VideoHelp Forum
  1. Heartbleed exposes Internet data

    It bleeds Computer and Internet Security


    A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.

    It’s unlike most of the breaches reported over the past few years, in which one Web site or another got hacked or let its guard down. The flaw this time is in code designed to keep servers secure — tens of thousands of servers on which data is stored for thousands of sites.

    The Heartbleed Bug

    What versions of the OpenSSL are affected?

    Status of different versions:
    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
    To check which OpenSSL version is installed:
    enim$ yum info openssl
    -or-
    enim$ dpkg --print-avail openssl
    How about operating systems?

    Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:
    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

    I have posted in this section because lots of sites seem to be affected. Later on Baldrick or the mods can transfer it to the appropriate section.
    If you are a server admin, please check it up!
    Last edited by enim; 14th Apr 2014 at 03:17.
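The version table above is only the upstream rule. Distribution packages keep the upstream letter when the fix is backported (Debian's 1.0.1e stays 1.0.1e, RHEL/CentOS builds print 1.0.1e-fips before and after the patch), so a bare `openssl version` string cannot prove a packaged build is safe; the package changelog (`rpm -q --changelog openssl`, `apt-get changelog openssl`) or the build date from `openssl version -b` is what settles it. The following is an added example for this thread, not code from the original post or from the OpenSSL project: it encodes the rule from the post, refuses to guess for vendor builds, and checks the build date against the 7 April 2014 advisory. Function names and result labels are my own; the 1.0.2 branch handling reflects that 1.0.2-beta1 carried the bug and 1.0.2-beta2 fixed it.

```python
"""Classify an OpenSSL version string for the Heartbleed bug (CVE-2014-0160).

Added example for this thread; not code from the original post or from the OpenSSL
project. Function names and result labels are the author's own.
"""
import re
import ssl

# Upstream rule from the post: 1.0.1 through 1.0.1f carry the bug, 1.0.1g is the first
# fixed release, and the 1.0.0 / 0.9.8 branches never had the TLS heartbeat code.
VULNERABLE_LETTERS = "abcdef"
DISCLOSURE_DATE = (2014, 4, 7)                   # year, month, day of the public advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Package-revision markers seen on the distributions listed in the post. A backported fix
# keeps the upstream letter (1.0.1e stays 1.0.1e, RHEL/CentOS print 1.0.1e-fips before and
# after), so the version string alone cannot prove such a build is patched.
_DISTRO_MARK_RE = re.compile(r"-\d|\+deb|ubuntu|\.el\d|\.fc\d|fips")
_MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def classify_version(version_string):
    """Return 'vulnerable', 'fixed', 'not-affected' or 'check-vendor'.

    Accepts `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013") or a package
    version such as "1.0.1e-2+deb7u4".
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_string)
    release = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)
    if release == (1, 0, 2):
        # 1.0.2 was still in beta in April 2014: beta1 contained the bug, beta2 fixed it.
        return "vulnerable" if "beta1" in version_string else "fixed"
    if release != (1, 0, 1):
        return "not-affected"
    if letter and letter not in VULNERABLE_LETTERS:
        return "fixed"                           # 1.0.1g or later
    if _DISTRO_MARK_RE.search(version_string):
        return "check-vendor"                    # read the package changelog for CVE-2014-0160
    return "vulnerable"


def built_before_disclosure(built_on_line):
    """Parse `openssl version -b` output such as "built on: Tue Apr  8 02:39:29 UTC 2014".

    A binary built before the advisory cannot contain the fix whatever its package
    version claims; a later build date is necessary but not sufficient.
    """
    m = re.search(r"([A-Z][a-z]{2}) +(\d{1,2}) [\d:]+ (?:\S+ )?(\d{4})", built_on_line)
    if not m:
        raise ValueError("no build date found in %r" % built_on_line)
    built = (int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))
    return built < DISCLOSURE_DATE


def local_python_openssl():
    """Classify the OpenSSL this interpreter is linked against (no subprocess needed)."""
    return classify_version(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-2+deb7u4", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014", ssl.OPENSSL_VERSION):
        print("%-32s %s" % (sample, classify_version(sample)))
```

A "check-vendor" result is the honest answer for every distro package in the list above: the same "1.0.1e-2+deb7u4" string that shipped vulnerable looks almost identical to the fixed revision, and only the changelog entry naming CVE-2014-0160 or a rebuild dated after the advisory tells them apart.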
  2. DECEASED
    FWIW --- the owner of the quicksandy forum already has been alerted:

    http://forum.doom9.org/showthread.php?t=170457
  3. I'm a MEGA Super Moderator Baldrick's Avatar
    I'm not using any ssl at all...
  4. Banned
    Originally Posted by enim View Post
    Heartbleed exposes Internet data

    A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.
    Actually the chance of it actually being exploited prior to this week is extremely low. It would require the hackers to have previously known about the bug and been able to exploit it. There's no evidence that this is the case.

    However, since the researchers decided to take the reprehensible (in my opinion) step of publicly releasing enough information on Monday for everybody to exploit this, transactions are NOW at risk because some websites won't upgrade either through not knowing to do so or willful neglect. I know of no way for users to determine whether a particular website has been updated or not.
  5. Member
    I would have thought that enim could figure out that the latest video news has to be video related after a few of his posts to this section were moved elsewhere by a moderator, but I guess not.
  6. as of now...
    The analyzer tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com (Yahoo Services) is vulnerable.

    These are the main popular public websites; many other non-popular sites are also affected, as this bug was floated in Dec 2011 and came to light only now. A global fix for these is going to take a while. Most of the sites will start declaring themselves clean to prevent users running away. But as a user it is very hard to know which site is affected and which one is not. Better to stay away from online transaction activities and websites that use SSL.
  7. Member vhelp's Avatar
    I never shop online. I have no faith in the security of the internet, nor in anybody who says their system is secure. However, I do shop online with Amazon, but through the gift card route. When I see something I want, only then do I go out and purchase a gift card, plug in the number and purchase the item. Usually I am left with a balance of a few dollars. That is about as secure as anyone can get in my opinion.
  8. I'm a Super Moderator johns0's Avatar
    Canada Netfile shut down their site after finding out about the exploit, but late tax returns won't be penalized.
    I think,therefore i am a hamster.
    In one of the main articles that gave a list of sites affected or vulnerable/not vulnerable,
    I found this online tool which, if you enter the site URL, will scan it to see whether it is affected by Heartbleed.

    Obviously it may not be foolproof, but if a certain site you use is in question this tool may help a little.

    http://filippo.io/Heartbleed/
  10. How to make sure in following case?



    Heartbleed is all about SSL bleeding.
    How to ensure that the server is not bleeding something else,
    as there are many communication protocols?
    Last edited by enim; 11th Apr 2014 at 09:53.
  11. Banned
    Originally Posted by vhelp View Post
    I never shop online. I have no faith in the security of the internet, nor in anybody who says their system is secure. However, I do shop online with Amazon, but through the gift card route. When I see something I want, only then do I go out and purchase a gift card, plug in the number and purchase the item. Usually I am left with a balance of a few dollars. That is about as secure as anyone can get in my opinion.
    Being a Luddite is no solution, but whatever works for you...

    Do note that if you ever use a credit card or debit card in a physical store/shop/restaurant that there is always a chance that your card can be compromised. Target got breached by outsiders who hacked their way into Target's HVAC supplier and used that system to jump over to the main system and put credit card copying software on all of their swipe stations. Restaurants almost always have the server take your card to a place where you have no visibility to run it through their swipe system and if said server uses a skimmer, your card just got copied. I suppose you can pay cash everywhere and good for you if you do that. One of my credit cards got used for fraudulent charges that were quickly caught and didn't cost me any money a few years ago. I went to another town to meet some old friends for lunch and I'm pretty sure either the waitress at the restaurant or the place where I bought gasoline had a skimmer and copied my card. If you use your cards at all, there is always risk.
  12. I went to another town to meet some old friends for lunch and I'm pretty sure either the waitress at the restaurant or the place where I bought gasoline had a skimmer and copied my card.
    Somewhere in 2008, someone skimmed my VISA for $156 in a different country and a different city which I never visited, at a gas station for filling up a gas tank and some other purchases. Anyway, I resolved the issue with VISA, and after that: no more credit cards.

    All online banking, transactions and payment gateways go through the Internet only, with some sort of encryption like SSL. Everything is not hard to hack.

    Heartbleed is not limited to PC Users only, it is expanding to all smart devices as well which uses Android and other Operating Systems.
    Security Breaches also keep increasing as technology expands.
    The comic website XKCD explains Heartbleed in a cartoon.


    Originally posted by johns0
    Canada netfile shutdown their site after finding about the exploit but late tax returns won't be penalized.
    -Thanks!

    Heartbleed online security bug isn't easily fixed
    The Canada Revenue Agency has a statement about its response to the Heartbleed security glitch on its website. The agency shut down access to online tax services Wednesday.


  14. Member racer-x's Avatar
    Although I make a lot of purchases and transactions online, I can definitely see Internet commerce coming to a screeching halt in the not too distant future. Internet security is an oxymoron.

    It's like setting to sea on a screen bottom boat.......
    Got my retirement plans all set. Looks like I only have to work another 5 years after I die........
    After reading too much on the internet, I was just testing and tinkering with my own web server remotely from a different PC as a man-in-the-middle. After a couple of attempts, I succeeded in getting my own (CheapO Brand) SSL certificate information, as under:

    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    xx : xx : xx : xx : xx : xx : xx : xx
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=XX, ST=XX, L=XXXXXXXXX, O=XXXX, OU=XXXX, CN=XXXXX/
    emailAddress=xxxxx@xxxx.xxx
    Validity
    Not Before: Apr 14 05:48:27 2014 GMT
    Not After : Apr 13 05:48:27 2015 GMT
    Subject: C=XX, ST=XX, L=XXXXXXXXX, O=XXXX, OU=XXXX, CN=XXXXX/
    emailAddress=xxxxx@xxxx.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (XXXX bit)
    Modulus (XXXX bit):
    00:ac:dc:65:c2:18:4e:7a:32:99:fe:6e:c0:e4:83:
    19:fe:0e:34:7a:6e:90:ae:20:5e:3d:81:48:32:a0:
    37:c4:85:e1:61:db:6b:09:ec:2f:fa:59:3a:60:d5:
    9c:ac:2b:3e:c4:8a:c4:03:b4:cf:18:42:dd:8e:a6:
    63:a6:ed:a1:f0:16:97:ab:fb:f2:9b:fa:4f:29:62:
    ea:65:fc:b4:f8:0c:3d:20:d2:58:ac:d6:6c:15:cf:
    8c:fc:b4:8a:2a:53:df:7a:a0:61:38:77:db:e2:1a:
    c2:33:51:f9:35:30:3a:0b:29:88:88:21:e2:ec:88:
    d6:08:97:02:6e:d6:55:6b:ec:e7:68:28:74:5d:92:
    46:b9:ce:38:2c:92:4c:df:a2:35:68:5c:fd:a3:98:
    b2:02:ab:15:ad:d0:ad:52:06:97:1e:32:19:7f:58:
    2d:8b:48:c8:e3:32:55:f0:59:f5:20:2a:d8:56:1c:
    7e:ec:94:d0:6e:52:92:31:29:b8:2e:43:9e:05:27:
    09:3c:29:0d:ea:31:19:0b:cc:9f:38:50:54:41:81:
    78:21:95:96:f7:64:ef:40:a8:19:21:c8:92:cf:55:
    ad:26:1e:6b:90:93:9c:2f:66:d4:12:e0:3a:46:37:
    73:24:8f:a6:f4:7b:59:c5:a5:c7:a6:0a:b5:cf:13:
    96:e1
    Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    a2:09:dd:6d:08:6d:37:31:f6:9e:89:14:19:51:70:54:8c:90:
    9e:e6:9c:29:4f:8c:be:3e:84:bc:46:0a:bf:f9:5b:ed:25:0b:
    bd:fa:34:e0:dc:af:b2:a5:1a:4a:d6:b3:67:4a:c3:d2:7b:48:
    0d:55:71:41:94:ab:ae:8e:04:3a:82:9a:80:07:21:96:98:eb:
    2d:90:55:63:68:ed:c6:9f:77:8a:f8:82:5f:5a:74:24:67:bb:
    72:53:a0:7c:26:a3:39:34:f4:76:b9:07:64:3b:ce:a4:0f:75:
    9b:c1:9a:6c:83:7f:bb:1e:bf:13:4b:f7:38:a6:5b:45:90:30:
    92:ab:0e:4a:2b:ed:9c:46:7c:6a:2f:91:a3:42:07:f8:3d:b9:
    a0:d4:f3:4b:bc:67:09:a6:a4:e1:3d:79:72:8c:9c:92:bf:7e:
    ed:38:27:d1:57:f7:ec:de:b2:92:29:aa:71:74:5b:9e:da:43:
    87:40:ed:6f:88:48:0c:2d:3e:66:d9:c4:42:32:d7:c6:20:04:
    6e:83:a5:51:91:a0:03:40:dd:5e:24:8b:6d:d5:5e:8d:09:b8:
    4a:53:31:c9:ec:61:0d:3f:97:0b:ab:32:e1:76:12:78:b2:cc:
    59:65:1f:78:1b:7e:5f:45:27:ad:56:f6:73:38:b3:1f:d9:e6:
    1b:e0:24:4b

    Furthermore...
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (XXXX bit)
    Modulus (XXXX bit):
    00:ac:dc:65:c2:18:4e:7a:32:99:fe:6e:c0:e4:83:
    19:fe:0e:34:7a:6e:90:ae:20:5e:3d:81:48:32:a0:
    37:c4:85:e1:61:db:6b:09:ec:2f:fa:59:3a:60:d5:
    9c:ac:2b:3e:c4:8a:c4:03:b4:cf:18:42:dd:8e:a6:
    63:a6:ed:a1:f0:16:97:ab:fb:f2:9b:fa:4f:29:62:
    ea:65:fc:b4:f8:0c:3d:20:d2:58:ac:d6:6c:15:cf:
    8c:fc:b4:8a:2a:53:df:7a:a0:61:38:77:db:e2:1a:
    c2:33:51:f9:35:30:3a:0b:29:88:88:21:e2:ec:88:
    d6:08:97:02:6e:d6:55:6b:ec:e7:68:28:74:5d:92:
    46:b9:ce:38:2c:92:4c:df:a2:35:68:5c:fd:a3:98:
    b2:02:ab:15:ad:d0:ad:52:06:97:1e:32:19:7f:58:
    2d:8b:48:c8:e3:32:55:f0:59:f5:20:2a:d8:56:1c:
    7e:ec:94:d0:6e:52:92:31:29:b8:2e:43:9e:05:27:
    09:3c:29:0d:ea:31:19:0b:cc:9f:38:50:54:41:81:
    78:21:95:96:f7:64:ef:40:a8:19:21:c8:92:cf:55:
    ad:26:1e:6b:90:93:9c:2f:66:d4:12:e0:3a:46:37:
    73:24:8f:a6:f4:7b:59:c5:a5:c7:a6:0a:b5:cf:13:
    96:e1
    Exponent: 65537 (0x10001)
    Attributes:
    unstructuredName :XXXXXXXXXXXXXXXX
    challengePassword :XXXXXXXX
    Signature Algorithm: sha1WithRSAEncryption
    4d:36:f3:64:c7:bc:6a:57:5e:53:90:3d:fe:3a:48:47:2c:4c:
    e1:94:de:da:8a:37:df:41:ce:b4:a7:c2:15:7d:7e:7a:4e:6e:
    ba:ce:cd:8f:72:90:02:14:f6:96:1a:06:c3:f2:a0:ae:54:56:
    cb:66:64:9f:01:d1:c6:d6:da:cf:b4:94:1f:c6:6c:81:9c:e1:
    36:07:17:5a:16:80:8f:eb:10:1f:91:7f:93:56:ae:27:7a:3f:
    10:19:32:08:b0:10:e3:b0:6a:f2:b2:5e:ce:52:91:24:4d:16:
    26:16:69:37:5c:cf:35:03:82:ab:4b:79:f2:59:99:bc:bc:08:
    80:f9:3f:5a:92:f8:22:ab:b2:83:1a:4c:0d:a5:2c:68:89:55:
    48:f9:7f:7d:e2:67:4a:c6:d2:3b:6b:13:dd:8b:8c:00:1c:0d:
    ff:0c:ed:9b:bb:78:5b:28:6e:5b:35:31:7c:fa:cd:b8:26:18:
    1c:a9:88:3f:82:ad:e2:e1:35:8a:51:d7:27:dc:7c:a2:b8:16:
    b0:82:5d:45:bb:ac:da:e7:5a:db:52:d5:dc:80:57:96:bd:da:
    94:f6:7b:05:77:f8:04:7e:4b:f5:d2:d8:f5:0d:ab:0b:3d:ba:
    88:80:97:ba:fc:2d:a1:e0:fc:79:2c:63:3f:38:f7:39:09:4b:
    c8:ef:cd:dc

    If you decipher and escalate root, this server will be your slave.

    Somewhere I already asked: where and what should I patch?
    Under rigorous exploit tests the server started bleeding lots of things, including SSL.
    Heartbleed Bug - OpenSSL is just one issue out of many in the pot.
    Buying an expensive SSL certificate is like giving the steering wheel and key to someone else. Isn't it?
    I am too tired by now, leave it here.... up to you!
    Seems like a BiG Joke to me.
    Last edited by enim; 14th Apr 2014 at 03:54.
    I was thinking about some positive automated script to test and fix various websites.
    But hackers already did it to gain control.

    Mainly they will target those websites bearing lots of traffic and transactions where they can get real monetary benefits.
    The issue seems out of control.
    According to the Cisco 2014 Annual Security Report:



    The cybercrime network is expanding, strengthening, and, increasingly, operating like any legitimate, sophisticated business network. Today’s cybercriminal hierarchy is like a pyramid (see Figure 1). At the bottom are the nontechnical opportunists and “crimeware-as-a-service” users who want to make money, a statement, or both with their campaigns. In the middle are the resellers and infrastructure maintainers—the “middlemen.” At the top are the technical innovators—the major players who law enforcement seeks most, but struggles to find.
    Basic Internet infrastructure has become a target for hackers.

    Modern cybercriminals usually have clear business objectives when launching their exploits.
    They know what information they’re seeking or what outcomes they want to achieve, and they
    know the path they need to take to reach these goals. Adversaries will spend significant time
    researching their targets, often through publicly available information on social networks, and
    planning their objectives strategically.

    Many actors in the so-called “shadow economy” also now send surveillance malware to
    collect information about an environment, including what security technology is deployed, so
    they can target their attacks. This pre-exploit reconnaissance is how some malware writers
    can be sure their malware will work. Once embedded in a network, the advanced malware
    they design can communicate with command-and-control servers on the outside and spread
    laterally across infrastructure to carry out its mission—whether it’s the theft of vital data or the disruption of critical systems.

    ==============================================================================
    All anti-virus & anti-malware (protection) software is only effective against the viruses & malware which are known and already identified. Whom & which software to trust or not for internet security is a big deal nowadays. I just surf for fun & to relax, nothing serious.
    Last edited by enim; 24th Apr 2014 at 00:54.
  18. CRA made contradictory statements in a recent news release.
    Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

    The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.

    CRA online services are safe and secure. (???????). The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.
    What are the highest de facto standards for Internet & Computer Security?
    This question rings in my mind all the time, when it comes to Internet & Computer Security discussions.

    According to a security survey by a private agency, at least 62% of web servers are still affected by Heartbleed at the time of writing this. And the funniest part is, many website operators state that they took the safety measure of replacing the SSL certificate to prevent users running away, but they never replaced it. That forces users to doom.
    Last edited by enim; 1st May 2014 at 04:12. Reason: addition
  19. HEART BLEED SAGA CONTINUES...

    Keys left unchanged in many Heartbleed replacement certificates!

    Although many secure websites reacted promptly to the Heartbleed bug by patching OpenSSL, replacing their SSL certificates, and revoking the old certificates, some have made the critical mistake of reusing the potentially-compromised private key in the new certificate. Since the Heartbleed bug was announced on 7 April, more than 30,000 affected certificates have been revoked and reissued without changing the private key.

    Internet users rely on public key cryptography to verify the identity of secure websites: SSL certificates contain a public key that is generated from its associated private key. At the start of the secure connection, the server proves that it has the private key by decrypting messages encrypted with the public key, or by cryptographically signing its own messages. Keeping the private key secret is critical — if an attacker steals the private key, he can impersonate the secure website, decrypt sensitive information, or perform a man-in-the-middle attack.

    Although we typically refer to "potentially-compromised" certificates when discussing the Heartbleed bug, the CA/Browser Forum adopts a much more cautious approach to its terminology. This group lays out the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, and they consider a private key to be "compromised" if there exists a practical technique by which an unauthorised person may discover its value — even if there is no evidence of such a technique having been exploited.

    By reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as those that have not yet replaced their SSL certificates — if the previous certificate had been compromised, then the stolen private key can still be used to impersonate the website's new SSL certificate, even if the old certificate has been revoked. Certificates that have been reissued with the same private key are easy to identify, as the new public key will also be identical to the old one.

    Are you still thinking of bleeding your money for expensive SSL certificate?

    ---------------------------------------------------------------------------------------------------------------------------------------------------
    Friday night party is just over with a shout "What da f**k Internet & Computer Security is?"
    Just go home and sleep.... Zzzzzzz!
    Last edited by enim; 10th May 2014 at 02:23.
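The quoted piece ends with the practical test: a "replacement" certificate that kept the old private key also carries an identical public key, whatever its new serial number and dates say. The following is an added example for this thread, not code from the original post or from Netcraft. It walks the X.509 structure just far enough to pull out the SubjectPublicKeyInfo and compares it between the old and the new certificate. The DER writer, the placeholder moduli and the three sample certificates at the bottom are my own constructions (not real key pairs, not signed by any CA) so that the script runs offline; `certificate_spki`, `pem_to_der` and `key_reused` work on real certificates.

```python
"""Spot a Heartbleed "replacement" certificate that still carries the old public key.

Added example for this thread; not code from the original post or from Netcraft.
Function names, the placeholder moduli and the sample certificates are constructed here.
"""
import base64
import hashlib
import re


def der_read(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, end_pos, raw_tlv)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end, buf[pos:end]

def der_children(value):
    """Split a constructed element's content into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos, raw = der_read(value, pos)
        out.append((tag, inner, raw))
    return out

def pem_to_der(pem_text):
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def certificate_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo (algorithm + key) of an X.509 certificate."""
    tag, cert_body, _, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = der_children(cert_body)[0]       # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                     # EXPLICIT [0] version; absent in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]

def spki_sha256(cert_der):
    """Fingerprint of the public key alone; stable across reissues that kept the key."""
    return hashlib.sha256(certificate_spki(cert_der)).hexdigest()

def key_reused(old_cert_der, new_cert_der):
    """True when both certificates bind the same public key, i.e. the private key was not rotated."""
    return certificate_spki(old_cert_der) == certificate_spki(new_cert_der)


# DER writer, used only to build the constructed sample certificates below.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(i):
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))  # keeps the sign byte when needed

def fake_cert(serial, modulus):
    """Structurally valid X.509 v3 certificate; the signature field is zero-filled (not signed)."""
    rsa_enc = der(0x06, bytes.fromhex("2a864886f70d010101"))                                # rsaEncryption
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))   # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"example.test"))))
    validity = der(0x30, der(0x17, b"140414054827Z") + der(0x17, b"150413054827Z"))
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, rsa_enc + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))

# Constructed samples (placeholder moduli, not real key pairs): the original certificate,
# a reissue that kept the key, and a reissue with a freshly generated key.
KEY_A = int.from_bytes(hashlib.sha256(b"placeholder modulus A").digest() * 8, "big")
KEY_B = int.from_bytes(hashlib.sha256(b"placeholder modulus B").digest() * 8, "big")
OLD_CERT = fake_cert(0x1001, KEY_A)
REISSUED_SAME_KEY = fake_cert(0x1002, KEY_A)
REISSUED_NEW_KEY = fake_cert(0x1003, KEY_B)

if __name__ == "__main__":
    for label, new in (("reissued, same key", REISSUED_SAME_KEY), ("reissued, new key", REISSUED_NEW_KEY)):
        print(label, "spki", spki_sha256(new)[:16], "key reused:", key_reused(OLD_CERT, new))
```

Against real files it is `key_reused(pem_to_der(open("old.pem").read()), pem_to_der(open("new.pem").read()))`; the shell equivalent is `openssl x509 -in cert.pem -noout -pubkey` on both files and a diff. A matching key after a Heartbleed reissue means the revocation bought nothing: whoever holds the leaked private key can present the shiny new certificate just as well as the old one.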