Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
04-08-2014, 05:22 PM,
#1
Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
ATTENTION! This is serious. I recommend that you not log in to any https site that involves sensitive private information until you know that site has been patched!

Quote: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
Posted 15 hours ago by Greg Kumparak (@grg)


I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.

Even if you’ve never heard of OpenSSL, it’s probably a part of your life in one way or another — or, more likely, in many ways. The apps you use, the sites you visit; if they encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, utilizes OpenSSL.

Through a bug that security researchers have dubbed “Heartbleed”, it seems that it’s possible to trick almost any system running any version of OpenSSL from the past 2 years into revealing chunks of data sitting in its system memory.

Why that’s bad: very, very sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.). This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication that they intercept like it wasn’t encrypted at all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser’s built-in security checks.

And if an attacker was just gobbling up mountains of encrypted data from a server in hopes of cracking it at some point? They may very well now have the keys to decrypt it, depending on how the server they’re attacking was configured (like whether or not it’s set up to utilize Perfect Forward Secrecy.)

The exploit relies on a bug in the implementation of OpenSSL’s “heartbeat” feature, hence the “Heartbleed” name. Security firm Codenomicon has written an in-depth breakdown of the Heartbleed bug here.

To quote their findings:

We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

It seems the bug has been in OpenSSL for 2+ years (since December 2011, OpenSSL versions 1.0.1 through 1.0.1f) before its publicly announced discovery today. Even worse, it appears that exploiting this bug leaves no trace in the server’s logs. So there’s no easy way for a system administrator to know if their servers have been compromised; they just have to assume that they have been.

The bug was discovered and reported to the OpenSSL team by Neel Mehta of Google’s security team. OpenSSL released an emergency patch for the bug along with a Security Advisory this afternoon.

http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

and
http://heartbleed.com/

You're welcome.
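The article above says the bug is in the "heartbeat" handling and that the server hands back "chunks of data sitting in its system memory". The C program below is an added example, written for this thread and not taken from the article or from OpenSSL's source, that models the defective logic of OpenSSL's tls1_process_heartbeat() and the one-line length check that 1.0.1g added (the real check is `1 + 2 + payload + 16 > s->s3->rrec.length`). The record layout (1-byte type, 2-byte length, payload, 16 bytes of padding) is RFC 6520's; the `server_mem` buffer, the `SECRET` string placed behind the record, and the helper names are constructed for the demonstration.

```c
/*
 * Added example (not OpenSSL's code, not from the article): a cut-down model of
 * OpenSSL's tls1_process_heartbeat() showing why Heartbleed leaked memory and
 * what the 1.0.1g fix checks. Record layout per RFC 6520: a 1-byte type, a
 * 2-byte payload length, the payload, then at least 16 bytes of padding.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define MEM_SIZE         256

/* Constructed stand-in for the server's record buffer and the memory after it.
 * The received heartbeat record is placed at offset 0; a made-up secret sits
 * directly behind it, the way key material or another user's request might. */
static unsigned char server_mem[MEM_SIZE];
static const char SECRET[] = "PRIVATEKEY:7a3c9f:alice:hunter2";

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * while only strlen(payload) bytes are actually sent. Returns the real
 * on-the-wire record length (what s->s3->rrec.length holds in OpenSSL). */
static size_t build_request(unsigned char *mem, const char *payload, uint16_t claimed_len)
{
    size_t real = strlen(payload);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, real);
    memset(mem + 3 + real, 0, HB_PADDING);
    return 3 + real + HB_PADDING;
}

/* Process one heartbeat record. Returns the number of payload bytes echoed
 * into `out`, or -1 if the record was dropped. `fixed` enables the length
 * check added in OpenSSL 1.0.1g; without it the attacker-supplied length is
 * trusted and memcpy() reads past the end of the real record. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len, int fixed,
                             unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) in OpenSSL */
    p += 2;

    if (fixed && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                      /* 1.0.1g: discard, as RFC 6520 requires */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    if ((size_t)3 + payload + HB_PADDING > out_cap)
        return -1;                      /* response buffer bound; unrelated to the bug */

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);        /* Heartbleed: over-reads when payload > real length */
    memset(out + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Send a 4-byte "ping" that claims `claimed_len` bytes and report whether the
 * adjacent SECRET came back in the response (1 = leaked, 0 = not). */
static int secret_leaked(int fixed, uint16_t claimed_len)
{
    unsigned char out[MEM_SIZE + 3 + HB_PADDING];
    memset(server_mem, 0, sizeof server_mem);
    size_t rec_len = build_request(server_mem, "ping", claimed_len);
    memcpy(server_mem + rec_len, SECRET, sizeof SECRET);

    int n = process_heartbeat(server_mem, rec_len, fixed, out, sizeof out);
    if (n < 0)
        return 0;
    /* Payload byte k of the echo is server_mem[3 + k], so the secret that starts
     * at server_mem[rec_len] lands at response offset rec_len. */
    return (size_t)n >= rec_len - 3 + strlen(SECRET) &&
           memcmp(out + rec_len, SECRET, strlen(SECRET)) == 0;
}

/* A well-formed 4-byte request must still be answered after the fix. */
static int honest_echo_len(int fixed)
{
    unsigned char out[MEM_SIZE + 3 + HB_PADDING];
    memset(server_mem, 0, sizeof server_mem);
    size_t rec_len = build_request(server_mem, "ping", 4);
    return process_heartbeat(server_mem, rec_len, fixed, out, sizeof out);
}

int main(void)
{
    printf("unpatched, honest length 4:    leaked=%d\n", secret_leaked(0, 4));
    printf("unpatched, claimed length 100: leaked=%d\n", secret_leaked(0, 100));
    printf("patched,   claimed length 100: leaked=%d\n", secret_leaked(1, 100));
    printf("patched,   honest request echoes %d bytes\n", honest_echo_len(1));
    return 0;
}
```

Build with `cc -o heartbeat heartbeat.c` and run it. The unpatched path echoes whatever follows the short record, which is why the article says exploitation leaves nothing in the logs: from the server's point of view a heartbeat was answered, nothing more. Because the length field is 16 bits, a single real request can pull up to 64 KB per round trip, and the attacker simply repeats it.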
04-08-2014, 05:33 PM,
#2
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
Witness the beauty of the Free Market and Open-Source Software.

A vulnerability is fixed less than 24 hours after it is discovered.

Try accomplishing that with Microsoft or Apple proprietary government subsidized software.
04-08-2014, 06:00 PM, (This post was last modified: 04-08-2014, 06:04 PM by temp9.)
#3
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
(04-08-2014, 05:33 PM)CharliePrime Wrote: Witness the beauty of the Free Market and Open-Source Software.

A vulnerability is fixed less than 24 hours after it is discovered.

Try accomplishing that with Microsoft or Apple proprietary government subsidized software.

Quote:A vulnerability is fixed less than 24 hours after it is reported.

Fixed that for you. :D

The problem here - aside from the fact that NSA/GCHQ et al. probably knew about it quite a while ago (the "bug" has been there for over 2 years) - is getting the fix implemented. As an example, last time I checked, maybe 30 minutes ago, mail.yahoo.com is not patched and the personal info is flowing freely. I expect that this shit is going to have big repercussions.

I've spent all morning reading about it, but I don't think it has hit the MSM. This should be the top story everywhere. But it ain't.
04-08-2014, 06:57 PM,
#4
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
My understanding was that the bug has existed in the code for two years, but was only discovered within the last few days.

But you are right and I was wrong. It was only reported yesterday.

Thanks for posting this. I saw a news item about it in my RSS stream, but ignored it because I mistakenly thought it was small.
04-08-2014, 08:27 PM,
#5
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
How can a user know if a site he visits uses the hackable OpenSSL?
04-09-2014, 12:08 AM,
#6
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
(04-08-2014, 08:27 PM)4cc Wrote: How can a user know if a site he visits uses the hackable OpenSSL?

Plug the URL of the site you want to check into the text field on this page:

Heartbleed OpenSSL extension testing tool
04-09-2014, 03:50 AM, (This post was last modified: 04-09-2014, 05:44 AM by 4cc.)
#7
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
https://concen.org - "Your server appears to be patched against this bug" :)

Thank you very much Stiffy & Temp9

I did not find any sites that failed the Heartbeat test at http://possible.lv/tools/hb/

Also came across this other method of stealing HTTPS. It is said to be done on large company networks, so maybe you should not be banking on the job. I believe this could also be done by your ISP:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees?sdsrc=popbyskid
Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
Posted by Unknown Lamer on Wednesday March 05, 2014 @01:37PM
from the padlock-icon-says-I'm-good-right dept.
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A commenter said "You own DNS and the path? You own the world." So this gives me a hint to not use the same DNS server that your ISP tells you to use. But I don't know the pros and cons of doing this.
04-10-2014, 03:36 PM,
#8
RE: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
(04-09-2014, 03:50 AM)4cc Wrote: http://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees?sdsrc=popbyskid
Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
Posted by Unknown Lamer on Wednesday March 05, 2014 @01:37PM
from the padlock-icon-says-I'm-good-right dept.
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A commenter said "You own DNS and the path? You own the world." So this gives me a hint to not use the same DNS server that your ISP tells you to use. But I don't know the pros and cons of doing this.

Yeah, I was just reading about this practice a few weeks ago. Pretty much sucks, but in a workplace I suspect that it's "legal".

Whether ISPs are doing this to intercept https traffic I wouldn't know, but I'm sure they could. Probably not as "legal" for them to do that though. ;)

My ISP states right in the TOS that they DO monitor/record (I forget the exact term they use) all web traffic, i.e. what sites you visit. F them!

I, of course, recommend a good VPN, but I would also suggest DNSCrypt to get around ISP spying (again, F THEM!). Especially if you don't use a VPN.

http://dnscrypt.org/
or, what I use:
https://dnscrypt.eu/

If someone chooses to use DNSCrypt, avoid OpenDNS servers since they log traffic. Pick a DNS resolver that 1) doesn't log, and 2) uses DNSSEC.

JMO