Heartbleed Bug - This doesn't look good

[nlinecomputers]

Fixing the bug is not enough. You need to issue new certificates and change passwords or there is the possibility that your previous private key has been exposed.

 

[NYJimbo]

Fixing the bug is not enough. You need to issue new certificates and change passwords or there is the possibility that your previous private key has been exposed.

Yeah, right, my customers sure will go for that.

I guess I should replace all my credit cards because its possible I put them through a skimmer somewhere.

 

[Bubbajoe]

I'm laughing at all this NSA fear.

You should fear Google!!:

http://windowsitpro.com/paul-thurrotts-wininfo/google-details-gmail-scanning-new-tos

http://online.wsj.com/news/articles/SB10001424052702304117904579501701702936522

 

[Galdorf]

CRA just admitted to data leaks via heartbleed over 900 peoples information was leaked:

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

 

[nlinecomputers]

CRA just admitted to data leaks via heartbleed over 900 peoples information was leaked:

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

And that happened after revelation of the bug to the world. I'm not worried about NSA. But script kiddies with an ridiculously easy tool to gain access are going to go to town on this. Just patching is not enough unless you can be certain no one tried to access the system before you managed to patch it.

 

[SilverLeaf]

I'm laughing at all this NSA fear.

......snip

You can choose to laugh all you want, but given the recent revelations about the NSA, it would be foolish to assume that they haven't leveraged this bug to maximum effect. I'm sure the NSA is intimately familiar with the source code for virtually all major security and encryption processes. If anybody knew about the vulnerability, it would have been the NSA. That's what they do, and they have significant resources. Given their track record, the fact that they have denied it means nothing.

 

[Bubbajoe]

CRA just admitted to data leaks via heartbleed over 900 peoples information was leaked:

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

Hmmm... Wonder why all the other experts say there is no way to know if the Heartbleed vulnerability was used?

 

[nlinecomputers]

Hmmm... Wonder why all the other experts say there is no way to know if the Heartbleed vulnerability was used?

1. Because that claim is mostly bs? Heartbleed takes advantage of an existing connection. You have to have connected to the server in order to abuse the heartbeat connection to begin with. If you connect to the server then that can be logged.

2. They are making a logical assumption because while exploiting the system isn't traceable the login with the stolen creds would be.

 

[Bubbajoe]

Exactly. In a nutshell, they have no clue.

 

[Galdorf]

Canadian mounties have arrested a teenager who, they say, used the Heartbleed Internet bug to hack into the country's tax agency.
Looks like the mounties got there man i bet there are thousands of breaches that have gone undetected for 2 years.

 

[ComputerRepairTech]

Hmmm... Wonder why all the other experts say there is no way to know if the Heartbleed vulnerability was used?

If i'm not mistaken its not that theres no way its that the information is rarely logged aka not logged by default.

 

[Knightsman]

You can choose to laugh all you want, but given the recent revelations about the NSA, it would be foolish to assume that they haven't leveraged this bug to maximum effect. I'm sure the NSA is intimately familiar with the source code for virtually all major security and encryption processes. If anybody knew about the vulnerability, it would have been the NSA. That's what they do, and they have significant resources. Given their track record, the fact that they have denied it means nothing.

exactly!

I've always found it amusing when people just "believe" without question what the government says.

 

[Galdorf]

Looks like this bug even effected VPN! now i know the NSA has been using this bug.
New Heartbleed Exploit Hijacked Secure Network Sessions
https://www.mandiant.com/blog/attackers-exploit-heartbleed-openssl-vulnerability-circumvent-multifactor-authentication-vpns/

 

[drpcfix]

there are probably a couple ways to detect someone hacking, even though it isn't typically the type of traffic that is logged.

The bug is able to get at server memory in small pieces with just a part of the SSL handshake - this bit isn't logged in most/all systems.

Once you dump lots of bits of server memory, and are able to - for example - put together some valid session cookies so you can login as other users (session hijack) or even user/pass combos -

Then you may want to do something with it.

Login to the server and download data? Logged (web logs).

OR - if the entire attack was just using the ssl bit to read memory, the server could be behind a device that is capable of logging.

Maybe most web servers have a load balancer and then nginx/apache where the SSL sits. That SSL bit is never logged - but a government agency could possibly log all traffic at the load balancer level - or any other device between the internet and their SSL device.

When they say this isn't logged, typically, they mean if you have a web server facing the internet - 99% of the time there isn't another random thing there dumping all the packets/logging between that thing and the internet - not to say it's not possible..