What You Need To Know About Heartbleed, the New Security Bug Scaring the Internet


On the "Security Now" podcast on the TWiT network, Steve Gibson went into this in detail. Since the data returned from a server could contain almost anything, speeding to get the servers patched is Job 1. Not all sites were affected (IIS doesn't use the OpenSSL code), but enough were. If you reuse passwords on several sites, you would be wise to update them on those sites that have patched their servers.

Here's the link to the podcast: http://twit.tv/show/security-now/450
And the transcript (Heartbleed coverage starts on page 12) https://www.grc.com/sn/sn-450.pdf

—Roland
 

SSLLabs (http://SSLLabs.com) has a tool to check the websites you might visit to see if they are vulnerable or have patched. (The freakin' ads that pop up on the SatelliteGuys app make it impossible to add a photo to a posted entry.) So, a new post to show the SSLLabs scan of this website:
[attached image: SSLLabs scan result for this site]
—Roland
 
Are you on an iPhone? If yes, a new ad-free version of the SatelliteGuys reader has been sent to Apple; I am just waiting for them to release it. :)
 
I'm using my wife's iPad Air. My iPhone has the app, but I was able to log in on that for Web View so I don't get bombarded with the ads.

—Roland
 
I updated my Raspberry Pi last night.

For those running SSL services on Mac OS X, according to my check, the OpenSSL version is not vulnerable:
Code:
server:downloads jkotches$ openssl version
OpenSSL 0.9.8y 5 Feb 2013
server:downloads jkotches$


v1.0 < 1.0g are vulnerable.
 
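Added example (not code from this thread or from the OpenSSL project): a small Python script that parses the `openssl version` banner and classifies the upstream release against the affected range. The affected upstream releases are OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release; 1.0.1g (7 Apr 2014) carries the fix, and the 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code, which is why a 0.9.8y banner like the one above is not affected. The sample banners in the script are constructed, and the function and constant names are assumptions of this example.

```python
import re
import subprocess

# Heartbleed (CVE-2014-0160) lives in the TLS heartbeat code that first shipped
# in OpenSSL 1.0.1 (March 2012).  Upstream releases 1.0.1 .. 1.0.1f and the
# 1.0.2-beta1 pre-release are affected; 1.0.1g (7 Apr 2014) carries the fix.
# The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
HEARTBLEED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", ...
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


def parse_openssl_version(banner):
    """Split an `openssl version` banner into (major, minor, fix, letter, tag).

    letter is the patch letter ("" for a bare x.y.z release) and tag is any
    pre-release suffix such as "beta1" ("" if absent).  Raises ValueError for
    anything that is not an OpenSSL banner, e.g. the "LibreSSL 2.8.3" that
    newer macOS prints, so the caller never mistakes a fork for OpenSSL.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter, tag or ""


def upstream_heartbleed_status(banner):
    """Classify the *upstream* version named in a banner.

    Returns "vulnerable", "fixed" or "not affected".  Caveat: Debian, Ubuntu,
    Red Hat and others backported the fix into packages that still report
    1.0.1e or 1.0.1f, so "vulnerable" here means "go check the package
    changelog / vendor advisory", not "confirmed exploitable".
    """
    major, minor, fix, letter, tag = parse_openssl_version(banner)
    if (major, minor, fix) == HEARTBLEED_BRANCH:
        # Patch letters are single lowercase characters in the 1.0.1 series,
        # and "" (plain 1.0.1) sorts before "a", so a string compare works.
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "fixed"
    if (major, minor, fix) == (1, 0, 2) and tag.startswith("beta"):
        # 1.0.2-beta1 predates the fix; beta2 and the final 1.0.2 came after it.
        return "vulnerable" if tag == "beta1" else "fixed"
    return "not affected"


def check_local_openssl(openssl_cmd="openssl"):
    """Run `openssl version` locally and classify it; None if no binary is found.

    This only inspects the command-line tool.  A server links its own libssl
    (possibly a bundled or statically linked copy), so check the library the
    service actually loads, not just whatever is first on $PATH.
    """
    try:
        out = subprocess.run([openssl_cmd, "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return upstream_heartbleed_status(out)


if __name__ == "__main__":
    # Constructed sample banners (the first matches the one posted in this thread).
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]
    for s in samples:
        print("%-35s %s" % (s, upstream_heartbleed_status(s)))
    print("local openssl:", check_local_openssl())
```

Two caveats worth keeping in mind when using a version check like this: distributions shipped the fix as a backport without changing the upstream version string, so a 1.0.1e banner on a patched Debian or RHEL box is a false alarm that the package changelog resolves, and a long-running service keeps the old library mapped in memory until it is restarted, so a fixed banner on disk does not by itself prove the running daemon is safe. The external SSLLabs scan Roland posted tests the live service and is the right complement to a local version check.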
As for why it wasn't found, the OpenSSL foundation guys also say it's due to lack of manpower. This was stated in a post to the OpenSSL users mailing list. I can get the exact message-id/quote if needed.

With complex software, it's easy for little things to escape notice.

Crypto software is HARD, folks.
 
Well, that plus it was just like 4 volunteers working on the project. It was not being maintained by a company with software testing and review procedures.
 
It is one of the problems of open source code. People believe it to be safe since it is open source. But that makes the grand assumption that people actually study it and review it instead of perhaps just giving it a glance to be sure it is not doing something really evil and deploying it. So, it took 2 years for someone to notice this...
 