
Thread: Heartbleed flaw

  1. #16
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,572
    There are web apps that can check for this vulnerability. I checked all the sites where having my user credentials 'out there' would be a problem. All checked safe. A real issue would be if someone used one or a couple passwords for everything. Also, OpenSSL before a certain version was not vulnerable to this exploit. Here's the site I used:

    http://filippo.io/Heartbleed/

  2. #17
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,456
    The big web sites all have employees working basically 24x7 who can patch the site quickly in case of a security flaw like Heartbleed. It is likely that a number of the websites that tested good yesterday or today would not have tested good earlier in the week. They just patched things right away. A few big web sites were given advance notice of the Heartbleed vulnerability and had things patched before the public announcement.

  3. #18
    Does this look weird to anyone else? It's a major security flaw that "exposes" millions and millions, but yet there don't seem to be any reports that anything has been done with any of it. If they are swiping user data and passwords and encrypted stuff, wouldn't they be using it? You're not hearing about it at all. I wonder if this is part of the NSA issues, and this is one of the tools they implemented to help get them access to secure networks around the world, just to collect the data, not to use it to buy new shoes from Amazon. Then it's exposed and it's treated like some run of the mill virus out there that some unknown person dumped out there.

    Just something to think about. If all the big names had their networks breached, then there would be millions and millions of people that had their data stolen over the last 2 years. But there's no reporting of that happening.

    Something's fishy.....
    Lasers : Trotec Speedy 300 75W, Trotec Speedy 300 80W, Galvo Fiber Laser 20W
    Printers : Mimaki UJF-6042 UV Flatbed Printer , HP Designjet L26500 61" Wide Format Latex Printer, Summa S140-T 48" Vinyl Plotter
    Router : ShopBot 48" x 96" CNC Router Rotary Engravers : (2) Xenetech XOT 16 x 25 Rotary Engravers

    Real name Steve but that name was taken on the forum. Used Middle name. Call me Steve or Scott, doesn't matter.

  4. #19
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,456
    I'm not sure there is any way to know if your server was compromised. At least that is the way one of my co-workers explained it.

  5. #20
    Join Date
    Oct 2008
    Location
    Columbus, OH
    Posts
    3,064
    Quote Originally Posted by Scott Shepherd View Post
    Does this look weird to anyone else? It's a major security flaw that "exposes" millions and millions, but yet there don't seem to be any reports that anything has been done with any of it. If they are swiping user data and passwords and encrypted stuff, wouldn't they be using it? You're not hearing about it at all. I wonder if this is part of the NSA issues, and this is one of the tools they implemented to help get them access to secure networks around the world, just to collect the data, not to use it to buy new shoes from Amazon. Then it's exposed and it's treated like some run of the mill virus out there that some unknown person dumped out there.

    Just something to think about. If all the big names had their networks breached, then there would be millions and millions of people that had their data stolen over the last 2 years. But there's no reporting of that happening.

    Something's fishy.....
    My understanding is that it was discovered by a company that searches for security vulnerabilities. Hopefully, this time the problem was found before the damage was done...
    Brian

    "Any intelligent fool can make things bigger or more complicated...it takes a touch of genius and a lot of courage to move in the opposite direction." - E.F. Schumacher

  6. #21
    Join Date
    Oct 2007
    Location
    Falls Church, VA
    Posts
    2,345
    Blog Entries
    1
    Scott, it sounds fishy because no one really knows what data you can get when you exploit the HeartBleed. Here is my understanding of how it works:

    In HTTPS, you have to keep the conversation alive by sending continuous data packets back and forth (called 'heartbeats'). That is, if you have nothing of substance to say, you still have to say something. It goes like this:

    Your machine sends a heartbeat to the https server and it echoes it back. As I understand it, the message looks like this: <length><some number of bytes>
    So you might send <5><Scott>.
    You would send <5><Scott> to the server and it would send <5><Scott> back to you. It copies "Scott" into a specific area of memory. Then it builds the reply.

    The bug is that the number of bytes doesn't have to match the length. It turns out that there was no check to see if the length and the text matched.

    Soooo... You can send <5000><Scott>. It copies 'Scott' into its buffer for 5 bytes and then returns 5000 bytes of whatever it has.

    That's like me saying, I want whatever is in the 1 square foot of the northeast corner of your shop. I might get your garbage. I might get your collection of router bits. Or I might get the cabinet that holds all your spare keys to your house and car.

    So no one knows for sure what's in that buffer when it gets raided. I would guess that most of the time, it's garbage. Once in a while, you might get lucky and get a credit card number. If you get very, very, very lucky, you might get certificate data that would let you crack open the whole web site.



    Quote Originally Posted by Scott Shepherd View Post
    Does this look weird to anyone else? It's a major security flaw that "exposes" millions and millions, but yet there don't seem to be any reports that anything has been done with any of it. If they are swiping user data and passwords and encrypted stuff, wouldn't they be using it? You're not hearing about it at all. I wonder if this is part of the NSA issues, and this is one of the tools they implemented to help get them access to secure networks around the world, just to collect the data, not to use it to buy new shoes from Amazon. Then it's exposed and it's treated like some run of the mill virus out there that some unknown person dumped out there.

    Just something to think about. If all the big names had their networks breached, then there would be millions and millions of people that had their data stolen over the last 2 years. But there's no reporting of that happening.

    Something's fishy.....
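The missing length check described in post #21, as an added example that is not part of the original thread and is not OpenSSL's code. It follows the post's simplified `<length><bytes>` message; the `mem` array, the function names and the "spare-key" neighbour data are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
/* Constructed stand-in for process memory: message first, unrelated data after it. */
static uint8_t mem[MEM_SIZE];

/* Store <length><bytes> plus neighbouring data; returns bytes actually received. */
size_t load_message(uint16_t claimed, const char *payload, const char *neighbour) {
    size_t n = strlen(payload), k = strlen(neighbour);
    if (2 + n + k > MEM_SIZE) return 0;
    memset(mem, 0, MEM_SIZE);
    mem[0] = (uint8_t)(claimed >> 8);
    mem[1] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 2, payload, n);
    memcpy(mem + 2 + n, neighbour, k);
    return 2 + n;
}

/* Vulnerable pattern: echoes as many bytes as the message claims to carry.
   out must hold MEM_SIZE bytes. */
size_t echo_vulnerable(size_t received, uint8_t *out) {
    size_t claimed = ((size_t)mem[0] << 8) | mem[1];
    (void)received;                       /* actual size is never consulted */
    if (claimed > MEM_SIZE - 2) claimed = MEM_SIZE - 2; /* keeps the simulation in its own array */
    memcpy(out, mem + 2, claimed);        /* runs past the payload into the neighbour */
    return claimed;
}

/* Fixed pattern: discard the message if it claims more than actually arrived. */
size_t echo_checked(size_t received, uint8_t *out) {
    size_t claimed;
    if (received < 2) return 0;
    claimed = ((size_t)mem[0] << 8) | mem[1];
    if (claimed > received - 2) return 0; /* silently drop, send nothing back */
    memcpy(out, mem + 2, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[MEM_SIZE];
    size_t got = load_message(5000, "Scott", "spare-key=1234 (constructed)");
    printf("vulnerable echoed %zu bytes: %.30s\n", echo_vulnerable(got, out), (char *)out);
    printf("checked echoed %zu bytes\n", echo_checked(got, out));
    return 0;
}
```

An honest `<5><Scott>` message gets the same reply from both handlers; only the oversized claim behaves differently.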

  7. #22
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,456
    It was only discovered that OpenSSL has a vulnerability in the past two or three weeks even though the problem code was released in 2012. It is hard to exploit a vulnerability if nobody knows about it although somebody could have been exploiting it and didn't tell anyone. The NSA denies that they knew about the bug and had been using it to exploit websites.

    The discovery of the exploit was kept secret for a number of days until a patch was ready. A few website hosting companies got early access to the patch and had their servers patched before the public announcement.
