Very Important security news!

Guest

Very Important security news!

Post by Guest » Tue Apr 08, 2014 9:16 pm

Hello,
From BBC News:
A bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.
http://www.bbc.com/news/technology-26935905
By now, many of you already know this, but for those who do not, I wanted to share it with all of you.
Since I am under the weather, I will not be able to share that much, even if it was staring me in the face, but I will appreciate whatever information you may add to this bit of news.
I am posting what I believe to be the official site of OpenSSL, but from the scorecard:
https://www.mywot.com/en/scorecard/openssl.org?utm_source=addon&utm_content=rw-viewsc
If it is, please give the right address.
Best regards to all

NotBuyingIt
Posts: 6548
Joined: Fri Mar 11, 2011 6:21 pm

RE: Very Important security news! (CVE-2014-0160)

Post by NotBuyingIt » Wed Apr 09, 2014 1:11 am

I've copied the security alert from OpenSSL.org, including announcement of a fix. "A missing bounds check" is a very familiar coding blunder. Some compilers may optionally insert protection against this, but developers will turn off this option to improve execution speed and will ignore compile-time warnings. (I don't know whether CVE-2014-0160 involved either situation.)
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
(source: http://www.openssl.org/ ... uperHero58
I hope you will feel better soon.
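The advisory quoted above says the defect was a missing bounds check on the heartbeat payload length. Below is an added example, written for this thread and not code from OpenSSL or the advisory, of what that check looks like: a small C parser for a record laid out as in RFC 6520 (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) that compares the declared payload length with the bytes actually received before copying anything. The function names, constants and the two sample records are constructed for the illustration.

```c
/* Added example (not OpenSSL code): defensive parsing of a TLS heartbeat
 * record. The point is the length check in hb_check(): header + declared
 * payload + minimum padding must fit inside the record that was received. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3      /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD   16     /* RFC 6520: padding must be at least 16 bytes */

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate a heartbeat record of rec_len bytes. On success, *payload_len
 * receives the declared length, now known to lie inside rec[0..rec_len). */
enum hb_status hb_check(const unsigned char *rec, size_t rec_len, size_t *payload_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the advisory refers to: trust the length field only
     * after confirming that many bytes were actually received. Without it a
     * short record claiming a large payload makes the responder copy memory
     * that lies beyond the record buffer. */
    if (HB_HDR_LEN + declared + HB_MIN_PAD > rec_len)
        return HB_LENGTH_MISMATCH;
    *payload_len = declared;
    return HB_OK;
}

/* Build the response into out (capacity out_cap). Returns the number of
 * bytes written, or 0 if the request was rejected or out is too small.
 * Only the validated payload is echoed; the padding is zero-filled. */
size_t hb_build_response(const unsigned char *req, size_t req_len,
                         unsigned char *out, size_t out_cap)
{
    size_t plen;
    if (hb_check(req, req_len, &plen) != HB_OK || req[0] != HB_REQUEST)
        return 0;
    size_t total = HB_HDR_LEN + plen + HB_MIN_PAD;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + HB_HDR_LEN, req + HB_HDR_LEN, plen);   /* plen is already bounded */
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PAD);
    return total;
}

/* Constructed sample records for the demo (not captured traffic). */
static const unsigned char good_req[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};
/* The same 23 bytes, but the length field claims a 65535-byte payload. */
static const unsigned char bad_req[] = {
    HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    unsigned char resp[64];
    size_t n = hb_build_response(good_req, sizeof good_req, resp, sizeof resp);
    printf("well-formed request -> %zu-byte response\n", n);
    n = hb_build_response(bad_req, sizeof bad_req, resp, sizeof resp);
    printf("inconsistent length field -> %zu bytes (rejected)\n", n);
    return 0;
}
```

The well-formed record produces a 23-byte response; the record whose length field disagrees with its actual size is rejected before any copy happens, which is the behaviour the -DOPENSSL_NO_HEARTBEATS workaround achieves more bluntly by disabling the extension altogether.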

Erwin Rommelfan
Posts: 127
Joined: Fri Sep 03, 2010 5:46 am

RE: Very Important security news!

Post by Erwin Rommelfan » Wed Apr 09, 2014 3:00 am

Should we change our usernames and passwords in Web Of Trust?

Timo
Posts: 830
Joined: Sun Oct 29, 2006 5:11 pm

RE: Very Important security news!

Post by Timo » Wed Apr 09, 2014 10:16 am

We updated our OpenSSL yesterday as soon as we were aware of the problem. In that respect there is no need to update your password; however, it's recommended to change passwords periodically and not to use the same one on different services.

Guest

RE: Very Important security news!

Post by Guest » Wed Apr 09, 2014 1:47 pm

The sad part is the bug / flaw has been known since Dec. 2011... and now they are telling us.
http://betanews.com/2014/04/09/openssl-flaw-unlocks-the-internets-crown-jewels/

Erwin Rommelfan
Posts: 127
Joined: Fri Sep 03, 2010 5:46 am

RE: Very Important security news!

Post by Erwin Rommelfan » Wed Apr 09, 2014 6:53 pm

[quote="destinationtruth"]
The sad part is the bug / flaw has been known since Dec. 2011... and now they are telling us.
http://betanews.com/2014/04/09/openssl-flaw-unlocks-the-internets-crown-jewels/
[/quote]

Really? Why not tell us sooner?

Guest

RE: Very Important security news!

Post by Guest » Wed Apr 09, 2014 7:33 pm

[quote="erwin rommelfan"]
Really? Why not tell us sooner?
[/quote]

Good question, maybe they didn't have a solution.
http://heartbleed.com/

evilfantasy
Posts: 3940
Joined: Thu Dec 25, 2008 4:08 am

RE: Very Important security news!

Post by evilfantasy » Wed Apr 09, 2014 8:21 pm

[quote="erwin rommelfan"]
Should we change our usernames and passwords in Web Of Trust?
[/quote]

NO! Don't change any passwords anywhere until an internet wide fix has been announced. It's best to not even visit your financial websites until a fix is confirmed. Use in person or phone banking for the next several days.

[quote="destinationtruth"]
Good question, maybe they didn't have a solution.
http://heartbleed.com/
[/quote]

The vulnerability has been there for years. The proof-of-concept was just found/announced a few days ago.


Guest

RE: Very Important security news!

Post by Guest » Wed Apr 09, 2014 8:26 pm

[quote="evilfantasy"]
The vulnerability has been there for years. The proof-of-concept was just found/announced a few days ago.
[/quote]

Yep, though it could have been used already (though not likely), since it leaves no trace... we'll never know for sure.

evilfantasy
Posts: 3940
Joined: Thu Dec 25, 2008 4:08 am

RE: Very Important security news!

Post by evilfantasy » Thu Apr 10, 2014 4:01 am

LastPass Now Tells You Which Heartbleed-Affected Passwords to Change: http://lifehacker.com/lastpass-now-tells-you-which-heartbleed-affected-passwo-1561522244
Also: Heartbleed Test - Enter a URL or a hostname to test the server for CVE-2014-0160: http://filippo.io/Heartbleed/
