=XXXXX/
emailAddress=xxxxx@xxxx.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (XXXX bit)
Modulus (XXXX bit):
00:ac:dc:65:c2:18:4e:7a:32:99:fe:6e:c0:e4:83:
19:fe:0e:34:7a:6e:90:ae:20:5e:3d:81:48:32:a0:
37:c4:85:e1:61:db:6b:09:ec:2f:fa:59:3a:60:d5:
9c:ac:2b:3e:c4:8a:c4:03:b4:cf:18:42:dd:8e:a6:
63:a6:ed:a1:f0:16:97:ab:fb:f2:9b:fa:4f:29:62:
ea:65:fc:b4:f8:0c:3d:20:d2:58:ac:d6:6c:15:cf:
8c:fc:b4:8a:2a:53:df:7a:a0:61:38:77:db:e2:1a:
c2:33:51:f9:35:30:3a:0b:29:88:88:21:e2:ec:88:
d6:08:97:02:6e:d6:55:6b:ec:e7:68:28:74:5d:92:
46:b9:ce:38:2c:92:4c:df:a2:35:68:5c:fd:a3:98:
b2:02:ab:15:ad:d0:ad:52:06:97:1e:32:19:7f:58:
2d:8b:48:c8:e3:32:55:f0:59:f5:20:2a:d8:56:1c:
7e:ec:94:d0:6e:52:92:31:29:b8:2e:43:9e:05:27:
09:3c:29:0d:ea:31:19:0b:cc:9f:38:50:54:41:81:
78:21:95:96:f7:64:ef:40:a8:19:21:c8:92:cf:55:
ad:26:1e:6b:90:93:9c:2f:66:d4:12:e0:3a:46:37:
73:24:8f:a6:f4:7b:59:c5:a5:c7:a6:0a:b5:cf:13:
96:e1
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
a2:09:dd:6d:08:6d:37:31:f6:9e:89:14:19:51:70:54:8c:90:
9e:e6:9c:29:4f:8c:be:3e:84:bc:46:0a:bf:f9:5b:ed:25:0b:
bd:fa:34:e0:dc:af:b2:a5:1a:4a:d6:b3:67:4a:c3:d2:7b:48:
0d:55:71:41:94:ab:ae:8e:04:3a:82:9a:80:07:21:96:98:eb:
2d:90:55:63:68:ed:c6:9f:77:8a:f8:82:5f:5a:74:24:67:bb:
72:53:a0:7c:26:a3:39:34:f4:76:b9:07:64:3b:ce:a4:0f:75:
9b:c1:9a:6c:83:7f:bb:1e:bf:13:4b:f7:38:a6:5b:45:90:30:
92:ab:0e:4a:2b:ed:9c:46:7c:6a:2f:91:a3:42:07:f8:3d:b9:
a0:d4:f3:4b:bc:67:09:a6:a4:e1:3d:79:72:8c:9c:92:bf:7e:
ed:38:27:d1:57:f7:ec:de:b2:92:29:aa:71:74:5b:9e:da:43:
87:40:ed:6f:88:48:0c:2d:3e:66:d9:c4:42:32:d7:c6:20:04:
6e:83:a5:51:91:a0:03:40:dd:5e:24:8b:6d:d5:5e:8d:09:b8:
4a:53:31:c9:ec:61:0d:3f:97:0b:ab:32:e1:76:12:78:b2:cc:
59:65:1f:78:1b:7e:5f:45:27:ad:56:f6:73:38:b3:1f:d9:e6:
1b:e0:24:4b
Furthermore...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (XXXX bit)
Modulus (XXXX bit):
00:ac:dc:65:c2:18:4e:7a:32:99:fe:6e:c0:e4:83:
19:fe:0e:34:7a:6e:90:ae:20:5e:3d:81:48:32:a0:
37:c4:85:e1:61:db:6b:09:ec:2f:fa:59:3a:60:d5:
9c:ac:2b:3e:c4:8a:c4:03:b4:cf:18:42:dd:8e:a6:
63:a6:ed:a1:f0:16:97:ab:fb:f2:9b:fa:4f:29:62:
ea:65:fc:b4:f8:0c:3d:20:d2:58:ac:d6:6c:15:cf:
8c:fc:b4:8a:2a:53:df:7a:a0:61:38:77:db:e2:1a:
c2:33:51:f9:35:30:3a:0b:29:88:88:21:e2:ec:88:
d6:08:97:02:6e:d6:55:6b:ec:e7:68:28:74:5d:92:
46:b9:ce:38:2c:92:4c:df:a2:35:68:5c:fd:a3:98:
b2:02:ab:15:ad:d0:ad:52:06:97:1e:32:19:7f:58:
2d:8b:48:c8:e3:32:55:f0:59:f5:20:2a:d8:56:1c:
7e:ec:94:d0:6e:52:92:31:29:b8:2e:43:9e:05:27:
09:3c:29:0d:ea:31:19:0b:cc:9f:38:50:54:41:81:
78:21:95:96:f7:64:ef:40:a8:19:21:c8:92:cf:55:
ad:26:1e:6b:90:93:9c:2f:66:d4:12:e0:3a:46:37:
73:24:8f:a6:f4:7b:59:c5:a5:c7:a6:0a:b5:cf:13:
96:e1
Exponent: 65537 (0x10001)
Attributes:
unstructuredName :XXXXXXXXXXXXXXXX
challengePassword :XXXXXXXX
Signature Algorithm: sha1WithRSAEncryption
4d:36:f3:64:c7:bc:6a:57:5e:53:90:3d:fe:3a:48:47:2c:4c:
e1:94:de:da:8a:37:df:41:ce:b4:a7:c2:15:7d:7e:7a:4e:6e:
ba:ce:cd:8f:72:90:02:14:f6:96:1a:06:c3:f2:a0:ae:54:56:
cb:66:64:9f:01:d1:c6:d6:da:cf:b4:94:1f:c6:6c:81:9c:e1:
36:07:17:5a:16:80:8f:eb:10:1f:91:7f:93:56:ae:27:7a:3f:
10:19:32:08:b0:10:e3:b0:6a:f2:b2:5e:ce:52:91:24:4d:16:
26:16:69:37:5c:cf:35:03:82:ab:4b:79:f2:59:99:bc:bc:08:
80:f9:3f:5a:92:f8:22:ab:b2:83:1a:4c:0d:a5:2c:68:89:55:
48:f9:7f:7d:e2:67:4a:c6:d2:3b:6b:13:dd:8b:8c:00:1c:0d:
ff:0c:ed:9b:bb:78:5b:28:6e:5b:35:31:7c:fa:cd:b8:26:18:
1c:a9:88:3f:82:ad:e2:e1:35:8a:51:d7:27:dc:7c:a2:b8:16:
b0:82:5d:45:bb:ac:da:e7:5a:db:52:d5:dc:80:57:96:bd:da:
94:f6:7b:05:77:f8:04:7e:4b:f5:d2:d8:f5:0d:ab:0b:3d:ba:
88:80:97:ba:fc:2d:a1:e0:fc:79:2c:63:3f:38:f7:39:09:4b:
c8:ef:cd:dc
If you decipher and escalate root, this server will be your slave.
Somewhere I already asked: where and what should I patch?
Under rigorous exploit tests the server started bleeding lots of things, including SSL.
The Heartbleed bug in OpenSSL is just one issue out of many in the pot.
Buying an expensive SSL certificate is like giving the steering wheel and key to someone else. Isn't it?
I am too tired by now, I'll leave it here.... up to you!
Seems like a BiG joke to me.
Last edited by enim; 14th Apr 2014 at 02:54.
-
I was thinking about some positive automated script to test and fix various websites.
But hackers already did it to gain control.
Mainly they will target those websites bearing lots of traffic and transactions where they can get real monetary benefits.
The issue seems to be out of control. -
According to CISCO 2014 Annual Security Report
The cybercrime network is expanding, strengthening, and, increasingly, operating like any legitimate, sophisticated business network. Today’s cybercriminal hierarchy is like a pyramid (see Figure 1). At the bottom are the nontechnical opportunists and “crimeware-as-a-service” users who want to make money, a statement, or both with their campaigns. In the middle are the resellers and infrastructure maintainers—the “middlemen.” At the top are the technical innovators—the major players who law enforcement seeks most, but struggles to find.
Basic Internet infrastructure has become a target for hackers.
Modern cybercriminals usually have clear business objectives when launching their exploits.
They know what information they’re seeking or what outcomes they want to achieve, and they
know the path they need to take to reach these goals. Adversaries will spend significant time
researching their targets, often through publicly available information on social networks, and
planning their objectives strategically.
Many actors in the so-called “shadow economy” also now send surveillance malware to
collect information about an environment, including what security technology is deployed, so
they can target their attacks. This pre-exploit reconnaissance is how some malware writers
can be sure their malware will work. Once embedded in a network, the advanced malware
they design can communicate with command-and-control servers on the outside and spread
laterally across infrastructure to carry out its mission—whether it’s the theft of vital data or the disruption of critical systems.
==============================================================================
All anti-virus and anti-malware (protection) software is only effective against the viruses and malware which are known and already identified. Whom and which software to trust or not for internet security is a big deal nowadays. I just surf for fun and to relax, nothing serious.
Last edited by enim; 23rd Apr 2014 at 23:54.
-
CRA made contradictory statements in a recent news release.
Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.
The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.
CRA online services are safe and secure. (???????). The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.
This question rings a bell in my mind every time it comes to an Internet & computer security discussion.
According to a security survey by a private agency, at least 62% of web servers are still affected by Heartbleed at the time of writing this. And the funniest part is that many website operators state that they took the safety measure of replacing the SSL certificate to prevent users running away, but they never replaced it. That forces users to DooM.
Last edited by enim; 1st May 2014 at 03:12. Reason: addition
-
HEARTBLEED SAGA CONTINUES...
Keys left unchanged in many Heartbleed replacement certificates!
Although many secure websites reacted promptly to the Heartbleed bug by patching OpenSSL, replacing their SSL certificates, and revoking the old certificates, some have made the critical mistake of reusing the potentially-compromised private key in the new certificate. Since the Heartbleed bug was announced on 7 April, more than 30,000 affected certificates have been revoked and reissued without changing the private key.
Internet users rely on public key cryptography to verify the identity of secure websites: SSL certificates contain a public key that is generated from its associated private key. At the start of the secure connection, the server proves that it has the private key by decrypting messages encrypted with the public key, or by cryptographically signing its own messages. Keeping the private key secret is critical — if an attacker steals the private key, he can impersonate the secure website, decrypt sensitive information, or perform a man-in-the-middle attack.
Although we typically refer to "potentially-compromised" certificates when discussing the Heartbleed bug, the CA/Browser Forum adopts a much more cautious approach to its terminology. This group lays out the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, and they consider a private key to be "compromised" if there exists a practical technique by which an unauthorised person may discover its value — even if there is no evidence of such a technique having been exploited.
By reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as the those that have not yet replaced their SSL certificates — if the previous certificate had been compromised, then the stolen private key can still be used to impersonate the website's new SSL certificate, even if the old certificate has been revoked. Certificates that have been reissued with the same private key are easy to identify, as the new public key will also be identical to the old one.
Are you still thinking of bleeding your money on an expensive SSL certificate?
---------------------------------------------------------------------------------------------------------------------------------------------------
Friday night party is just over with a shout: "What da f**k Internet & Computer Security is?"
Just go home and sleep.... Zzzzzzz!
Last edited by enim; 10th May 2014 at 01:23.
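The last paragraph of the Netcraft piece quoted in the post above says a certificate reissued with the old private key is easy to spot because its public key is unchanged. As an added example (not part of the thread and not Netcraft's own tooling), here is a POSIX shell check that compares the public keys of two PEM certificates with the openssl CLI; the file names and the example.test hostname are assumptions. A "same-key" result for a certificate replaced after Heartbleed means the replacement did not remove the risk the article describes, because a private key exposed from the old certificate still matches the new one.

```shell
#!/bin/sh
# Added example, not from the thread or from Netcraft: decide whether a
# replacement certificate actually rotated the private key by comparing the
# public keys of the old and new PEM certificates. Requires the openssl CLI.
# File paths and the hostname used below are assumptions.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# Fails (non-zero) instead of hashing empty input when the file is unreadable,
# so two unreadable files never compare as "same-key".
pubkey_fingerprint() {
    spki=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$spki" ] || return 1
    printf '%s\n' "$spki" \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# Usage: key_rotation_status old.pem new.pem
# Prints "same-key" when the new certificate reuses the old public (hence
# private) key, "rotated" when the key changed; returns 2 on read errors.
key_rotation_status() {
    old=$(pubkey_fingerprint "$1") || return 2
    new=$(pubkey_fingerprint "$2") || return 2
    if [ "$old" = "$new" ]; then
        echo same-key
    else
        echo rotated
    fi
}

# The same check against a live server: fetch its current leaf certificate
# and compare it with a saved copy of the pre-Heartbleed one (hostname assumed).
#   openssl s_client -connect example.test:443 -servername example.test </dev/null 2>/dev/null \
#       | openssl x509 > current.pem
#   key_rotation_status old.pem current.pem
```

Revocation of the old certificate does not change the outcome of this check: the comparison is on key material, which is exactly what the article says a reissue must replace, and hashing the DER SubjectPublicKeyInfo is the same quantity browsers use for public-key pinning, so the fingerprints can be kept as a record of which keys a site has used.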