Author Topic: Are your websites secure? The heartbleed bug (Read 23250 times)

lanux128 · « **on:** April 08, 2014, 09:29 PM »

as it is already known, the heartbleed bug is a vulnerability in the OpenSSL library which seems to compromise the traffic flow at secure sites. the web admins everywhere are rushing to patch their servers with the latest bug-fix.

to check if your site's exposure level, you can go here to test. to learn more about the bug itself, click on the image below.

• http://heartbleed.com/

mouser · « **Reply #1 on:** April 08, 2014, 09:39 PM »

DC updated and tested as secure.

Thanks very much for that test page btw -- I looked for one unsuccessfully.

ewemoa · « **Reply #2 on:** April 09, 2014, 05:29 AM »

Thanks lanux128.

The following is from the last link:

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leaks requires owners of the service first to restore trust to the service according to steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalided and considered compromised.

mouser · « **Reply #3 on:** April 09, 2014, 05:34 AM »

A dc member also sent me this useful test page:
https://www.ssllabs....ssltest/analyze.html

Stoic Joker · « **Reply #4 on:** April 09, 2014, 11:37 AM »

Thanks guys!

Our 3rd party external network PCI compliance scan (last week) came back fine ...(even though the above tests said we suck)... So these tests are apparently checking much more thoroughly/deeper.

I'm currently trying to get my score above an A-.

Stoic Joker · « **Reply #5 on:** April 09, 2014, 01:55 PM »

Well apparently 2008 R2/IIS 7.5 is to old for an A+, but I did get it up to an A...so that'll have to do.

IIS A.jpg

Ath · « **Reply #6 on:** April 09, 2014, 02:20 PM »

ewemoa · « **Reply #7 on:** April 09, 2014, 08:52 PM »

Here are some links describing some steps involved in recovery...looks like there could be a fair bit of work if they are correct:

lanux128 · « **Reply #8 on:** April 10, 2014, 01:31 AM »

it seems that there are companies trying to take advantage of this bug as the linked article shows.

"StartCom Charges People To Revoke SSL Certs Vulnerable To Heartbleed"

• http://www.techdirt....-to-heartbleed.shtml

mouser · « **Reply #9 on:** April 10, 2014, 05:42 AM »

I'm a bit torn by that techdirt article.

I'm a huge fan of techdirt, but I've also written glowingly of StartCom.

Using StartCom is a decidedly unpleasant experience -- the website is a throwback to the worst days of the web, and the entire process is frustrating and confusing.

Nevertheless, the price and service are remarkable compared to the alternatives I've found. The ssl certificate industry as a whole feels like it's designed to leach money out of you like a vampire -- and like a club where only the rich can afford to be secure.

StartCom always struck me as a little independent outfit run by one guy who was doing much of it on his own with a small margin. If so, i think it's unfair to attack them as being corporate bigwigs profiting off the backs of tragedy -- and instead view it as a situation where they may simply not have the profit margin to provide so much help for free.

I really don't see a fundamental problem with charging people a "reasonable" amount to handle certificate revocation. Just my 2 cents.

When these big giant corporations are ripping people off hand over fist and rolling in money, they can afford to be generous in situations like this and benefit from the public relations coup. But if you turn to a small independent low-profit-margin ssl certificate service, i think it's unreasonable to expect them to be able to eat such costs.

Carol Haynes · « **Reply #10 on:** April 10, 2014, 05:57 AM »

Bit worrying that PayPal.com comes back as a fail: https://www.ssllabs....tml?d=www.paypal.com

Inconsistent server configuration!

And Amazon.co.uk and .com come back as B

Even more worrying HSBC bank comes back as B and one of Barclays servers comes back as F !!!!

https://www.ssllabs....k&hideResults=on

SeraphimLabs · « **Reply #11 on:** April 10, 2014, 12:07 PM »

HSBC is always insecure. More than once now I've shut down phishing operations where someone copied HSBC's exact site layout and patched it onto their own backend. At one point I even managed to catch such an operation alive, and sent it intact to HSBC for analysis so they could fix their stuff.

I can't help but have my tinfoil hats out for this one though. This will be the first time that I have ever heard of Linux having a crippling security flaw that was not also found in Windows. And for it to exist in such a vital library that has been in use for such a long period of time, all I can say is NSA was here.

