Kitz ADSL Broadband Information
Author Topic: OpenSSL; Serious Vulnerability  (Read 15723 times)

Berrick

  • Reg Member
  • ***
  • Posts: 287
OpenSSL; Serious Vulnerability
« on: April 08, 2014, 05:58:34 PM »

Hot on the tail of security flaws with GnuTLS (http://forum.kitz.co.uk/index.php?topic=13660.0) comes a potentially more serious flaw with OpenSSL affecting many Linux distros. Read about it here http://heartbleed.com/.

List of known OpenSSL vulnerabilities here http://www.openssl.org/news/vulnerabilities.html

There is a site to test if you are affected here http://possible.lv/tools/hb/ OR
If you're running any of these versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1, you are likely affected by this vulnerability

This command should check your OpenSSL version: OpenSSL version -a

Logged
Growing old is mandatory; Growing up is optional
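The version list in the post above is easy to misread by eye (1.0.1f is affected, 1.0.1g is not, and a build compiled with heartbeats disabled is safe despite its version string). Below is an added example, not code from the forum or from OpenSSL, that parses the output of `openssl version -a`, matches it against the affected releases named in the post, and also looks for the `-DOPENSSL_NO_HEARTBEATS` compile flag; the sample outputs are constructed for the demonstration, and the classification labels are my own names.

```python
"""Classify a local OpenSSL build against the affected-version list from the post.

Added example (not from the forum or from the OpenSSL project). The sample
`openssl version -a` outputs below are constructed; the result labels are
assumptions chosen for this script.
"""
import re
import subprocess
from typing import Optional

# Releases the post lists as affected by the heartbeat bug.
AFFECTED = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d",
            "1.0.1e", "1.0.1f", "1.0.2-beta1"}

# First line of `openssl version -a` looks like "OpenSSL 1.0.1e 11 Feb 2013";
# capture major.minor.patch, an optional letter suffix, and an optional -betaN.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")


def parse_version(output: str) -> Optional[str]:
    """Return the version token from `openssl version -a` output, or None."""
    match = VERSION_RE.search(output)
    return match.group(1) if match else None


def heartbeats_disabled(output: str) -> bool:
    """True if the build was compiled with -DOPENSSL_NO_HEARTBEATS.

    That flag removes the heartbeat extension entirely, so even an affected
    version string does not carry the bug. The flag shows up on the
    'compiler:' line of `openssl version -a`.
    """
    return "OPENSSL_NO_HEARTBEATS" in output


def assess(output: str) -> str:
    """Map `openssl version -a` output to one of four labels."""
    version = parse_version(output)
    if version is None:
        return "unknown"
    if version not in AFFECTED:
        return "not-listed"
    if heartbeats_disabled(output):
        return "affected-version-but-heartbeats-disabled"
    return "affected"


def assess_local() -> str:
    """Run the real command (lower case, as the thread notes for Fedora)."""
    proc = subprocess.run(["openssl", "version", "-a"],
                          capture_output=True, text=True, check=False)
    return assess(proc.stdout)


# Constructed sample outputs, abbreviated to the lines the script uses.
SAMPLE_AFFECTED = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 12:00:00 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -O2
OPENSSLDIR: "/etc/ssl"
"""

SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2
"""

SAMPLE_FIXED = """OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O2
"""

SAMPLE_BETA = """OpenSSL 1.0.2-beta1 24 Feb 2014
compiler: gcc -O2
"""

if __name__ == "__main__":
    for name, sample in [("affected", SAMPLE_AFFECTED),
                         ("no-heartbeats", SAMPLE_NO_HEARTBEATS),
                         ("fixed", SAMPLE_FIXED), ("beta", SAMPLE_BETA)]:
        print(f"{name:14s} -> {assess(sample)}")
    print(f"{'this machine':14s} -> {assess_local()}")
```

One caveat on reading the result: distributions often backport a security fix into their existing package without bumping the upstream version string, so "affected" here means "affected unless your package changelog says the fix was applied"; the package version from `rpm -q openssl` or `dpkg -l openssl` and the distro's advisory are the authoritative check, and the version string is only a first filter.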

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: OpenSSL; Serious Vulnerability
« Reply #1 on: April 08, 2014, 06:03:35 PM »

I heard about it a day ago and there is a fix available now although in most distros you need to install it manually as it's not in the repos yet.

Stuart

BTW the command on Fedora has to be lower case!
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #2 on: April 08, 2014, 06:48:34 PM »

Trouble with bugs like this is you can update your home system to your heart's content and still remain vulnerable.

The distinction is (correct me if I'm wrong anybody) that it affects the servers too.   So if you are connecting to a secure Linux based server operated by, say, a social network, an email host, or a bank, then it is the server that needs to be updated otherwise your data may leak to an attacker.

And by above reasoning, even windows users are vulnerable if (say) their bank uses an affected server. :(
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #3 on: April 09, 2014, 12:32:14 AM »

Quote
The distinction is (correct me if I'm wrong anybody) that it affects the servers too.

I'm with you on that 7LM, in fact anyone exploiting this type of bug would likely only target servers.

I can't imagine many home users running SSL.  SSL is only really needed for websites that operate financial or similar sensitive type transactions or personal information, such as banks or online stores, which in turn are most likely to use Linux.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Berrick

  • Reg Member
  • ***
  • Posts: 287
Re: OpenSSL; Serious Vulnerability
« Reply #4 on: April 09, 2014, 06:58:58 AM »

Quote
I can't imagine many home users running SSL

What about those who use SSL VPN (OpenVPN)? kinda brings a whole new meaning to OPEN ;)
Logged
Growing old is mandatory; Growing up is optional

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: OpenSSL; Serious Vulnerability
« Reply #5 on: April 09, 2014, 09:54:56 AM »

I just found the fixes for this are available now for Fedora from the repos.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

geep

  • Reg Member
  • ***
  • Posts: 452
    • My ST546 Statistics
Re: OpenSSL; Serious Vulnerability
« Reply #6 on: April 09, 2014, 05:21:42 PM »

Slackware fixed too: 2014-04-08 - [slackware-security] openssl (SSA:2014-098-01)

Cheers,
Peter

Added: Just tried the tester here: https://www.ssllabs.com/ssltest/index.html with several of my online banks.
Most came out with a B or A- rating. But one came out with an F rating.
I have contacted the bank pointing this out, and telling them a major competitor gets a B rating.

But I'm left wondering how realistic the tests are, and does this low rating mean that I am really exposed?
Or is it just theoretical stuff that doesn't mean anything in the real world?

PPS - just noticed on the ssllabs website that ebay.co.uk is rated F - which seems to be the lowest rating.
« Last Edit: April 09, 2014, 06:28:02 PM by geep »
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #7 on: April 09, 2014, 06:54:56 PM »

Quote
But I'm left wondering how realistic the tests are, and does this low rating mean that I am really exposed?

It is an interesting test but try as I may, none that I could think of appear to be vulnerable to this new heartbleed issue.   As you say, ebay scores poorly, but even then it's not vulnerable to heartbleed.   So it appears there is no reason to be any more concerned today than a week ago. :)

The banking (etc) sites that worry me the most are the ones that simply encourage bad habits.   Nat Savings for example, I recently discovered, have very strict password requirements... it must be case mixed, mixed alpha & numeric, and must contain at least one punctuation mark, and contain no less than 6, no more than 8 characters.

Somebody probably advised NS&I that such passwords are difficult to hack, and they thought that meant 'secure'.  But IMHO 99% of people will have to make a written note of such a password in which case it doesn't require an SSL vulnerability, all it takes is a casual house burglar who finds your password book.    :(
Logged

c6em

  • Reg Member
  • ***
  • Posts: 504
Re: OpenSSL; Serious Vulnerability
« Reply #8 on: April 09, 2014, 07:12:11 PM »

reminds me when at work many years ago I had an ultra secure long password
Then along come the smart arses who implemented a rule it must be changed every xx days.
So my passwords became 'Monday', 'Tuesday', 'Wednesday' etc to be endlessly rotated.
I recall the next stage was that they had to have a number in them
so I think I then used Monday1, Monday2, Monday3,
Basically I didn't give a toss.....
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: OpenSSL; Serious Vulnerability
« Reply #9 on: April 09, 2014, 09:37:10 PM »

Quote
(OpenVPN)? kinda brings a whole new meaning to OPEN ;)

heh - doesn't it just  :D
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Berrick

  • Reg Member
  • ***
  • Posts: 287
Re: OpenSSL; Serious Vulnerability
« Reply #10 on: April 10, 2014, 08:03:19 AM »

Quote
Then along come the smart arses who implemented a rule it must be changed every xx days

Password policies are a difficult one and come down to acceptance of risk, you have to find a balance. IF you make them too difficult people just write them down (as others have mentioned) and IMHO if that happens you might as well not have a password. But no matter how easy you make it for users to have very secure access people still don't follow process.

eg. We implemented a very complex password policy which would have made it impossible for the password to be guessed. It also made it unusable for us humans. So we issued smart cards to all the people that needed one and installed keyboards that required the user to put the card into. If the card was removed the user was logged out. All the user had to do was input a PIN number of their choosing and follow company policy which stated when they were away from their desk they took the card with them. Failure to follow process was on pain of death and people still left the cards inserted  ???.

I wonder if these same people would leave their atm card in the atm  :lol:

Logged
Growing old is mandatory; Growing up is optional

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #11 on: April 10, 2014, 08:22:07 AM »

I think the bank password strategy is more about liability shift than anything else.

By enforcing a policy of 'unhackable' passwords they can claim to be making best efforts.  The fact you'll probably have to write it down is not their problem.   They may even tell you not to do so, even though they know you will.

And if you then write the password down, especially if they told you not to, I suspect they could claim you are to blame if anything goes wrong.     I don't know if they have ever done so but, in the event of a catastrophic drain of funds caused by something such as this 'heartbleed', I suspect they could use it to save their skins bonuses.
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: OpenSSL; Serious Vulnerability
« Reply #12 on: April 10, 2014, 08:29:42 AM »

Fortunately both the financial institutions I have dealings with have issued the small calculator type devices which I have to put my debit card into to generate a pass code so capturing this data makes it much less likely they will be able to use this to hack in. Sadly they do not enforce the use of this and still allow anyone to use with their original login credentials which is stupid in my view.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Berrick

  • Reg Member
  • ***
  • Posts: 287
Re: OpenSSL; Serious Vulnerability
« Reply #13 on: April 10, 2014, 09:04:30 AM »

Banks balance risk and cost against ease of use so providing they can't prove you are grossly negligent will generally accept the loss.

It may interest ppl to know that easycard are pushing out new systems to online shops where you don't reiterate the long card number and security code on the back to the sales person. You enter it via the keypad on the phone. Easycard claim it is 100% safe?
Logged
Growing old is mandatory; Growing up is optional

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: OpenSSL; Serious Vulnerability
« Reply #14 on: April 10, 2014, 09:36:30 AM »

Not sure of my facts, but I'm coming around to the idea that home users (SSL clients) are at risk too, as the client software apparently contains the bug as well as server-side

The attack mechanism would presumably be as follows…

1) You connect to a legit SSL server, such as your bank
2) You then connect to a malicious site that happens to use SSL, or even a legit one that's already been compromised.
3) Since the malicious system can execute the broken SSL code on your system it is able to run the exploit which, I believe, is to get memory snapshots of your system, which may contain all sorts of things like passwords and keys.

I understand it affects some Android phones too, BTW.
Logged
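The "memory snapshot" in the post above comes from one missing check, and the same heartbeat-response code runs in OpenSSL clients as well as servers, which is why the client-side scenario in the post holds. The following is an added toy model, written for this thread and not taken from OpenSSL or from anyone in the thread, that encodes a TLS heartbeat message (type, 16-bit payload length, payload, padding), stores it in a constructed stand-in for process memory next to a made-up session cookie, and contrasts a response routine that trusts the peer-supplied length with one that applies the bounds check the fix added. All names, the cookie string and the memory layout are assumptions for the demonstration.

```python
"""Toy model of the heartbeat bug: trusting a peer-supplied length vs. checking it.

Added example for this thread; it is not OpenSSL code. The "process memory",
the adjacent cookie and all function names are constructed for the demo.
"""
import struct
from typing import Dict, Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                        # heartbeat messages end with >= 16 bytes of padding
HEADER = struct.Struct("!BH")       # type (1 byte) | payload_length (2 bytes, big-endian)


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; `claimed_length` lets the demo build a malformed one."""
    length = len(payload) if claimed_length is None else claimed_length
    return HEADER.pack(HB_REQUEST, length) + payload + b"\x00" * PADDING


def receive(record: bytes, neighbouring_data: bytes) -> bytearray:
    """Constructed stand-in for process memory: the received record lands at offset 0
    and other live data (here a made-up cookie) happens to sit directly after it."""
    return bytearray(record + neighbouring_data)


def vulnerable_respond(memory: bytearray, record_len: int) -> bytes:
    """Echoes `length` payload bytes without comparing `length` to the record size.
    A declared length larger than the record copies whatever follows it in memory."""
    _, length = HEADER.unpack_from(memory, 0)
    payload = bytes(memory[HEADER.size:HEADER.size + length])
    return HEADER.pack(HB_RESPONSE, length) + payload + b"\x00" * PADDING


def fixed_respond(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Same echo, guarded by the check the fix added: header + declared payload +
    padding must fit inside the record actually received; otherwise discard silently."""
    if record_len < HEADER.size:
        return None
    _, length = HEADER.unpack_from(memory, 0)
    if HEADER.size + length + PADDING > record_len:
        return None
    payload = bytes(memory[HEADER.size:HEADER.size + length])
    return HEADER.pack(HB_RESPONSE, length) + payload + b"\x00" * PADDING


def is_malformed_heartbeat(record: bytes) -> bool:
    """The same inequality as a standalone predicate: true when the declared
    payload cannot fit in the record, which is what a sensor would flag."""
    if len(record) < HEADER.size:
        return True
    _, length = HEADER.unpack_from(record, 0)
    return HEADER.size + length + PADDING > len(record)


def response_payload(response: bytes) -> bytes:
    """Strip header and padding so the echoed bytes can be inspected."""
    _, length = HEADER.unpack_from(response, 0)
    return response[HEADER.size:HEADER.size + length]


def demo() -> Dict[str, Optional[bytes]]:
    cookie = b"session=deadbeef-cookie-CONSTRUCTED"   # made-up secret next to the record
    honest = build_heartbeat(b"ping")                 # 4-byte payload, length field 4
    malformed = build_heartbeat(b"ping", claimed_length=40)  # same bytes, length field 40
    results: Dict[str, Optional[bytes]] = {}

    mem = receive(honest, cookie)
    results["honest_vuln"] = response_payload(vulnerable_respond(mem, len(honest)))
    results["honest_fixed"] = response_payload(fixed_respond(mem, len(honest)))

    mem = receive(malformed, cookie)
    results["malformed_vuln"] = response_payload(vulnerable_respond(mem, len(malformed)))
    results["malformed_fixed"] = fixed_respond(mem, len(malformed))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} -> {value!r}")
```

Running it shows the well-formed request echoed identically by both routines, while the malformed one makes the unchecked routine return the 4-byte payload, the padding, and the first 20 bytes of the neighbouring cookie; the checked routine returns nothing. The inequality in `fixed_respond` is also the property a defender can key on in traffic: a heartbeat whose declared payload length exceeds the record that carries it is never legitimate.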