Hella scary OpenSSL Vulnerability

Sharesies | MightyApe | GoodSync | Backblaze backup

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › IT Pro and developers › Hella scary OpenSSL Vulnerability

ubergeeknz

3344 posts

Uber Geek

Trusted

Vocus

#143260 8-Apr-2014 14:09

"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Think about this - silent theft of private keys. The implications on being able to trust SSL certs are huge even after this vuln is patched.

Links: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

http://threatpost.com/openssl-fixes-tls-vulnerability/105300

http://www.openssl.org/news/vulnerabilities.html#2014-0160

muppet

2387 posts

Uber Geek

Trusted

#1020653 8-Apr-2014 14:24

Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

MyHeritage

Shop MyHeritage and uncover your origins and find new relatives with a simple DNA test. (affiliate link).

Lias

5226 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1020664 8-Apr-2014 14:31

If you assume that at least one malicious state actor (Russia, USA, China) has has access to this for some time, it becomes utterly terrifying.

I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.

hio77

'That VDSL Cat'
12982 posts

Uber Geek

ID Verified

Trusted

Voyager

Subscriber

#1020710 8-Apr-2014 14:58

not the best news... yay for spending the day updating and checking machines!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Noodles

487 posts

Ultimate Geek

#1020742 8-Apr-2014 15:54

Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

ubergeeknz

3344 posts

Uber Geek

Trusted

Vocus

#1020747 8-Apr-2014 15:59

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

Seems to be slammed though

hio77

'That VDSL Cat'
12982 posts

Uber Geek

ID Verified

Trusted

Voyager

Subscriber

#1020751 8-Apr-2014 16:06

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

handy tool, as assumed, all clear on my machines!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

wasabi2k

2092 posts

Uber Geek

#1020755 8-Apr-2014 16:16

Only affects OpenSSL 1.01 -> 1.01f

Anyone running Netscalers - they are running 0.9.7b.

rphenix

978 posts

Ultimate Geek

Lifetime subscriber

#1020792 8-Apr-2014 17:13

muppet: Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

+1 to that. Spent most of this afternoon updating systems.

Lias

5226 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1021040 9-Apr-2014 09:49

Ouch.. Just checked the websites of the various financial institutes I have accounts with.. 2 out of 6 are vulnerable.

lchiu7

6182 posts

Uber Geek

Trusted

#1021186 9-Apr-2014 13:33

I'm guessing if Google found it then most of the Google servers are okay!

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/rooms/32019730 Mention GZ to get a 10% discount

System One: PS3 SuperSlim, NPVR and Plex Server running on Intel NUC (C2D) (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Odroid C2 running Kodi and Plex, Panasonic 60" 3D plasma, Samsung Q80 Atmos soundbar. Google Chromecast, Google Chromecast TV

System Two: Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen, Denon AVRS730H 7.2 Channel Dolby Atmos/DTS-X AV Receiver, Samsung 4K player, Google Chromecast, Odroid C2 running Kodi and Plex

nathan

5695 posts

Uber Geek
Inactive user

#1022181 9-Apr-2014 13:59

you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

freitasm

BDFL - Memuneh
76349 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1022184 9-Apr-2014 14:06

You can also use https://www.ssllabs.com/ssltest/ to test.

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

Lias

5226 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1022294 9-Apr-2014 17:23

nathan: you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

And assume all your users need to change passwords just to be safe.

News and reviews »

Samsung Announces Galaxy AI
Posted 28-Nov-2023 14:48

Epson Launches EH-LS650 Ultra Short Throw Smart Streaming Laser Projector
Posted 28-Nov-2023 14:38

Fitbit Charge 6 ReviewÂ
Posted 27-Nov-2023 16:21

Cisco Launches New Research Highlighting Gap in Preparedness for AI
Posted 23-Nov-2023 15:50

Seagate Takes Block Storage System to New Heights Reaching 2.5 PB
Posted 23-Nov-2023 15:45

Seagate Nytro 4350 NVMe SSD Delivers Consistent Application Performance and High QoS to Data Centers
Posted 23-Nov-2023 15:38

Amazon Fire TV Stick 4k Max (2nd Generation) Review
Posted 14-Nov-2023 16:17

Over half of New Zealand adults surveyed concerned about AI shopping scams
Posted 3-Nov-2023 10:42

Super Mario Bros. Wonder Launches on Nintendo Switch
Posted 24-Oct-2023 10:56

Google Releases Nest WiFi Pro in New Zealand
Posted 24-Oct-2023 10:18

Amazon Introduces All-New Echo Pop in New Zealand
Posted 23-Oct-2023 19:49

HyperX Unveils Their First Webcam and Audio Mixer Plus
Posted 20-Oct-2023 11:47

Seagate Introduces Exos 24TB Hard Drives for Hyperscalers and Enterprise Data Centres
Posted 20-Oct-2023 11:43

Dyson Zone Noise-Cancelling Headphones Comes to New Zealand
Posted 20-Oct-2023 11:33

The OPPO Find N3 Launches Globally Available in New Zealand Mid-November
Posted 20-Oct-2023 11:06

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

RSS feeds: Main feed; Forums feed

Site features: Geekzone BI dashboard; Geekzone Badges

Affiliate links: Mighty Ape; Sharesies

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising; Trademark and copyright

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.