04-09-2014, 09:39 AM
I know this may not belong here, but its important that you guys don't get your information/accounts hijacked. I put it in this section so everyone can see.
Cliffs: Heartbeat bug allows attackers to steal OpenSSL private keys, OpenSSL secondary keys, Retrieve up to 64kb of memory from the affected server (decrypt all traffic between the server and client(s)). Your info could have been stolen, your websites that run on OpenSSL can leak your users information. This is a critical update and almost everyone is affected.
More indepth explanation:
Heartbeat bug allows one endpoint to go "I'm sending you some data, echo it back to me". It supports up to about 64 KiB.
You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim "I'm sending 64 KiB of data" (for example) and then only really send, say, one byte, OpenSSL would send you back your one byte -- and 64 KiB (minus one) of other data from RAM... Whoops!
This allows the other endpoint to get random portions of memory from the process using OpenSSL. An attacker cannot choose which memory, but if they try enough times, their request's data structure is likely to wind up next to something interesting, such as your private keys, or users' cookies or passwords.
Sites that are still vulnerable as of today are Yahoo, OKCupid, Flickr, Adfly, Hidemyass, amungus, digitaIpoint, etc... just to name a few.
"Serious bug that leaves no trace".
Yes it's serious. It is advised you change your passwords on ALL your accounts you know/have because the thing with this bug is that its been out in the open for a while and it leave NO TRACE from an attacker, Which means that noone knows who took what from where.
Update your computer/servers!
Clear your cookies (log out of all accounts) and Change your passwords.
+ Always add a 2nd step verification for your accounts on sites that have it.
http://www.forbes.com/sites/jameslyne/20...and-yahoo/
Sites still affected:
https://github.com/musalbas/heartbleed-m...op1000.txt
Check to see if your website is vulnerable:
http://filippo.io/Heartbleed/
Update to the latest fix:
http://www.openssl.org/news/secadv_20140407.txt
Quote:The tiny padlock next to web addresses that promised to protect our most sensitive information — passwords, stored files, bank details, even Social Security numbers — is broken.
A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.
On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.
The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google.
Researchers are calling the bug “Heartbleed” because it affects the “heartbeat” portion of the OpenSSL protocol, which pings messages back and forth. It can and has been exploited by attackers.
The bug allows attackers to access the memory on any web server running OpenSSL and take all sorts of information: customer usernames and passwords, sensitive banking details, trade secrets and the private encryption keys that organizations use to communicate privately with their customers.
What makes the Heartbleed bug particularly severe is that it can be used by an attacker without leaving any digital crumbs behind.
“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, the chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”
Three security researchers at Codenomicon’s offices in Oulu, Finland, first discovered the bug last Thursday. The researchers, Antti Karjalainen, Riku Hietamäki and Matti Kamunen, immediately alerted the Finnish authority that is charged with responsibly disclosing security bugs. As it turned out, a security researcher at Google, Neel Mehta, had also discovered the bug and the Google security team had been working on a fix.
On Monday, the open-source team that oversees OpenSSL issued a warning to people and organizations about the bug, and encouraged anyone using the OpenSSL library to upgrade to the latest version, which fixes the problem.
Security researchers say it is impossible to know whether an attacker used the bug to steal a victim’s information, but found evidence that attackers were aware of the bug and had been exploiting it. Researchers monitoring various “honeypots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.
But actual victims are out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Mr. Chartier said. “That’s what makes it so vicious.”
Security researchers are warning organizations to get new private encryption keys as quickly as possible, and warning people to start changing their usernames and passwords immediately, particularly for sensitive accounts like their online banking, email, file storage and e-commerce accounts.
Related
For a primer on how to create passwords that drive hackers away, click here.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr’s security team wrote on their site. “This might be a good day to call in sick and take some time to change your passwords everywhere— especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”
Mr. Chartier advised users to consider their passwords gone. “Companies need to get new encryption keys and users need to get new passwords immediately,” he said. “And do it quickly.”
Cliffs: Heartbeat bug allows attackers to steal OpenSSL private keys, OpenSSL secondary keys, Retrieve up to 64kb of memory from the affected server (decrypt all traffic between the server and client(s)). Your info could have been stolen, your websites that run on OpenSSL can leak your users information. This is a critical update and almost everyone is affected.
More indepth explanation:
Heartbeat bug allows one endpoint to go "I'm sending you some data, echo it back to me". It supports up to about 64 KiB.
You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim "I'm sending 64 KiB of data" (for example) and then only really send, say, one byte, OpenSSL would send you back your one byte -- and 64 KiB (minus one) of other data from RAM... Whoops!
This allows the other endpoint to get random portions of memory from the process using OpenSSL. An attacker cannot choose which memory, but if they try enough times, their request's data structure is likely to wind up next to something interesting, such as your private keys, or users' cookies or passwords.
Sites that are still vulnerable as of today are Yahoo, OKCupid, Flickr, Adfly, Hidemyass, amungus, digitaIpoint, etc... just to name a few.
"Serious bug that leaves no trace".
Yes it's serious. It is advised you change your passwords on ALL your accounts you know/have because the thing with this bug is that its been out in the open for a while and it leave NO TRACE from an attacker, Which means that noone knows who took what from where.
Update your computer/servers!
Clear your cookies (log out of all accounts) and Change your passwords.
+ Always add a 2nd step verification for your accounts on sites that have it.
http://www.forbes.com/sites/jameslyne/20...and-yahoo/
Sites still affected:
https://github.com/musalbas/heartbleed-m...op1000.txt
Check to see if your website is vulnerable:
http://filippo.io/Heartbleed/
Update to the latest fix:
http://www.openssl.org/news/secadv_20140407.txt