Heartbleed Exploit

BiscuitintheBasket

I am sure you have all heard about the Heartbleed exploit in the news. If not, I have some further information about it below, and I highly suggest reading it.

The link below is to one of many sites out there that will check the status of the SSL for websites. It is worth using against sites you regularly log in to, to find out if they have been exploited and if the exploit has been fixed. Regardless, it is not a bad idea to consider changing your passwords on any websites where you have personal and financial information or have shared passwords.

https://lastpass.com/heartbleed/

Some known exploited sites are: Facebook, Google, Amazon Services, Yahoo, Tumblr, YouTube, and Netflix

Some known OK sites are: Apple, Amazon, PayPal, eBay, and Microsoft

What is this?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially "get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too."

Heartbleed is being taken so seriously because OpenSSL is widely used, essentially no servers locally encrypt their data the way LastPass does, and it's been exploitable for some time.
 

phranchk

A few questions:

Why haven't all of these websites required a password change?

Also, the exploit has apparently existed for up to 2 years. If it had been known about by hackers outside of the security firm that discovered it, wouldn't it have been exploited already, and wouldn't we have seen the effects of it by now?

I know that they have no idea if it has been exploited, because they were able to hack their own environment and not leave a trace.
 

winos5

NSA was reportedly using it to collect data.
 

jakobeast

Ok, I am a fucking idiot when it comes to computers. And reading shit about code is like reading German porn; nearly impossible and not erotic. What does this virus or whatever it is do?
 

BiscuitintheBasket

phranchk said:
A few questions:
Why haven't all of these websites required a password change?
Also, the exploit has apparently existed for up to 2 years. If it had been known about by hackers outside of the security firm that discovered it, wouldn't it have been exploited already, and wouldn't we have seen the effects of it by now?
I know that they have no idea if it has been exploited, because they were able to hack their own environment and not leave a trace.

Obviously conspiracy theories are running rampant on this one, but I am not so sure they apply here, even though I made the Denver Airport comment. Though I do like the ones I am reading about Snowden or Wikileaks having known about it.

Good question on the timing of when the exploit was known and what had been done to correct it. There are a ton of mixed messages about when it was known, which tells me it was most likely early on, but only to a small group of the developers... but I just have to wonder if the open source zealots just wanted to keep it on the "down low" because it is a massive black eye on the movement in terms of skill and, most importantly, testing. The things they preach are why it is the better way to go. But I am not so sure we will ever know when it was truly discovered.

Also, if someone discovers the exploits and the money to be gained, they will most likely keep it a bit secret.

The good news is that major financial institutions don't use this or much open source code that is front facing (except for Citibank). But places like Google and Facebook use it because they support the open source movement and it also helps reduce costs. Facebook for many years has thrown out warnings, some not so publicized, about account information being skimmed.

As far as requiring a password change, I have only had one institution send me an email to change my password and fess up that they were susceptible to the exploit and have corrected it. All of the others that are known to have used the bugged version, and since changed, are sending me cricket sounds. Probably worried about the perception and PR issues that would follow....
 

BiscuitintheBasket

jakobeast said:
Ok, I am a fucking idiot when it comes to computers. And reading shit about code is like reading German porn; nearly impossible and not erotic. What does this virus or whatever it is do?

In a nutshell (not a German one, so it can be understood):

When you log in to something like Facebook, they use an added layer of security to encrypt your login information so bad guys cannot read it. Without it being encrypted, anyone could get that information as it would just be sent over the Internet as plain text.

Most websites you log in to have what is known as a heartbeat to check to see if you are still actively connected, so you don't have to constantly log in, or, when you have closed the browser, for them to end your login session.

This software has a bug that got exploited, which would allow someone to remotely scan the servers you are logging into to read this heartbeat. The bug allowed those doing the scanning to mimic your information... and beyond that get onto the server and grab information with no trace they did it (because the heartbeats are generally not logged or tracked).

So basically, those that know about this exploit were capable of grabbing tons of personal and sensitive data, and those managing the sites would never know.

It is far more detailed than that, but I think that should give the gist.

The best thing is to always use differing login names and passwords for any servers where you are leaving personal and financial information (banks, credit cards, etc.). Periodically change those passwords, and if possible the login name too. I know it seems tin foil hattin', but knowing how lax or how much consulting goes into the setup and management of many of these websites, exploits are more common than we all may think. Having the same login name and passwords allows for one place to get hit and your information is then vulnerable elsewhere.
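The heartbeat bug described in the post above, as an added example that is not part of the thread: a minimal C model of the TLS heartbeat handler, with the version that trusts the peer's length field beside the fixed one. The record layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) is the real one from RFC 6520, and the fixed handler's check mirrors the one added in OpenSSL 1.0.1g for CVE-2014-0160. The in-memory arena and the secret string placed right after the received record are constructed for the demonstration so the over-read stays inside one array and the program has defined behaviour; nothing here touches the network.

```c
/*
 * Added example (not from the thread): vulnerable vs. fixed TLS heartbeat
 * handling. The record format follows RFC 6520; the arena and the secret
 * placed after the record are a constructed stand-in for process memory.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Constructed "heap": the received record, followed by unrelated data that
 * happens to live next to it. */
static unsigned char arena[256];
static const char secret[] = "session_cookie=abc123; rsa_key_fragment=...";

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * while only `real_len` bytes are actually sent. Returns the record length
 * as the TLS record layer would report it. */
static size_t build_request(uint16_t claimed_len, const unsigned char *payload, size_t real_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    size_t record_len = 3 + real_len + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);  /* secret just past the record */
    return record_len;
}

/* Vulnerable handler: echoes `payload_len` bytes as the peer requested,
 * never checking that many bytes were actually received (the Heartbleed bug).
 * Returns bytes written to `out`, or -1. */
static int handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                       unsigned char *out, size_t out_cap) {
    (void)rec_len;  /* ignored: this is the defect */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > out_cap) return -1;  /* guards only the output */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* reads past the real payload into neighbouring memory */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the record that was actually received, otherwise the request is dropped. */
static int handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;          /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (3 + (size_t)payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Did the response carry the secret that sat next to the record? */
static int response_leaks_secret(const unsigned char *out, int out_len) {
    size_t n = strlen(secret);
    if (out_len <= 0 || (size_t)out_len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[256];
    /* Claim 64 bytes of payload, send 2: the classic malformed heartbeat. */
    size_t n = build_request(64, (const unsigned char *)"hi", 2);
    int len = handle_heartbeat_vulnerable(arena, n, out, sizeof out);
    printf("vulnerable: %d bytes returned, secret leaked: %s\n",
           len, response_leaks_secret(out, len) ? "yes" : "no");
    len = handle_heartbeat_fixed(arena, n, out, sizeof out);
    printf("fixed: %s\n", len < 0 ? "request rejected" : "request answered");
    return 0;
}
```

The honest request (claimed length equal to the bytes sent) passes both handlers identically; only the mismatched one separates them. In real OpenSSL the over-read walks the process heap rather than a fixed array, which is why keys, cookies and passwords from other connections came back, and why, as the post says, nothing is logged: the server believes it answered a normal heartbeat.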
 

phranchk

There really needs to be a better system for logging onto sites, because it's almost impossible to come up with unique passwords for different sites and remember them all. I know there are programs that can track it for you, but that makes me feel uneasy having everything in one place. I think maybe something like a text message (SMS) password. My company used it. Worked well 99% of the time. I'm sure the cost is prohibitive for individual sites to utilize.
 

jakobeast

Thanks for the gist. The only sites I frequent and sign in to are here, Facebook, Twitter. My bank was not on that list from that link above. So I suppose I should go change my password on the Facebook and Twitters.
 

roshinaya

Have there been any reports of this exploit actually being used (apart from the NSA, but that's a given since they collect everything anyway)? I tend to keep sensitive information away from the internets, so not really bothered.
 

BiscuitintheBasket

roshinaya said:
Have there been any reports of this exploit actually being used (apart from the NSA, but that's a given since they collect everything anyway)? I tend to keep sensitive information away from the internets, so not really bothered.

The problem is that the sites that exposed themselves will have no trace that someone exploited them. The fact that this was known, and places like Yahoo, Facebook, Netflix, and Citibank have all had several reports of the possibility of people's information being skimmed over the last couple of years, says that there is a strong possibility that the exploit has been used. That information is money.
 

jaxhawksfan

Received an email from Carbonite today telling me that they don't use that type of security for my files, and that my stuff is safe with them. They did, however, recommend changing passwords if I have used the same for them and other sites.
 

The Count Dante

It's a mess. The fix that's out apparently doesn't completely solve the issue.
 

BiscuitintheBasket

Roll back is the way to go. Good thing it is still only a small amount of the potential sites with issues. Weeeeeee!
 

phranchk

I'm starting to think that now that this exploit has been publicized it has been exploited even more. I've seen a huge uptick in the amount of hacked spam mails I get from friends/colleagues.
 

MassHavoc

phranchk said:
I'm starting to think that now that this exploit has been publicized it has been exploited even more. I've seen a huge uptick in the amount of hacked spam mails I get from friends/colleagues.

Yeah, well, it took them what, 2 years to report it?
 

winos5

phranchk said:
I'm starting to think that now that this exploit has been publicized it has been exploited even more. I've seen a huge uptick in the amount of hacked spam mails I get from friends/colleagues.

Me too.

Lots of unsolicited stuff with attachments to unzip and infect your PC. They tend to be invoices or bills saying you owe money for one thing or another, but they are either bogus (obvious grammar errors or misspelled words) or don't identify who they are from.
 
