Hard Light Productions Forums
Off-Topic Discussion => General Discussion => Topic started by: BritishShivans on April 08, 2014, 05:58:10 pm
-
http://heartbleed.com/
http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
OpenSSL and Cloudflare have been compromised by a massive bug that's been around for 2 years. No sign of anyone using this to take anything yet, but I'd be ready to change your passwords just in case.
Judging from what it sounds like, I wouldn't be surprised if this was an American 'intelligence' agency's doing... :nervous:
-
This doesn't sound like an intentional backdoor. Rather, it seems like an obscure, hard to find bug that only reveals itself under specific circumstances, but is devastating when it does. Ask any SCP coder, we've had those in the past (and probably still have, waiting for someone to stumble upon them...). :) With such a complex system, it's very hard to account for absolutely everything.
I'll probably change my password on anything that matters. Are banks among the ones who use OpenSSL? I don't think so, but I thought I'd rather check. I generally try to keep sensitive data off the internet, but my inbox might warrant a password change.
-
haha everything was so ****ed. I was watching some people poke at this bug just a few minutes after learning about it, and they were grabbing plaintext usernames and passwords for email accounts, GoG, PlayStation Network... I think everything running on Apache is supposed to be vulnerable, but most people have rolled out patches.
-
Well, it was time to change some passwords anyway.
-
You are scaring me. God dammit, need to change passwords.
Ok, this time I'll switch from 123456 to 654321!
-
Tom Scott is pretty good, succinct at explaining this bug:
-
Judging from what it sounds like, I wouldn't be surprised if this was an American 'intelligence' agency's doing... :nervous:
I've seen the kind of backdoors the NSA tried to pull; they're nowhere near this subtle.
-
Yeah, as much as this would make a stellar entry for the underhanded C contest (http://underhanded.xcott.com/), this has all the hallmarks of a genuine coding error.
-
Great Scott!
-
To elaborate on 'how the NSA do', one of their more notorious exploits was rigging the Dual_EC_DRBG (http://en.wikipedia.org/wiki/Dual_EC_DRBG) random number generator so they'd be able to predict the outputs (and hence use it as leverage to pry open cryptographic keys). There's a semi-technical account of it here (http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html), but the gist of it is that they did it by releasing an incredibly inefficient algorithm that had no formal proof of security, which failed basic standards of cryptographic adequacy, and that had two mystery constants in the middle of it which just so happened to be selected to make the output predictable.
Obviously, nobody in their right mind used it — except US government departments who were pressured into doing so by the NSA, who it appears are really that dumb.
-
If the NSA didn't find and use this vulnerability, they are probably kinda pissed now. Actually, same as if they did know about it. Really, what are security researchers doing nowadays, disclosing vulnerabilities instead of selling them to intelligence agencies, as is their patriotic duty. Maybe they should be prosecuted for treason, like Snowden?
-
Maybe they should be prosecuted for treason, instead of Snowden?
Fixed that for you.
-
Maybe they should be prosecuted for treason, instead of Snowden?
Fixed that for you.
It doesn't have to be either-or, you know. If you're collecting all that info about everyone, you might as well prosecute as many as you can. How else are you going to justify it? Think of the children!
-
You are scaring me. God dammit, need to change passwords.
Ok, this time I'll switch from 123456 to 654321!
you don't use sqrt(Planck*pi/length of your penis)?
this only works if you are straight though.
it also doesn't work for women because that would implode the universe. unless they have a dildo i suppose.
-
So, was HLP's web server affected? Should we all be changing our passwords here?
-
apparently people are thinking this has any effect on sites which don't usually use https for access...
the gist of it is, this exploit enabled exploiters to get the private key of the SSL certificate... NOT your passwords.
they can get those by looking at http traffic at any point between hlp's servers and you :p (i don't know how smf transmits passwords over the web, and i hope to hell it ain't cleartext... it's not, it's a hash of some sort.)
hlp doesn't do https, so no real issue here.
this, however, means that someone can spoof your server, and basically any key that ever got touched by apache2/nginx/whatever server or software that used the vulnerable OpenSSL libs cannot be guaranteed to be valid.
also, as a side note, at work the https part of one of our sites is getting hammered at a rate of 180-ish requests/sec... my coworker and i are assuming it's that, since we had 130 requests per minute before yesterday evening :p
anyone else have any similar experience of this sort on their servers?
-
To add to what pecenipicek said, I verified the version of OpenSSL that is installed and it's not affected.
Yes, this is a nasty bug, but by the Binary Gods of Mount 01, the amount of FUD going around about it is silly.
"Beware the heartbleed virus!" <- Yes, that was a headline.
I would estimate that the chances of someone being affected by this are pretty small. Just keep a close eye on your accounts for weirdness and react fast if you see anything out of the ordinary, like logins from different machines you didn't use, failed password attempts, etc.
If you want to be proactive, sure, change your passwords now, but unless you are sure the system you are changing the password on is using the patched version, it's not going to do much good.
-
Is it bad that I'm willing to take on some degree of risk with this, because I REALLY can't be assed to try and come up with new secure-ish passwords I know I'll remember?
-
If anyone asked me, I'd tell them not to change their passwords right now. The reasoning goes like this: to change your password, you have to log on to the site. This puts your login data (password, password hash, account details, username) into memory at the server, where it can be read by the vulnerability. If you didn't log on since the disclosure, you're fairly secure (modulo everyone who knew about the vulnerability before the disclosure). The more you muck around with your data on a vulnerable server, the worse it gets. Just wait until this blows over and everyone uses a secure version of OpenSSL.
-
I've been verifying every password I change is only on a server that's been upgraded (the big sites are posting notices).
Fortunately, it appears none of the Canadian banks use OpenSSL, or at least the vulnerable version.
-
http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/
-
LastPass have a rather nice Heartbleed vulnerability checker which will not only check if the site is running OpenSSL but more importantly it will also check if the site's certificate has been updated this week. (but unfortunately it won't check which version of OpenSSL is in use).
You can find it here (https://lastpass.com/heartbleed/). If you actually use LastPass, you can run their security check to see which sites are vulnerable (It's never a bad idea to run the check anyway).
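As an added example (not code from this thread, from OpenSSL or from LastPass), here is a small Python script that performs the two checks the last posts describe: the local OpenSSL version check mentioned a few posts up, and the "has the certificate been reissued since disclosure" check the LastPass tool does. The affected version range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) and the 7 April 2014 disclosure date are assumed from the public advisory, not taken from the thread; the banner and date strings it is fed below are constructed samples.

```python
"""Two Heartbleed exposure checks for a host you administer.

Added example, not code from the thread, OpenSSL or LastPass. Assumed
(from the public advisory, not the thread): the bug is present in
OpenSSL 1.0.1 through 1.0.1f and in 1.0.2-beta1, and fixed in 1.0.1g;
public disclosure was 7 April 2014.
"""
import re
import subprocess
from datetime import datetime, timezone

DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches the start of an `openssl version` banner, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e', None)."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def heartbleed_affected(banner):
    """True if the version string falls in the vulnerable range.

    Caveat: distributions that backport the fix keep the old version
    number (a patched Debian build still reports 1.0.1e), so True here
    means "check the package changelog", not "definitely vulnerable".
    """
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # plain 1.0.1 and 1.0.1a..1.0.1f ship the bug; 1.0.1g fixed it
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1  # 1.0.2-beta1 was affected, beta2 was not
    return False  # 0.9.8 and 1.0.0 never had the TLS heartbeat extension


def cert_reissued_after_disclosure(not_before_line):
    """Takes the `notBefore=...` line printed by `openssl x509 -noout -dates`.

    A private key that sat in a vulnerable server's memory may have been
    read out, so a certificate issued before disclosure should be replaced.
    A notBefore after the disclosure date is evidence the operator rotated it.
    """
    value = not_before_line.split("=", 1)[-1].strip()
    issued = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return issued.replace(tzinfo=timezone.utc) > DISCLOSURE


def local_openssl_banner():
    """Runs `openssl version` on this machine; None if openssl is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.splitlines()[0] if out else None


if __name__ == "__main__":
    # Constructed samples standing in for real command output.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "-> affected" if heartbleed_affected(sample) else "-> not affected")
    print(cert_reissued_after_disclosure("notBefore=Apr  9 12:00:00 2014 GMT"))
    banner = local_openssl_banner()
    if banner:
        print("this host:", banner, "->", heartbleed_affected(banner))
```

To feed it real data, `openssl version` gives the banner and `openssl x509 -in cert.pem -noout -dates` prints the `notBefore=` line for a saved certificate. The version check is deliberately conservative: a backported distro fix leaves the version string unchanged, so a "yes" from it is a prompt to read the package changelog rather than a verdict.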