Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Heartbleed: How the Net Bug That Caught Tech Experts by Surprise Affects You
The Blaze ^ | 4-9-14 | Elizabeth Kreft

Posted on 04/09/2014 3:00:05 PM PDT by kingattax

This week web experts discovered a huge flaw in the security software used by millions of Web sites — including many banks, email and social media services. Some sites have likened the breach to leaving your front door unlocked, and anyone who knows how to open the door can intrude and expose your confidential information.

Unfortunately, the fix isn’t as simple as locking the door from inside your house. The code vulnerability exists within layers of secure Internet server coding.

So how does this affect you?

* This week web experts discovered a huge flaw in the security software used by millions of Web sites — including many banks, e-mail and social media services.

* While it is a serious concern for all web users, individual Internet users cannot take direct steps to fix the bug; it exists on Internet servers

* If a site you use is still vulnerable, any hacker who understands how to exploit the weakness will have access to names and passwords, email and message content — truly any data shared over the supposedly secure connection.

* This does not mean your information has already been affected or stolen, but it does mean your personal information is vulnerable to theft until the code fix is applied to each affected server.

(Excerpt) Read more at theblaze.com ...


TOPICS: News/Current Events
KEYWORDS: heartbleed; malware; openssl
Navigation: use the links below to view more comments.
first previous 1-2021-33 last
To: Fightin Whitey

Wrong side of the cage...


21 posted on 04/09/2014 4:50:08 PM PDT by Paladin2
[ Post Reply | Private Reply | To 18 | View Replies]

To: kingattax
Spent most of the day on it. What you do is patch OpenSSL on the affected servers and then apply new certs (the old ones could have been compromised). The problem with that is that the cert vendors have been absolutely swamped all day. I'm sitting on my thumb waiting for about a dozen at the moment. One ploy is to go to self-signed certs but that's only a temporary solution in our environment.

The way it works is simply that a remote user can grab memory from any server running OpenSSL in 64K chunks, as many times as he wants, and piece together anything that was there. Logins, passwords, account numbers, email, you name it. Any time for the past two years.

For the user, a change of password is mandatory for any site that uses SSL, which is practically anything where you'd pass money. Most of the bigger vendors are already patched but only since Monday. There's still that two-year window. This is a huge, gaping security hole.

Changing your password on an unpatched site/server is useless. The new one could be instantly compromised. HERE is a means you can use to test whatever site whose safety you need to verify.

22 posted on 04/09/2014 5:00:26 PM PDT by Billthedrill
[ Post Reply | Private Reply | To 1 | View Replies]

To: kingattax
I tested freerepublic.com, and the result came back: dial tcp 209.157.64.200:443: connection refused

Are the passwords here at risk? Were they previously? Or is this only for secure web sites?

23 posted on 04/09/2014 5:01:05 PM PDT by Defiant (Let the Tea Party win, and we will declare peace on the American people and go home.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Defiant

It’s only for secure web sites. Freerepublic runs on port 80, so there’s no listener on port 443, which is the https port.


24 posted on 04/09/2014 5:08:43 PM PDT by proxy_user
[ Post Reply | Private Reply | To 23 | View Replies]

To: Paladin2

You are right. Just showin’ a guy’s gotta be careful.

Must be a rural bank. Did you see that the tall drink of water has a serious case of man hands? Bit of a mannish suit too I would say...

lol


25 posted on 04/09/2014 5:14:51 PM PDT by Fightin Whitey
[ Post Reply | Private Reply | To 21 | View Replies]

To: kingattax

The exploit is diabolically simple.

Read about heartbeats in RFC 6520. A heartbeat consists of a type code, a length, some data, and at least 16 bytes of padding. You send this to the server, and it echoes back your data and resets the timeout timer.

Someone saw that in this implementation, no one was comparing the length field to what you actually sent. You could sent a heartbeat with a length field of 10K, but only have 2 characters of data. The server will put your 2 characters in memory, and then you back 10K starting at at the address of your 2 characters. That memory would have been recently released by other processes, and contains who know what.

Since a heartbeat resets your timeout, you could send heartbeats all day and collect enormous amounts of server memory, some of which would be bound to contain something interesting.


26 posted on 04/09/2014 5:15:38 PM PDT by proxy_user
[ Post Reply | Private Reply | To 1 | View Replies]

To: A_Tradition_Continues
CVE-2014-0076
CVE-2014-0160

Both of those from NIST.

Heartbleed Bug Website - pretty readable.

27 posted on 04/09/2014 5:20:42 PM PDT by Cboldt
[ Post Reply | Private Reply | To 7 | View Replies]

To: kingattax
Is heartbleed a Microsoft only problem ?

28 posted on 04/09/2014 5:52:14 PM PDT by Uri’el-2012 (Psalm 119:174 I long for Your salvation, YHvH, Your teaching is my delight.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: UriÂ’el-2012

No. It has nothing to do with Windows but with a particular software that handles particular types of net security, OpenSSL. Apparently, Windows is to the good on this one because Microsoft’s version of a web server, IIS, uses different software. However, if someone is running an Apache installation with OpenSSL on a Windows-based machine, the vulnerability could still be there but it wouldn’t have anything to do with Windows itself.


29 posted on 04/09/2014 5:56:38 PM PDT by Oceander
[ Post Reply | Private Reply | To 28 | View Replies]

To: Oceander
Thanks

30 posted on 04/09/2014 5:58:59 PM PDT by Uri’el-2012 (Psalm 119:174 I long for Your salvation, YHvH, Your teaching is my delight.)
[ Post Reply | Private Reply | To 29 | View Replies]

To: kingattax

Beck just got new Lifelock ad material.


31 posted on 04/09/2014 6:49:55 PM PDT by TurboZamboni (Marx smelled bad and lived with his parents .)
[ Post Reply | Private Reply | To 1 | View Replies]

To: palmer

Would https://secure.freerepublic.com/donate/ be an issue?
Just curious.


32 posted on 04/09/2014 7:10:31 PM PDT by moose07 (the truth will out ,one day.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: proxy_user

Thanks, that’s good to know.


33 posted on 04/09/2014 11:18:45 PM PDT by Defiant (Let the Tea Party win, and we will declare peace on the American people and go home.)
[ Post Reply | Private Reply | To 24 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-33 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson