HeartBleed bug

Posted on 2014-04-11
Last Modified: 2014-04-13
I am a novice, and I know that Heartbleed is basically a memory leak that exposes passwords, content, potentially crypto keys....

But in layman's terms, what are the issues moving forward?

What will occur as far as fixes (or attacks) in the near future, and how will that affect us?
Question by:Anthony Lucia
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39995330
Heartbleed only affects a limited number of versions of OpenSSL. However, it has been present for two years. Here http://heartbleed.com/ is the official site and information. Many sites have already been fixed, but I recommend you change your passwords on those sites in case they were revealed in the previous two years. Note that any particular system can have several copies and versions of OpenSSL in different programs.
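The two checks behind the comment above, as an added example (not code from heartbleed.com or from any poster in this thread): whether a given OpenSSL version token is one of the releases heartbleed.com lists as affected, and an inventory of every OpenSSL library copy on the host, since one system can carry several and a daemon that was never restarted keeps the old library mapped. The function names, the 7 April 2014 build-date heuristic for distribution backports, and the use of GNU find/grep/strings/date on Linux are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from heartbleed.com or any poster.
# Check 1: is an OpenSSL version token one of the affected releases?
# Check 2: which copies of the OpenSSL libraries exist on this host, and
#          which processes still run a copy that was replaced on disk?

# Affected releases per heartbleed.com: OpenSSL 1.0.1 through 1.0.1f, plus the
# 1.0.2-beta and 1.0.2-beta1 pre-releases. 1.0.1g and later, the 1.0.0 and
# 0.9.8 branches, and 1.0.2-beta2 onward are not affected.
# Returns 0 (shell "true") for an affected token such as "1.0.1e" or "1.0.1e-fips".
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta|1.0.2-beta1)                 return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Version token out of `openssl version` output,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips".
# Note this only describes the copy the openssl CLI is linked against.
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Distributions (Debian, Ubuntu, Red Hat, ...) backported the fix without
# changing the version, so a packaged "1.0.1e" may already be patched.
# Heuristic (an assumption of this example, not a vendor guarantee): a build
# dated on or after 7 April 2014, the day the fixed 1.0.1g shipped, was built
# after the fix existed. The authoritative answer is the package changelog
# (look for CVE-2014-0160, the CVE assigned to Heartbleed).
# Input: the `openssl version -b` line, e.g. "built on: Mon Apr  7 20:33:29 UTC 2014".
# Prints "rebuilt-after-fix" or "built-before-fix".
built_after_fix() {
    built=$(printf '%s\n' "$1" | sed 's/^built on: *//')
    if [ "$(date -u -d "$built" +%s)" -ge "$(date -u -d 2014-04-07 +%s)" ]; then
        echo rebuilt-after-fix
    else
        echo built-before-fix
    fi
}

# Every libssl/libcrypto on disk with the version string it embeds. libcrypto
# carries the "OpenSSL x.y.z" text and ships with the matching libssl (where
# the bug lives). Statically linked programs that bundle OpenSSL do not show
# up here and need the vendor's word.
inventory_openssl_libs() {
    find / -xdev -type f \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null |
    while read -r lib; do
        ver=$(strings "$lib" 2>/dev/null | grep -m1 -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*[^ ]*')
        printf '%s\t%s\n' "$lib" "${ver:-no version string}"
    done
}

# PIDs of processes still mapping a deleted (i.e. replaced) OpenSSL library:
# the package was upgraded but the daemon was never restarted, so it still
# runs the old code. Run as root to see every process.
processes_with_stale_openssl() {
    grep -l -e 'libssl[^ ]* (deleted)' -e 'libcrypto[^ ]* (deleted)' /proc/[0-9]*/maps 2>/dev/null |
    cut -d/ -f3 | sort -un
}

# Usage: sh heartbleed_check.sh scan
# Without an argument only the functions are defined, so the file can be sourced.
case "${1:-}" in
  scan)
    tok=$(openssl_version_token "$(openssl version)")
    if heartbleed_affected_version "$tok"; then
        echo "openssl CLI: $tok is an affected release; build check: $(built_after_fix "$(openssl version -b)")"
    else
        echo "openssl CLI: $tok is not an affected release"
    fi
    echo "--- OpenSSL libraries on disk ---";      inventory_openssl_libs
    echo "--- processes running a replaced copy ---"; processes_with_stale_openssl
    ;;
esac
```

A process listed by the last function has to be restarted (or the box rebooted) before the upgrade means anything for it; that is the practical consequence of "several copies in different programs".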
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 39995387
As sites are fixed (after sites are fixed, in other words), you should change your password there (changing passwords is a good idea periodically anyhow).

In order to know if a site HAS been fixed, one of the two plugins for Firefox or Chrome is a good idea, or look out for a statement from the site owner (or both :)

If you own a site, consider replacing the secret key/certificate after ensuring the SSL module was upgraded; this may not be needed in all cases (for instance, a code review of nginx has shown it does not store the secret key in memory near where the Heartbleed bug could "reveal" it), but again, it may be good policy (and will make your users feel better).

A clearer understanding of the bug can be gained by looking at the very useful infographic over on xkcd:

http://xkcd.com/1354/

And above all, don't panic! While this bug has been around for two years now, the conditions for exploiting it are relatively narrow, and the risk, while real, of any specific set of credentials being revealed is actually quite low.
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 39996049
Agreed, and it does not affect IIS installations at all:
http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
You can run Windows + Apache + SSL, however, so not all Windows web servers are unaffected, but IIS ones are not affected.
-rich
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 39996128
Apache also has a choice of module: mod_ssl uses OpenSSL (so needs updating), but mod_gnutls uses GnuTLS (which had its own issue a few weeks back, but isn't affected by Heartbleed).

Apache Tomcat (the server-side Java engine from the same project) also does not use OpenSSL.

nginx does (so needs patching) [deleted] (may need users to change credentials after patching).

UPDATE: nginx has been proven vulnerable to secret-key disclosure for a window after a reboot, so keys on that platform should be considered compromised and replaced.

Ouch.
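Dave Howe's advice in his two comments above is to replace the secret key and certificate once the server is patched (and, after the nginx update, to treat the old key as compromised). What that looks like from the outside, as an added example that is none of the posters' code: a reissued certificate whose notBefore date is later than the day the fix was published, and a public key inside it that differs from the one served before the patch. A certificate reissued for the same key is not a fix, since a leaked key stays leaked. The cutoff of 2014-04-07 (the day OpenSSL 1.0.1g shipped), the function names, the idea that you recorded the old key's fingerprint beforehand, and GNU date/sha256sum on Linux are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Did a site get a fresh certificate AND a fresh key after patching?

# Assumed cutoff: the day the fixed OpenSSL 1.0.1g was published.
FIX_PUBLISHED="2014-04-07"

# Live fetch (needs network; the offline test below does not use it): the leaf
# certificate of HOST in PEM form. -servername sends SNI so a virtual host
# returns its own certificate rather than the default one.
fetch_leaf_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# SHA-256 of the DER public key inside a PEM certificate read from stdin.
# Two certificates with the same value here were issued for the same private
# key, whatever their dates or serial numbers say.
pubkey_fingerprint() {
    openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
}

# Classify `openssl x509 -noout -dates` text on stdin against a cutoff date
# (YYYY-MM-DD, default FIX_PUBLISHED). notBefore lines look like
# "notBefore=Apr  8 12:00:00 2014 GMT", which GNU date parses directly.
# Prints "reissued-after-fix" or "issued-before-fix".
classify_not_before() {
    cutoff=${1:-$FIX_PUBLISHED}
    not_before=$(sed -n 's/^notBefore=//p')
    [ -n "$not_before" ] || { echo "no notBefore line in input" >&2; return 2; }
    if [ "$(date -u -d "$not_before" +%s)" -ge "$(date -u -d "$cutoff" +%s)" ]; then
        echo reissued-after-fix
    else
        echo issued-before-fix
    fi
}

# Combine both checks for a live host. OLD_FP is the public-key fingerprint
# recorded before patching (assumption: you took one; without it only the
# certificate date can be judged).
key_and_cert_rotated() {
    host=$1; old_fp=${2:-}
    cert=$(fetch_leaf_cert "$host")
    dates=$(printf '%s\n' "$cert" | openssl x509 -noout -dates)
    new_fp=$(printf '%s\n' "$cert" | pubkey_fingerprint)
    printf 'cert: %s\n' "$(printf '%s\n' "$dates" | classify_not_before)"
    if [ -z "$old_fp" ]; then
        echo "key: no baseline fingerprint recorded; current is $new_fp"
    elif [ "$new_fp" = "$old_fp" ]; then
        echo "key: unchanged (a leaked key is still leaked, whatever the new certificate says)"
    else
        echo "key: rotated"
    fi
}

# Usage: sh cert_rotation_check.sh check HOST [OLD_PUBKEY_FINGERPRINT]
# Without arguments only the functions are defined, so the file can be sourced.
case "${1:-}" in
  check) key_and_cert_rotated "$2" "${3:-}" ;;
esac
```

The date check alone is what the browser plugins mentioned above can see; the key-fingerprint comparison is what a site owner can do for their own server, and it is the half that matters when a key was handled as compromised.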
 
LVL 25

Accepted Solution

by:Tony Giangreco
Tony Giangreco earned 100 total points
ID: 39997397
Updating your SSL components should help.