Heartbleed (you NEED to read this)

Crion

A critical flaw was uncovered in OpenSSL. The exploit affects only specific versions of the OpenSSL package and was uncovered by researchers at Google. Apparently, vendor Cloudflare jumped the gun on revealing the details and now vendors are scrambling to patch the code. Thanks, Cloudflare, for single-handedly screwing over the entire internet! :angry:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

Current Rig
AMD Ryzen 5900X - Asus ROG Strix X570-E Gaming WiFi 2 - 32 GB GSkill TridentZ RGB
GeForce RTX 3080 - WD Black SN850 1TB  - Lian Li O11 Dynamic XL

Thanks, Cloudflare, for single-handedly screwing over the entire internet! :angry:

Well at least they're trying to fix it...

.

Thanks, Cloudflare, for single-handedly screwing over the entire internet! :angry:

Yeah they should apologize for trying to get a huge flaw patched.

I am a happy wuffy

Wait a moment, I'm going to wear my tinfoil hat.

Never mind, there is an update already: openssl-1.0.1.g-1

Signatures are stupid.

ahh crap

I guess I'll stop doing any finance over the net for the short term

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.

You guys are missing what happened. Red Hat, SuSE, Canonical (aka Ubuntu) were in the process of patching thanks to the report from Google researchers. Standard practice on exploits like this is to report to the companies first so patches can be made available. Once patches are done and released, then a public announcement about the details of the exploit comes out. Cloudflare publicly announced the details before patches were out, which forced everyone to scramble last night. Patches should be already out for most as of this post.

Current Rig
AMD Ryzen 5900X - Asus ROG Strix X570-E Gaming WiFi 2 - 32 GB GSkill TridentZ RGB
GeForce RTX 3080 - WD Black SN850 1TB  - Lian Li O11 Dynamic XL

Well at least it's patched quickly unlike some security holes that have been present in software and services since 2005.

#!

Earlier this week, researchers discovered a major flaw in OpenSSL, an open source encryption technology that's utilized by an estimated two-thirds of the world's websites. They're calling it "Heartbleed."

HeartBleed, a major OpenSSL security flaw, has been uncovered. Hackers can (and probably have) access server information, such as credit card numbers, passwords, and other personal info.

Cybercriminals can comb through a server's memory and pluck sensitive user data, including usernames, passwords, credit card numbers, and more.
Hackers can also exploit the vulnerability to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users, according to Heartbleed.com, a special website built by Finnish security firm Codenomicon. The website is intended to answer questions about the vulnerability.

Theories I've heard say this is the NSA's doing, but I'm skeptical; what would they want with our credit cards?

The good news here is that an updated version of OpenSSL plugs up the security hole. However, not all websites know about the patch, nor are some of them informed about Heartbleed.

Password changes are recommended, but wait until the site is safe.

Watch your credit transactions too; no one died from being too careful.

Comments? Thoughts?

I've heard about this. This needs to get patched really quickly...

Setup: i5 4670k @ 4.2 Ghz, Corsair H100i Cooler, Corsair Vengeance Pro 16GB Ram @ 1600 Mhz, MSI Z87-GD65 Motherboard, Corsair GS700 2013 edition PSU, MSI GTX 770 Lightning, Samsung EVO 120 SSD + 2TB&1TB Seagate Barracudas, BenQ XL2411T Monitor, Sennheiser HD 598 Headphones + AntLion ModMic 4.0

I've heard about this. This needs to get patched really quickly...

It did, 2 days ago.

Signatures are stupid.

This sort of thing happens all the time. Some folks just don't learn; some learn very quickly and adapt.

It did, 2 days ago.

damn son that was quick

Setup: i5 4670k @ 4.2 Ghz, Corsair H100i Cooler, Corsair Vengeance Pro 16GB Ram @ 1600 Mhz, MSI Z87-GD65 Motherboard, Corsair GS700 2013 edition PSU, MSI GTX 770 Lightning, Samsung EVO 120 SSD + 2TB&1TB Seagate Barracudas, BenQ XL2411T Monitor, Sennheiser HD 598 Headphones + AntLion ModMic 4.0

If I am right in remembering, it only affects a 64KB block of memory that "may" hold information about whatever you are doing. Safe to say that this bug is going to be around for at least 10 years.

Intel I9-9900k (5Ghz) Asus ROG Maximus XI Formula | Corsair Vengeance 16GB DDR4-4133mhz | ASUS ROG Strix 2080Ti | EVGA Supernova G2 1050w 80+Gold | Samsung 950 Pro M.2 (512GB) + (1TB) | Full EK custom water loop |IN-WIN S-Frame (No. 263/500)

It's been patched and it was mainly Yahoo-related sites such as Yahoo.com, Tumblr, etc. that were affected.

No need to update the topic, it's dead  :unsure:

Might not be, up to the mods

If I am right in remembering, it only affects a 64KB block of memory that "may" hold information about whatever you are doing. Safe to say that this bug is going to be around for at least 10 years.

It's already been patched, and this was actually extremely serious. It made it very easy to get the X.509 cert secret keys, which you can use to make any computer think you are the server it's trying to communicate with, or vice versa. In short, this bug made encryption on the internet with OpenSSL (most of the internet) completely useless and it's basically impossible to tell if you have been hacked this way.

It's been patched and it was mainly Yahoo-related sites such as Yahoo.com, Tumblr, etc. that were affected.

It was anyone using OpenSSL 1.0.1. That's a lot of people. 70% of the internet runs on some version of OpenSSL. Anyone hosting with Amazon Web Services, including Amazon themselves, was vulnerable. GitHub was vulnerable. Facebook was probably vulnerable, though they haven't released a statement. This was the worst OpenSSL bug in years, and one of the worst things about it is that there is virtually no way to tell if you were or weren't hacked with it. The ONLY way to be safe is to revoke all secret keys and reissue them, revoke all sessions, redo all of your SSL certs, and update everything. And even then that only protects you going forward; there is no way to tell what or how much data has already been compromised.

In short, this was a bad bad day. 

It's already been patched, and this was actually extremely serious. It made it very easy to get the X.509 cert secret keys, which you can use to make any computer think you are the server it's trying to communicate with, or vice versa. In short, this bug made encryption on the internet with OpenSSL (most of the internet) completely useless and it's basically impossible to tell if you have been hacked this way.

It may already be patched, but everyone's home routers may need patching and I doubt that's going to be done quickly. Also, companies will need to repay to get new certs after patching, so like I said, it may be fixed but it will be a long time before everyone has bothered to implement the fix.

Intel I9-9900k (5Ghz) Asus ROG Maximus XI Formula | Corsair Vengeance 16GB DDR4-4133mhz | ASUS ROG Strix 2080Ti | EVGA Supernova G2 1050w 80+Gold | Samsung 950 Pro M.2 (512GB) + (1TB) | Full EK custom water loop |IN-WIN S-Frame (No. 263/500)

The worst thing about this bug is the work involved in making sure there is no lasting damage to your system. Applying the patch doesn't fix the problem outright because if a hacker managed to get an SSH key before the patch they could more or less have their way with a server.

At work, after installing the new version of OpenSSL on our servers, we changed about 50 SSH keys and did a mandatory password update for everyone in the office. We're revoking our old SSL certs as well, which is another pain in the butt.

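An added example, not code from any poster in this thread: it turns the cleanup described in the posts above (upgrade, then replace keys and certificates, then rotate credentials) into a per-host triage. The inventory fields, host names and dates are constructed; the affected range (upstream 1.0.1 through 1.0.1f, plus 1.0.2-beta1) follows the OpenSSL advisory linked later in the thread.

```python
import re
from datetime import date
# Upstream releases with the Heartbleed bug: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g carries the fix; the 0.9.8 and 1.0.0 branches never had the bug.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.?([a-z]*)(?:-(beta\d+))?")

def is_vulnerable(version_string):
    """Classify an upstream version string, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.
    Distribution packages may backport the fix without changing the letter,
    so for those the vendor advisory decides, not this check."""
    m = _VERSION.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version in %r" % version_string)
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        return letter < "g"        # "", "a" .. "f" are affected
    if branch == (1, 0, 2):
        return beta == "beta1"
    return False

def triage(host):
    """Return the ordered remediation steps for one inventory record."""
    if not is_vulnerable(host["ran_version"]):
        return []
    steps, patched = [], host["patched_on"]
    if patched is None:
        steps.append("upgrade OpenSSL to a fixed build and restart services")
    # A key loaded by a vulnerable build may already have leaked; patching does
    # not undo that, so any certificate issued up to the patch date is replaced.
    if patched is None or host["cert_not_before"] <= patched:
        steps.append("generate a new key, reissue the certificate, revoke the old one")
    steps.append("invalidate sessions, rotate passwords and SSH keys")
    return steps

# Constructed sample inventory (hypothetical hosts and dates);
# ran_version is the build the host ran before any fix was applied.
INVENTORY = [
    {"name": "web1", "ran_version": "OpenSSL 1.0.1e 11 Feb 2013",
     "patched_on": date(2014, 4, 8), "cert_not_before": date(2013, 9, 1)},
    {"name": "web2", "ran_version": "OpenSSL 1.0.1f 6 Jan 2014",
     "patched_on": None, "cert_not_before": date(2014, 1, 15)},
    {"name": "web3", "ran_version": "OpenSSL 1.0.1c",
     "patched_on": date(2014, 4, 8), "cert_not_before": date(2014, 4, 10)},
    {"name": "legacy", "ran_version": "OpenSSL 0.9.8y 5 Feb 2013",
     "patched_on": None, "cert_not_before": date(2012, 3, 3)},
]
if __name__ == "__main__":
    for host in INVENTORY:
        print(host["name"], triage(host) or ["no Heartbleed action"])
```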

What I thought was scary is that if you use PayPal and check the SSL security with the checker that NCIX provided, they failed, and Amazon got a B. The way I look at it is like this: if you haven't gone to the website in a couple of weeks, don't until you know it's safe. If you have, go back and delete your card off of it, but make sure you use a VPN while doing it. I'm not that worried about Amazon because card data on my account isn't accessed until I make a purchase. While I have bought 2 things in the past week, I was using a VPN; don't know if it helps, but it might.

its GE (pause) TechNicks

my rig plus everything i have bought for it http://pcpartpicker.com/p/30sNV

The funny thing is yahoo.com and mail.yahoo.com aren't patched yet, so I can but imagine that thousands of people's emails have been hacked into in the past three days....

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

A security bug has been discovered; most SSL/HTTPS communication has been affected.

A test for your own server: http://filippo.io/Heartbleed/

 

Source: https://www.openssl.org/news/secadv_20140407.txt

http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet

i am not a native speaker of the english language

My Rig: CPU: i7-3770k@Stock | Ram: 3x4GB@1600Mhz | Graka: 660TI@Stock | Storage: 250GB 840Evo, 1x1TB,2x2TB,2x640GB,1x500GB (JBOD) + NAS: DLINK DNS-320 2x3TB Raid1