We have detected that cookies are not enabled on your browser. Please enable cookies to ensure the proper experience.
Results 1 to 13 of 13
  1. #1

    Heartbleed Bug: OpenSSL Security Compromised

    Some of the MSM (main stream media) have not yet alerted people to the importance of an announcement by the OpenSSL project regarding a serious bug in their code (04/07/2014). The code affects 1,000,000+ servers (web, email, banking systems and others). There is a fix available but it will take a few days (at best) for companies to implement the fix and re-acquire new crypto keys and certificates.

    In the mean time, servers with this error have no real protection, all crypto keys, data on the server are open*.

    There are recommendations to verify with your providers, bank, and other web access providers as to the state of their patches. There are some systems that are NOT affected but only the providors can confirm that status.


    * That data leakage means that servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users," explained security group Codenomicon, which discovered the flaw.

    The OpenSSL project has created a webpage to inform everyone about the issues surrounding the Heartbleed bug.

    http://heartbleed.com/

    The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

    The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

    What leaks in practice?

    We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

    How to stop the leak?

    As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL [ht tps://www.openssl.org/news/secadv_20140407.txt ] has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

    There is an extensive FAQ at the bottom of their statement indicating remedies, affected systems and remedial actions.
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  2. #2
    Use https://www.ssllabs.com/ssltest/ to check how vulnerable domains are.

    store.lotro.com gets an A- and is rated as not vulnerable to Heartbleed.

  3. #3
    Here are 2 sites that have compiled a list of MAJOR websites and their Heartbleed Status.

    Not every site is vulnerable and not every site uses the required vulnerable sections of the OpenSSL code.

    This is not a be-all/end-all set of lists and each person will need to determine for themselves all the sites they visit that MAY need to have password changes. There is a timing issue: do not change your password UNTIL the host site has completed their Heartbleed updates which include a software patch, re-encryption and a new SSL certificate (there are delays in the certificates). Changing a password before all of this may not protect your data/access/password.

    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  4. #4
    Join Date
    Aug 2008
    Location
    Vancouver, BC Canada
    Posts
    3,089
    Quote Originally Posted by Aedfrith View Post
    Use https://www.ssllabs.com/ssltest/ to check how vulnerable domains are.

    store.lotro.com gets an A- and is rated as not vulnerable to Heartbleed.
    These types of sites are giving conflicting and misleading information, and are not a reliable source. The only authority on this issue that we should trust is Turbine, and they haven't made a statement yet.

  5. #5
    There is another aspect of the Heartbleed bug that is getting little or no attention and that is with embedded systems or firmware. Devices which uses microchips that have or rely on the vulnerable release of SSL will either take a very long time to fix or not be fixable at all.

    ex: Imagine a device like a cell phone that does an automated handshake with a server. Inside the cell phone are chips and software along with apps. In order to make the apps and phone run "fast" some aspects of the SSL handshake are moved into firmware where it will be fast and also less prone to hacking (along the normal lines).

    Now, consider this same chip requiring a firmware update. Because it's an embedded system it may be harder or take longer to patch. It can only be patched if the chip has a WriteMany ability. Some chips are WriteOnce and those are a one time burn. There are chips that have multiple write cycles but it's not so easy to just grab some section of a complicated software system and jam in new code.

    An other aspect that can impact the speed of resolution are complex systems that rely on multiple 3d party libraries or base code.

    ex: Imagine a large complex system that governs n,000 servers. These servers run multi-faceted software products, some home-grown by the owner-company and some of it purchased as 3d party add ons or code libraries or subsystems. (forums, email, data transfer upload, ftp, sales, inventory, purchasing, order processing, order fulfillment etc). There may even be operating system level add-ons that are involved.

    If any one of these products relies or implements some of the faulting code, then the owner-company has to wait for the 3d party to repair the 3d party code, test, and roll out the fix. There are some companies who are going to have to wait for base level fix from their 3d party provider.

