Heartbleed bug in OpenSSL is major security risk

zme-ul
cel rau
Posts: 3652
Joined: 24 Mar 2014, 05:20

Heartbleed bug in OpenSSL is major security risk

Post by zme-ul »

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

From what I know and have found so far, Valve, Google, Yahoo, Flickr and Imgur were at one point vulnerable to this exploit.
Last edited by zme-ul on 11 Apr 2014, 02:21, edited 2 times in total.
人は地獄を作った
zme-ul
cel rau
Posts: 3652
Joined: 24 Mar 2014, 05:20

Re: Heartbleed bug in OpenSSL is major security risk

Post by zme-ul »

https://forum.candaparerevista.ro/ IS VULNERABLE. - http://filippo.io/Heartbleed/#candapare ... .no-ip.org

Here is some data we pulled from the server memory:
(we put YELLOW SUBMARINE there, and it should not have come back)


([]uint8) {
 00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
 00000020  55 42 4d 41 52 49 4e 45  5f 41 80 11 9e ed 6a 54  |UBMARINE_A....jT|
 00000030  9a 61 37 8d 21 68 78 a9  0e 6c ec e4 a7 5c 2e 00  |.a7.!hx..l...\..|
 00000040  05 00 05 01 00 00 00 00  00 0a 00 08 00 06 00 17  |................|
 00000050  00 18 00 19 00 0b 00 02  01 00 00 0d 00 0a 00 08  |................|
 00000060  04 01 04 03 02 01 02 03  ff 01 00 01 00 78 2d 73  |.............x-s|
 00000070  69 7a 69 6e 67 3a 62 6f  72 64 65 72 8e 21 c7 6c  |izing:border.!.l|
 00000080  d3 3b a8 c3 74 55 42 f0  9c b6 75 67              |.;..tUB...ug|
}
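To show what the tester's dump above actually contains, here is an added example (not from the post and not the filippo.io tool's own code) that parses the quoted hex dump back into bytes, splits it as an RFC 6520 heartbeat message, and isolates what came back after the planted canary. The dump and the "YELLOW SUBMARINE" canary are the post's; the function names are assumptions of this example.

```python
import re

# Tester output quoted in the post above, embedded verbatim so the example runs offline.
DUMP = r"""
([]uint8) {
 00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
 00000020  55 42 4d 41 52 49 4e 45  5f 41 80 11 9e ed 6a 54  |UBMARINE_A....jT|
 00000030  9a 61 37 8d 21 68 78 a9  0e 6c ec e4 a7 5c 2e 00  |.a7.!hx..l...\..|
 00000040  05 00 05 01 00 00 00 00  00 0a 00 08 00 06 00 17  |................|
 00000050  00 18 00 19 00 0b 00 02  01 00 00 0d 00 0a 00 08  |................|
 00000060  04 01 04 03 02 01 02 03  ff 01 00 01 00 78 2d 73  |.............x-s|
 00000070  69 7a 69 6e 67 3a 62 6f  72 64 65 72 8e 21 c7 6c  |izing:border.!.l|
 00000080  d3 3b a8 c3 74 55 42 f0  9c b6 75 67              |.;..tUB...ug|
}
"""
# offset, hex bytes, then the '|ascii|' gutter; wrapper lines like "([]uint8) {" do not match
LINE_RE = re.compile(r"^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+)+)\|")

def parse_hexdump(text):
    """Rebuild the raw bytes from the dump, checking that offsets are contiguous."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("non-contiguous dump at offset " + m.group(1))
        out += bytes.fromhex(m.group(2))  # fromhex ignores the spaces between bytes
    return bytes(out)

def parse_heartbeat(msg):
    """Split an RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding."""
    if len(msg) < 3:
        raise ValueError("too short for a heartbeat header")
    declared = int.from_bytes(msg[1:3], "big")
    if len(msg) < 3 + declared + 16:  # RFC 6520 requires at least 16 bytes of padding
        raise ValueError("declared payload_length exceeds the message")
    return {"type": msg[0],                    # 1 = request, 2 = response
            "payload_length": declared,
            "payload": msg[3:3 + declared],
            "padding": msg[3 + declared:]}

def leaked_after_canary(payload, canary):
    """Bytes echoed after the planted canary: on a vulnerable build, server process memory."""
    i = payload.find(canary)
    return b"" if i < 0 else payload[i + len(canary):]
```

Run against the post's dump, the response is type 2 with a declared length of 121 bytes, of which 84 follow the canary; among them is the fragment "x-sizing:border", a piece of web content that was sitting in the server's memory.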
zme-ul
cel rau
Posts: 3652
Joined: 24 Mar 2014, 05:20

Re: Heartbleed bug in OpenSSL is major security risk

Post by zme-ul »

  • All good, nivelul2.lab501.ro seems fixed or unaffected!
  • bancatransilvania.ro IS VULNERABLE. -11/04 2:30AM
Last edited by zme-ul on 11 Apr 2014, 02:31, edited 3 times in total.
reV
Pig Cop
Posts: 604
Joined: 2 Mar 2014, 15:53
Location: Republica Bananiera Romania

Re: Heartbleed bug in OpenSSL is major security risk

Post by reV »

F** the lot of them who found Heartbleed and exploited it, because it took me a day and a half to fix the problem everywhere I'm webmaster/sysadmin. I don't understand why people don't want to use Cloudflare (I use it for my sites, and they fixed the problems about a week before all this crap went public), especially since they also have free services.
zme-ul » Tue Jun 17, 2014 3:16 am wrote: if Romania ever makes it to the World Cup again, I'll run bare-assed through Crâng :D
zme-ul
cel rau
Posts: 3652
Joined: 24 Mar 2014, 05:20

Re: Heartbleed bug in OpenSSL is major security risk

Post by zme-ul »

The Heartbleed Hit List: The Passwords You Need to Change Right Now

LastPass Now Tells You Which Heartbleed-Affected Passwords to Change

zme-ul
cel rau
Posts: 3652
Joined: 24 Mar 2014, 05:20

Re: Heartbleed bug in OpenSSL is major security risk

Post by zme-ul »

The Programmer Behind Heartbleed Speaks Out: It Was an Accident
The Internet bug known as Heartbleed was introduced to the world on New Year's Eve in December 2011. Now, one of the people involved is sharing his side of the story.

Programmer Robin Seggelmann says he wrote the code for the part of OpenSSL that led to Heartbleed. But it was an accident. He submitted the code to the OpenSSL project and other members reviewed it. Seggelmann later added another piece of code for a new feature, which the members then added. It was this added feature that introduced the bug.

Seggelmann told the Sydney Morning Herald that the actual error was "trivial," but that its impact was clearly severe. Since he and the reviewers missed the flaw, it eventually made its way to the official release, which went live on Dec. 31, 2011, according to logs.

Heartbleed is a vulnerability in the encryption that many sites use to ensure that your communications can't be intercepted. Theoretically, up to two-thirds of the Internet traffic was exposed for more than two years. Engineers at security firm Codenomicon discovered the flaw last week, and it was publicly announced on April 7.

Damn them! This vulnerability has existed for more than 3 years.
It's not good how Linus Torvalds does it: when they screw up, he sends them to stand in the corner.
brutalistu
Hammer Haunt
Posts: 2293
Joined: 2 Mar 2014, 15:53

Re: Heartbleed bug in OpenSSL is major security risk

Post by brutalistu »

Jaunty
Site Admin
Posts: 1813
Joined: 1 Mar 2014, 17:46

Re: Heartbleed bug in OpenSSL is major security risk

Post by Jaunty »

Patched. :)
zme-ul » Thu Apr 10, 2014 7:34 pm wrote:
  • All good, nivelul2.lab501.ro seems fixed or unaffected!
  • bancatransilvania.ro IS VULNERABLE. -11/04 2:30AM
nivelul2.lab501.ro uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for web1.lab501.ro The certificate expired on 27-Aug-13 11:04. The current time is 11-Apr-14 16:23.
Oh, you guys...

As for the banks, I see that in general they don't have TLS properly configured: Banca Transilvania, ING, CEC (lol)
zme-ul
cel rau
Posts: 3652
Joined: 24 Mar 2014, 05:20

Re: Heartbleed bug in OpenSSL is major security risk

Post by zme-ul »

Forgot to add:
if you have custom DD-WRT firmware on your router (all versions between ~19000 - 23882 are affected, previous releases should be fine, but they have other vulnerabilities) or OpenWRT, update the fucker now! ;)
DD-WRT started using the vulnerable code on 2012/04/29. Any DD-WRT build after (and including) 19163 has the flaw, and any build after (and including) 23882 has the fix.
[...]
openssl is used for freeradius, openvpn, tor, asterisk