[kwlug-disc] Heartbleed affected sites

Khalid Baheyeldin kb at 2bits.com
Sat Apr 12 12:51:16 EDT 2014


Heartbleed extracted whatever happened to be in memory at the time. That
can be passwords or hashes or anything else.

It is non-specific, but a determined attacker can potentially glean some
info with persistence.

Also, because the attacker does not need to complete a connection that
would be logged (e.g. HTTP, ...etc.), this makes the attacks untraceable
with the usual logs (e.g. web server).

This is what makes it scary: potential information disclosure, and
non-traceability.


On Sat, Apr 12, 2014 at 4:29 AM, unsolicited <unsolicited at swiz.ca> wrote:

> That's oversimplistic.
>
> You can't extract a password that isn't there.
>
> *IF* it is even in the packet you get.
>
> *IF* it was being exploited at the time.
>
> *IF* you are of interest to them.
>
> *IF* they are interested in doing damage to that provider of services.
>
> Lot of IFs. Lot of FUD.
>
> What's being protected?
>
> Will you know?
>
> Will you care?
>
> Not saying now that exploit known they wouldn't run with it.
>
> But patching is simplistic.
>
> I take your point about SSL keys - IF it was in the data returned.
>
> But with properly isolated systems, it should only be the front end
> impacted. On the assumption that nobody inside your firewall is exploiting
> it.
>
> Lots of IFs all around.
>
> But I take your point.
>
>
>
> On 14-04-11 05:44 PM, Bob Jonkman wrote:
>
>>
>> If your router is accessible from the WAN port via http then you have
>> more urgent problems than Heartbleed.
>>
>> If a site has both http and https then there's no (new) vulnerability
>> with http, but a Heartbleed attack on https can still extract
>> passwords and other info.
>>
>> To extract a password from an http session a bad guy needs to be a
>> man-in-the-middle, or sniffing the network (remember Firesheep?). To
>> extract a password with Heartbleed an attacker only has to initiate an
>> https session.
>>
>> - --Bob.
>>
>>
>>
>> On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
>>
>>> But, wouldn't Heartbleed be an issue, only if you use SSL on the
>>> site? For example, if you have OpenWRT/Tomato/DD-WRT and logging
>>> via http (not https), then there is no exploit via OpenSSL?
>>>
>>>
>>> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com>
>>> wrote:
>>>
>>> If you're using a tool to check for Heartbleed vulnerabilities, be
>>> sure to check the Web interface on your router and/or modem as
>>> well.
>>>
>>> I'm not sure if router vendors are on top of this, but according
>>> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from
>>> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch
>>> modem with firmware 6.1.0.5
>>>
>>> Also, somebody asked me how safe these vulnerability checking
>>> tools are, especially the online and Javascript-based ones. What's
>>> to say they're not merely displaying "all is well", and actually
>>> compiling a list of vulnerable sites for later exploitation?
>>>
>>> --Bob.
>>>
>>>
>>> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>
>>>> You can use this python tool ssltest.py to check if your
>>>> servers are vulnerable:
>>>>
>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>> $ python ssltest.py example.com
>>>>
>>>
>>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>
>>>> Mashable has a list going of sites affected by Heartbleed:
>>>>
>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>
>>>> Don't forget to add Canada Revenue (and most other government
>>>> sites) to your list of passwords to change!
>>>>
>>>
>>>
>>> Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-669-0388
>>> SOBAC Microcomputer Services             http://sobac.com/sobac/
>>> http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/
>>> Software   ---   Office & Business Automation   ---   Consulting
>>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>>>
>>>
>>>>
>>>> _______________________________________________ kwlug-disc
>>>> mailing list kwlug-disc at kwlug.org
>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and
wrong. -- H.L. Mencken