    If there's one server in a sea of servers that remains vulnerable, the entire system is vulnerable. I hope those large players have a decent A&R system in place (Audit and Remediation).
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  6. #6
    Join Date
    Apr 2007
    Location
    Gallifrey. I need a Jelly Baby.
    Posts
    18,062
    Sabriel, I like your sig. I Googled it and read the entire thing.
    Life is not a journey to the grave with the intention of arriving safely in a well preserved body, but rather to skid in broadside, totally worn out & proclaiming "WOW, what a ride!"
    [I][FONT=comic sans ms][COLOR=#ffff00]Continuing the never ending battle to keep Lobelia Sackville-Baggins in check[/COLOR][/FONT][/I]

  7. #7
    Just when you thought it was safe to go back in the water.... Reverse Heartbleed affects clients not servers.

    The server version: Heartbleed, has been patched for the most part except those with embedded firmware or apps relying on the OS to fix it (ex: some android cell phones).

    Reverse Heartbleed, is the same vulnerability but it affects clients eg PCs.



    What kinds of clients are vulnerable?

    Anything that speaks TLS using OpenSSL is potentially vulnerable, but there are two main classes of client apps that are worth mentioning:

    1) Traditional clients are things like web browsers, apps that use HTTP APIs (everything from Dropbox to Microsoft Office), and of course many mobile apps on both iOS and Android. It might be easy to direct one of these clients to connect to a malicious server (as in the case of a web browser) or it might require a man-in-the-middle (MITM) attack to redirect a client to an evil endpoint.

    2) Open agents are clients that can be driven by an attacker but don't reside on an attacker's machine. If you can direct some remote application to fetch a URL on your behalf, then you could theoretically attack that application. The web is full of applications that accept URLs and do something with them; any of these have the potential to be vulnerable:


    •Social networks that do smart things with URLs; e.g. Facebook, which fetches any URL that you type in to a status update in order to generate a preview of that URL.

    •File sharing apps like image thumbnailers, image hosters, Gravatar, and anything else that can "upload" an image or other user-supplied data via a URL.

    •Web spiders like the Googlebot that can stumble on a URL and index it – they can be directed to a malicious server just by linking to it.

    •API consumers that allow integrations across websites. For example, Redbooth integrates with Dropbox to allow users to upload files to projects. If I can convince the Redbooth servers via MITM to send their Dropbox requests to my server, I can potentially exploit them.

    •Identity federation protocols, such as OpenID and WebFinger, allow low-trust users to direct high-trust servers to arbitrary URLs that the user can control. The StackOverflow login page prompts the user for a URL that can be used to log in with OpenID – therefore, the code that StackOverflow uses to fetch that URL must not be vulnerable.

    •Webhooks, which allow a user to register interest in a certain event happening and get a callback. I can tell Github that I'd like to be notified at a URL I control whenever someone pushes to a repository, and Github's agent will connect to that URL over TLS if specified.

    The surface of exposed clients is potentially very broad – any code in an application that makes outbound HTTP requests must be checked against reverse Heartbleed attacks.

    ....


    The important takeaway is that it's not enough to patch your perimeter hosts - you need to purge bad OpenSSL versions from your entire infrastructure. And you should keep a healthy distance between agent code that fetches user-provided URLs and sensitive parts of your systems.


    http://blog.meldium.com/home/2014/4/...rse-heartbleed
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  8. #8
    Some interesting by products of the Heartbleed bug:

    A) The Big Tech firms are now financing/donating money to a new project to be administered by the Linux Foundation called "Core Infrastructure Initiative". They are each donating $300,000 USD to the project: Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, rackspace, VMWare.

    http://www.linuxfoundation.org/progr...ure-initiative

    B) A new fork in the OpenSSL project happened by a "new/rival" group. The new fork is called: LibreSSL.

    note: the website is very bare bones while they are ripping and dumping code they don't like.
    http://www.libressl.org/


    C) An essay describing the development environment issues highlighted by the Heartbleed bug but applies to the Internet as a whole and all software or complex systems. Selected points below, full essay is a good read.

