
Forum Thread: HEARTBLEED

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
taffy078 HEARTBLEED
Contributor 10th Apr, 2014 10:12
Ranking: 408
Posts: 1,335
User Since: 26th Feb, 2009
System Score: 100%
Location: UK
Last edited on 10th Apr, 2014 10:16

Yet another security disaster to put us at considerable risk.

Heartbleed has been described by one Security Technologist as being "11, on a scale of 1 to 10" according to the excellent BBC report here: http://www.bbc.co.uk/news/technology-26954540

That report says it's an attack via OpenSSL (used by Apache & Nginx), that alerts were raised two years ago, and that Yahoo were not told about it and so have been hit.

I'm sure it's not affected Secunia but I feel the need to ask!




--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

taffy078 RE: HEARTBLEED
Contributor 11th Apr, 2014 07:04
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I've finally found the PSI Guide - that says Secunia has SSL not OpenSSL so we're all safe. It would have been nice to see a reassuring comment from Secunia though. I have 96 IDs/passwords and have started changing all of the passwords - not one website has carried any Warning or Reassurance about Heartbleed. Aren't they concerned?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
steffens RE: HEARTBLEED
Member 11th Apr, 2014 08:26
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Servers can be tested for the Heartbleed bug and lots of other things by mere mortals (like us!) using an online automated tool such as the SSL Server Test provided by Qualys SSL Labs here:
<https://www.ssllabs.com/ssltest/index.html>
(N.B. If the server you specify has already been tested, then you get an answer fast from a cache of prior results; otherwise, you may have to wait a few minutes for the test to complete.)

As an example, Secunia's server gets an overall grade of "B" in the Qualys SSL Server Test, mainly because "The server supports only older protocols, but not the current best TLS 1.2." But then there's the good news that "This server is not vulnerable to the Heartbleed attack."

Enjoy!
-- EstherD
steffens RE: HEARTBLEED
Member 11th Apr, 2014 21:59
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
on 11th Apr, 2014 07:04, taffy078 wrote:
... not one website has carried any Warning or Reassurance about Heartbleed. Aren't they concerned?

My experience is similar to yours... NONE of the large banking and credit card sites I used this week had ANY information or notice concerning Heartbleed. You'd think those are precisely the kinds of companies that would WANT their customers to be reassured. Apparently not.

However, my favorite streaming music service, Hearts of Space, had this headline today when I logged into their webportal...

"WONDERING ABOUT THE 'HEARTBLEED' SECURITY BUG? Rest easy, spacefan: Thanks to conservative update policies at our hosting provider, the Hearts of Space service was never affected by this security issue, and will not be vulnerable to it in the future."

So a music service IS concerned, but the banks aren't?! Something very wrong here...
-- EstherD
steffens RE: HEARTBLEED
Member 12th Apr, 2014 00:21
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
The following Electronic Frontier Foundation (EFF) article is an interesting read:

Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
Peter Eckersley April 10, 2014
<https://www.eff.org/deeplinks/2014/04/wild-heart-w...>

And if you're a C programmer, check this one out, too:

existential type crisis : Diagnosis of the OpenSSL Heartbleed Bug
Sean Cassidy Mon 07 April 2014
<http://blog.existentialize.com/diagnosis-of-the-op...>

See if YOU can figure out what the bug is and how it allows access to the keys to the kingdom before the author of the article explains it. ;)

Enjoy!
-- EstherD
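The bug the diagnosis article walks through is a missing bounds check in the heartbeat handler: the peer states a payload length, and the handler copied that many bytes without checking that the record actually contained them. The following is an added illustration for this thread, not code from the thread or from OpenSSL: a simplified, hypothetical heartbeat record layout and a checker that applies the length test the fix introduced, reporting how far an unchecked copy would have read past the record instead of performing it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST 1
#define HB_PADDING 16   /* minimum padding required after the payload */

/* Assumed, simplified record layout (illustrative, not OpenSSL's code):
 *   [type:1][payload_length:2 big-endian][payload:N][padding:>=16]     */

typedef struct {
    uint16_t declared_len; /* payload length the peer claims            */
    size_t   overread;     /* bytes an unchecked copy would read past the record */
    int      accepted;     /* 1 if the record passes the bounds check     */
} hb_result;

/* The check the fix adds: the declared payload plus padding must fit in rec_len. */
hb_result check_heartbeat(const uint8_t *rec, size_t rec_len)
{
    hb_result r = {0, 0, 0};
    if (rec_len < 3 || rec[0] != HB_REQUEST) return r;  /* no type/length to read */
    r.declared_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = 3 + (size_t)r.declared_len + HB_PADDING;
    if (need > rec_len) {
        r.overread = need - rec_len;  /* what a trusting memcpy would have exposed */
        return r;                     /* fixed behaviour: drop the record silently */
    }
    r.accepted = 1;
    return r;
}

/* Build a record whose declared length may disagree with the bytes present
 * (constructed test input; no network code involved). */
size_t build_heartbeat(uint8_t *out, size_t cap, uint16_t declared_len,
                       const uint8_t *payload, size_t actual_len)
{
    size_t total = 3 + actual_len + HB_PADDING;
    if (cap < total) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(declared_len >> 8);
    out[2] = (uint8_t)(declared_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t p[4] = {'p', 'i', 'n', 'g'};
    size_t n = build_heartbeat(buf, sizeof buf, 0xffff, p, sizeof p);
    hb_result r = check_heartbeat(buf, n);
    printf("accepted=%d declared=%u overread=%zu\n", r.accepted, r.declared_len, r.overread);
    return 0;
}
```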
steffens RE: HEARTBLEED
Member 14th Apr, 2014 04:01
Score: 48
Posts: 64
User Since: 25th Jul 2009
System Score: N/A
Location: US
Last edited on 14th Apr, 2014 04:01
At least one company is dealing with Heartbleed in a responsible and pro-active manner. A small online Macintosh retailer in the US (VT) sent an email newsletter (linked below) to all of the customers on their email lists.
<http://blog.smalldog.com/general/general20140411/>

So where are the banks in all of this? [crickets]
linflh RE: HEARTBLEED
Member 17th Apr, 2014 16:18
Score: 0
Posts: 3
User Since: 2nd Jul 2008
System Score: N/A
Location: US
My bank had a message on their website that they were "safe" and always had been from the Heartbleed issues and to not worry. I was happy to see that message.
Too bad the other banks didn't follow suit.

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144