Heartbleed - Please read

patracy · Apr 11, 2014

While it's not related to anything on this site. I just want you all to be informed.

http://mashable.com/2014/04/09/hear...l&utm_source=facebook.com&utm_campaign=buffer

Please read through it, even if you don't understand it. Check the list of sites. A green check mark on a site you use, please change your password on that site now.

This has been a friendly PSA from the button pushing monkey. :patracy:

Triple C · Apr 11, 2014

Thanks patracy, I read an article on this but couldn't tell by it if I needed to change passwords and if so which ones. This was very helpful and I appreciate you looking out for us! Thanks for all you do.

swbradley1 · Apr 11, 2014

For anyone interested I took a break from fly swatting and wanted to find the code snippet for myself.

Like reverse engineering a MS patch only with source code. It's in the t1_lib.c code.

OpenSSL-1.0.1-OpenSSL-1.0.1f
Bad Version
< /* Read type and payload length first */
< hbtype = *p++;
< n2s(p, payload);
< pl = p;
<
Didn't check for length in the bad version and if you asked for a heartbeat word like testing and told it that testing was 500 characters long the vulnerable server would give you 500 characters out of memory. You know, like personal information, SSNs, DL number, credit card or username and passwords. It was random. Hit the server over and over and you never know what kind of information the server would puke out. Cool.

OpenSSL-1.0.1g
Good Version
>
> /* Read type and payload length first */
xx if (1 + 2 + 16 > s->s3->rrec.length)
xx return 0; /* silently discard */
> hbtype = *p++;
> n2s(p, payload);
xx if (1 + 2 + payload + 16 > s->s3->rrec.length)
xx return 0; /* silently discard per RFC 6520 sec. 4 */
> pl = p;

(Note - The Xs indicate the checking added to fix it.)

Probably more than anyone but a c-coder would want to know but hey, it's my job.

Needless to say I've been a busy person since Monday.

patracy · Apr 12, 2014

And it appears this also effects routers, smartphones, and various other hardware.

Android smart phone check:
https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector

Robo McDuff · Apr 12, 2014

I saw this a few days ago and checked my bank sites etc.

Beware, this bug is a flaw in SECURE websites (banks, internet payments etc) laying it open for hackers and the NSA, so the one site you thought was safe is wide open. In clear text: if in your URL you see the HTTPS and the green color and the lock, its a secure site. If you only see the simple HTTP without lock or color, its unaffected.

Our SS site and normal blog sites are unsecured sites so are NOT affected by this bug; they are wide open anyway unless protected by a very dedicated webmaster!

Check it yourself with this site, fill in the SECURE url of your internet banking or amazon or whatever and see if it is ok or not. As to changing your password, only change passwords for secure sites that are ok. Changing your password for a site that is still wide open does not help much and can give a dedicated hacker info on how you construe passwords (like combination of birth dates or whatever) unless you are good at making random passwords without connection to your daily life.

Update-edit: not all secure sites use the green color but the lock is or should be there
Patracy, please correct me if I talk BS somewhere

Dieseljoe3 · Apr 12, 2014

Any horror stories out there yet about getting hacked because of this?

Robo McDuff · Apr 12, 2014

Start check your Android software, version 4.1 is vulnerable. And the NSA did know about it according some but not according their official press release.

Funny now that everybody is hyping about smart phones, mobile internet, cloud computing, cloud storing etc etc, more and more it becomes clear that these systems and technologies are much more vulnerable than the old fashioned simple phone with desktop. Once in a million year flaws (major downtime for google or twitter, major secure site bug) are happening with a frightening regularity.

swbradley1 · Apr 13, 2014

Well this is bad.

https://www.cloudflarechallenge.com/heartbleed

patracy · Apr 13, 2014

swbradley1 said:
Well this is bad.

https://www.cloudflarechallenge.com/heartbleed

And to give people a background on this. This was a site setup with the OpenSSL to see who could break it.

Obviously it's been broken, within a day. :shock:

https://gist.github.com/steakknife/10558819

Robo McDuff · Apr 13, 2014

swbradley1 said:
Well this is bad.

https://www.cloudflarechallenge.com/heartbleed

Link does not work

zout · Apr 13, 2014

Thanks PT - have no clue what everyone else posted as far as those computer terms but it doesn't look good so I went to the site you posted up and recognize some of those sites.
Seeing as we all communicate through these computers would it be a bad idea just to have a separate thread/forum link for computer security to help an idiot like me ??

Again thanks for the heads up on stuff like this as you folks are on the cutting edge of it every day - folks like me without hearing about it are on the receiving end of it.

patracy · Apr 13, 2014

Robo McDuff said:
Link does not work

It should not, but does for some.

Heartbleed - Please read

More options

patracy

Administrator

Triple C

New member

swbradley1

Modertator

patracy

Administrator

Robo McDuff

In memorial Ron - 73M819

Dieseljoe3

New member

Robo McDuff

In memorial Ron - 73M819

swbradley1

Modertator

patracy

Administrator

Robo McDuff

In memorial Ron - 73M819

zout

Well-known member

patracy

Administrator