    One small detail that is not readily known, is that the Heartbleed bug is bi-directional. It goes not just to the server but to every client too. The servers got patched but clients will remain unpatched for a long long time. So his statements and discussion presuming that clients are not affected is incorrect, The "what if" scenario" he suggests is even worse than he considers in his essay because they are actually occurring.


    • complexity in the large can arise from locally simple things

    • monocultures enable Internet-scale failure; all other failures are merely local tragedies

    • definition of Critical Infrastructures:

      Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government.
      Presidential Decision Directive 63, issued by President Clinton

    • all Internet standards become festooned with complicating option sets that no one person can know in their entirety.




    Dan Geer Lawfare.com Heartbleed as Metaphor

    http://www.lawfareblog.com/2014/04/h...d-as-metaphor/

    Daniel E. Geer, Jr., Sc.D., serves as Chief Information Security Officer at In-Q-Tel, the strategic investment partner of the U.S. intelligence community, and has held C-level positions at six startups over the past two decades. Prior to that, he led systems development at MIT’s Project Athena out of which came many of the underpinnings of today’s Internet and, earlier still, worked in medical computing within Harvard’s various teaching hospitals. He provides advice and counsel to numerous Federal agencies, and has been before Congress five times. Dr. Geer’s degrees are in Biostatistics from the Harvard School of Public Health and in Electrical Engineering from MIT, and he has been honored with the Lifetime Achievement Award of the USENIX Association.
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  9. #9
    Bruce Schneier wrote an interesting follow up on the issues exposed by the Heartbleed bug. The bug was caused by an error in the SSL programming and caused a lot of problems. While most of the problems have been resolved (not all) , the conditions and circumstances for other program errors still exists. Programs have bugs and sometimes how those are dealt with depends on who finds it.

    We should not be surprised if another exposure is found, but how it's dealt with depends on who finds it first. Such exposures won't always be made public.


    The Human Side of Heartbleed
    https://www.schneier.com/blog/archiv...man_side_.html

    One of the biggest problems we face in the security community is how to communicate these sorts of vulnerabilities. The story is technical, and people often don't know how to react to the risk. In this case, the Codenomicon researchers did well. They created a public website explaining (in simple terms) the vulnerability and how to fix it, and they created a logo -- a red bleeding heart -- that every news outlet used for coverage of the story.

    The first week of coverage varied widely, as some people panicked and others downplayed the threat. This wasn't surprising: There was a lot of uncertainty about the risk, and it wasn't immediately obvious how disastrous the vulnerability actually was.

    The major Internet companies were quick to patch vulnerable systems. Individuals were less likely to update their passwords, but by and large, that was OK.

    True to form, hackers started exploiting the vulnerability within minutes of the announcement. We assume that governments also exploited the vulnerability while they could. I'm sure the U.S. National Security Agency had advance warning.

    By now, it's largely over. There are still lots of unpatched systems out there. (Many of them are embedded hardware systems that can't be patched.) The risk of attack is still there, but minimal. In the end, the actual damage was also minimal, although the expense of restoring security was great.

    The question that remains is this: What should we expect in the future -- are there more Heartbleeds out there?

    Yes. Yes there are. The software we use contains thousands of mistakes -- many of them security vulnerabilities. Lots of people are looking for these vulnerabilities: Researchers are looking for them. Criminals and hackers are looking for them. National intelligence agencies in the United States, the United Kingdom, China, Russia, and elsewhere are looking for them. The software vendors themselves are looking for them.

    What happens when a vulnerability is found depends on who finds it.

