Heartbleed Bug: Serious Hole in Internet Security

Virgorising · Apr 11, 2014

CZroe said:
Sure they are. They are extremely difficult to access after the first request due to the contents of the memory being unpredictable, but it's possible. Heck, there are DoS attacks/exploits that could be used to force a reboot for a first request. Someone try sending that honeypot the ol', Win95 Ping of Death.

:'(

Markbnj · Apr 11, 2014

CZroe said:
Sure they are. They are extremely difficult to access after the first request due to the contents of the memory being unpredictable, but it's possible. Heck, there are DoS attacks/exploits that could be used to force a reboot for a first request. Someone try sending that honeypot the ol', Win95 Ping of Death.

I'm sure someone will try. You have to applaud Cloudflare's balls. If they're wrong it will be a very public mistake.

Virgorising · Apr 11, 2014

Markbnj said:
I'm sure someone will try. You have to applaud Cloudflare's balls. If they're wrong it will be a very public mistake.

Not to mistake HUBRIS for balls. To me, they are polar opposites.

Miramonti · Apr 11, 2014

This bug and it's publicity is a phisher's gift from heaven.

Phishing might be become as much a nightmare entrapping people to give up their passwords as the actual hacking risk, as sites are sending out password alerts and fake alerts phishing for passwords are sure to follow soon.

Virgorising · Apr 11, 2014

jjsole said:
I haven't gotten gotten any spam yet, but this bug and it's publicity is a phisher's gift from heaven.

Phishing might be become as much a nightmare entrapping people to give up their passwords as the actual hacking risk, as sites are sending out password alerts and everyone now will feel compelled to change their passwords.

I swear, in recent days I've been receiving more SPAM than usual. Unfair to associate that to this thing, tho.

But, anyone who gets sucked into pishing mails, opens their attachments, gives any info at all, rather than reports them/forwards them to the company the hackers are trying to hack, at this point in time, should maybe not be online at all.

I know....harsh. But it's 2014. People should know by know.

Miramonti · Apr 11, 2014

Virgorising said:
I swear, in recent days I've been receiving more SPAM than usual. Unfair to associate that to this thing, tho.

But, anyone who gets sucked into pishing mails, open their attachment,s give any info at all, rather than report them/forward them to the company the hackers are trying to hack, at this point in time, should maybe not be online at all.

I know....harsh. But it's 2014. People should know by know.

Well, we know people get caught in phishing...this is going to make it even easier for a certain population. Some people really only want to get into this 'digital sh!t' any further than they have to - email to keep in touch with family - and a few select sites, especially but not limited to the older generations. It is what it is.

mmntech · Apr 11, 2014

Virgorising said:
I know people know, but this is just now the lead story on Huffington:

http://www.bloomberg.com/news/2014-...e-used-heartbleed-bug-exposing-consumers.html

Talk about insidious.

The NSA is keeping 'Merica safe, unless those matters of national security get in the way of their cold war mentality.

Virgorising · Apr 11, 2014

jjsole said:
Well, we know people get caught in phishing...this is going to make it even easier for a certain population. Some people really only want to get into this 'digital sh!t' any further than they have to - email to keep in touch with family - and a few select sites, especially but not limited to the older generations. It is what it is.

I am again starting to feel a little sheltered.

:$

Miramonti · Apr 11, 2014

mmntech said:
The NSA is keeping 'Merica safe, unless those matters of national security get in the way of their cold war mentality.

No sh!t. Atleast the NSA prevented the Boston Marathon bombing tho. Oh wait...

Virgorising said:
I am again starting to feel a little sheltered.:$

haha

Virgorising · Apr 11, 2014

jjsole said:
No sh!t. Atleast the NSA prevented the Boston Marathon bombing tho. Oh wait...

Seriously, could anyone have prevented that horrific? And now, Russia is refusing to share data on when the now dead brother studied there. Read: was trained there.

I have good friends in Beantown.....and they don't think it could have been prevented either. These unimaginable events make us feel so vulnerable we often need to think a given event could have been precluded.

