Heartbleed: Serious OpenSSL zero day vulnerability revealed

Dermot7 · Apr 10, 2014

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.
Click to expand...

Heartbleed Bug: What Can You Do? — Krebs on Security

Page42 · Apr 10, 2014

Perhaps this has been answered. I missed it if it has.
Can someone advise me why it is recommended to change your password on a site that is still affected by Heartbleed?
It seems to me that the new credentials can be harvested in the same manner that the old ones were.

SirDrexl · Apr 10, 2014

Page42 said: ↑

Perhaps this has been answered. I missed it if it has.
Can someone advise me why it is recommended to change your password on a site that is still affected by Heartbleed?
It seems to me that the new credentials can be harvested in the same manner that the old ones were.
Click to expand...

You change your password AFTER you find that it has been fixed.

Page42 · Apr 10, 2014

SirDrexl said: ↑

You change your password AFTER you find that it has been fixed.
Click to expand...

Yes, of course, that makes most sense. I asked because I thought I read somewhere to change them everywhere, regardless of status of the site.
I tried looking for where I may have read that advice and gave up, figuring that I probably misread it.
TY for your response, SirDrexl.

siljaline · Apr 10, 2014

The Heartbleed Hit List: The Passwords You Need to Change Right Now http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Minimalist · Apr 10, 2014

SirDrexl said: ↑

For those using KeePass, I recommend adding "last modification time" to your columns so you can sort by that and keep track of which sites for which you've changed the passwords.
Click to expand...

Good advice . I didn't start to change my passwords yet, but will surely use this trick when I get to it.

hqsec

BoerenkoolMetWorst · Apr 10, 2014

Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

https://www.eff.org/deeplinks/2014/...gence-agencies-using-heartbleed-november-2013

ronjor · Apr 10, 2014

Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability

Microsoft Security Staff Microsoft Security Staff
10 Apr 2014 3:03 PM

After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.
Click to expand...

http://blogs.technet.com/b/security...and-the-openssl-heartbleed-vulnerability.aspx

ronjor · Apr 10, 2014

Apple Says iOS, OSX and “Key Web Services” Not Affected by Heartbleed Security Flaw

April 10, 2014, 1:42 PM PDT
Click to expand...

http://recode.net/2014/04/10/apple-...ces-not-affected-by-heartbleed-security-flaw/

ronjor · Apr 10, 2014

Heartbleed Bug hits at heart of many Cisco, Juniper products

Cisco, Juniper say to expect security advisory updates related to Heartbleed
By Ellen Messmer, Network World
April 10, 2014 05:07 PM ET
Click to expand...

http://www.networkworld.com/news/2014/041014-heartbleed-cisco-juniper-280593.html

CloneRanger · Apr 10, 2014

iammike Said

If the site that you visit already has patched OpenSSL and got a new certificate it's a good idea. But if they either patched or only got new certificates it is useless
Click to expand...

Makes sense now !

emmjay Said

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them”
Click to expand...

Well that's going to be fun, NOT. Which is likely to mean, many will NOT get patched, EVER !

Dermot7 · Apr 10, 2014

By Graham Cluley:

Everywhere you look people are panicking about the Heartbleed bug.
Click to expand...

And, to be fair, it is a very serious bug that does give malicious hackers, security researchers and snoopers the opportunity to spy upon what should have been private communications, and hoover up confidential information such as email addresses and passwords.

The good news is that some of the affected websites and services have already taken action, patched their systems and are proactively reaching out to customers and advising them to change their passwords.

IFTTT (“If this then that”) for instance is a great service that I regularly use as part of my daily online life. So I was pleased to receive an email from them confirming that they have fixed the Heartbleed bug on their own site, and were suggesting that now was a good time to reset my password in an abundance of caution – just in case it had been compromised.
Click to expand...

In the wake of Heartbleed, watch out for phishing attacks, disguised as password reset emails | HOTforSecurity

siljaline · Apr 10, 2014

I've changed my Facebook password - have you ?

https://www.facebook.com/settings?tab=account&section=password&view

Dermot7 · Apr 10, 2014

'Heartbleed' computer bug threat spreads to firewalls and beyond | Reuters

ronjor · Apr 10, 2014

Cisco finds 13 products (so far) vulnerable to Heartbleed—including phones
Collaboration products, router OS have OpenSSL bug; Cisco still checking others

by Sean Gallagher - Apr 10 2014, 5:25pm CST
Click to expand...

http://arstechnica.com/security/201...ar-vulnerable-to-heartbleed-including-phones/

chachazz · Apr 10, 2014

Mozilla Security - Heartbleed Security Advisory

: Two Mozilla systems were affected by Heartbleed. Most Persona and Firefox Account (FxA) servers run in Amazon Web Services (AWS), and their encrypted TLS connections are terminated on AWS Elastic Load Balancers (ELBs) using OpenSSL. Until April 8, when Amazon resolved the bug in AWS, those ELBs used a version of OpenSSL vulnerable to the Heartbleed attack.
Click to expand...

...continue reading.

Concerning Sync ..."Neither the account server nor a potential attacker could have learned the password or the encryption key that protects Sync data."

iammike · Apr 11, 2014

The guy responsible for the Heartbleed bug "confessed"

The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake.
Click to expand...

