0

Hi All,

I'm wondering if anyone from here, a good trusted source of information, has heard of Heartbleed?

Two days ago a serious vulnerability (that’s been named “Heartbleed”) in the popular cryptographic software OpenSSL was made public. This weakness could potentially be exploited to steal information, such as login information, that normally would be protected by encryption. This software is used by roughly two thirds of the internet so a lot of services were or are at risk of being affected.

I got this tidbit from here and have Googled it and while it's out there as an "issue" apparently banks aren't worried about it and if they're not worried about about it should we all be?

I'm curious to see some interpretations from yous.

3
Contributors
2
Replies
42
Views
4 Years
Discussion Span
Last Post by happygeek
0

I got an automatic update of openssl yesterday, as part of the regular automatic updating of all software on Linux (Kubuntu). It contains the fix for that bug, as it's stated on the website. I would assume all other decent Linux distros' repository have been updated too in the past couple of days. If a vulnerability can be found and fixed within a couple of days, I feel pretty safe. I'm pretty sure these kinds of vulnerabilities are found all the time, it's only a matter of how quick they are patched, and to that Linus' law still holds: "given enough eyeballs, all bugs are shallow".

I think that Mojang's reaction was a bit rash. As far as I understand the reports, this bug was just stumbled upon by some developer, and quickly fixed as a consequence. There is no evidence anyone actually used it or was even aware of it before the developers who reported it found it.

As for people who are still vulnerable to this because they are still using an older version, well, that's their problem. Core security tools like openssl are the kind of things you should be updating as soon as updates are available, obviously.

if they're not worried about about it should we all be?

What do you mean? We don't have worry, now, about that exploit since it has already been fixed. Or are you implying that we should be worried about why the banks were not worried? Well, I would say that the ineptitude of your average bank's IT department can definitely be worriesome at times, as in most other places.

That said, kudos to you Stuugie for breaking that story here faster than Davey (happygeek)!

0

Yes, the vulnerability was just stumbled upon but it is rather rash to suggest that it's 'their problem' if people haven't updated their servers yet. If their servers are serving you, and it's your data that is being potentially accessed now that heartbleed is out in the open, I'd humbly suggest it is your problem as well.

I'd say that these reports have it about right:

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

"the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies" Bruce Schneier

and

http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

"All of this means that applying the OpenSSL patch is only the starting point on the multi-step path of Heartbleed recovery. Website operators should strongly consider replacing their X.509 certificates after applying the update and getting all users and administrators to change passwords as well. While it's possible that none of this data has been compromised, there's no way to rule it out, either." Dan Goodin

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.