Heartbleed flaw



Bryan Rocker
04-11-2014, 10:39 AM
Good morning all,

While looking at FB this morning, an article about the impacts of the Heartbleed flaw was passed on to me. I didn't realize until reading the article that many websites will require you to change your password once they have been patched :eek:.

I highly recommend everybody read this all the way through and review all the websites to see if you need to change your password.

On a side note, is Sawmillcreek affected???

Bryan

Oh ya, url....

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoiZiIsImkiOiJfODAya2psZDk5enIxMm9mbCJ9

Jason Roehl
04-11-2014, 11:49 AM
For those not up on the techie side of it, this puts it in simpler terms:

http://xkcd.com/1354/

Brian Elfert
04-11-2014, 11:56 AM
Sawmill doesn't appear to use HTTPS on the main site at all, so the main site at least would not be affected. Your username and password on login appear to be sent in clear text, as it is on a lot of forums. It doesn't bother me in the least if someone can see my login information for this site. I don't use the same login or password elsewhere.

I think people are overreacting by telling everyone to change every password on every website they use. They are assuming that every single server on the Internet got hit by the exploit.

paul cottingham
04-11-2014, 12:40 PM
Any server on the Internet that uses that version of OpenSSL is totally vulnerable. And that is a very large number of servers. So don't underplay the reach of this.
On the other hand, I wouldn't panic too much about someone exploiting my Facebook account. Or my login here for that matter.
So it is really serious and important.
But we need perspective.

glenn bradley
04-11-2014, 1:36 PM
Any server on the Internet that uses that version of OpenSSL is totally vulnerable. And that is a very large number of servers. So don't underplay the reach of this.
On the other hand, I wouldn't panic too much about someone exploiting my Facebook account. Or my login here for that matter.
So it is really serious and important.
But we need perspective.

Paul speaks true. People are out there telling you to change all your passwords this very second. Not much help if the site hasn't applied the patch yet or is not even vulnerable in the first place. Take a breath, assess and then do what's best for your situation.

Brian Elfert
04-11-2014, 2:29 PM
Any server on the Internet that uses that version of OpenSSL is totally vulnerable. And that is a very large number of servers. So don't underplay the reach of this.

I understand there are millions of servers and devices that are/were vulnerable. The question is how many of them really got exploited?

Brian Tymchak
04-11-2014, 3:29 PM
For those not up on the techie side of it, this puts it in simpler terms:

http://xkcd.com/1354/

I love xkcd...

paul cottingham
04-11-2014, 3:56 PM
I understand there are millions of servers and devices that are/were vulnerable. The question is how many of them really got exploited?
OpenSSL is probably installed on any *nix based server on the Internet. That is both good and bad. Good because patching *nix based servers is probably much easier and less disruptive than patching a windows box. Much easier to automate or accomplish with a batch script.

As to Windoze boxes, I don't have enough experience with them as web (or web accessible) servers to know how many would be running OpenSSL. I know if I was running one, I would use OpenSSL as I am a proponent of open source. Patching them would be much more work, and much more intrusive.

As to how many were exploited, I doubt we will ever know.

It's been interesting watching the news, with uninformed people saying stuff like "this is why open source is so bad" or my personal favourite from a self-proclaimed local expert, "this sounds the death knell for open source!"

for crying out loud.

Brian Elfert
04-11-2014, 4:13 PM
OpenSSL is probably installed on any *nix based server on the Internet. That is both good and bad. Good because patching *nix based servers is probably much easier and less disruptive than patching a Windows box. Much easier to automate or accomplish with a batch script.


Yes, it is on most Unix boxes if the admin hasn't removed it. Just because the software is installed doesn't mean it is being used, or could be exploited. There would have to be an SSL server running on the server for it to possibly be vulnerable.

paul cottingham
04-11-2014, 4:33 PM
Yes, it is on most Unix boxes if the admin hasn't removed it. just because the software is installed doesn't mean it is being used, or could be exploited. There would have to be an SSL server running on the server for it to possibly be vulnerable.

You are quite right. But I suspect that most admins run OpenSSL. Or are there some alternatives I have completely zoned on? I am feeling particularly dumb today..

Brian Elfert
04-11-2014, 4:39 PM
You are quite right. But I suspect that most admins run OpenSSL. Or are there some alternatives I have completely zoned on? I am feeling particularly dumb today..

There are many millions of unix servers out there. Only a portion of these run SSL of any kind and are accessible from the Internet. OpenSSL is installed on most servers by default and a lot of server admins just take the defaults. A good server admin will install the least amount of software packages to make the server work, but sometimes you really don't know what all needs to be installed so you choose everything.

paul cottingham
04-11-2014, 4:44 PM
Yeah, I guess so. We installed it on every server we built 'cause we were mostly command line admins. Hell, I don't think I could admin a server from a GUI. Generally wouldn't punch a hole in the firewall for it unless we needed to. We would close it once we were done.

Brian Elfert
04-11-2014, 4:58 PM
I do all of my Unix server work from the command line too. The servers don't have a GUI installed. OpenSSL just installed on a server can't typically be exploited. It has to have Apache or some web server to actually serve up HTTPS pages. OpenSSL can also be used for SSL VPNs and other things, but the most common use would be for a web server.

paul cottingham
04-11-2014, 6:12 PM
We are on the same page. Of course, the web vulnerability is nasty. Gotta love that apparently the NSA knew about it for a very long time.

Bryan Rocker
04-11-2014, 9:18 PM
The problem with things made by man is that they can be broken by man; every time a bug/flaw/hack is fixed, they find a new one or a new way to exploit it. But I like that XKCD, that was pretty good.

Bryan

PS: while most of us tech savvy folks don't use the same username/password, you would be surprised at the percentage of users who do......

Curt Harms
04-12-2014, 8:31 AM
There are web apps that can check for this vulnerability. I checked all the sites where having my user credentials 'out there' would be a problem. All checked safe. A real issue would be if someone used one or a couple passwords for everything. Also, OpenSSL before a certain version was not vulnerable to this exploit. Here's the site I used:

http://filippo.io/Heartbleed/

Brian Elfert
04-12-2014, 11:13 AM
The big web sites all have employees working basically 24x7 who can patch the site quickly in case of a security flaw like Heartbleed. It is likely that a number of the websites that tested good yesterday or today would not have tested good earlier in the week. They just patched things right away. A few big web sites were given advance notice of the Heartbleed vulnerability and had things patched before the public announcement.

Scott Shepherd
04-13-2014, 11:07 AM
Does this look weird to anyone else? It's a major security flaw that "exposes" millions and millions, but yet there don't seem to be any reports that anything has been done with any of it. If they are swiping user data and passwords and encrypted stuff, wouldn't they be using it? You're not hearing about it at all. I wonder if this is part of the NSA issues, and this is one of the tools they implemented to help get them access to secure networks around the world, just to collect the data, not to use it to buy new shoes from Amazon. Then it's exposed and it's treated like some run of the mill virus out there that some unknown person dumped out there.

Just something to think about. If all the big names had their networks breached, then there would be millions and millions of people that had their data stolen over the last 2 years. But there's no reporting of that happening.

Something's fishy.....

Brian Elfert
04-13-2014, 3:47 PM
I'm not sure there is any way to know if your server was compromised. At least that is the way one of my co-workers explained it.

Brian Tymchak
04-14-2014, 8:54 AM
Does this look weird to anyone else? It's a major security flaw that "exposes" millions and millions, but yet there don't seem to be any reports that anything has been done with any of it. If they are swiping user data and passwords and encrypted stuff, wouldn't they be using it? You're not hearing about it at all. I wonder if this is part of the NSA issues, and this is one of the tools they implemented to help get them access to secure networks around the world, just to collect the data, not to use it to buy new shoes from Amazon. Then it's exposed and it's treated like some run of the mill virus out there that some unknown person dumped out there.

Just something to think about. If all the big names had their networks breached, then there would be millions and millions of people that had their data stolen over the last 2 years. But there's no reporting of that happening.

Something's fishy.....

My understanding is that it was discovered by a company that searches for security vulnerabilities. Hopefully, this time the problem was found before the damage was done...

Roger Feeley
04-19-2014, 9:52 AM
Scott, it sounds fishy because no one really knows what data you can get when you exploit the HeartBleed. Here is my understanding of how it works:

In HTTPS, you have to keep the conversation alive by sending continuous data packets back and forth (called 'heartbeats'). That is, if you have nothing of substance to say, you still have to say something. It goes like this:

Your machine sends a heartbeat to the HTTPS server and it echoes it back. As I understand it, the message looks like this: <length><some number of bytes>
So you might send <5><Scott>.
You would send <5><Scott> to the server and it would send <5><Scott> back to you. It copies "Scott" into a specific area of memory. Then it builds the reply.

The bug is that the number of bytes doesn't have to match the length. It turns out that there was no check to see if the length and the text matched.

Soooo... You can send <5000><Scott>. It copies 'Scott' into its buffer for 5 bytes and then returns 5000 bytes of whatever it has.

That's like me saying, I want whatever is in the 1 square foot of the northeast corner of your shop. I might get your garbage. I might get your collection of router bits. Or I might get the cabinet that holds all your spare keys to your house and car.

So no one knows for sure what's in that buffer when it gets raided. I would guess that most of the time, it's garbage. Once in a while, you might get lucky and get a credit card number. If you get very, very, very lucky, you might get certificate data that would let you crack open the whole web site.
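The heartbeat exchange Roger describes, as an added C model (this is not OpenSSL's code and not from the post): a record carries a claimed length and a payload, the reply copies "claimed length" bytes starting at the payload, and the only difference between the pre-fix and fixed handler is the comparison of the claimed length against the length of the record that actually arrived. The memory layout, the 64-byte arena and the secret string are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the server's memory: one heartbeat record
   (2-byte claimed length, then the payload) with unrelated data behind it. */
#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];
static const char SECRET[] = "SECRET:session=abc123";  /* constructed sample */

/* Place the record at the start of mem and the secret right after it.
   Returns the record length that actually arrived (2 + payload bytes). */
static size_t layout(uint16_t claimed, const char *payload) {
    size_t plen = strlen(payload);
    memset(mem, 0, sizeof mem);
    mem[0] = (unsigned char)(claimed >> 8);
    mem[1] = (unsigned char)(claimed & 0xff);
    memcpy(mem + 2, payload, plen);
    memcpy(mem + 2 + plen, SECRET, sizeof SECRET - 1);
    return 2 + plen;
}

/* Build the reply. checked == 0 models the pre-fix code: the claimed length
   is trusted and never compared with rec_len. checked != 0 models the fix:
   a claimed length that does not fit inside the record is silently discarded.
   (The clamp to MEM_SIZE only keeps the demo inside the modelled memory;
   the real bug read whatever happened to follow on the heap.) */
static size_t heartbeat_reply(int checked, size_t rec_len, unsigned char *out) {
    size_t claimed = ((size_t)mem[0] << 8) | mem[1];
    if (checked && 2 + claimed > rec_len) return 0;
    if (claimed > MEM_SIZE - 2) claimed = MEM_SIZE - 2;
    memcpy(out, mem + 2, claimed);
    return claimed;
}

/* Sends <claimed><payload> through one handler and classifies the reply:
   0 = discarded, 1 = payload echoed exactly, 2 = reply carried the secret. */
int run(int checked, uint16_t claimed, const char *payload) {
    unsigned char out[MEM_SIZE] = {0};
    size_t plen = strlen(payload);
    size_t n = heartbeat_reply(checked, layout(claimed, payload), out);
    if (n == 0) return 0;
    if (n == plen && memcmp(out, payload, plen) == 0) return 1;
    if (n > plen && memcmp(out + plen, SECRET, sizeof SECRET - 1) == 0) return 2;
    return -1;
}
```

With a well-formed <5><Scott> both handlers echo "Scott"; with <40><Scott> the unchecked handler's reply carries the bytes that sat behind the record, while the checked handler returns nothing.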

Brian Elfert
04-19-2014, 11:25 AM
It was only discovered that OpenSSL has a vulnerability in the past two or three weeks, even though the problem code was released in 2012. It is hard to exploit a vulnerability if nobody knows about it, although somebody could have been exploiting it and didn't tell anyone. The NSA denies that they knew about the bug and had been using it to exploit websites.

The discovery of the exploit was kept secret for a number of days until a patch was ready. A few website hosting companies got early access to the patch and had their servers patched before the public announcement.