Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersHella scary OpenSSL Vulnerability
ubergeeknz

3344 posts

Uber Geek

Trusted
Vocus

#143260 8-Apr-2014 14:09
Send private message

"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Think about this - silent theft of private keys.  The implications on being able to trust SSL certs are huge even after this vuln is patched.

Links: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

http://threatpost.com/openssl-fixes-tls-vulnerability/105300

http://www.openssl.org/news/vulnerabilities.html#2014-0160

Create new topic
muppet
2322 posts

Uber Geek

Trusted

  #1020653 8-Apr-2014 14:24
Send private message

Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

Affiliate link
 
 
 

Affiliate link: Free kids accounts - trade shares and funds (NZ, US) with Sharesies.
Lias
4874 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1020664 8-Apr-2014 14:31
Send private message

If you assume that at least one malicious state actor (Russia, USA, China) has has access to this for some time, it becomes utterly terrifying.




I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.

hio77
'That VDSL Cat'
12970 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #1020710 8-Apr-2014 14:58
Send private message

not the best news... yay for spending the day updating and checking machines!




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 



Noodles
487 posts

Ultimate Geek


  #1020742 8-Apr-2014 15:54
Send private message

Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

ubergeeknz

3344 posts

Uber Geek

Trusted
Vocus

  #1020747 8-Apr-2014 15:59
Send private message

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/


Seems to be slammed though

hio77
'That VDSL Cat'
12970 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #1020751 8-Apr-2014 16:06
Send private message

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/


handy tool, as assumed, all clear on my machines!




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 

wasabi2k
2092 posts

Uber Geek


  #1020755 8-Apr-2014 16:16
Send private message

Only affects OpenSSL 1.01 -> 1.01f

Anyone running Netscalers - they are running 0.9.7b.



rphenix
956 posts

Ultimate Geek

Lifetime subscriber

  #1020792 8-Apr-2014 17:13
Send private message

muppet: Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

+1 to that.  Spent most of this afternoon updating systems.

Lias
4874 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1021040 9-Apr-2014 09:49
Send private message

Ouch.. Just checked the websites of the various financial institutes I have accounts with.. 2 out of 6 are vulnerable. 




I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.

lchiu7
5848 posts

Uber Geek

Trusted

  #1021186 9-Apr-2014 13:33
Send private message

I'm guessing if Google found it then most of the Google servers are okay!




Staying in Wellington. Check out my AirBnB in the Wellington CBD.  https://www.airbnb.co.nz/rooms/32019730  Mention GZ to get a 10% discount

 

System One:  PS3 SuperSlim, NPVR and Plex Server running on Intel NUC (C2D) (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Odroid C2 running Kodi and Plex, Panasonic 60" 3D plasma, Samsung Q80 Atmos soundbar. Google Chromecast, Google Chromecast TV

System Two: Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen, Denon AVRS730H 7.2 Channel Dolby Atmos/DTS-X AV Receiver, Samsung 4K player, Google Chromecast, Odroid C2 running Kodi and Plex

 

 

nathan
5695 posts

Uber Geek
Inactive user


  #1022181 9-Apr-2014 13:59
Send private message

you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

freitasm
BDFL - Memuneh
74136 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1022184 9-Apr-2014 14:06
Send private message

You can also use https://www.ssllabs.com/ssltest/ to test.




Support Geekzone by subscribing, making a donation. or using one of our referral links: Sharesies | Goodsync  | Mighty Ape | Backblaze | Norton 360 | Lenovo laptops 

 

freitasm on Keybase | My technology disclosure

 

 

 

 

 

 

Lias
4874 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1022294 9-Apr-2014 17:23
Send private message

nathan: you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH


And assume all your users need to change passwords just to be safe.




I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.

Create new topic





News and reviews »

Amazon to Acquire iRobot
Posted 6-Aug-2022 11:41

Samsung x LIFE Picture Collection Brings Iconic Moments in History to The Frame
Posted 4-Aug-2022 17:04

Norton Consumer Cyber Safety Pulse Report: Phishing for New Bait on Social Media
Posted 4-Aug-2022 16:50

Microsoft Announces New Solutions for Threat Intelligence and Attack Surface Management
Posted 3-Aug-2022 21:54

Seagate Addresses Hyperscale Workloads with Enterprise-Class Nytro SSDs
Posted 3-Aug-2022 21:50

Visa Launching Eco-friendly Payment Solutions in New Zealand
Posted 3-Aug-2022 21:48

NCR Delivers Services to Run Bank of New Zealand ATM Network
Posted 30-Jul-2022 11:06

New HP Portfolio Supports New Era of Hybrid Work
Posted 28-Jul-2022 17:14

Harman Kardon Launches Citation MultiBeam 1100 Soundbar
Posted 28-Jul-2022 17:10

Nanogirl Labs Launches Creator Project
Posted 28-Jul-2022 17:05

Marvel Snap Launches as an Action Collectible Card Game
Posted 26-Jul-2022 17:46

Jabra Talk 65 Review
Posted 26-Jul-2022 17:31

Huawei Watch D Review
Posted 26-Jul-2022 17:26

Huawei Introduces Watch Fit 2
Posted 14-Jul-2022 17:06

Huawei Launches Watch D in New Zealand
Posted 14-Jul-2022 17:05








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







Backblaze unlimited backup



RSS feeds
Main feed
Forums feed
Copyright
©2002-2022 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Slack
Geekzone on Twitter
Affiliate links
Mighty Ape
Sharesies
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.