Heartbleed Bug

Meh.. It's only one version of OpenSSL that's affected! And trust me, rarely do the sites run the latest releases ;) For example, we don't even have to update because the OS on a server is 5 years old lol.. And that version of OpenSSL is fine.
 
Meh.. It's only one version of OpenSSL that's affected! And trust me, rarely do the sites run the latest releases ;) For example, we don't even have to update because the OS on a server is 5 years old lol.. And that version of OpenSSL is fine.

The version that shipped with the RHEL6 branch was affected; it's not a small number by any stretch of the imagination.

My RHEL6 servers fortunately are all patched and RHEL 5 is unaffected :)
 
The version that shipped with the RHEL6 branch was affected; it's not a small number by any stretch of the imagination.

My RHEL6 servers fortunately are all patched and RHEL 5 is unaffected :)

Actually for RHEL it was the version which shipped with RHEL 6.5 in Q4 last year and the subsequent patch versions up to the version released for this this week. So if you are on 6.4, say, you are not on a version with the issue (from Red Hat's advisory).

There's little point to resetting passwords if the service hasn't addressed the issue yet, as your new password could just be grabbed from memory in the same way ... In fact potentially it is more likely to be as now it's been so widely publicised there will be more script kiddies trying to exploit it.
 
Actually for RHEL it was the version which shipped with RHEL 6.5 in Q4 last year and the subsequent patch versions up to the version released for this this week. So if you are on 6.4, say, you are not on a version with the issue (from Red Hat's advisory).

There's little point to resetting passwords if the service hasn't addressed the issue yet, as your new password could just be grabbed from memory in the same way ... In fact potentially it is more likely to be as now it's been so widely publicised there will be more script kiddies trying to exploit it.

Yea but given the .0-.5 are only second point releases, most admins will have upgraded as they came out.
 
Quite funny really - I regularly get emails of the OMFGWTF!!! I have virus!!! Get to the Choppa!!! We are all going to DIE!!! variety from a few of my friends who have no idea that the false facebook scam they have forwarded is probably making them more vulnerable not helping anyone.
A full on SSL vulnerability and how much have I heard? Nada ;)

Just a few people that know what they are doing calmly fixing the problem.
 
I cba, I have nothing to steal but my CC info, and GL, I can barely order stuff myself without a phone call from the fraud department. And they have fraud insurance anyways, so go for it, just do not delete my old emails ;)
 
Yea but given the .0-.5 are only second point releases, most admins will have upgraded as they came out.

Not really no, Red Hat have screwed up too many times with the 6.x releases (e.g. breaking VLANing and bonding at times with kernel updates) so a lot of places I know are not rolling out wide patching and just using targeted security patching and delaying patching of anything not absolutely critical.

In theory yes the minor point releases are just milestones in the 6.x patch continuum for existing servers so you should just be able to patch up through them but tell that to paranoid customers who have been burnt before.
 
Not really no, Red Hat have screwed up too many times with the 6.x releases (e.g. breaking VLANing and bonding at times with kernel updates) so a lot of places I know are not rolling out wide patching and just using targeted security patching and delaying patching of anything not absolutely critical.

In theory yes the minor point releases are just milestones in the 6.x patch continuum for existing servers so you should just be able to patch up through them but tell that to paranoid customers who have been burnt before.


I must have been really lucky then? :confused: On the 6.x branch I have had 0 issues at all the entire way.

5.x I will admit some problems with the earlier versions, but the later ones were fine.
 
Not really as my online presence is minimal, and whilst the bug has been around a while, the main sites I use haven't been affected from what I can tell or fixed. Access to online banking requires an RSA token anyway - which is the only thing I'd be really worried about.

This is a good point and illustrates why 2 factor auth is worth doing. It's possible to set up 2FA on many common sites (Dropbox, Facebook, GoogleMail, PayPal, etc.) and I would highly advise people do it.
 
I tried buying Watch Dogs last week on Origin but couldn't complete the checkout, my card couldn't be verified. Tried buying some stuff off SportsDirect an hour ago and again my card couldn't be verified. So I phoned the bank up and was told my card is blocked on Verified by Visa, and on the 7th of March a payment was attempted to Western Union, not by me, so I have a new card in the post.

Makes me wonder if Heartbleed is the culprit.
 
I tried buying Watch Dogs last week on Origin but couldn't complete the checkout, my card couldn't be verified. Tried buying some stuff off SportsDirect an hour ago and again my card couldn't be verified. So I phoned the bank up and was told my card is blocked on Verified by Visa, and on the 7th of March a payment was attempted to Western Union, not by me, so I have a new card in the post.

Makes me wonder if Heartbleed is the culprit.

If the whole internet has been compromised, the odds of your details being picked are probably equal to winning the lottery. I would assume having your card cloned in a petrol garage etc. would be much more likely.

I could be very wrong but if you are going to snoop online I would be looking at the places where very high value goods are sold, for obvious reasons.
 
I tried buying Watch Dogs last week on Origin but couldn't complete the checkout, my card couldn't be verified. Tried buying some stuff off SportsDirect an hour ago and again my card couldn't be verified. So I phoned the bank up and was told my card is blocked on Verified by Visa, and on the 7th of March a payment was attempted to Western Union, not by me, so I have a new card in the post.

Makes me wonder if Heartbleed is the culprit.

Highly unlikely to be heartbleed if it happened on the 7th of March.
 