Truth is...MANY ARE precluded.

jjsole said:
Quote: Originally Posted by Virgorising View Post I am again starting to feel a little sheltered. haha

I mean it. I fix everyone's computers, always tried to show them, empower them, and I always make it fun, cause it CAN BE FUN......I am still boggled by that nobody wants to learn. And these are mostly smart young professionals.

Re pishing mails, when very occasionally I get one---sometimes not even re a company I have ever dealt with---truth is, I feel insulted, given how obvious they are, and think "How dumb do you think we are?"

Miramonti · Apr 11, 2014

Virgorising said:
Seriously, could anyone have prevented that horrific? And now, Russia is refusing to share data on when the now dead brother studied there. Read: was trained there.

I have good friends in Beantown.....and they don't think it could have been prevented either. These unimaginable events make us feel so vulnerable we often need to think a given event could have been precluded.

Truth is...MANY ARE precluded.

I mean it. I fix everyone's computers, always tried to show them, empower them, and i always make it fun......I am still boggled by that nobody wants to learn. and these are mostly young professionals.

As for pishing mails, when I very occasionally get one---sometimes not even a company I have ever dealt with--- it's obvious, and I even chuckle thinking how could anyone not get wut this is, it's so obvious, and soooo insulting to our intelligence.

I see people all the time that technology requires a part of their brain that simply doesn't seem to get blood. They could be brilliant in other areas tho. My mom, who's intelligent and artistic, but old, went out and bought the latest microsoft office because she couldn't open an email attachment she thought she needed (a .scr virus)...

There's no use trying to fight it - people are out there that don't have much patience, desire, and even capacity, for understanding technology, but that doesn't necessarily make them idiots (such as an english professor that can't do math or a math wiz that can't spell.)

Virgorising · Apr 11, 2014

jjsole said:
I see people all the time that technology requires a part of their brain that simply doesn't seem to get blood. They could be brilliant in other areas tho. My mom, who's intelligent and artistic, but old, went out and bought the latest microsoft office because she couldn't open an email attachment she thought she needed (a .scr virus)..

OUCH! But I swear I don think this ouch is age indigenous.

jjsole said:
There's no use trying to fight it - people are out there that don't have much patience, desire, and even capacity, for understanding technology, but that doesn't necessarily make them idiots (such as an english professor that can't do math or a math wiz that can't spell.)

I guess I am. Still trying to fight it, I mean.

My take away in this is.....bottom line: the health of being passionately interested every nano! As I have come to and sometimes say, the definition of an interESTING person, is simply a person who is interESTED. I mean ingenuously, filled with wonder, apolitically....like a child before it learns to shut down and become some necrotic version of COOL.....as in old school Superheros.

tfinch2 · Apr 11, 2014

https://www.eff.org/deeplinks/2014/...gence-agencies-using-heartbleed-november-2013

blurredvision · Apr 11, 2014

I'm part of a managed services team that support dozens of clients, all with differing environments. How can I determine what exactly is affected? I know that's not an easy answer but is there is a growing list of devices/software that is vulnerable, or what can I check for in particular?

This thing is a nightmare right now.

IronWing · Apr 11, 2014

Maybe we could split this thread into one for info concerning the Heart Bleed bug and a second thread for discussing all the secret squirrel theories. That way folks interested in the bug could get useful info.

jpiniero · Apr 11, 2014

blurredvision said:
I'm part of a managed services team that support dozens of clients, all with differing environments. How can I determine what exactly is affected? I know that's not an easy answer but is there is a growing list of devices/software that is vulnerable, or what can I check for in particular?

This thing is a nightmare right now.

Sure seems like the publicity of this is causing virtually every company out there to make a statement about whether it is vulnerable or not.

blurredvision · Apr 11, 2014

jpiniero said:
Sure seems like the publicity of this is causing virtually every company out there to make a statement about whether it is vulnerable or not.

