Makoto (Author) Posted April 10, 2014
> I've noticed a lot of hacked accounts wind up being Yahoo based... wonder if it was from leveraging this exploit?
I've read from someone that claimed they compromised several Yahoo! accounts using this exploit. This was stated by some random person on IRC and is in no way a citable or credible source of information, but I wouldn't be surprised if a lot of Yahoo! accounts were compromised as a result of this vulnerability. Aside from Heartbleed, I don't think Yahoo! should be considered an epitome of security in general.
Clover13 Posted April 10, 2014
I've just noticed a significant pattern in friends that have had hacked accounts are primarily Yahoo (or AOL... yeah AOL haha) based. This whole situation made me think that could have been why/how.
Makoto (Author) Posted April 10, 2014
> I've just noticed a significant pattern in friends that have had hacked accounts are primarily Yahoo (or AOL... yeah AOL haha) based. This whole situation made me think that could have been why/how.
I believe Yahoo! has suffered multiple large scale exploits and account compromises anyways: http://www.pcworld.com/article/2092198/yahoo-acknowledges-yahoo-mail-hack.html
And in regards to Heartbleed: http://www.zdnet.com/heartbleed-bug-affects-yahoo-imgur-okcupid-convo-7000028213/
Grumpy Posted April 11, 2014
Mashable, or someone, got in contact with some of the major providers and got their feedback about their implementations. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
That list is kind of meaningless since about everyone uses the same password everywhere.
Neil2 Posted April 11, 2014
Kirito: Thanks for the information. Between you and GreenLinks I got this fixed on my server; my hosting company got on it immediately on all servers.
Aiwa Posted April 11, 2014
> That list is kind of meaningless since about everyone uses the same password everywhere.
For those that do that, sure, I agree. But for those of us that have unique secure passwords for our banking institutions, it lets us know we are safe to log in.
Grumpy Posted April 11, 2014
On a related alerting note, if you manage servers, you may want to subscribe to this list: http://www.hostingseclist.com/
Makoto (Author) Posted April 11, 2014
> On a related alerting note, if you manage servers, you may want to subscribe to this list: http://www.hostingseclist.com/
Thanks. I'm subscribed to a few mailing lists already, including Nginx's. Even meant to subscribe to OpenSSL's but have kept forgetting to. But something like this will definitely be useful as well, to make things easier and hopefully ensure I don't miss anything.
Peter F. Posted April 12, 2014
So it would appear that you can get the private SSL keys using Heartbleed: http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
On the back of that I'd suggest that everyone who had a vulnerable server revoke their SSL keys immediately. It would also be a good time for people to enable PFS on their servers while they are doing that.
Makoto (Author) Posted April 12, 2014
> So it would appear that you can get the private SSL keys using Heartbleed:
It's also being recommended you reissue any SSL certificates you're using. You can usually do this for free through your registrar or CA directly. It's no surprise SSL keys can be compromised using this exploit, as the keys are of course stored in memory, and this exploit makes anything you have stored in memory vulnerable to compromise. Enabling perfect forward secrecy support is great if you can though; this is a great example as to why. I have it supported on my server.
Peter F. Posted April 12, 2014
There was some debate as to whether or not it was possible to get the keys (given exactly where in memory they were held). It has now been proven that it is possible (in a relatively short space of time). So it should be upgraded from a recommendation to a necessary security measure.
PFS is supported in the OpenSSL library, so if you are running your own server and using OpenSSL then you should be able to do so, and doing so while you are setting up your new keys is an ideal time to implement it.
Makoto (Author) Posted April 12, 2014
You can test your server for forward secrecy support (among other things) here: https://www.ssllabs.com/ssltest/analyze.html
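An offline counterpart to the SSL Labs check above, added here as an example and not code from anyone in the thread: it expands an OpenSSL cipher string (the kind you put in nginx's ssl_ciphers or Apache's SSLCipherSuite) with the local OpenSSL through Python's ssl module and flags every suite whose key exchange is not ephemeral, since those are the sessions a leaked private key would let an attacker decrypt from a recording. The SAMPLE dicts are constructed to mirror what SSLContext.get_ciphers() returns.

```python
import ssl

# Key-exchange identifiers as OpenSSL reports them in the "kea" field of
# SSLContext.get_ciphers(). Ephemeral (EC)DH gives forward secrecy; static RSA
# key transport (kx-rsa) does not, because whoever obtains the server's private
# key can decrypt previously recorded sessions. "kx-any" is what OpenSSL reports
# for TLS 1.3 suites, whose key exchange is always ephemeral.
def is_forward_secret(kea):
    """True for ECDHE/DHE (including their PSK variants) and TLS 1.3 suites."""
    return kea == "kx-any" or kea.startswith(("kx-ecdhe", "kx-dhe"))


def classify(cipher_infos):
    """Split get_ciphers()-style dicts into (forward_secret, not_forward_secret) names."""
    fs, no_fs = [], []
    for info in cipher_infos:
        (fs if is_forward_secret(info.get("kea", "")) else no_fs).append(info["name"])
    return fs, no_fs


def audit_cipher_string(cipher_string):
    """Expand a cipher string with the local OpenSSL and classify what it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return classify(ctx.get_ciphers())


def harden(cipher_string):
    """Exclude static RSA key transport and the non-ephemeral PSK/SRP exchanges so
    only forward-secret suites remain (TLS 1.3 suites are unaffected)."""
    return cipher_string + ":!kRSA:!kPSK:!kRSAPSK:!kSRP"


# Constructed sample covering both outcomes, independent of the local OpenSSL build.
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe"},
    {"name": "AES128-GCM-SHA256", "kea": "kx-rsa"},
    {"name": "TLS_AES_256_GCM_SHA384", "kea": "kx-any"},
]

if __name__ == "__main__":
    print("constructed sample, not forward secret:", classify(SAMPLE)[1])
    fs, no_fs = audit_cipher_string("DEFAULT")
    print(f"DEFAULT enables {len(fs)} forward-secret and {len(no_fs)} other suites")
    print("after hardening, not forward secret:", audit_cipher_string(harden("DEFAULT"))[1])
```

Run it against the exact cipher string from your server configuration; an empty second list means every negotiable suite is forward secret.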
Dmacleo Posted April 12, 2014
fwiw those using Netgear ProSafe and ProSecure equipment should be ok. Fired off a question to Netgear yesterday about it as I have some ProSafe VPN routers.
> Our engineering team has confirmed that all the ProSafe and ProSecure products are not affected by the OpenSSL issue.
I have no idea about any other products they build though, and this is based on using Netgear firmware too.