Heartbleed: Serious OpenSSL zero day vulnerability revealed

Heartbleed vulnerability may have been exploited months before patch

 

LastPass Now Checks If Your Sites Are Affected by Heartbleed

 

Just FYI, I have a little good news.

https://forums.openvpn.net/topic15526.html

 

Widespread Bug Will Linger On in Unpatched Devices | MIT Technology Review

 

The Heartbleed Hit List: The Passwords You Need to Change Right Now

 

How to tell if Heartbleed could have stolen your password, and when it’s safe to change it

 

Vulnerability scan of Alexa top 10,000 websites; note: shows current (as of scan time) status only

 

List of vulnerability status by vendor

 

Which sites have patched the Heartbleed bug
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
Consider changing your password if you have an account on any of the affected sites.

 

How about deleting ALL Certs & Server etc info in your browsers, & then when prompted as you visit Any HTTPS www, install as required ?

 

Does anyone know of a reliable way to test a site if it is affected or not

I got a warning from someone about that -hxxp://filippo.io/Heartbleed/- site

No point in checking the Certificates as most of them (my Banks) are still from 2013 or before

Thanks

 

If the site that you visit already has patched OpenSSL and got a new certificate it's a good idea. But if they either patched or only got new certificates it is useless.

 

Mozilla Security Blog
Sid Stamm - April 8, 2014

"Two Mozilla systems were affected by Heartbleed. Most Persona and Firefox Account (FxA) servers run in Amazon Web Services (AWS), and their encrypted TLS connections are terminated on AWS Elastic Load Balancers (ELBs) using OpenSSL. Until April 8, when Amazon resolved the bug in AWS, those ELBs used a version of OpenSSL vulnerable to the Heartbleed attack"
..continue reading.

Concerning Sync ..."Neither the account server nor a potential attacker could have learned the password or the encryption key that protects Sync data."

 

Indeed, it's a real mess

I don't know except for the Members now online on the main forum page.

 

In reference to post #54, this caught my attention ...
Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them”

This is going to be interesting. ISPs are notorious for not upgrading field equipment even when it has been determined EOL for years.

 

Attack of the week: OpenSSL Heartbleed by Matthew Green
at: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

-- Tom

 

Heartbleed Bug SSL Vulnerability – Everything You Need To Know
at: http://www.darknet.org.uk/2014/04/heartbleed-bug-ssl-vulnerability-everything-need-know/

-- Tom

 

Heartbleed Bug: How to Check if a Website is Vulnerable

Luckily there are some resources to hand to help you find out which websites are affected and which have taken steps to remedy the situation if they have been affected.

The first thing you can do is to plug the website's URL into one of the many Heartbleed checkers set up in the wake of the security flaw being released. Here are three:

• http://filippo.io/Heartbleed/
  
• https://www.ssllabs.com/ssltest/
  
• https://lastpass.com/heartbleed/
  

If you find the website you are checking is vulnerable, then you should wait before changing your password, as doing so now won't protect it from those sneaky cybercriminals.

While these online checkers will tell you if a site is or isn't vulnerable, they won't tell you what the website has done to correct the problem.

http://www.ibtimes.co.uk/heartbleed-bug-how-check-if-website-vulnerable-1444236

(Can someone please tell me why my text is so large and how to fix it please.) - LowWaterMark: The rich text editor hides formatting from you. If you ever find a post acting funny, disable the rich-text editing and then go into it with the plain editor. You'll see right away what's worng.

 

Hackers scanning Web for ‘Heartbleed’ bug
10 April 2014

"
Hacking groups have been detected running automated scans of the Internet in search of Web servers vulnerable to the ‘Heartbleed’ bug.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on yesterday after security software company Rapid7 released a free tool for conducting such scans.

"The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

http://eandt.theiet.org/news/2014/apr/heartbleed-scans.cfm

 

Nice finds
In the link supplied by Mr. Brian a few sites are specified as Not Affected, but if you read the quote, some don't deny vulnerability and/or imply that they may have been vulnerable if you read between the lines.

 

A few links about the actual software causing the Heartbleed bug:

heartbleed vs malloc.conf at: http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf

analysis of openssl freelist reuse at: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

-- Tom

 

Clear the rich text formatting by using the Remove Formatting icon.

 

For those using KeePass, I recommend adding "last modification time" to your columns so you can sort by that and keep track of which sites for which you've changed the passwords.