-www.pcpro.co.uk/news/388162/heartbleed-coder-bug-in-openssl-was-an-honest-mistake-

TairikuOkami · Apr 11, 2014

Sure and everyone, who reviewed it missed it as well, why bother validating a variable, it is only SSL, just submit it?! Snowden anyone, ehm.

lotuseclat79 · Apr 11, 2014

Researchers find thousands of potential targets for Heartbleed OpenSSL bug
at: http://arstechnica.com/security/201...potential-targets-for-heartbleed-openssl-bug/

-- Tom

iammike · Apr 11, 2014

This thread has so many links that it will take days before I have read them all

Page42 · Apr 11, 2014

I have not received a single request/instruction to change a password... valid or otherwise.
Has anyone else?

SirDrexl · Apr 11, 2014

hqsec said: ↑

Good advice . I didn't start to change my passwords yet, but will surely use this trick when I get to it.

hqsec
Click to expand...

Another thing I've been doing is, when I find that a site wasn't affected (like PayPal), I'll change something in the entry (like in the notes section) so KeePass registers it as changed. If you can't find anything you want to change, just delete a character, click OK and then type it in again; that will be enough for KeePass to give it a new modification time.

Page42 · Apr 11, 2014

SirDrexl said: ↑

Another thing I've been doing is, when I find that a site wasn't affected (like PayPal), I'll change something in the entry (like in the notes section) so KeePass registers it as changed. If you can't find anything you want to change, just delete a character, click OK and then type it in again; that will be enough for KeePass to give it a new modification time.
Click to expand...

Very smart.

BoerenkoolMetWorst · Apr 11, 2014

Palancar said: ↑

AirVpn official response:
...
Kind regards
Click to expand...

AirVPN has a major systems upgrade planned for Sunday:

Hello!

We're glad to inform you that a major system upgrade will take place during Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC
This upgrade has a triple, important purpose: close any possible exploitation chance, regardless of how unlikely it could be, deriving from past "Heartbleed" vulnerability, bring AirVPN in an even higher security environment and open the road for an important new feature of the service: 3 simultaneous connections per account on different servers (details will be provided soon after the major upgrade which takes precedence).

The upgrade in details

switch to 4096 bit size RSA and DH keys

implementation of additional OpenVPN TLS-Auth layer

re-generation of certificates and keys

general optimization

During the upgrade all the VPN clients will be forcefully disconnected and will not be able to reconnect. The upgrade will take approximately 30 minutes.

Disconnections will occur on all servers from-to:
Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC

that is:

Sunday, 13 April 2014, 14:00:00 - Sunday, 13 April 2014, 15:00:00 PDT
Sunday, 13 April 2014, 16:00:00 - Sunday, 13 April 2014, 17:00:00 CDT
Sunday, 13 April 2014, 17:00:00 - Sunday, 13 April 2014, 18:00:00 EDT
Sunday, 13 April 2014, 23:00:00 - Monday, 14 April 2014, 00:00:00 CEST
Monday, 14 April 2014, 06:00:00 - Monday, 14 April 2014, 07:00:00 JST

Click here to find your town: http://www.timeandda...T23&p1=215&ah=1

Mandatory actions

After the upgrade, customers running the Air client for Windows will need to shut down and restart the Air client. It is assumed that customers have already downloaded the new package for Windows which includes OpenVPN with non-vulnerable OpenSSL, available here https://airvpn.org/windows and installed the new OpenVPN version.

Customers running any other OpenVPN wrapper or OpenVPN will need to re-download configuration, certificates and keys files.

Additional information for customers running manually configured wrappers:

the "TLS-Cipher" or equivalent name in your configuration becomes: TLS-DHE-RSA-WITH-AES-256-CBC-SHA

in Tomato, DD-WRT, pfSense, Fritz!Box etc., the client certificate, the server certificate, the client key and the TLS key must be pasted again (after they have been generated and downloaded from the Configuration Generator as usual) in the appropriate fields of your configuration

Please do not hesitate to contact us for any further information.

Kind regards
AirVPN Staff
Click to expand...

Minimalist · Apr 11, 2014

Nice comic explanation of this bug:
http://www.f-secure.com/weblog/archives/00002696.html

hqsec

Log in or Sign up

Heartbleed: Serious OpenSSL zero day vulnerability revealed

Dermot7 Registered Member

Page42 Registered Member

SirDrexl Registered Member

Page42 Registered Member

siljaline Registered Member

Minimalist Registered Member

BoerenkoolMetWorst Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

CloneRanger Registered Member

Dermot7 Registered Member

siljaline Registered Member

Dermot7 Registered Member

ronjor Global Moderator

chachazz Updates Team

iammike Registered Member

TairikuOkami Registered Member

lotuseclat79 Registered Member

iammike Registered Member

Page42 Registered Member

SirDrexl Registered Member

Page42 Registered Member

BoerenkoolMetWorst Registered Member

Minimalist Registered Member

Log in or Sign up

Heartbleed: Serious OpenSSL zero day vulnerability revealed

Dermot7 Registered Member

Page42 Registered Member

SirDrexl Registered Member

Page42 Registered Member

siljaline Registered Member

Minimalist Registered Member

BoerenkoolMetWorst Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

CloneRanger Registered Member

Dermot7 Registered Member

siljaline Registered Member

Dermot7 Registered Member

ronjor Global Moderator

chachazz Updates Team

iammike Registered Member

TairikuOkami Registered Member

lotuseclat79 Registered Member

iammike Registered Member

Page42 Registered Member

SirDrexl Registered Member

Page42 Registered Member

BoerenkoolMetWorst Registered Member

Minimalist Registered Member

Useful Searches