1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

What is heartbleed ?

Discussion in 'Security' started by jobsbywork, Apr 10, 2014.

  1. #1
    There has been a lot of discussion is happening over the internet but no one is providing proper information.Does any one have information out there?
    SEMrush
     
    jobsbywork, Apr 10, 2014 IP
    SEMrush
  2. wisdomtool

    wisdomtool Moderator Staff

    Messages:
    15,816
    Likes Received:
    1,365
    Best Answers:
    1
    Trophy Points:
    455
    #2
    It is an Openssl exploit. You posted in General Business which is a wrong forum to post.
     
    wisdomtool, Apr 10, 2014 IP
  3. Spoiltdiva

    Spoiltdiva Illustrious Member

    Messages:
    7,370
    Likes Received:
    2,670
    Best Answers:
    52
    Trophy Points:
    470
    #3
    I don't usually don't discuss techie stuff on here as I'm likely to make a fool of myself but...Heartbleed has been around for about 2 years. It doesn't have a trace. It was first detected by Google and verified by Codenumicon.
    What the bug basically does is give the hacker the ability to gain data from the server you regularly use.(Facebook/Gmail etc.) An open SSL is *supposed* to give you a secure line when e-mailing or chatting on IM, but in reality thanks to this bug that is no longer the case. On the positive side it is possible that this security flaw was never discovered by hackers so....do you wish to be an optimist and say that it hasn't, or? You can change all your passwords but that's about it.
     
    Last edited: Apr 10, 2014
    Spoiltdiva, Apr 10, 2014 IP
    kingofking, malky66 and ryan_uk like this.
  4. ryan_uk

    ryan_uk Illustrious Member

    Messages:
    3,983
    Likes Received:
    1,022
    Best Answers:
    33
    Trophy Points:
    465
    #4
    That pretty much sums it up.

    But, before you change a password, though, check that the server has actually been patched (otherwise a hacker could potentially still be watching the packets and gain the new password). I have been using this one, which seems to mostly work well:
    filippo.io/Heartbleed/

    Oh - and it is what is called a "man in the middle" exploit; that means there needs to be something between the server and client to inspect the packets.

    The exploit relies upon a vulnerable version of OpenSSL being compiled with heartbeats enabled.

    Any sites that had "perfect forward secrecy" enabled won't have been vulnerable (or at least since they enabled it). Take a look at:
    https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy

    Google is one company that has been using this for Gmail, secure search and other services since about November 2013.

    Finally, @jobsbywork there is plenty of "proper information". Search Google, Bing, DuckDuckGo, or whatever you prefer, and you will find a ton of information easily.
     
    ryan_uk, Apr 10, 2014 IP
    kingofking and malky66 like this.
  5. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,480
    Likes Received:
    1,920
    Best Answers:
    247
    Trophy Points:
    515
    #5
    Uhm... not quite guys... Simply changing passwords will NOT plug the hole if it exists on your system.

    Basically all heartbleed does is let you find out someone else's 'private' certificate so that you can view someone else's SSL communications (HTTPS, SSL Pop3/IMAP/SMTP) as if it wasn't secured. Admittedly, it can be used to see your passwords, so change them anyways -- but that's not what it DOES; changing your passwords does jack shit if the vulnerability is still there for them to just lather-rinse-repeat your tuchas all over again!

    You need to patch your copy of OpenSSL up to the latest version (something that should be done anyways) and then re-issue the part that is ACTUALLY compromised -- your SSL certificates. That either means getting a new certificate (if using a real 'trusted' source) or regenerating your private/untrusted one AFTER. You should also enable what's called "dual authentication" since only one side of OpenSSL was compromised.

    Couldflare has a decent blog entry on it.
    http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued

    Most major "trusted" cert issuers are sending new ones.... it's actually causing a pretty hefty spike in CRL traffic.

    http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued

    But again, until you are sure you are updated to the latest openSSL and using new certs, changing your passwords isn't gonna do a blasted thing as you'd still be vulnerable to the same attack all over again. If you don't know what that means or what it entails, you probably shouldn't be managing a server.
     
    deathshadow, Apr 19, 2014 IP
  6. SlimCharles47

    SlimCharles47 Greenhorn

    Messages:
    88
    Likes Received:
    6
    Best Answers:
    0
    Trophy Points:
    23
    #6
    This is quoted from this post I read - http://www.interworx.com/community/openssl-vulnerability-strikes-heart-online-security/ "The Heartbleed bug — officially known as CVE–2014–0160 — is the result a defect in OpenSSL’s implementation of the SSL protocol’s heartbeat function. The heartbeat function is a simple addition to the protocol that allows the machines involved in a SSL connection to send a message to each other requesting a response to verify that the other party is still available. Unfortunately, it’s possible to craft the heartbeat message so that the responding server will transmit the contents of a portion of its memory to the originating server. The vulnerability is so serious because it allows an attacker access to information in RAM that may contain private keys and other critical data. With the private keys, an attacker could potentially decrypt all further communication with that server." Hope this helps.
     
    SlimCharles47, Apr 22, 2014 IP
    deathshadow likes this.
  7. Sandra Peterson

    Sandra Peterson Greenhorn

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #7
    Heartbleed bug is basically an encryption flaw that is found in websites that use Open SSL encryption to secure the online data of their customers. the problem is that these SSL encryption protocols have been highly flawed and taking its advantage, hackers have been able to crack into these protocol servers. Heartbleed bug has allowed these cyber criminals to secretly gain access to the encryption keys of these SSL encrypted servers, copy all the critical data and then use it for the fulfillment of their malicious and heinous intentions. It is a vulnerability and weakness of internet technology that has allowed such high risk threat to nourish. The sad truth is that a large number of giant websites like Facebook, Airbnb and Gmail, that we use almost every day have also been the victim of this nuisance.
     
    Sandra Peterson, May 6, 2014 IP
  8. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,480
    Likes Received:
    1,920
    Best Answers:
    247
    Trophy Points:
    515
    #8
    Yes, cyber-criminals like homeland securty, the FBI, the NSA, and pretty much every other alphabet soup organization out there. :D
     
    deathshadow, May 6, 2014 IP
  9. maestria

    maestria Well-Known Member

    Messages:
    705
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    110
    #9
    maestria, May 22, 2014 IP
  10. maestria

    maestria Well-Known Member

    Messages:
    705
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    110
    #10
    maestria, May 22, 2014 IP