It seems an extraordinarily basic flaw in something which is supposed to secure 
banking, trade, etc.

It's like a prisoner saying "open the gate" and it doesn't. Then "open the gate 
please" and it does !!!!

Brian

Sent from my iPhone

> On 30 Apr 2014, at 17:23, "Steve Harker" <shar...@gmx.com> wrote:
> 
> Hi All, 
>  
> The Heartbleed Bug is just that: it is a coding failure in the implementation 
> of the OpenSSL lib that ships with most if not all Linux OS's. Any software 
> that says it can "remove" the bug is a little on the bogus side as well, as you 
> need the OpenSSL lib for both Client access and Server access, meaning it is 
> needed on both the client for it to start the openSSL session and the Server 
> for it to know what to do with the SSL certificates. OK so what exactly is 
> the risk?
>  
> Well: 
>  
> OpenSSL has a built-in heartbeat command, so the client says to the server 
> "Dude, you still there? Say Potato (6 letters)" and the server responds with potato, 
> all fine and dandy. However, if the user, now evil, says "Dude, you still there? 
> Say hat (500 letters)" the server will respond with hat and then 470 letters 
> from RAM. If you are a lucky sod that may include a username and password that 
> was securely shipped to the server using an SSL session. 
>  
> see: 
> http://www.centosblog.com/xkcd-explanation-openssl-heartbleed-vulnerability/
>  
> So what is our risk profile? 
>  
> I would say that it is limited.
> 1) We do not know how many times this has been exploited 
> 2) We do not know how many username/password combos were got via this means 
>  
> The risk is quite low; you would have to be very lucky to grab a decent 
> amount of passwords (not saying it is impossible), but there you go. I would, 
> and indeed my recommendation to my users here at work is to, recommend changing your 
> online passwords. 
>  
> Ironically for once Microsoft is not at risk of this as they do not use an 
> implementation of OpenSSL 
>  
>  
>> ----- Original Message -----
>> From: Brian Smith
>> Sent: 04/30/14 05:11 PM
>> To: Peterborough LUG - No commercial posts
>> Subject: Re: [Peterboro] Hi eveyone
>>  
>> 1. I read that the exploitation was discovered/created/exploited by a benign 
>> hacker, i.e. someone who did it to draw attention and not to use it. 
>>  
>> 2. I also read that it was a real vulnerability and that, although banks, 
>> etc., would patch pretty quickly, there was a slim chance someone could have 
>> got your credentials. The advice was to change all passwords immediately and 
>> then change them again after a couple of weeks just in case. 
>>  
>> 3. Lastly, I logged into First Direct Bank and they are displaying a notice 
>> which says, "Don't worry. There's no risk. You're safe".
>>  
>> So take your pick.
>>  
>> Brian 
>>  
>> 
>> Sent from my iPhone
>> 
>>> On 29 Apr 2014, at 18:23, gary smith <gazwebdes...@msn.com> wrote:
>>>  
>>> I have just been reading about the Heartbleed Bug, and the report 
>>> says open source programs can be vulnerable and that some operating 
>>> system distributions have shipped with a potentially vulnerable OpenSSL 
>>> version:
>>> Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
>>> Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
>>> CentOS 6.5, OpenSSL 1.0.1e-15
>>> Fedora 18, OpenSSL 1.0.1e-4
>>> OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 
>>> 2012)
>>> FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
>>> NetBSD 5.0.2 (OpenSSL 1.0.1e)
>>> OpenSUSE 12.2 (OpenSSL 1.0.1c).
>>> I have also seen adverts saying Heartbleed Bug removal software is available.
>>> Has anyone had any dealings with this problem, or is it scaremongering?
>>> Gary Smith
>>> _______________________________________________
>>> Peterboro mailing list
>>> Peterboro@mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/peterboro
>  
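The heartbeat flaw Steve describes above, modelled as an added C example (not code from this thread or from OpenSSL itself): a toy request handler with the missing length check beside the checked version, run over a constructed record that declares a longer payload than it actually carries.

```c
/* Added example (not from the thread): toy model of the heartbeat handler
 * described above. Record = 1 type byte, 2-byte big-endian payload length,
 * payload, 16 bytes padding. The fix checks the declared length against
 * the bytes actually received, which is what the OpenSSL patch added. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PADDING 16

/* Vulnerable: trusts the declared length, so the reply carries whatever
 * sits in memory after the real payload. rec_len is never consulted. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    (void)rec_len;                      /* the bug: received length ignored */
    if (rec[0] != 1) return -1;         /* 1 = heartbeat_request */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) return -1;  /* only the reply buffer is guarded */
    memcpy(out, rec + 3, declared);     /* reads past the real payload */
    return (int)declared;
}

/* Fixed: discard any request whose declared payload does not fit inside
 * the record actually received (1 + 2 + payload + 16 <= rec_len). */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING || rec[0] != 1) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + declared + PADDING > rec_len || declared > out_cap) return -1;
    memcpy(out, rec + 3, declared);
    return (int)declared;
}

/* Constructed "process memory": a request whose real payload is the 6 bytes
 * "Potato" but which declares 36, followed by data nobody should ever see. */
static const uint8_t memory[] = "\x01\x00\x24" "Potato"
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" "secret=hunter2";
static const size_t record_len = 1 + 2 + 6 + PADDING;

/* 1 if the vulnerable reply contains the secret that sat after the record. */
int vulnerable_leaks_secret(void) {
    uint8_t out[64] = {0};
    int n = heartbeat_vulnerable(memory, record_len, out, sizeof out);
    return n == 36 && memcmp(out + 6 + PADDING, "secret=hunter2", 14) == 0;
}

/* The fixed handler on the same record: -1, the request is discarded. */
int fixed_rejects(void) {
    uint8_t out[64];
    return heartbeat_fixed(memory, record_len, out, sizeof out);
}
```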