What's new
  • ICMag with help from Landrace Warden and The Vault is running a NEW contest in November! You can check it here. Prizes are seeds & forum premium access. Come join in!

Heartbleed Security Flaw affects most of Internet

dddaver

Active member
Veteran
Please note: ICMag is not affected as we have a version of ssl that is not compromised! - Skip

(CNN)
-- A major online security vulnerability dubbed "Heartbleed" could put your personal information at risk, including passwords, credit card information and e-mails.
Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they're sending online is hidden from prying eyes.
Cybercriminals could exploit the bug to access visitors' personal data as well as a site's cryptographic keys, which can be used to impersonate that site and collect even more information.
It was discovered by a Google researcher and an independent Finnish security firm called Codenomicon. The researchers have put up a dedicated site to answer common questions about the bug. They even gave it an adorably gruesome custom icon.
Heartbleed is the result of a small coding error but it could have far-reaching consequences and affect the majority of Internet users.
Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.
What makes the bug particularly problematic is that there is no simple fix. Action needs to be taken by both the compromised sites and individuals who have visited them.
To protect their user data and encryption keys, sites must upgrade to the patched version of OpenSSL, revoke compromised SSL certificates and get new ones issued.
Many major websites including Google, Facebook, Yahoo and Amazon have said they've taken steps to secure their sites. Security researchers demonstrated the flaw by stealing Yahoo e-mail logins on Tuesday morning, but Yahoo has since fixed the issue across its major sites, including Tumblr.
It's not just an issue for major sites. Smaller online stores and services use OpenSSL, and those sites might take longer to make the necessary fixes. Websites don't typically publicize whether they're using OpenSSL, so the process will also be bumpy for consumers.
Individuals should update their passwords across the various Web pages they use, but only once they have confirmed a site has already taken the proper measures to address Heartbleed. If they don't and that site is still at risk, the new password could also be compromised. Many sites will also likely send e-mails instructing customers to update passwords if necessary.
 
Last edited by a moderator:

Skip

Active member
Veteran
Heartbleed is the result of a small coding error
Inserted by an agent of the NSA, no doubt.

The NSA alone has caused far more damage to our national security than all the hackers in the world. They've put backdoors on all the major software made in the USA. This is now seriously harming the business interests of the US Tech industry to the tune of $billions as companies foreign and domestic begin to switch from US software to that made elsewhere with more security.

Big Brother has fucked us over again.
 

Dropped Cat

Six Gummi Bears and Some Scotch
Veteran
I can still download porn, though, right?

Silly innerwebs. Hope it doesn't stop my N*tflix or anything important.

I'll have to post that on my Facebo*k page now, so everyone knows.
 

Skip

Active member
Veteran
Facts about Heartbleed:
It's been active for the last two years in software used to secure the internet using ssl.

There is now a fix, and it's being implemented across the web as I write this.

GOOD NEWS! The version of ssl in use on our servers is not vulnerable to this bug!

It's a serious problem as it allows hackers to possibly access data being sent across the web.

It affected millions of websites and software by big companies like Cisco.

So to protect yourself you should change your passwords everywhere esp. if personal info is at stake
 
Last edited:

Skip

Active member
Veteran
I checked again with our hosting company and they've fixed all sites on their servers if they were at risk.

So Seedbay and Seedboutique are also OK to use and not affected
by heartbeat.

But you should still change passwords for your own piece of mind, esp. on other sites.
 

Wiggs Dannyboy

Last Laugh Foundation
ICMag Donor
Veteran
Inserted by an agent of the NSA, no doubt.

The NSA alone has caused far more damage to our national security than all the hackers in the world. They've put backdoors on all the major software made in the USA. This is now seriously harming the business interests of the US Tech industry to the tune of $billions as companies foreign and domestic begin to switch from US software to that made elsewhere with more security.

Big Brother has fucked us over again.

And...here's the latest:

http://www.huffingtonpost.com/2014/04/11/nsa-heartbleed_n_5134813.html

NSA Knew About And 'Exploited' Heartbleed For Years: Bloomberg


The Heartbleed bug just went from bad to worse to truly, utterly terrifying.

The National Security Agency knew of the existence of the catastrophic bug for at least two years and kept it a secret from the public and the cybersecurity community in order to exploit it, according to a bombshell report from Bloomberg News. However, the agency is denying the story.

While it's unclear what the agency was able to do with its knowledge of the exploit, we at least know this: If the report is true, the NSA knew about one of the most dangerous bugs in Internet history, and it did nothing to warn us about it.

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," the NSA said in a statement circulated to reporters. "Reports that say otherwise are wrong." A White House spokesperson also stated that no federal agency was aware of the bug.

First discovered by Google and Codenomicon, a security firm, the Heartbleed bug is a flaw in the encryption used to protect vast number of websites from hackers. The fear is that the bug may expose credit card numbers, passwords and more.

Yahoo, Amazon and many, many other major websites used the free code, called OpenSSL, since encryption software is notoriously difficult to write.

Immediately after news of Heartbleed broke, some suspected that the NSA was exploiting the security lapse to access people's private data. Others saw it coming even before that: The documents leaked by former NSA contractor Edward Snowden indicated that the NSA partnered its British spying equivalent, the GCHQ, to try to crack SSL and other encryption standards that protect the Internet.
The two sources who spoke to Bloomberg are confirming those fears Friday.

Now that we know that the NSA knew about the bug, the question is how exactly they exploited it. Before this news broke, Wired reported that the bug might not be all that handy for the NSA. Heartbleed lets an attacker scoop up data from a website, but according to the story's author, Kim Zetter, "the data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data."

The piece of the data that had security experts most worried -- the private SSL keys -- may be safe from the NSA's clutches. Theoretically, with a website's private key, a bad actor could steal information from a website months or years after the Heartbleed bug has been patched in its system. But after several tests, the online security company CloudFlare said it was unable to use Heartbleed to extract those keys. However, another researcher at Errata Security was much less sure about private keys being safe.
But the bits of data the agency was able to vacuum up with Heartbleed could be used in its many other data-gathering initiatives. "Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission," Bloomberg's Michael Riley wrote.
 
O

OGShaman

heartbleed_explanation.png
 

dddaver

Active member
Veteran
First CNN reported this: [FONT=Arial, Helvetica, sans-serif]"...[/FONT][FONT=Arial, Helvetica, sans-serif]estimated two-thirds of Web servers[/FONT]..."

Then today Forbes reports this:"...exposed user details on 17% of the world’s supposedly secure web servers." This was taken from their story on Yahoo "news": Microsoft Abandons Windows 8.1: Take Immediate Action Or Be Cut Off Like Windows XP .
http://www.forbes.com/sites/gordonk...-be-cut-off-like-windows-xp/?partner=yahootix

Small difference there ;P

I really think most reporting, and especially from these huge trusted news organizations, is mostly bullshit and sensationalistic anymore. And they are using that old tried and trusted tool, scare everyone, just to get their shit published or used. That makes no one believe anything any news organization says because most of is most likely just bullshit lies.
ying.gif
WTF?

Please don't say it's just US. It's evidently worldwide. Maybe more so in our so-called "free" societies. These big news outfits say whatever they want now because their legal depatments will handle it, then those legal departments have to get bigger, and bigger, and bigger as more complaints come their way. While all the lawyers just laugh. This is nuts and getting worse too.
 

Latest posts

Latest posts

Top