[kwlug-disc] Heartbleed affected sites

CrankyOldBugger crankyoldbugger at gmail.com
Fri Apr 11 16:30:00 EDT 2014


Well, try not to be surprised, but apparently the NSA has been exploiting
this bug for two years now:

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

But yes, the media is doing a wonderful job of convincing people that this
issue is far bigger than it really is.



On 11 April 2014 16:24, unsolicited <unsolicited at swiz.ca> wrote:

> Why?
>
> The bug was introduced 2 years ago, but it's not known to have been
> exploited, from anything I've seen, which doesn't say much.
>
> Nefarious activity in the wild is monitored by various organizations to
> whatever extent it is, and the issue was not discovered / reported by them,
> as far as I know.
>
> From what I saw a 64k chunk of memory is potentially exposed in an ssh
> server to someone if they were exploiting it, for which we don't know they
> were. (Or even aware it was possible.)
>
> Doesn't mean there was anything useful in that 64k chunk. Which they would
> then have to decipher in the sense of figuring out if there is anything
> useful, and that usefulness has to extend to being able to do something
> with it.
>
> Without any knowledge one way or the other, I assume CRA is shut down not
> because there's an issue going forward (problem easily patched, now), but
> because they don't know what might have happened during or within. Short of
> checksumming every system, I don't know how they might prove one way or
> another. But someone higher up is probably requiring due diligence on
> something that can't be proven.
>
> I do wonder if 'change your password' isn't FUD, promoted for trying to
> give users the sense that they're in control of their own security, and
> that changing their password will let them be proactive and 'solve the
> problem'.
>
> There's a lot of 'ifs' to the chain of events above before you have
> certainty of impact. And a lot of other risks (especially human error) out
> there that are quite probably more likely to happen and impact you than
> this one. No, I don't know what they are, either. But I also haven't seen
> any impact.
>
> It's a lot of work to change all the passwords, let alone for some time
> afterwards trying to remember what you changed them to.
>
> Not sure it's worth the effort in the absence of any detected impact. Hard
> to say it's not just fear mongering. Certainly some media I've seen running
> around with their heads cut off demonstrate a deep misunderstanding of
> things, yet their heads are still talking.
>
>
> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>
>> Mashable has a list going of sites affected by Heartbleed:
>>
>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>
>> Don't forget to add Canada Revenue (and most other government sites) to
>> your list of passwords to change!
>>
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>