Post by mijewen on Apr 14, 2014 15:06:44 GMT
Folks, if you haven't heard about Heartbleed yet, google it. I don't know more than anybody else can read about it, but it seems that the writers of OpenSSL made a woopsie in their code. I use the Avast virus shield, so I initially went there, to see if they had automatically protected me - but it isn't that easy. Nefarious individuals could already have my details, like passwords, secure keys, etc, and will get around to using them as soon as they can.
You can read about it at ...
heartbleed.com/
Apparently, this bug has been about for a long time, and has been discovered, I believe, by the people who wrote the code (or other people, perhaps, but in the same company).
They say ...
------------------------
What leaks in practice?
We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
-----------------------
Now that the news is out, however, companies who use OpenSSL will no doubt be patching their code, but fraudsters will be working to catch any available data while they can - before everybody gets to applying the patch. It is also possible that undesirables had already tumbled to it before the news was made public, so could already have your details.
The advice is that if you dealt with any such site, that you should check that they have patched their OpenSSL, then change your password there. If you use the password anywhere else, then change it there too.
I have taken the day out to change all of my passwords on vulnerable sites. One I have found (and why I am writing about it here) is DueDil.
There is a test tool at ...
possible.lv/tools/hb/
When I tested DueDil, it said ...
-------------------------------
Looking for TLS extensions on www.duedil.com
ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Checking your certificate
Certificate is valid before 0day. <-- Your stuff may be compromised. Consider changing the certificate and passwords.
---------------------------------------
I also called Funding Circle about it, and they said that although they use OpenSSL, they are not affected by the bug ?!! Well, whether they were or not, it seems that they know about Heartbleed and have taken measures, but it could be worth changing passwords there too. After all, you have money wrapped up there.
OK, Folks, that's it.
Watch your backs!
Mijewen
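As an added example (not part of the post, and not code from possible.lv or DueDil), here is the triage logic behind that tool report turned into a small script: it reads a report in the format quoted above, checks an OpenSSL version string against the affected range, and emits the same to-do list the post recommends. The sample report is constructed to mirror the quoted one.

```python
import re
from datetime import date
from typing import List, Optional

HEARTBLEED_DISCLOSED = date(2014, 4, 7)  # public disclosure of CVE-2014-0160

# Constructed sample in the possible.lv report style (not a real scan result).
SAMPLE_REPORT = """\
ext 65281 (renegotiation info, length=1)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Certificate is valid before 0day. <-- Your stuff may be compromised.
"""

def openssl_version_vulnerable(version: str) -> bool:
    """True for releases that carried the bug: 1.0.1 through 1.0.1f and
    1.0.2-beta1. 1.0.1g fixed it; the 0.9.8 and 1.0.0 lines never had it."""
    v = version.strip()
    v = v[len("OpenSSL "):] if v.startswith("OpenSSL ") else v
    m = re.fullmatch(r"1\.0\.1([a-z]?)", v)
    if m:
        return m.group(1) <= "f"  # "" (plain 1.0.1) up to "f" are affected
    return v == "1.0.2-beta1"

def parse_report(report: str) -> dict:
    """Pull the three facts that matter out of a report like the one above."""
    lines = [l.strip() for l in report.splitlines() if l.strip()]
    return {
        "heartbeat": any(l.startswith("ext 00015") for l in lines),
        "patched": any("appears to be patched" in l for l in lines),
        "cert_predates_bug": any(l.startswith("Certificate is valid before 0day") for l in lines),
    }

def triage(report: str, cert_not_before: Optional[date] = None) -> List[str]:
    """Return the actions the site owner (and its users) should take.
    cert_not_before lets a caller supply the certificate's notBefore date directly."""
    facts = parse_report(report)
    actions: List[str] = []
    if facts["heartbeat"] and not facts["patched"]:
        actions.append("patch OpenSSL to 1.0.1g or later (or rebuild with -DOPENSSL_NO_HEARTBEATS)")
    predates = facts["cert_predates_bug"] or (
        cert_not_before is not None and cert_not_before < HEARTBLEED_DISCLOSED)
    if facts["heartbeat"] and predates:
        actions.append("reissue the certificate and revoke the old one")
        actions.append("change passwords once the patch and the new certificate are in place")
    return actions

if __name__ == "__main__":
    for action in triage(SAMPLE_REPORT):
        print("-", action)
```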