Linux Format forums: Help, discussion, magazine feedback and more
'Heartbleed Bug'

catgate
LXF regular


Joined: Wed Jul 19, 2006 7:45 pm
Posts: 1037
Location: Just over there, in that corner.

Posted: Fri Apr 11, 2014 10:31 pm    Post subject: 'Heartbleed Bug'

I have just had a "notification" from a company, who manufacture network items, that there is a thing on the loose known as 'Heartbleed Bug'.
It gave a link to a site, heartbleed.com, which claimed "Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11" was vulnerable.
Is this correct?
_________________
Oh, sod it.
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8453
Location: Warrington, UK

Posted: Fri Apr 11, 2014 10:48 pm

It's correct, but largely irrelevant. The bug largely affects servers; it's less important which version of OpenSSL you are running than the version run by the servers you connect to with HTTPS.

Since you have no idea which servers may have been compromised, the only prudent approach is to change all your web passwords.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
guy
LXF regular


Joined: Thu Apr 07, 2005 1:07 pm
Posts: 1070
Location: Worcestershire

Posted: Sat Apr 12, 2014 10:08 am

There has been a lot of hype about the heartbleed bug. It is a flaw in the OpenSSL service which theoretically allows encryption credentials to be harvested, thereby enabling user passwords to be recovered.

The scare story:
The flaw has been around for a good while and over half the secure services on the Internet use OpenSSL. It has been suggested that a script kiddie of the Raspberry Pi (aka Linux command shell) generation could successfully mount an attack. OMG! All the private information you so jealously guard on Facebook, Twitter et al. is OUT THERE!!! Even your bank account is as open as if the guard cracked the vault and then went off for a pee!

Setting it in perspective
The flaw was discovered a good while ago and was kept quiet until a polite time after the fix had been made available to the major Internet services - online banking, Amazon and the like. There is no evidence (as yet?) that the flaw has ever been exploited. Client systems as such are not at risk, although the user obviously is. But what is that risk? Your "private" details are mostly out there anyway, yawn, script kiddies got no warning, so the only Black Hats to worry about are organised crime. What have you got that they might want? Cash, online shopping accounts, I can't think of anything else unless you have valuable commercial secrets online or are a Very Important Person with a valuable global presence.

Recommended action
Change the passwords on any accounts that could be used to drain your cash. But don't lose sleep over it; indeed, it can be a good idea to wait a short while to give the service provider time to get off their ass and schedule in the fix - some big providers measure such "emergency response times" in weeks or even months. Since you are of course a wise person and change your passwords from time to time anyway, this is no big deal to you - right?
If you have commercial secrets or are a VIP, change the relevant passwords there, too. Best to do it ASAP, then check whether the provider has updated yet. If they haven't, wait until they have then change the password again.
_________________
Cheers,
Guy
The eternal help vampire
wyliecoyoteuk
LXF regular


Joined: Sun Apr 10, 2005 11:41 pm
Posts: 3440
Location: Birmingham, UK

Posted: Sat Apr 12, 2014 11:24 am

My ISP, who run our virtual servers, had the patched library in their local repositories before the announcement.
From 10:30 onwards the day after the announcement, port 443 on our Linux firewall/proxy (used for OWA relay from our Exchange server) got hammered.
As did port 443 on our VPSs later in the day.
Thankfully, I had run the update to patch and restarted the server as soon as I heard about it.
Pretty good explanation here:
http://xkcd.com/1354/
_________________
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************
Marrea
LXF regular


Joined: Fri Apr 08, 2005 10:32 pm
Posts: 1871
Location: Chilterns, West Hertfordshire

Posted: Sat Apr 12, 2014 11:39 am

I am grateful for the clarification re Ubuntu as I use 12.04 on one of my laptops. I had assumed it was servers which were affected rather than desktops but it’s good to have that confirmed.

LastPass Heartbleed Checker (https://lastpass.com/heartbleed/) is telling me that many sites I use are "possibly vulnerable" and "possibly unsafe" and advises me to wait for the site to update before changing my password. What I am not sure about is how do I know when the site has updated? Is it a matter of checking the date of the SSL certificate, and if so how does one do that?

I have so far received a notification from only one of my banks reassuring me that they are not affected by the bug and that I can continue to use their online services securely as usual. As regards the others, I have no idea. LastPass states they are all "possibly unsafe", which is not very reassuring.
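As an added example (not from any of the posters), here is one way to do the check Marrea asks about: fetch the site's certificate over a normal TLS handshake and compare its "not valid before" date with the day Heartbleed was disclosed, since a site that re-keyed after patching will be serving a certificate issued after that date. The host name, function names and the two sample certificate dicts are my own assumptions, constructed for the example.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014. A
# certificate issued on or after that date is the usual sign that the site
# operator replaced the key pair after patching.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Parse 'notBefore' from a cert dict as returned by getpeercert()."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])  # e.g. 'Apr 10 09:30:00 2014 GMT'
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert):
    """True if the certificate was issued on or after the disclosure date.
    Caveat: this only shows the key was replaced. An older date does not prove
    the server is still unpatched, and a newer date does not prove the old
    certificate was revoked; treat it as one signal, not proof."""
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Fetch and validate the server certificate with the default trust store."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample cert dicts (not real certificates) in getpeercert() shape,
# so the check can be exercised offline.
SAMPLE_OLD_CERT = {"subject": ((("commonName", "old.example.test"),),),
                   "notBefore": "Jan 15 00:00:00 2014 GMT",
                   "notAfter": "Jan 15 23:59:59 2015 GMT"}
SAMPLE_NEW_CERT = {"subject": ((("commonName", "new.example.test"),),),
                   "notBefore": "Apr 10 09:30:00 2014 GMT",
                   "notAfter": "Apr 10 09:30:00 2015 GMT"}

if __name__ == "__main__":
    # Usage: python heartbleed_cert_check.py www.example.com
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NEW_CERT
    print("issued:", cert_not_before(cert).date(),
          "reissued after disclosure:", reissued_after_heartbleed(cert))
```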
catgate
LXF regular


Joined: Wed Jul 19, 2006 7:45 pm
Posts: 1037
Location: Just over there, in that corner.

Posted: Sat Apr 12, 2014 1:33 pm

Marrea wrote:
I am grateful for the clarification re Ubuntu as I use 12.04 on one of my laptops. I had assumed it was servers which were affected rather than desktops but it's good to have that confirmed.

What I am not sure about is how do I know when the site has updated? Is it a matter of checking the date of the SSL certificate, and if so how does one do that?

This more or less sums up my situation, particularly the matter of which sites are "dangerous".
_________________
Oh, sod it.
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8453
Location: Warrington, UK

Posted: Sun Apr 13, 2014 12:29 pm

guy wrote:
There is no evidence (as yet?) that the flaw has ever been exploited.

That is one of the things that makes this exploit so scary. It leaves no trace in system logs; there is no forensic trail. With most exploits, even systems that have been using the vulnerable code have been able to reassure users that no data has been compromised; there is no way to do this with Heartbleed.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
catgate
LXF regular


Joined: Wed Jul 19, 2006 7:45 pm
Posts: 1037
Location: Just over there, in that corner.

Posted: Tue Apr 15, 2014 10:30 am

nelz wrote:
That is one of the things that makes this exploit so scary. It leaves no trace in system logs; there is no forensic trail. With most exploits, even systems that have been using the vulnerable code have been able to reassure users that no data has been compromised; there is no way to do this with Heartbleed.

It is like Ongibongi flu then?
It has no symptoms, no effect, you do not know if you have got it and there is no known cure or antidote.
_________________
Oh, sod it.
guy
LXF regular


Joined: Thu Apr 07, 2005 1:07 pm
Posts: 1070
Location: Worcestershire

Posted: Tue Apr 15, 2014 10:35 am

catgate wrote:
It is like Ongibongi flu then?
It has no symptoms, no effect, you do not know if you have got it and there is no known cure or antidote.

Except when a hacker kindly posts on your SSL-protected website that you have been heartbled.
_________________
Cheers,
Guy
The eternal help vampire
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8453
Location: Warrington, UK

Posted: Tue Apr 15, 2014 10:51 am

It's more like being a carrier for a disease: there are no symptoms, but those who come into contact are affected.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
catgate
LXF regular


Joined: Wed Jul 19, 2006 7:45 pm
Posts: 1037
Location: Just over there, in that corner.

Posted: Tue Apr 15, 2014 11:44 am

Ah! I see. It's a bit like a P.M.'s "pledge" or "the shoots of economic recovery"?
_________________
Oh, sod it.
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8453
Location: Warrington, UK

Posted: Tue Apr 15, 2014 1:15 pm

Not at all, it exists.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
lok1950
LXF regular


Joined: Tue May 31, 2005 6:31 am
Posts: 1024
Location: Ottawa

Posted: Tue Apr 15, 2014 3:16 pm

We have had an incident here in Canada: our Canada Revenue Agency was hit, so 900 citizens had their S.I.N. numbers compromised; they are not sure how many businesses had data taken.

Enjoy the Choice
Copyright 2011 Future Publishing, all rights reserved.