[AT] Critical Crypto Bug in OpenSSL Opens Two-Thirds of the Web to Eavesdropping

post #1 of 54
Thread Starter 
Quote:
Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

Source
post #2 of 54
O crap.
post #3 of 54
Well that can't be any good.
post #4 of 54
Time to issue new certificates....
Once again...
(13 items)
 
  
CPUMotherboardGraphicsRAM
i7 920 [4.28GHz, HT] Asus P6T + Broadcom NetXtreme II VisionTek HD5850 [900/1200] + Galaxy GT240 2x4GB G.Skill Ripjaw X [1632 MHz] 
Hard DriveOSMonitorKeyboard
Intel X25-M 160GB + 3xRAID0 500GB 7200.12 Window 7 Pro 64 Acer H243H + Samsung 226BW XARMOR-U9BL  
PowerCaseMouseMouse Pad
Antec Truepower New 750W Li Lian PC-V2100 [10x120mm fans] Logitech G9 X-Trac Pro 
  hide details  
Reply
Once again...
(13 items)
 
  
CPUMotherboardGraphicsRAM
i7 920 [4.28GHz, HT] Asus P6T + Broadcom NetXtreme II VisionTek HD5850 [900/1200] + Galaxy GT240 2x4GB G.Skill Ripjaw X [1632 MHz] 
Hard DriveOSMonitorKeyboard
Intel X25-M 160GB + 3xRAID0 500GB 7200.12 Window 7 Pro 64 Acer H243H + Samsung 226BW XARMOR-U9BL  
PowerCaseMouseMouse Pad
Antec Truepower New 750W Li Lian PC-V2100 [10x120mm fans] Logitech G9 X-Trac Pro 
  hide details  
Reply
post #5 of 54
New CA's, not new certs.
post #6 of 54
Don't know if people have seen

DO NOT USE YAHOO

They are haemorrhaging usernames, passwords and everything else (secret answers, phone numbers) at the moment in plain text

http://heartbleed.com/

http://www.reddit.com/r/netsec/comments/22gaar/heartbleed_attack_allows_for_stealing_server/
post #7 of 54
Quote:
Originally Posted by Avonosac View Post

New CA's, not new certs.

Right.... this hack allows you to steal the secret keys used to generate the certs!
post #8 of 54
Quote:
Originally Posted by Ulquiorra View Post

Don't know if people have seen

DO NOT USE YAHOO

They are haemorrhaging usernames, passwords and everything else (secret answers, phone numbers) at the moment in plain text

http://heartbleed.com/

http://www.reddit.com/r/netsec/comments/22gaar/heartbleed_attack_allows_for_stealing_server/

Evidence please. I scoured the sites and didn't see mention of Yahoo specifically; although I am not denying they are vulnerable, I would like you to show a list or the claimant.

Thanks.

Btw, Ubuntu-based distros (Mint) were patched very quickly last night.

Type openssl version -a in your terminal and look at the version; it should be 1.0.1e, but don't worry about the 2013 date, the build date was 7th April 2014.
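
An added example (not part of the thread) of the check described in the post above: a distro backport can leave the version string at 1.0.1e, so the function reads both the version and the "built on" line of `openssl version -a`. The 1.0.1 to 1.0.1f range and the 2014-04-07 cutoff are assumptions labelled in the code; the function name and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output read from stdin.
# Assumption: releases 1.0.1 through 1.0.1f carry the bug; 1.0.1g has the fix.
# Assumption: a "built on" date of 2014-04-07 or later on an in-range version
# hints at a distro backport; confirm against the package changelog.
classify_openssl() {
    out=$(cat)
    first=$(printf '%s\n' "$out" | sed -n '1p')
    ver=$(printf '%s\n' "$first" |
          sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    case "$first" in *beta*) echo unknown; return ;; esac
    case "$ver" in
        '')                    echo unknown; return ;;
        1.0.1|1.0.1[abcdef])   ;;   # in range: go on to the build date
        *)                     echo outside-range; return ;;
    esac
    # "built on: Mon Apr  7 20:33:29 UTC 2014" -> 20140407
    ymd=$(printf '%s\n' "$out" | awk '
        /^built on:/ {
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
            if (length($4) == 3 && m % 3 == 1 && $5 ~ /^[0-9]+$/ &&
                $NF ~ /^[0-9][0-9][0-9][0-9]$/)
                printf "%04d%02d%02d", $NF, (m + 2) / 3, $5
            exit
        }')
    if [ -z "$ymd" ]; then
        echo in-range-date-unknown      # e.g. reproducible builds omit the date
    elif [ "$ymd" -ge 20140407 ]; then
        echo in-range-rebuilt           # same version string, newer build
    else
        echo in-range-old-build         # treat as vulnerable
    fi
}

# Constructed sample: version string unchanged, package rebuilt by the distro.
SAMPLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'

printf '%s\n' "$SAMPLE" | classify_openssl   # in-range-rebuilt
# On a live host: openssl version -a | classify_openssl
```
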
post #9 of 54
..Also I wouldn't be too surprised if this is one of the exact holes that the SS have been using around the world to intercept traffic.
post #10 of 54
The patch works ... ish, I applied it straight away but the tool is STILL returning data,

The Yahoo thing is the top thing in Twitter

https://twitter.com/search?q=heartbleed&src=typd

LastPass also fell victim to it, it's been a badddd day for some sys admins

The below iptables rule acts as a stopgap, it stops the tool from detecting you, I think there's also snort rules / ossec rules for it at the moment being done
#iptables -t filter -A INPUT -p tcp --dport 443 --tcp-flags ALL PSH,ACK -j DROP