    (snip)

    Heartbleed was unique because there was no single fix. The software had to be updated, and then websites had to regenerate their encryption keys and get new public-key certificates. After that, people had to update their passwords. This multi-stage process had to take place publicly....

    http://en.wikipedia.org/wiki/Bruce_Schneier
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  10. #10
    A timely post by Bruce Schneier was soon followed by reported new vulnerabilities in SSL. It's not unexpected that there would be more bugs, most software has more bugs than Engineering could fix in dedicated lifetimes. Some large scale projects have more than 10,000 identified bugs and use the "sell by date" method of fixing them - that's just delete anything more than N-years/N-months old. The unidentified just keep going like the Energizer Bunny and are distributed over and over. To the end-user there's not much difference in being the recipient of a "known bug" or a "unknown bug", the results are pretty much identical and the response is a slight change to the cut-n-paste message from a tech-support call.

    The current identified bug of the most interest in OpenSSL, is one that leaves the system open to a Man-In-The-Middle attack. It requires some specific setup and is not as wide-open as the previous Heartbleed/Reverse-Heartbleed ones but anything that can "spoof" a server response is not a good thing, especially if the "spoof" is from someone "not nice".

    ht tps://www.openssl.org/news/secadv_20140605.txt
    (links are fractured to prevent auto-run. Remove the space from the header)


    SSL/TLS MITM vulnerability (CVE-2014-0224)
    ============================== =============

    An attacker using a carefully crafted handshake can force the use of weak
    keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
    by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
    modify traffic from the attacked client and server.

    The attack can only be performed between a vulnerable client *and*
    server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
    are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
    of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

    OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
    OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
    OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

    There are more vulnerabilities detailed along with the fixes required. It is a reminder that end-users and corporate systems still need to be mindful of the un-intended consequences from lowering their "threat level" back to normal by thinking "everything is fine now".

    In another report nearly .02% of SSL certificates are "fake" ones. That's about 7,000 servers pretending to be "Facebook" but are not. You may think it's safe to get back in the water but the Forest is just waiting for you.

    "Keep your wits about you, man. You're going into the Forest after all...."
    Caretaker Argus Filch
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  11. #11
    OpenSSL is the gateway to heaven if you are an organization interested in what other people are doing and/or having the desire to be able to do exactly the same thing as they do especially while pretending to be them.

    It turns out that just as SysAdmins hold the "keys to the kingdom" and are on the "Hunted List", so too is OpenSSL, which is used by, well, everyone. Once you get the keys or a hook into OpenSSL you can gain access to anything a person does. It's the preferred target of least resistance to penetrate.

    And a whole host of folks have been busy beavers penetrating OpenSSL faster than PacMan Eats Dots. The attacks and exploits are ongoing since Heartbleed made the headlines and nearly every week another major attack is discovered. The attacks are so numerous the MSM (main stream media) hardly bother to notify anyone anymore since it's not really "new" News. In some cases there are countries where this "news" is prohibited from being printed or spoken about because some 3LetterChums are using it to their own advantages.

    The honest developers on the OpenSSL project are patching and fixing as fast as they can but the design of the internet is against them and the dikes cannot hold much longer. The internet is based on "trust" and when the other parties in this scheme turn out to be "less than trustworthy" it causes loads of problems.

    Not only are there people deliberately trying to "bust the trust" because it suites their personal/corporate/governmental goals but they are also looking to force "honest" brokers into breaking that trust on their behalf all without notifying their customers that the "honest" brokers have been legally required to do this. Legislation is pending in the USA that will grant coerced corporate cooperation retroactive and future immunity from legal complaints once it's found out that a corporation has been required by the US Government to hand-over the goods or rather the "keys to the kingdom". Similar to how the Telco's in the USA were granted retro-immunity when it was discovered that they were handing over all sorts of "private call details" to US Law Enforcement without the required warrants and without any protest from the Telco's management junta (after a government take over the ruling party is often referred to as a junta).