TaoPhoenix · « **Reply #12 on:** April 10, 2014, 02:30 PM »

I can't help but have my tinfoil hats out for this one though. This will be the first time that I have ever heard of Linux having a crippling security flaw that was not also found in Windows. And for it to exist in such a vital library that has been in use for such a long period of time, all I can say is NSA was here.
-SeraphimLabs (April 10, 2014, 12:07 PM)

Checking the Wiki page now...
http://en.wikipedia..../wiki/Heartbleed_bug
"The vulnerability has existed since December 31, 2011, and the vulnerable code has been in widespread use since the release of OpenSSL version 1.0.1 on March 14, 2012"

So I'm lost, sometimes we joke about the Agency social media programs being rudimentary or whatever, but however this bug got in there, it took two years to find?! I thought there were like 50 geniuses scattered around the world who spend their days proofing out big ticket code. Different from bugs not getting fixed, if it wasn't even found for two years...

Ow. I think I cut myself shaving with Occam's Razor.

TaoPhoenix · « **Reply #13 on:** April 10, 2014, 09:41 PM »

Ooh, right on time.

Slashdot's copy:

http://it.slashdot.o...as-an-honest-mistake

"The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."

Jibz · « **Reply #14 on:** April 11, 2014, 05:29 AM »

http://xkcd.com/1354/

Stoic Joker · « **Reply #15 on:** April 11, 2014, 07:07 AM »

I'm a bit torn by that techdirt article.

I'm a huge fan of techdirt, but I've also written glowingly of StartCom.
-mouser (April 10, 2014, 05:42 AM)

You sold me on StartCom back them, and I still use/like them (thanks for the tip!).

Using StartCom is a decidedly unpleasant experience -- the website is a throwback to the worst days of the web, and the entire process is frustrating and confusing.
-mouser (April 10, 2014, 05:42 AM)

I do make a point of not being in a hurry when dealing with their site for this exact reason, the site flows about as smoothly as a cement mixer.

Nevertheless, the price and service are remarkable compared to the alternatives I've found. The ssl certificate industry as a whole feels like it's designed to leach money out of you like a vampire -- and like a club where only the rich can afford to be secure.
-mouser (April 10, 2014, 05:42 AM)

I've never been a real fan of SSL (or encryption in general for that matter). It has always struck me as a magic bullet sales gimmick that encourages bad habits.

StartCom always struck me as a little independent outfit run by one guy who was doing much of it on his own with a small margin. If so, i think it's unfair to attack them as being corporate bigwigs profiting off the backs of tragedy -- and instead view it as a situation where they may simply not have the profit margin to provide so much help for free.

I really don't see a fundamental problem with charging people a "reasonable" amount to handle certificate revocation. Just my 2 cents.

When these big giant corporations are ripping people off hand over fist and rolling in money, they can afford to be generous in situations like this and benefit from the public relations coup. But if you turn to a small independent low-profit-margin ssl certificate service, i think it's unreasonable to expect them to be able to eat such costs.
-mouser (April 10, 2014, 05:42 AM)

From what I saw on a quick skim, they only want 25$ for the revoke/reissue flip ... I really don't have a problem with them covering their costs for a spike in workload. Sure superficially it sounds like an easy task...but it still takes time. And the people who's time it takes don't come cheap.

Deozaan · « **Reply #16 on:** April 11, 2014, 03:00 PM »

LastPass will check your passwords to see if they're potentially affected by the HeartBleed vulnerability.

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed:

-http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

SeraphimLabs · « **Reply #17 on:** April 11, 2014, 03:21 PM »

http://www.usatoday....sco-juniper/7589759/

Reports coming in from unconfirmed sources that the NSA has been utilizing Heartbleed for years.

Of course, I have to say I totally saw this coming. This is the kind of massive security breach that would explain their uncanny ability to get into any system anywhere at any time. A simple exercise in spreading disinformation to seed people's trust in the affected library and cover up the flaw would allow them to preserve it for so many years unnoticed.

Which means that all those people concealing their activities using SSH, Tor, and proxies? Yeah. The NSA was way ahead of them.

Deozaan · « **Reply #18 on:** April 12, 2014, 02:29 AM »

Reports coming in from unconfirmed sources that the NSA has been utilizing Heartbleed for years.

Of course, I have to say I totally saw this coming. This is the kind of massive security breach that would explain their uncanny ability to get into any system anywhere at any time. A simple exercise in spreading disinformation to seed people's trust in the affected library and cover up the flaw would allow them to preserve it for so many years unnoticed.

Which means that all those people concealing their activities using SSH, Tor, and proxies? Yeah. The NSA was way ahead of them.
-SeraphimLabs (April 11, 2014, 03:21 PM)

And if they allowed this vulnerability to be revealed now, what even better trick do they have up their sleeves?

app103 · « **Reply #19 on:** April 12, 2014, 02:59 AM »

It's not just websites that are vulnerable.

OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software. However, this is unlikely to be a priority. “The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them,” he says.

