Hi All,

The Heartbleed Bug is just that: a coding failure in the implementation of the OpenSSL library that ships with most, if not all, Linux OSes. Any software that says it can "remove" the bug is a little on the bogus side as well; you need the OpenSSL library for both client access and server access, meaning it is needed on both the client, for it to start the OpenSSL session, and the server, for it to know what to do with the SSL certificates. OK, so what exactly is the risk?
Well: OpenSSL has a built-in heartbeat command, so the client says to the server "Dude, you still there? Say potato (6 letters)" and the server responds with "potato", all fine and dandy. However, if the user, now evil, says "Dude, you still there? Say hat (500 letters)", the server will respond with "hat" and then 470 letters from RAM. If you are a lucky sod, that may include a username and password that was securely shipped to the server using an SSL session. See: http://www.centosblog.com/xkcd-explanation-openssl-heartbleed-vulnerability/

So what is our risk profile? I would say that it is limited.

1) We do not know how many times this has been exploited.
2) We do not know how many username/password combos were got via this means.

The risk is quite low; you would have to be very lucky to grab a decent amount of passwords (not saying it is impossible), but there you go. I would recommend, and indeed my recommendation to my users here at work is, changing your online passwords.

Ironically, for once Microsoft is not at risk of this, as they do not use an implementation of OpenSSL.

----- Original Message -----
From: Brian Smith
Sent: 04/30/14 05:11 PM
To: Peterborough LUG - No commercial posts
Subject: Re: [Peterboro] Hi everyone

1. I read that the exploitation was discovered/created/exploited by a benign hacker, i.e. someone who did it to draw attention and not to use it.
2. I also read that it was a real vulnerability and that, although banks, etc., would patch pretty quickly, there was a slim chance someone could have got your credentials. The advice was to change all passwords immediately and then change them again after a couple of weeks, just in case.
3. Lastly, I logged into First Direct Bank and they are displaying a notice which says, "Don't worry. There's no risk. You're safe".

So take your pick.
Brian

Sent from my iPhone

On 29 Apr 2014, at 18:23, gary smith < gazwebdes...@msn.com > wrote:

I have just been reading about the Heartbleed Bug, and the reports say open source programs can be vulnerable and that some operating system distributions have shipped with potentially vulnerable OpenSSL versions:

* Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
* Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
* CentOS 6.5, OpenSSL 1.0.1e-15
* Fedora 18, OpenSSL 1.0.1e-4
* OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
* FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
* NetBSD 5.0.2 (OpenSSL 1.0.1e)
* OpenSUSE 12.2 (OpenSSL 1.0.1c)

I have also seen adverts saying Heartbleed Bug removal software is available. Has anyone had any dealings with this problem, or is it scaremongering?

Gary Smith

_______________________________________________
Peterboro mailing list
Peterboro@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/peterboro
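The "say hat (500 letters)" over-read described in the first message above, as an added C example that is not from the original thread and is not OpenSSL's own code. It is a simplified model of a TLS heartbeat handler using the RFC 6520 layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding): the trusting version that copies whatever length the peer declares sits beside the fixed version that applies the length check OpenSSL 1.0.1g introduced. The flat "server memory" buffer, the offset of the adjacent data and the credential string "user=alice&pass=hunter2" are all constructed for the demo.

```c
/* Added example: simplified model of a TLS heartbeat handler (RFC 6520),
 * NOT OpenSSL's code. Layout: type(1) | payload_len(2, BE) | payload | padding(>=16).
 * "Server memory" is one flat constructed buffer so every read is well-defined C. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PADDING   16
#define MEM_SIZE  128
#define SECRET_AT 64   /* constructed: other data sits right after the received record */

/* Build a heartbeat request whose length field may disagree with the real payload. */
static size_t build_heartbeat(unsigned char *rec, const char *payload, uint16_t claimed)
{
    size_t actual = strlen(payload);
    rec[0] = 1;                                   /* TLS1_HB_REQUEST */
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, PADDING);
    return 3 + actual + PADDING;                  /* bytes actually received */
}

/* Vulnerable handler: trusts the peer's length field and never consults rec_len. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp, size_t resp_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                /* the bug: received length ignored */
    if ((size_t)3 + payload + PADDING > resp_cap) return 0;
    resp[0] = 2;                                  /* TLS1_HB_RESPONSE */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);           /* copies past the end of the record */
    return 3 + payload;
}

/* Fixed handler: declared payload plus padding must fit inside what was received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + PADDING) return 0;      /* too short: silently discard */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + PADDING > rec_len) return 0;  /* the 1.0.1g check */
    if ((size_t)3 + payload + PADDING > resp_cap) return 0;
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return 3 + payload;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Run one heartbeat against a constructed server memory image.
 * Returns 2 if the response contains the secret, 1 if it is an honest echo,
 * 0 if the request was discarded. */
int run_heartbeat(int use_fixed, const char *payload, uint16_t claimed)
{
    unsigned char mem[MEM_SIZE] = {0};
    const char *secret = "user=alice&pass=hunter2";   /* constructed, not real */
    memcpy(mem + SECRET_AT, secret, strlen(secret));
    size_t rec_len = build_heartbeat(mem, payload, claimed);
    unsigned char resp[256];
    size_t n = use_fixed ? heartbeat_fixed(mem, rec_len, resp, sizeof resp)
                         : heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    if (n == 0) return 0;
    if (contains(resp, n, "hunter2")) return 2;
    return (n - 3 >= strlen(payload) &&
            memcmp(resp + 3, payload, strlen(payload)) == 0) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, honest 'potato'/6 -> %d\n", run_heartbeat(0, "potato", 6));
    printf("vulnerable, evil   'hat'/100  -> %d\n", run_heartbeat(0, "hat", 100));
    printf("fixed,      evil   'hat'/100  -> %d\n", run_heartbeat(1, "hat", 100));
    printf("fixed,      honest 'potato'/6 -> %d\n", run_heartbeat(1, "potato", 6));
    return 0;
}
```

The honest "potato" request is answered identically by both handlers; the request that says "hat" but claims 100 bytes makes the vulnerable handler copy 100 bytes starting at the payload, which runs off the end of the 22-byte record and into the constructed credential, while the fixed handler sees that 1 + 2 + 100 + 16 exceeds the 22 bytes actually received and drops the request without answering, which is exactly what the real fix does.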