
IMPORTANT NOTICE REGARDING OpenSSL 1.0.1 to OpenSSL 1.0.1f


Recommended Posts

Posted

I've noticed a lot of hacked accounts wind up being Yahoo based...wonder if it was from leveraging this exploit?

I've read from someone who claimed they compromised several Yahoo! accounts using this exploit.

This was stated by some random person on IRC and is in no way a citable or credible source of information, but I wouldn't be surprised if a lot of Yahoo! accounts were compromised as a result of this vulnerability.

Aside from Heartbleed, I don't think Yahoo! should be considered the epitome of security in general.

Posted

I've just noticed a significant pattern: friends that have had accounts hacked are primarily Yahoo (or AOL...yeah, AOL haha) based.

This whole situation made me think that could have been why/how.

Posted

I've just noticed a significant pattern: friends that have had accounts hacked are primarily Yahoo (or AOL...yeah, AOL haha) based.

This whole situation made me think that could have been why/how.

I believe Yahoo! has suffered multiple large-scale exploits and account compromises anyway:

http://www.pcworld.com/article/2092198/yahoo-acknowledges-yahoo-mail-hack.html

And in regards to Heartbleed,

http://www.zdnet.com/heartbleed-bug-affects-yahoo-imgur-okcupid-convo-7000028213/

Posted

Kirito

Thanks for the information. Between you and GreenLinks I got this fixed on my server; my hosting company got on it immediately on all servers.

Posted

That list is kind of meaningless since just about everyone uses the same password everywhere.

For those that do that, sure, I agree.

But for those of us that have unique secure passwords for our banking institutions, it lets us know we are safe to log in.

Posted

On a related alerting note, if you manage servers, you may want to subscribe to this list:

http://www.hostingseclist.com/

Thanks. I'm subscribed to a few mailing lists already, including Nginx's. I even meant to subscribe to OpenSSL's but have kept forgetting to.

But something like this will definitely be useful as well, to make things easier and hopefully ensure I don't miss anything.

Posted

So it would appear that you can get the private SSL keys using Heartbleed:

It's also being recommended you reissue any SSL certificates you're using.

You can usually do this for free through your registrar or CA directly.

It's no surprise SSL keys can be compromised using this exploit, as the keys are of course stored in memory, and this exploit makes anything you have stored in memory vulnerable to compromise.

Enabling perfect forward secrecy support is great if you can, though; this is a great example of why. I have it supported on my server.

Posted

There was some debate as to whether or not it was possible to get the keys (given exactly where in memory they were held). It has now been proven that it is possible (in a relatively short space of time). So it should be upgraded from a recommendation to a necessary security measure.

PFS is supported in the OpenSSL library, so if you are running your own server and using OpenSSL then you should be able to do so, and doing so while you are setting up your new keys is an ideal time to implement it.
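The two defensive checks the last few posts describe, as an added example that is not code from the thread or from OpenSSL: first, whether an OpenSSL version string falls inside the affected range named in the thread title (1.0.1 through 1.0.1f), and second, whether an OpenSSL cipher string still permits static RSA key exchange, which is exactly the case where a leaked server key lets recorded traffic be decrypted and which forward-secret suites avoid. Function names and the sample version strings are my own.

```python
import re
import ssl

# Affected range taken from the thread title: OpenSSL 1.0.1 up to and including 1.0.1f.
# Represented as (major, minor, patch, letter) so that tuple comparison orders releases.
HEARTBLEED_FIRST = (1, 0, 1, "")
HEARTBLEED_LAST = (1, 0, 1, "f")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def in_heartbleed_range(text):
    """True if the version string is within 1.0.1 .. 1.0.1f.

    Caveat: distributions often backport the fix without changing the version
    letter, so a hit here means "check your vendor's advisory", not "proven vulnerable".
    """
    return HEARTBLEED_FIRST <= parse_openssl_version(text) <= HEARTBLEED_LAST


def non_forward_secret_suites(cipher_string):
    """Return names of TLS <= 1.2 suites in `cipher_string` that use static RSA key exchange.

    These are the suites whose past sessions become readable once the server's
    private key leaks. TLS 1.3 suites (reported as 'kx-any') always use ephemeral
    key exchange and are therefore not listed. An empty list means every
    negotiable pre-1.3 suite provides forward secrecy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    offending = []
    for c in ctx.get_ciphers():
        # Older Python builds lack the 'kea' key; fall back to the textual description.
        kea = c.get("kea") or ("kx-rsa" if "Kx=RSA" in c["description"] else "")
        if kea == "kx-rsa":
            offending.append(c["name"])
    return offending


if __name__ == "__main__":
    print("running:", ssl.OPENSSL_VERSION, "->", in_heartbleed_range(ssl.OPENSSL_VERSION))
    print("static-RSA suites in a PFS-only list:", non_forward_secret_suites("ECDHE+AESGCM:DHE+AESGCM"))
```

Feed `non_forward_secret_suites` the exact cipher string from your server configuration; anything it returns is a suite worth dropping while you are reissuing keys anyway.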

Posted

FWIW, those using Netgear ProSafe and ProSecure equipment should be OK.

I fired off a question to Netgear yesterday about it, as I have some ProSafe VPN routers.

Our engineering team has confirmed that all the ProSafe and ProSecure products are not affected by the OpenSSL issue.

I have no idea about any other products they build, though, and this is based on using Netgear firmware too.
