Heartbleed is a Catastrophic bug

By: zapionics<alt>
April 9th, 2014
5:04 pm


The Heartbleed bug (CVE-2014-0160, a missing bounds check in OpenSSL's TLS heartbeat extension) allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL, up to 64 KB per request, repeatable at will and without leaving a trace in normal server logs. That memory can hold the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

"There is no limit on the number of attacks that can be performed," Cyber-defence specialists at Fox-IT said in a blog post.

This is the big one we've been dreading, with the affected versions of OpenSSL completely exposed. Patching alone is not enough: because private keys may already have been read out of server memory, the only sound defence is to patch, then generate new private/public key pairs, reissue all certificates and revoke the old ones. Not only that, but all account passwords need to be replaced on the basis that they may have been captured by multiple parties.

Of course, replacing your passwords should only be done after your service providers have updated all their web servers with the patch, new keys and certificates. Until then a new password can be read out just like the old one. That may take some time.

Personally, I would have to assume that the big institutions have been compromised and go from there.

Repeating: this is a complete failure of the affected versions of OpenSSL. All keys and certificates on affected servers have to be treated as compromised. All sites need to be patched and updated, and all users need to update their passwords on all devices. I think OpenSSL is in widespread use by most of our institutions, government agencies, service providers and small to medium size businesses.
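To make the mechanism concrete, here is an added example in C that is not code from this post or from OpenSSL. A TLS heartbeat request carries a 16-bit payload length; OpenSSL before 1.0.1g copied that many bytes into the reply without checking the claim against the size of the record it had actually received, so a request that claims a large payload but sends a short one reads whatever lies past it in process memory. The simulated heap layout, the planted "secret", and all function names are this example's own assumptions; the missing check and the one-line fix follow the real ones.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the server's heap: the received heartbeat
 * record sits at the start, and data that must never leave the process
 * (a fake key header) sits just past it. This layout is an assumption
 * of the example, not OpenSSL's real memory map. */
#define MEM_SIZE    512
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define SECRET "-----BEGIN RSA PRIVATE KEY-----"

static uint8_t g_mem[MEM_SIZE];
static size_t  g_record_len;   /* bytes of the record actually received */

/* Build a heartbeat request: [type:1][payload_len:2 BE][payload][pad:16].
 * `claimed` is what the sender writes in the length field; `actual` is
 * how many payload bytes it really sends (Heartbleed: claimed > actual). */
static void build_request(uint16_t claimed, const char *payload, size_t actual)
{
    uint8_t *p = g_mem;
    memset(g_mem, 0, sizeof g_mem);
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed >> 8);
    *p++ = (uint8_t)(claimed & 0xff);
    memcpy(p, payload, actual);
    p += actual + HB_PADDING;                 /* padding bytes are already zero */
    g_record_len = (size_t)(p - g_mem);
    memcpy(g_mem + g_record_len, SECRET, sizeof SECRET);  /* leftover heap data */
}

/* Heartbeat handler. With apply_fix == 0 it behaves like pre-1.0.1g
 * OpenSSL and trusts the length from the wire; with apply_fix == 1 it
 * adds the 1.0.1g bounds check. Returns response length, or -1 (dropped). */
static int handle_heartbeat(int apply_fix, uint8_t *resp, size_t cap)
{
    const uint8_t *p = g_mem;
    if (apply_fix && g_record_len < 1 + 2 + HB_PADDING) return -1; /* too short */
    if (*p++ != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (apply_fix && 1 + 2 + (size_t)payload + HB_PADDING > g_record_len)
        return -1;                  /* the fix: claimed length must fit the record */
    size_t total = 1 + 2 + payload + HB_PADDING;
    if (total > cap) return -1;     /* guards only our reply buffer, not the input */
    uint8_t *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);         /* unfixed: over-reads past the record */
    memset(bp + payload, 0, HB_PADDING);
    return (int)total;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Sender transmits 5 real bytes but claims 100: the unfixed handler echoes
 * 100 bytes and drags the planted secret along. Returns 1 on leak. */
int vulnerable_leaks_secret(void)
{
    uint8_t resp[MEM_SIZE];
    build_request(100, "hello", 5);
    int n = handle_heartbeat(0, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, "BEGIN RSA PRIVATE KEY");
}

/* Same malformed request against the fixed handler. Returns 1 if dropped. */
int fixed_rejects_bad_length(void)
{
    uint8_t resp[MEM_SIZE];
    build_request(100, "hello", 5);
    return handle_heartbeat(1, resp, sizeof resp) == -1;
}

/* Well-formed request: the fixed handler still echoes exactly the payload. */
int fixed_echoes_honest_request(void)
{
    uint8_t resp[MEM_SIZE];
    build_request(5, "hello", 5);
    int n = handle_heartbeat(1, resp, sizeof resp);
    return n == 1 + 2 + 5 + HB_PADDING && memcmp(resp + 3, "hello", 5) == 0
        && !contains(resp, (size_t)n, "BEGIN RSA");
}

int main(void)
{
    printf("unfixed handler leaks secret:        %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops bad length:      %d\n", fixed_rejects_bad_length());
    printf("fixed handler echoes honest request: %d\n", fixed_echoes_honest_request());
    return 0;
}
```

Two things to take from it: nothing in the unfixed path ever fails, so the server sees an ordinary heartbeat and logs nothing, and the reply is bounded only by the 16-bit length field, which is where the 64 KB per request figure comes from. The fix is a single comparison against the record length actually received; the real 1.0.1g patch also drops records too short to hold a heartbeat at all, as the `apply_fix` branch does here.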

Story here


11 comments on "Heartbleed is a Catastrophic bug"

  • zapionics<alt>
    April 9, 2014 at 5:32 pm

    OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable. I should mention that OSes that shipped with any of these will be compromised out of the box. I'm also wondering about appliances, such as cloud servers.

    Obviously all messages previously encrypted and sent are compromised. A lot of these get stored and archived. I suppose the information goes stale, especially financial data, but it's still pretty disappointing.

  • Sandog
    April 9, 2014 at 7:19 pm

    Sounds scary, hope MS patches it.

  • traveler
    April 9, 2014 at 8:44 pm

    Yeah ... especially for XP !!!!!!! We need that XP patch right away.

  • zapionics<alt>
    April 10, 2014 at 12:53 am

    It looks like Yahoo mail is gone, if you have an account with them you need to update your password at least, or just get out.
    In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL.

    There's also exposure to routers; I don't know about you guys, but I have no clue how to patch my router. I don't even think it's possible.

  • zapionics<alt>
    April 10, 2014 at 1:19 am

    Some information here, "What the Heartbleed Security Bug Means for You"
    Even if a site is patched you won't know if they were exposed previously, so if they don't post a statement then you should still update your passwords.

  • Sandog
    April 10, 2014 at 5:06 am

    My ISP expired my mail exchange password the other day.

  • Whammamoosha
    April 22, 2014 at 1:05 am

    Could it affect an ARRIS cable modem over 802.11 (OTA exposure)?

  • fvbounty
    April 22, 2014 at 6:40 am

    There are a lot of sites that were not affected; I only had to change a few passwords!

    The Heartbleed Hit List: The Passwords You Need to Change Right Now

  • zapionics<alt>
    April 22, 2014 at 5:43 pm

    So many banks claim they were not affected, what a surprise, hehe.
    Seriously, I'd consider changing passwords everywhere at this point, especially if they involve money or sensitive information. I'd also consider the risk of identity theft or the impacts of losing control of a service if it's hijacked.

    Why is it that in hindsight things are obvious but not at the time? Something to do with adaptive learning, I think. For example, it probably took 100,000 years before someone invented the wheel, but I'm sure that the very next day everyone else was copying it.

  • zapionics<alt>
    April 22, 2014 at 6:12 pm

    Originally Posted by Whammamoosha
    Could it affect an ARRIS cable modem over 802.11 (OTA exposure)?
    Modem-routers using OpenSSL between versions 1.0.1 (excluding 1.0.1g) and 1.0.2 are affected and need their firmware updated, if possible.
    I'd be checking their support site to understand how your particular device is impacted. I think only Cisco is publishing much info at the moment though.
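The two comments above that give version ranges (1.0.1 through 1.0.1f; 1.0.1 excluding 1.0.1g, and 1.0.2) are the first thing an admin checks on each host and appliance, so here is an added example in C, not code from this thread, that classifies the output of `openssl version`. The 1.0.1 to 1.0.1f range is the one the thread states; the 1.0.2-beta1 case comes from the OpenSSL advisory of 7 April 2014, not from the thread. The inventory lines and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Classify an `openssl version` string against the affected releases:
 * 1.0.1 through 1.0.1f, plus 1.0.2-beta1 (per the OpenSSL advisory).
 * Returns 1 = in the affected range, 0 = not, -1 = could not parse.
 * Caveat: distributions that backported the fix kept the old version
 * string (a patched build can still print "1.0.1e"), so 1 means "check
 * the package changelog and build date", not "proven vulnerable". */
int openssl_version_in_affected_range(const char *s)
{
    const char *p = strstr(s, "OpenSSL ");
    p = p ? p + strlen("OpenSSL ") : s;           /* tolerate a bare "1.0.1e" */
    int maj, min, patch;
    char letter = 0;
    int n = sscanf(p, "%d.%d.%d%c", &maj, &min, &patch, &letter);
    if (n < 3) return -1;
    if (n == 3 || letter < 'a' || letter > 'z') letter = 0;  /* no release letter */
    if (maj != 1 || min != 0) return 0;            /* 0.9.8 and 1.0.0 never had the bug */
    if (patch == 1) return letter == 0 || letter <= 'f';
    if (patch == 2) {                              /* only 1.0.2-beta1 carried the bug */
        const char *b = strstr(p, "-beta");
        return b != NULL && b[5] == '1';
    }
    return 0;
}

/* Constructed inventory: "host<TAB>openssl version output", one per line. */
const char *const INVENTORY[] = {
    "web1\tOpenSSL 1.0.1e 11 Feb 2013",
    "web2\tOpenSSL 1.0.1g 7 Apr 2014",
    "mail\tOpenSSL 1.0.0l 6 Jan 2014",
    "vpn\tOpenSSL 0.9.8y 5 Feb 2013",
    "lab\tOpenSSL 1.0.2-beta1 24 Feb 2014",
};
const size_t INVENTORY_LEN = sizeof INVENTORY / sizeof INVENTORY[0];

/* Count hosts whose reported version falls in the affected range. */
int count_affected(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (openssl_version_in_affected_range(lines[i]) == 1) hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < INVENTORY_LEN; i++) {
        int r = openssl_version_in_affected_range(INVENTORY[i]);
        printf("%-40s %s\n", INVENTORY[i],
               r == 1 ? "AFFECTED RANGE - verify patch level" :
               r == 0 ? "not in range" : "unparseable");
    }
    printf("%d of %zu hosts in the affected range\n",
           count_affected(INVENTORY, INVENTORY_LEN), INVENTORY_LEN);
    return 0;
}
```

For hosts flagged here, confirm with `openssl version -b` (the build date; a vendor rebuild dated on or after 7 April 2014 is the usual sign of a backported fix) and the package changelog, and remember that a patched library does nothing for daemons that were started before the update and still have the old code mapped: every service linking OpenSSL has to be restarted, and the keys still have to be reissued.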