    So, the problem with OpenSSL is that it holds the keys to YOUR STUFF and they are very much interested in all the STUFF you have and they want more and more of YOUR STUFF. There's very little left in the way of STUFF they cannot access but they need to insure that YOUR STUFF IS THEIR STUFF, 24x7x500+ years. (yes, that's not a typo it's 500 years)

    So some of the more recent interesting attacks on OpenSSL are:

    • FREAK

      FREAK ("Factoring RSA Export Keys") came about because of old old US laws restricting the export of encryption (aka the Crypto Wars). Laws prohibiting what was then "strong" encryption required software companies to dumb-down their encryption routines. (Sounds familiar?) After the US Government "lost" the Crypto War strong encryption became the norm but what software company removes old dead code? None. Corporations don't remove old code because it's useful for compatibility and legacy issues and after a while no one even remembers that it's there at all. Well, almost no one. Seems there were some clever chaps that did remember the old poor encryption and found ways to "trick" severs and clients into coughing up the keys needed to move on to the more exciting activities of getting YOUR STUFF FOR THEM.

      ht tp://en.wikipedia.org/wiki/FREAK
    • Superfish Malvertising

      Superfish is an advertising program conveniently installed by Lenovo on their laptops (Dec 2014 - @Feb 2015) as part of their "customer appreciation" bundle of bloatware. The "appreciation" was the gathering of your passwords and corrupting your SSL certificates so they could gather information online and offline about your activities on that fantastic new laptop you got to play LOTRO on.

      Superfish is a MITM (Man in the Middle) attack and exists outside of the browser and activates when you turn on the PC. Since it's outside the browser it continues to harvest YOUR STUFF FOR THEM as long as the power is on. It uses a Self-Signed ROOT SSL Certificate that can intercept any and all encrypted sites (HTTPS).


      From Arstechnica:

      It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

      Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.

      [Update: Rob Graham, CEO of security firm Errata Security, has cracked the cryptographic key encrypting the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won't be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was "komodia" (minus the quotes). ....

      Superfish has spawned a lot of clones and mini-phish using the same techniques: installing a fake SSL root certificate. The good news is that Superfish in not part of the 3LetterChummingGroup so you can remove it and there are instructions on the internet that detail the how-tos but there are other projects out there that do the same thing - they just don't bother to tell YOU and No, you cannot remove those except by taking a sledge hammer to your PC and even then they might be able to get YOUR STUFF.

      (The sledge hammer method of removal has a great how-to-video showing in detail the level of destruction required. search words: Guardian Destruction Hard Drives July 2013.)

      ht tp://en.wikipedia.org/wiki/Superfish
      ht tp://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/
      ht tp://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
    • JANUARY 2015 FIXITS

      included 8 security holes and problems with SSL certificates.

    • MYSTERY FIXIT eta 03/19/2015

      This week on March 19, 2015, the OpenSSL project is patching a "High Vulnerability" hole/exploit. The details of the patch are not being disclosed which is unusual and there is speculation that this patch is to fix something on the scale of Heartbleed.


    On the gooder news side, the OpenSSL Project is getting a bit more help these days from the Big Boy Pants Guys in Silicon Valley. They at least understand that YOUR STUFF needs to be YOUR STUFF so THEY can get YOUR STUFF for THEMSELVES and they won't get ANYTHING if you sledge hammer your PC. A PEW report (03/16/2015) shows that 87% of people polled knew "something about surveillance" and of those 30-34% have done at least 1 thing to change this: changing privacy settings on social media, using less social media, avoiding certain apps, uninstalling apps, speaking 1v1 instead of by cellphone or using online communications and (GASP!) avoiding using "trigger words" in electronic exchanges.

    ht tp://www.pewinternet.org/2015/03/16/americans-privacy-strategies-post-snowden/
    The Keys to the Kingdom can open a lot of doors with a lot of goats.

    ht tp://en.wikipedia.org/wiki/Monty_Hall_problem

    (urls fractured to prevent auto run. remove the space from the header)
    Last edited by SabrielofLorien; Mar 17 2015 at 09:49 AM. Reason: typos
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  12. #12
    So, some of the MYSTERY FIXITs on March 19, 2015 where on the ho-hum side of fixes, other than they all fixed something on the bad side of SSL coding. So, we can all go "WHEW!" dodged another bullet didn't we?! It wasn't another Heartbleed problem! LOLz As we all do the High-Five Dance... except maybe not.