The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation system also rely on OpenSSL, and those devices are also rarely updated. Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices, ranging from IT equipment to traffic control systems, that are improperly configured or have not been updated to patch known flaws (see “What Happened When One Man Pinged the Whole Internet”).

“Unlike servers being patched by armies of corporate IT staff, these Internet-enabled devices with vulnerable OpenSSL parts aren’t going to be getting the attention they may need,” says Jonathan Sander, strategy and research officer for STEALTHbits Technologies, which helps companies manage and track data access and leaks. “OpenSSL is like a faulty engine part that’s been used in every make and model of car, golf cart, and scooter.”

http://www.technolog...-fix-heartbleed-bug/

TaoPhoenix · « **Reply #20 on:** April 12, 2014, 08:45 AM »

http://www.usatoday....sco-juniper/7589759/

Reports coming in from unconfirmed sources that the NSA has been utilizing Heartbleed for years.

Of course, I have to say I totally saw this coming. This is the kind of massive security breach that would explain their uncanny ability to get into any system anywhere at any time. A simple exercise in spreading disinformation to seed people's trust in the affected library and cover up the flaw would allow them to preserve it for so many years unnoticed.

Which means that all those people concealing their activities using SSH, Tor, and proxies? Yeah. The NSA was way ahead of them.

-SeraphimLabs (April 11, 2014, 03:21 PM)

Yeah, just last year we were talking about the Agencies "looking dumb". How many Cheshire Cat levels does it take!? Look Dumb/Be Smart/Look Dumber/Be Smarter...

So if all those Tor/proxy tips never mattered anyway, then I guess I saved myself a chunk of time "just being dumb"...

Stoic Joker · « **Reply #21 on:** April 12, 2014, 08:57 AM »

Missing link from Apps article above added here to encourage reading: What Happened When One Man Pinged the Whole Internet.

This is precisely why I've always had a dim view of encryption. All of these systems are exposed to the internet soley because people are lead to reflexively thing Encryption =

Magical

Security ... And that is just so far from the truth that it is laughable. Encryption is - or rather should be - a last ditch effort used as a fall back after all other measures have failed. It never has, nor ever will be a front line solution to jack shit.

Outside of a dire emergency requested by scheduled appointment there is no rational justification for control systems to be exposed raw on the public interface of a network. That's just ludicrous. Here's an example: When the support people at WatchGuard wanted to access a customers router to assist with an issue. They asked me to grant access to the configuration interface of the router on the public side a specific and vary narrow address range so they could log in and have a look see. Nobody kicked anything wide open, the interface went from zero allowed, to 10 allowed, and then right back to zero. This is one of many reasons I've become a fan of WatchGuard. The fact that I had zero luck Socially Engineering my way past their support staff (and I'm really good at it) was also a huge point in their favor.

Deozaan · « **Reply #22 on:** April 12, 2014, 12:38 PM »

Missing link from Apps article above added here to encourage reading: What Happened When One Man Pinged the Whole Internet.
-Stoic Joker (April 12, 2014, 08:57 AM)

As best as I can tell, that article is almost a year old. And it says "In February last year" which would place the "personal census" he ran in February 2012. Why did he sit on that census for over a year before publishing his results?

Scary, either way.

Stoic Joker · « **Reply #23 on:** April 12, 2014, 01:20 PM »

Missing link from Apps article above added here to encourage reading: What Happened When One Man Pinged the Whole Internet.
-Stoic Joker (April 12, 2014, 08:57 AM)

As best as I can tell, that article is almost a year old. And it says "In February last year" which would place the "personal census" he ran in February 2012. Why did he sit on that census for over a year before publishing his results?

Scary, either way.
-Deozaan (April 12, 2014, 12:38 PM)

His attorney probably wanted him to wait to see if any of the LEOs "complaints" turned into charges before he posted what would then be incriminating evidence to the world. Remember the security of the public is far less important than a cop with egg on their face ... Image is everything in a gang...

Renegade · « **Reply #24 on:** April 14, 2014, 12:04 AM »

http://www.usatoday....sco-juniper/7589759/

Reports coming in from unconfirmed sources that the NSA has been utilizing Heartbleed for years.

Of course, I have to say I totally saw this coming. This is the kind of massive security breach that would explain their uncanny ability to get into any system anywhere at any time. A simple exercise in spreading disinformation to seed people's trust in the affected library and cover up the flaw would allow them to preserve it for so many years unnoticed.

Which means that all those people concealing their activities using SSH, Tor, and proxies? Yeah. The NSA was way ahead of them.

-SeraphimLabs (April 11, 2014, 03:21 PM)

What this shows is that the NSA is a blackhat, criminal organization.