Hella scary OpenSSL Vulnerability

AliExpress | MightyApe | Amazon Prime | Amazon Fire TV | Amazon (Kindle, books, electronics)

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › IT Pro and developers › Hella scary OpenSSL Vulnerability

ubergeeknz

Fully Operational
3304 posts

Uber Geek
+1 received by user: 1072

Trusted

Vocus

Subscriber

Topic # 143260 8-Apr-2014 14:09

"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Think about this - silent theft of private keys. The implications on being able to trust SSL certs are huge even after this vuln is patched.

Links: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

http://threatpost.com/openssl-fixes-tls-vulnerability/105300

http://www.openssl.org/news/vulnerabilities.html#2014-0160

muppet

1806 posts

Uber Geek
+1 received by user: 562

Trusted

Reply # 1020653 8-Apr-2014 14:24

2 people support this post

Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

Lias

2657 posts

Uber Geek
+1 received by user: 1332

Subscriber

Reply # 1020664 8-Apr-2014 14:31

3 people support this post

If you assume that at least one malicious state actor (Russia, USA, China) has has access to this for some time, it becomes utterly terrifying.

Information wants to be free.
The Net interprets censorship as damage and routes around it.

hio77

'That VDSL Cat'
6155 posts

Uber Geek
+1 received by user: 1153

Trusted

Spark

Subscriber

Reply # 1020710 8-Apr-2014 14:58

not the best news... yay for spending the day updating and checking machines!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Noodles

457 posts

Ultimate Geek
+1 received by user: 83

Reply # 1020742 8-Apr-2014 15:54

2 people support this post

Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

ubergeeknz

Fully Operational
3304 posts

Uber Geek
+1 received by user: 1072

Trusted

Vocus

Subscriber

Reply # 1020747 8-Apr-2014 15:59

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

Seems to be slammed though

hio77

'That VDSL Cat'
6155 posts

Uber Geek
+1 received by user: 1153

Trusted

Spark

Subscriber

Reply # 1020751 8-Apr-2014 16:06

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

handy tool, as assumed, all clear on my machines!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

wasabi2k

2090 posts

Uber Geek
+1 received by user: 848

Reply # 1020755 8-Apr-2014 16:16

Only affects OpenSSL 1.01 -> 1.01f

Anyone running Netscalers - they are running 0.9.7b.

rphenix

777 posts

Ultimate Geek
+1 received by user: 31

Subscriber

Reply # 1020792 8-Apr-2014 17:13

muppet: Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

+1 to that. Spent most of this afternoon updating systems.

Lias

2657 posts

Uber Geek
+1 received by user: 1332

Subscriber

Reply # 1021040 9-Apr-2014 09:49

2 people support this post

Ouch.. Just checked the websites of the various financial institutes I have accounts with.. 2 out of 6 are vulnerable.

Information wants to be free.
The Net interprets censorship as damage and routes around it.

lchiu7

4638 posts

Uber Geek
+1 received by user: 68

Trusted

Reply # 1021186 9-Apr-2014 13:33

I'm guessing if Google found it then most of the Google servers are okay!

System One: Popcorn Hour A200, PS3 SuperSlim, NPVR running on Gigabyte Brix, Sony BDP-S390 BD player, Logitech Revue, Pioneer AVR, Panasonic 60" 3D plasma

System Two: Popcorn Hour A200 , Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Toshiba HD-A2 HD-DVD player, Roku XS media player

Check out my blog at lchiu.blogspot.com

nathan

4927 posts

Uber Geek
+1 received by user: 1312

Trusted

Microsoft

Reply # 1022181 9-Apr-2014 13:59

2 people support this post

you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

freitasm

BDFL - Memuneh
58317 posts

Uber Geek
+1 received by user: 9762

Administrator

Trusted

Geekzone

Subscriber

Reply # 1022184 9-Apr-2014 14:06

You can also use https://www.ssllabs.com/ssltest/ to test.

Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure)

Lias

2657 posts

Uber Geek
+1 received by user: 1332

Subscriber

Reply # 1022294 9-Apr-2014 17:23

nathan: you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

And assume all your users need to change passwords just to be safe.

Information wants to be free.
The Net interprets censorship as damage and routes around it.

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow @geekzonenzforum

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow @geekz1

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

Follow @geekzoneprices

News »

Nothing nebulous about Microsoft’s cloud-transition
Posted 21-Jul-2017 15:34

We’re spending more on tech, but not as much as Australians
Posted 21-Jul-2017 11:43

Endace announces EndaceFabric for network-wide packet recording
Posted 20-Jul-2017 20:49

Acorn 6: MacOS image editing for the rest of us
Posted 20-Jul-2017 17:04

HTC faces backlash over keyboard pop-up ads
Posted 19-Jul-2017 15:53

BNZ adds Visa credit cards to Android Pay wallet
Posted 18-Jul-2017 19:44

Still living in a Notification hell – Om Malik
Posted 18-Jul-2017 13:00

Duet Display uses iPad to extend Mac, PC
Posted 18-Jul-2017 10:58

PC sales could be worse
Posted 17-Jul-2017 07:34

Crypto-currencies, tulips, market bubbles
Posted 17-Jul-2017 06:38

NZ Tech Podcast: Big batteries, solar cars, cold war, IoT
Posted 16-Jul-2017 16:53

Vodafone Australia mulls Wisp alliance, NZ implications
Posted 13-Jul-2017 16:49

Rural health professionals see fibre pay-off
Posted 13-Jul-2017 11:52

Vodafone announces expansion of $5 Daily Roaming
Posted 13-Jul-2017 10:20

Intel unveils powerful Intel Xeon Scalable processors
Posted 12-Jul-2017 20:41

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.

RSS feeds: Main feed; Forums feed; All RSS feeds

Site features: Geekzone Mobile; Geekzone Badges; Geekzone Slack channel; Geekzone on Twitter; Geekzone Dashboard

Geekzone offers: Amazon orders (Kindle, books, everything); MightyApe orders; Payoneer card

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising on Geekzone; Trademark and copyright