    The Heartbleed Problem, the original one where your ID and Password could be hacked from a vulnerable file server, is going better than ever. There was a patch for it, it went out, it was massively publicised and MSM (main stream media) was hanging 10 on the story when pesto-chango everything was fixed and not much more was said about it. Reverse Heartbleed, where someone can get your User Id and Password from your personal system using the same technique, didn't get too much review because what can you do with millions and billions of vulnerable devices? Not too much so we can just ignore those problems.... works for the NSA and friends. At least the servers got patched didn't they? Or did they?

    Seems like they didn't

    Only 26% of vulnerable servers have been fixed since Heartbleed was announced. A whopping 74% have not been fixed. After the initial fixits went out, only an addition 2% of systems were patched (2014 to 2015). And those are the "Global 2000 Public Facing Servers", not some Mom n Pop Email Server used by the US Secretary of State located in an unused closet at home.

    Can you image!? An UNUSED CLOSET? (boggles).

    SSL/TSL and their follow ons, will be the focus of an estimated 50% of network attacks by 2017. Hijacked VPNs are on the increase too. If the NSA can crack 20,000 VPNs per hour with 12 analysts, imagine what a team of really motivated people could do and are doing.

    The fix isn't that hard. You have to be able to count to 4. Do 1 step at a time.

    1. Patch the OpenSSL vulnerability
    2. Generate new keys
    3. Issue and install new certificates
    4. Revoke old certificates



    It seems that an awful lot of the Global 2000 cannot count to 4.

    ht tps://www.venafi.com/blog/post/still-bleeding-one-year-laterheartbleed-2015-research/

    url fractured to prevent auto run remove the space from the header
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

  13. #13
    So, by now a lot of people are giving up on the idea that Apple never gets hacked or that Linux is less vulnerable than Windows and realizing: It's Open Season for anyone with access to or money to buy the tools needed to hack SSL . In case it's still news: there are toolkits out there that will show you the ins and outs of the majority of exploits. Those that are interested already have them and are working overtime to get to YOUR SYSTEM before the software/hardware folks plug up the holes. Unfortunately, the folks in charge of these sorts of things rather let things lapse because well... who knows, but 10 years and counting on some of these "known" issues is a long time to get around to it. Then you have the problem of actually getting people to install the fix since a goodly portion of the "auto updates" are already hacked and you could be downloading a lot more than a fix not to mention the "I have nothing to hide..." ostrich procrastination stance of a lot of companies.

    So, what is it that's so attractive about SSL? Why does this piece get so much attention? To be sure there are other areas where equal opportunity hacking happens but SSL is a very tasty dish for a big hunk of it. It boils down to "who has the keys to the kingdom" and SSL has the keys to YOUR kingdom.

    SSL/TSL use X.509 certificates with high grade encryption which are markers used to ID and verify the source of data coming and going along the internet and into your devices. These X.509 certificates are controlled by "certificate authorities" (CA) around the world and those authorities issue certificates to others in a cascading hierarchy. When a data stream presents to your device it checks on an internal list in your device to see if the certificate is "good". If you get a certificate from a "trusted authority" your device goes: OK what do you want to do? and then broadly speaking, does it.

    In theory, the certificate is pretty hack proof. It uses good public-key encryption to prevent spoofing and there is a protocol followed about how they are generated and how they are secured from tampering.