The problem is the amount of devices we employ across our many clients is not necessarily tracked well (or at all). We deploy very common solutions when available but we inherit a ton of stuff that sometimes we just know nothing about. For a managed services outfit like ourselves, this sucks.

tfinch2 · Apr 11, 2014

Markbnj said:
I'm sure someone will try. You have to applaud Cloudflare's balls. If they're wrong it will be a very public mistake.

And they were wrong: https://www.cloudflarechallenge.com/heartbleed

JamesV · Apr 11, 2014

I assume many of us here use online banking and buy things at online sites like Steam and Amazon.

So what are you doing about it?

I had to call Capital One earlier, because my great aunt was in the hospital when her bill was due, and they charged her a late payment fee. I explained it to the CS rep, and they took it off her bill. I then asked about Heartbleed, and if Capital One's online banking site was protected.

Yea, I should have known better... rep had no clue, and hadn't even heard of this. Read in the local paper that CNET has a list of sites that have 'patched' the hole, and going to check it tomorrow.

Just wondering if any of you are doing anything drastic about this, or letting it slide like Y2K.

Red Squirrel · Apr 12, 2014

One thing for sure, this bug will make everybody rethink about encryption. Sometimes we hide behind encryption and think we're safe, but this sure as hell proved that's not always the case. VPN with a bad encryption engine may as well be a RPN (Real Public Network

)

It's probably safe to say the NSA has a lot to do with this, or at the very least, has exploited it quite a lot. These days it's not really hackers you have to worry about. Most of them are just bored kids wanting to screw around with your systems for fun and games. It's the government you have to worry about, they're the ones that can make you disappear.

I'm going to give it about a month, then go around and change all my passwords. Though I probably should change them now, and in a few months. In fact for the next year or so it's probably not a bad idea to change passwords every now and then. The issue is if you change it before a site gets patched and certs issued, it can still be hacked. Lot of sites may be reporting that they patched it, but did they reissue certs?

Markbnj · Apr 12, 2014

tfinch2 said:
And they were wrong: https://www.cloudflarechallenge.com/heartbleed

Well there you go. The first guy sent 2.5 million requests, and they did say they rebooted the server in the middle of his run, which may have put the keys back into memory. But anyway, two people got them, and that's bad.

lxskllr · Apr 12, 2014

Red Squirrel said:
One thing for sure, this bug will make everybody rethink about encryption. Sometimes we hide behind encryption and think we're safe, but this sure as hell proved that's not always the case. VPN with a bad encryption engine may as well be a RPN (Real Public Network )

Maybe this will get more companies using PFS. Turds like Yahoo won't until their making a death spiral down the toilet, but better managed companies might give it more consideration. It won't protect against a real time data grab, but at least keys won't be around to decrypt history.

FelixDeCat · Apr 12, 2014

Markbnj said:
Well there you go. The first guy sent 2.5 million requests, and they did say they rebooted the server in the middle of his run, which may have put the keys back into memory. But anyway, two people got them, and that's bad.

Mark, its clear you know nothing about the internet or computers.

:colbert:

HOSED · Apr 12, 2014

FelixDeCat said:
In addition, I have studied this topic extensively and come to the conclusion that this is much ado about nothing.

I would mildly disagree. I did hear an "expert" on National Public Radio state that it is most important to change your email passwords if you do not wish to change all others.

awe

If nothing else this serves as a reminder do not use the same password for all sites, make them complex , and change them regularly;

I have a very old NetZero email account that I use very infrequently and the password dialog only allows up to 12 characters and only numbers and letters. I believe I will be closing it out today!

CZroe · Apr 12, 2014

There's STILL no mention of this on DailyTech. Wow! I'm glad I don't read Anandtech exclusively.

Heartbleed Bug: Serious Hole in Internet Security

Diamond Member

Elite Member <br>Moderator Emeritus

Diamond Member

Lifer

Diamond Member

Lifer

Lifer

Diamond Member

Lifer

Diamond Member

Lifer

Diamond Member

Lifer

Lifer

No Lifer

Lifer

Lifer

Lifer

Platinum Member

No Lifer

Elite Member <br>Moderator Emeritus

No Lifer

Lifer

Senior member

Lifer