
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Tue, 15 Apr 2014 07:00:03 +0200
shawn wilson <ag4ve.us@gmail.com> wrote:

> >> On Apr 14, 2014 11:01 AM, "Chris Bannister" <cbannister@slingshot.co.nz>
> >>wrote:

> >> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:

> >> > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Here's the article from Bruce's CRYPT-GRAM from April 15, 2014:

Heartbleed

Heartbleed is a catastrophic bug in OpenSSL:

     "The Heartbleed bug allows anyone on the Internet to read the
     memory of the systems protected by the vulnerable versions of
     the OpenSSL software. This compromises the secret keys used to
     identify the service providers and to encrypt the traffic, the
     names and passwords of the users and the actual content. This
     allows attackers to eavesdrop communications, steal data
     directly from the services and users and to impersonate
     services and users."

Basically, an attacker can grab 64K of memory from a server.  The attack 
leaves no trace, and can be done multiple times to grab a different 
random 64K of memory.  This means that anything in memory -- SSL private 
keys, user keys, anything -- is vulnerable.  And you have to assume that 
it is all compromised.  All of it.

"Catastrophic" is the right word.  On the scale of 1 to 10, this is an 11.

The bug has been patched.  After you patch your systems, you have to get 
a new public/private key pair, update your SSL certificate, and then 
change every password that could potentially be affected.

At this point, the probability is close to one that every target has had 
its private keys extracted by multiple intelligence agencies.  The real 
question is whether or not someone deliberately inserted this bug into 
OpenSSL, and has had two years of unfettered access to everything.  My 
guess is accident, but I have no proof.

http://heartbleed.com/
http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ 
or http://tinyurl.com/ngcytay
https://news.ycombinator.com/item?id=7548991
https://xkcd.com/1353/
http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/
https://freedom-to-tinker.com/blog/felten/how-to-protect-yourself-from-heartbleed/ 
or http://tinyurl.com/kqe4b5c
http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html 
or http://tinyurl.com/lhjr7zf
http://filippo.io/Heartbleed/

More about Heartbleed on my blog:
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html

-- 
CK
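The remediation sequence in the quoted article (patch, then new key pair and certificate, then password changes) is easy to get half-done on a large fleet. The script below is an added example, not part of the e-mail or of Crypto-Gram: it takes a constructed host inventory (OpenSSL version string, the date the host was patched if known, and the certificate's notBefore date) and reports which of the three steps are still outstanding per host. The affected-version range it uses (1.0.1 through 1.0.1f plus the 1.0.2 betas, fixed in 1.0.1g) comes from the public CVE-2014-0160 advisory rather than from the message; the host names, dates and the `audit_host` / `audit` function names are assumptions.

```python
import re
from datetime import date

# Affected range per the public CVE-2014-0160 advisory (not stated in the e-mail):
# OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g (2014-04-07) is fixed.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")


def is_vulnerable_version(version_string):
    """True if the upstream version string falls in the affected range.

    Caveat: distributions often backport the fix without changing the upstream
    string (a patched Debian package can still report 1.0.1e), so True means
    'verify against the package changelog', not 'confirmed vulnerable'.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        return letter == "" or letter <= "f"   # 1.0.1 .. 1.0.1f
    if branch == (1, 0, 2):
        return beta is not None                 # 1.0.2-beta*, not 1.0.2 final
    return False                                # 0.9.8 / 1.0.0 never had heartbeats


def audit_host(openssl, patched_on, cert_not_before):
    """Return the outstanding remediation steps for one host as short codes.

    patched_on is None when the host has never been patched from an affected
    build (either still vulnerable, or never ran one).
    """
    issues = []
    if is_vulnerable_version(openssl):
        # Nothing else is meaningful until the library is fixed: a key pair or
        # password rotated on a still-leaking host can be read out again.
        issues += ["patch-openssl",
                   "reissue-cert-after-patch",
                   "rotate-passwords-after-patch"]
        return issues
    if patched_on is not None:
        # The host ran an affected build: any key that existed before the
        # patch date must be assumed exposed, as must credentials sent to it.
        if cert_not_before < patched_on:
            issues.append("reissue-cert")
        issues.append("rotate-passwords")
    return issues


def audit(inventory):
    """Map host name -> list of outstanding steps for a whole inventory."""
    return {h["host"]: audit_host(h["openssl"], h["patched_on"], h["cert_not_before"])
            for h in inventory}


# Constructed sample inventory (hypothetical hosts and dates).
SAMPLE_INVENTORY = [
    {"host": "web1", "openssl": "OpenSSL 1.0.1e 11 Feb 2013",
     "patched_on": None, "cert_not_before": date(2013, 6, 1)},
    {"host": "web2", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "patched_on": date(2014, 4, 8), "cert_not_before": date(2013, 6, 1)},
    {"host": "web3", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "patched_on": date(2014, 4, 8), "cert_not_before": date(2014, 4, 9)},
    {"host": "legacy", "openssl": "OpenSSL 0.9.8y 5 Feb 2013",
     "patched_on": None, "cert_not_before": date(2012, 1, 1)},
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY).items():
        print("%-8s %s" % (host, ", ".join(issues) or "no action"))
```

The version check is deliberately only a trigger: on Debian-style systems the package changelog, not the `openssl version` string, is the authority on whether the fix is present, which is why a match reports "patch-openssl" rather than silently deciding the host is safe.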