    Your devices have a certificate list or repository already installed which contains lots of names of companies that have been recognized as legit CAs. In case a rogue certificate gets issued they can update this list and revoke the bad certificate. This list is not readily visible for the most part but you can see what sort of things are in the list from your browser properties/content/Certificates and Publishers (the exact path varies by browser type).

    What you will notice if you take a peek at the different tabs is: There's a heck of a lot of these things out there and why do I need "Trusted Root Certification Authority" from a company in Istanbul if I'm in the USA or what about that Japanese Government Application Authority? Hey here's one in Switzerland!

    It's all about the money.

    The certificate business is big business. Certificates are granted in a cascading hierarchy from a few Top Dogs rolling down hill through intermediate authorities. Companies need a lot of certificates, especially big companies. GoDaddy will get your website and SSL certificate all in one package which proves that your website is yours. If you need to make a change (ala Heartbleed) you have to get new certificates and revoke the old ones. Companies have so many certificates they often forget which applications, servers have them and if they cannot remember where they installed them all, they are hesitant to revoke everything because that one forgotten server app will stop working and then Cry Havoc!

    Your fancy iPhone isn't just sold here, it's sold here, there and everywhere. Same with PCs and other computing systems. In order to have things run auto-magically around the world, the manufactures install the whole global CA enchilada so no matter where the device ends up, it will function.

    So if you can spoof a certificate or exploit a weakness in validation or revocation or simply hack into a certificate authority and generation thousands of "good certificates" without anyone catching you, you can access an awful lot of devices worldwide. Tasty indeed.

    So, it's all very interesting and very academic but what can you do? Not a lot really.

    Most spoofs are going to come through social engineering: that cute picture sent to you by a "trusted friend" so you open it up and get a load more than the cute picture. These sorts of things can be dealt with by not falling into the trap of social engineering. Facebook won't like you much if you don't go along with their social networking plans but hey, they aren't paying you to get hacked are they?

    The pitfalls of the current SSL/TSL model are known and in the wake of the massive amount of global data hacking there are discussions taking place on how to stop it. There are 3 groups that oppose most changes: 1) Security Services world wide like the NSA,GCHQ, FSB. 2) Big Data Corporations like Google, Facebook, Twitter. 3) hackers everywhere. You can expect 2 of these to be vocal and attempt to block implementations.

    But why would they block something that actually makes the internet secure?

    Because they all use the same techniques. They will scream when the Sony's gets hacked and their data "stolen" but no one cares about YOUR data. Google and Facebook merrily hoover up your data, manipulating your feeds and friends to sell you that latest ad and if someone tries to grab their junk ad data they get all irate but they don't care at all about YOUR data. The FSB wants to know who you know and would very much like to be your "friend" but if anyone hacks into a government computer, even one with unrevoked known bad SSL certificates, it will be all over the front page with long prison sentences given for hacking. The only people who care about your data is YOU.

    There are of lot of YOUs working on actually making things secure and that's not on any government's National Security list and it's not on Google or Facebook's to-do list either. It's all about YOU.

    It's a good thing the world is made up primarily of YOUs.




    ht tp://en.wikipedia.org/wiki/X.509
    ht tp://en.wikipedia.org/wiki/Identity_certificate
    ht tp://en.wikipedia.org/wiki/Certificate_authority
    ht tp://en.wikipedia.org/wiki/Certificate_revocation_list

    (url fractured to prevent auto run. remove space from header)
    Last edited by SabrielofLorien; Apr 23 2015 at 01:04 PM.
    Whoever says “I” creates the “you.” Such is the trap of every conscience. The “I” signifies both solitude and rejection of solitude. Words name things and then replace them. Whoever says tomorrow, denies it. Tomorrow exists only for him who does not seek it. And yesterday? Yesterday is Kolvillàg: a name to forget, a word already forgotten.

    The Oath: A Novel by Elie Wiesel

 

 

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

This form's session has expired. You need to reload the page.

Reload