Old 10th April 2014, 14:50   #1
foby.sebastian (Senior - BHPian | Join Date: Feb 2008 | Location: KL-08 / KL-01 | Posts: 2,448 | Thanked: 1,102 Times)
Heartbleed Bug / CVE-2014-0160

A major new vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of Web sites. A flaw in software that's widely used to secure Web communications means that passwords and other highly sensitive data could be exposed.

Internet users advised to change passwords due to 'Heartbleed' bug

http://www.latimes.com/business/tech...#axzz2yRefVfKm

OpenSSL is open-source software that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive data is stored, including private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys and then use those to impersonate servers or to decrypt communications from the past or potentially the future.
Also, one more thing: those of you who do online transactions or business, please don't do any online shopping or banking for a few days.
It is a high risk, not like other vulnerabilities; this one is extremely serious.

The vulnerability is officially called CVE-2014-0160 but is known as Heartbleed.

Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

You can take the Heartbleed test at the link below

http://filippo.io/Heartbleed/

There are quite a few operating system distributions that have shipped with a potentially vulnerable OpenSSL version.
Old 10th April 2014, 16:14   #2
arsudarsan (BHPian | Join Date: Nov 2008 | Location: Chennai | Posts: 91 | Thanked: 13 Times)
Re: Heartbleed Bug / CVE-2014-0160

Changing passwords is useless until the fix is adopted by everyone using OpenSSL since they would anyway be able to steal your passwords with the current system!
Old 10th April 2014, 16:16   #3
Rehaan (Team-BHP Support | Join Date: Feb 2004 | Location: Bombay | Posts: 22,229 | Thanked: 21,890 Times)
Re: Heartbleed Bug / CVE-2014-0160

^ True. Though most major sites have applied the fix already.


Here's a list of sites, which ones are/were vulnerable, and which ones have been fixed:
http://mashable.com/2014/04/09/heart...m-fb-main-link

cya
R
Old 10th April 2014, 16:19   #4
msdivy (Senior - BHPian | Join Date: Aug 2006 | Location: Bangalore | Posts: 1,426 | Thanked: 770 Times)
Re: Heartbleed Bug / CVE-2014-0160

The affected versions are OpenSSL 1.0.1a to OpenSSL 1.0.1f and OpenSSL 1.0.2-beta. This should be a concern if you use these versions. Otherwise, no worry.
Quote (Originally Posted by foby.sebastian):
Internet users advised to change passwords due to 'Heartbleed' bug
It is recommended to change your password after the server is updated with the fixed package of OpenSSL. The fix is either to use OpenSSL 1.0.1g or to compile the existing package with the OPENSSL_NO_HEARTBEATS flag.
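The version range and the OPENSSL_NO_HEARTBEATS workaround mentioned in the post above can be turned into a quick triage script for a host you administer. The following is an added example, not code from the thread or from the OpenSSL project: it parses the output of `openssl version` and `openssl version -f` and reports whether the build falls in the affected range. It goes slightly beyond the post in that it also treats the unlettered 1.0.1 release as affected (that is the first release with TLS heartbeat support); the function and verdict names are my own, and the sample version strings in the `__main__` block are constructed inputs.

```python
"""Triage a host's OpenSSL build against the Heartbleed-affected versions named in the thread."""
import re
import subprocess

# Affected per the thread: 1.0.1a..1.0.1f and 1.0.2-beta; 1.0.1g is the fixed release.
# The unlettered 1.0.1 release is included as well (first release with heartbeat support).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d*))?")

# A build done with the workaround from the thread compiles the heartbeat code out;
# `openssl version -f` echoes the compiler flags, so the define is visible there.
NO_HEARTBEATS_FLAG = "-DOPENSSL_NO_HEARTBEATS"


def parse_version(version_line):
    """Return (major, minor, fix, letter, beta) parsed from an `openssl version` line."""
    m = VERSION_RE.search(version_line)
    if m is None:
        raise ValueError("not an OpenSSL version line: %r" % version_line)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta or ""


def version_is_affected(version_line):
    """True if the version string falls in the range the thread names as vulnerable."""
    major, minor, fix, letter, beta = parse_version(version_line)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"            # "" (plain 1.0.1) and a..f; g and later are fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta.startswith("beta")  # the thread lists 1.0.2-beta as affected
    return False                        # 0.9.8 and 1.0.0 never had heartbeat support


def assess(version_line, flags_line=""):
    """Combine the version string and the build flags into one verdict.

    Returns "not affected", "mitigated" (affected version but built with
    OPENSSL_NO_HEARTBEATS), or "affected".
    """
    if not version_is_affected(version_line):
        return "not affected"
    if NO_HEARTBEATS_FLAG in flags_line:
        return "mitigated"
    return "affected"


def assess_local_openssl():
    """Run the two openssl commands on this host and return the verdict for its build."""
    version_line = subprocess.check_output(["openssl", "version"], text=True)
    flags_line = subprocess.check_output(["openssl", "version", "-f"], text=True)
    return assess(version_line, flags_line)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real host.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", assess(sample))
    try:
        print("this host ->", assess_local_openssl())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not query the local openssl binary:", exc)
```

One caveat for practitioners: distribution packages (Debian and Ubuntu, for instance) backported the fix without bumping the upstream version string, so a patched host can still print "OpenSSL 1.0.1e". Treat an "affected" verdict from this script as a prompt to check the package changelog or the distro advisory, not as a final finding.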
Old 11th April 2014, 10:36   #5
msdivy (Senior - BHPian | Join Date: Aug 2006 | Location: Bangalore | Posts: 1,426 | Thanked: 770 Times)
Re: Heartbleed Bug / CVE-2014-0160

Quote (Originally Posted by foby.sebastian):
You can take the Heartbleed test in the below link
http://filippo.io/Heartbleed/
Got info that the filippo site was showing a few false positives (either the results were interpreted wrongly or the site didn't scale for the traffic). Fortunately SSL Labs has updated to detect the Heartbleed bug. Along with this, they do other comprehensive SSL checking. Link: https://www.ssllabs.com/ssltest/

The predominantly affected applications are Apache & Nginx web servers (which have affected versions of the OpenSSL package). The reason is that these form the bulk of web servers used on the Internet. Some estimate around 18% of web servers are vulnerable. Note that applications which don't use OpenSSL (like Microsoft's) are not affected.

The curious thing about this bug is that it is almost impossible to detect whether there has been a breach or not. So if somebody is using affected versions of OpenSSL, they have to:
1) Upgrade to a fixed version of OpenSSL ASAP
2) Revoke old certificates & get fresh certificates
3) Advise their users to change their passwords.

It is scary to imagine this bug existed for 2 years.
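Step 2 of the checklist above is easy to verify after the fact: a server certificate whose notBefore date is earlier than the moment the host was patched was issued while its private key sat in the memory of a vulnerable OpenSSL, so it needs to be revoked and replaced. The following is an added example, not code from the thread: it parses the `notBefore=` line that `openssl x509 -noout -dates` prints and compares it with a patch timestamp supplied by the operator. The function names are my own, the PEM path is a hypothetical argument, and the sample `openssl` output in the `__main__` block is constructed.

```python
"""Flag server certificates that predate the OpenSSL upgrade and so need reissuing."""
from datetime import datetime, timezone
import subprocess

# Date layout used by `openssl x509 -noout -dates`, e.g. "notBefore=Apr  8 12:00:00 2014 GMT".
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def _as_utc(when):
    """Accept a datetime or a "YYYY-MM-DD" string and return an aware UTC datetime."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d")
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def parse_not_before(dates_output):
    """Extract the notBefore value from `openssl x509 -noout -dates` output."""
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "notBefore":
            # strptime treats whitespace in the format as "one or more", so the
            # double space before a single-digit day ("Apr  8") parses fine.
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notBefore line in openssl output")


def needs_reissue(dates_output, patched_at):
    """True if the certificate was issued before the host was patched.

    patched_at is when the fixed OpenSSL went live on the server (datetime or
    "YYYY-MM-DD"); the operator knows this, the certificate does not.
    """
    return parse_not_before(dates_output) < _as_utc(patched_at)


def check_pem_file(pem_path, patched_at):
    """Run openssl against a PEM file on disk and apply the same rule."""
    out = subprocess.check_output(
        ["openssl", "x509", "-in", pem_path, "-noout", "-dates"], text=True
    )
    return needs_reissue(out, patched_at)


if __name__ == "__main__":
    # Constructed sample of `openssl x509 -noout -dates` output, not a real certificate.
    sample = "notBefore=Mar  1 00:00:00 2014 GMT\nnotAfter=Mar  1 23:59:59 2015 GMT\n"
    print("issued before patch ->", needs_reissue(sample, "2014-04-10"))   # True
```

When you do reissue, generate a new private key rather than re-signing a CSR made with the old one: the point of step 2 is that the old key material may already have been read out of memory, and a fresh certificate over the same key changes nothing.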
Old 11th April 2014, 11:00   #6
Samurai (Team-BHP Support | Join Date: Jan 2005 | Location: B'lore-Manipal | Posts: 22,043 | Thanked: 13,492 Times)
Re: Heartbleed Bug / CVE-2014-0160

This affects all Linux OSes and Linux web servers since they all use openssl. Please update quickly. Windows web server (IIS) doesn't use openssl, so its users can breathe easy.

I have many products using openssl in both Windows and Linux, but none of the openssl ones are open to public. That is a relief.
Copyright 2000 - 2017, Team-BHP.com