I'd be interested to see a list of SA sites which are affected and how long it takes for them to fix the vulnerability.

Definitely. I would be interested in the banks, 22seven and so forth. I guess it will be a good time to be in the certificate business because even if companies ever ran a vulnerable version you have to get new certificates because nobody will know if they were compromised or not....

I am going to be careful logging onto sensitive websites for the next week until the patch rolls out completely.

If any malicious agency knew about this exploit for more than a couple of days I suspect we might be in for a bumpy ride. They might have stockpiled a lot of information, i.e. it would have been relatively easy to scan just about every major bank in the world for this vulnerability and start to collect information for later use....
 
It is actually an awful time to be in the certificate business. Certificate re-issues are free if the certificate is still in its valid timeframe. So they have a metric ton of work to do, that they won't be paid for. And at least one of the well-known ones has to do it manually.
 
Is there any chatter about whether or not the "bug" was deliberately introduced to create an exploitable vulnerability?

Also made me question this - especially since the NSA seem to have established many "connections" to security appliance providers for backdoors. Patching your webservers is one thing, but also remember that most large companies (such as banks and telcos) use security appliances and caching services (such as F5's) as well as VPN for remote connections which under certain configurations would also run OpenSSL.

While impersonating an SSL service via this vulnerability (granted, that the attacker would have to manage to get the private key as part of the 64KB page and then create a site and lure visitors to it) is possible, it would require a lot of effort. More concerning is that via the same vulnerability access to VPNs, mail accounts (Yahoo) and instant messaging services can be gained. Considering that this "bug" has been around for quite some time, it is very possible that the exploit was used to gain access to email, networks etc.

Worst of it is that since the vulnerability leaks data such as login credentials, the attacker can utilise the targeted services without leaving a visible intrusion trace (yes, you will be able to detect the access via audit trail or unusual usage behaviour such as proxy or foreign IPs, different browsers) - but in most cases it would be too late already to do something about it.

So far I have not found any reported leaks/attacks, but I honestly don't think hackers targeting companies via this vulnerability would drop details on pastebin - it is more lucrative to continue using the exploit.
 
I don't get how our servers are reporting as vulnerable - we use Thawte SSL, not OpenSSL ?
Someone explain that to me 0.o
 
Being a Windows/IIS person myself, I can only look on smugly. Usually it's our side that is caught with our pants down.
 
I don't get how our servers are reporting as vulnerable - we use Thawte SSL, not OpenSSL ?
Someone explain that to me 0.o

If you don't know the answer to that question then I hope you are not managing any servers yourself!
 
I don't get how our servers are reporting as vulnerable - we use Thawte SSL, not OpenSSL ?
Someone explain that to me 0.o

Aren't thawte a CA, or do they have their own ssl code bundle?
 
Aren't thawte a CA, or do they have their own ssl code bundle?

The issue has got nothing to do with what technology the CA is using to issue the certificate. It's got to do with Linux/Unix type web servers running a very specific version of OpenSSL to actually implement the certificate. It doesn't matter who issued the certificate, what matters is what platform you're running your web server on.
 
I don't get how our servers are reporting as vulnerable - we use Thawte SSL, not OpenSSL ? Someone explain that to me 0.o
It has nothing to do with the cert issuer. The vulnerability is in the OS stack (Linux) and has the potential of leaking your SSL private key which allows an intruder to use it to impersonate your site. More severe issues are around leaking user information or gaining access to VPN.

If you are running Linux it is very likely that you are affected. In this case you would have to upgrade to a patched OpenSSL version and then recycle your private keys and reissue certs.

Being a Windows/IIS person myself, I can only look on smugly. Usually it's our side that is caught with our pants down.
But did you ever manage to pull your pants up? First time in 12 months that we had to reboot servers - and you? :whistle:
 
From my link:

Tim Lee at Vox points out that the bug is likely to be most valuable to intelligence agencies, which have the infrastructure to intercept user traffic on a mass scale: “We know that the National Security Agency has secret agreements with American telecommunications providers to tap into the Internet backbone. Users might have thought that the SSL encryption on websites such as Gmail and Facebook protected them from this kind of snooping. But the Heartbleed bug could allow the NSA to obtain the private keys needed to unscramble these private communications.”
 
Just as a heads up.. this doesn't just affect Linux/Unix.. it's any software that is built on OpenSSL, even Windows services etc...
 
Sure but it won't affect IIS though which doesn't use OpenSSL at all.

Yeah... without a doubt..

For once IIS is the most "secure" webserver around, until people all patch their OpenSSL stuff... :)
 
It has nothing to do with the cert issuer. The vulnerability is in the OS stack (Linux) and has the potential of leaking your SSL private key which allows an intruder to use it to impersonate your site. More severe issues are around leaking user information or gaining access to VPN.

If you are running Linux it is very likely that you are affected. In this case you would have to upgrade to a patched OpenSSL version and then recycle your private keys and reissue certs.


But did you ever manage to pull your pants up? First time in 12 months that we had to reboot servers - and you? :whistle:

Who the hell needs to reboot? Just install patched openSSL and bounce the webserver daemons.
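A check for the "bounce the daemons" step in the post above, added here as an example and not from the thread: after the OpenSSL package is upgraded, any daemon still mapping the old (now unlinked) libssl/libcrypto keeps executing the vulnerable code until it is restarted, and the kernel marks such mappings "(deleted)" in /proc/<pid>/maps. The paths and the sample maps content are constructed.

```python
"""Find processes still running a replaced OpenSSL library (Linux only)."""
import re
from pathlib import Path

# One /proc/<pid>/maps line: address perms offset dev inode [pathname [(deleted)]]
# Only libssl/libcrypto mappings are of interest here; both are replaced by an
# OpenSSL package upgrade, and a "(deleted)" suffix means the on-disk file is
# newer than the copy this process is executing.
MAPS_LINE = re.compile(
    r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/\S*lib(?:ssl|crypto)\S*)"
    r"(?P<deleted>\s\(deleted\))?$"
)


def stale_openssl_paths(maps_text: str) -> list[str]:
    """Return the replaced OpenSSL library paths still mapped by one process."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group("deleted"):
            stale.add(m.group("path"))
    return sorted(stale)


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk every PID under proc_root; report those holding a deleted libssl/libcrypto."""
    findings = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            text = (entry / "maps").read_text()
        except OSError:
            continue  # process exited or not readable (run as root for full coverage)
        stale = stale_openssl_paths(text)
        if stale:
            findings[int(entry.name)] = stale
    return findings


# Constructed sample: a replaced libssl, an up-to-date libcrypto, and the stack.
SAMPLE_MAPS = """\
7f3a1c2b0000-7f3a1c4f0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c4f0000-7f3a1c6f0000 ---p 00240000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c800000-7f3a1ca00000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for pid, paths in scan_proc().items():
        print(f"restart PID {pid}: still mapped {', '.join(paths)}")
```

Run it as root after the package upgrade; an empty result means every service has picked up the new library, which is the condition for then rotating keys and re-issuing certificates as the earlier posts describe.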
 