Heartbleed Bug (onlinessl Vulnerability)

Diogenes 2009

Bitdefender Staff:

Breaking news today. As if we end users did not have enough to worry about this bad news comes along.

I pass along the IPL [u}www.heartbleed.com[/u]. I omit the news feeds. Please read article and advise us

BD subscribers about 1. and 2. and 3.

1. Since most BD subscribes buy stuff and bank on line we communicate with banks and merchants on line,

using 128ssl encryption of one flavor or another. Does BD security protect us against the Heartbleed bug

now? How?

2. Before we bought a BD program we dealt on line with banks and merchants who used OpenSSL in their

security protocols and on-lineprograms. Are we compromised?

3. If we are compromised and at rsisk, should we change our User ID and Passwords? how do we protect

ourselves now?

Please advise.

Find more posts tagged with

Comments

ozziebear

Bitdefender Staff:

Breaking news today. As if we end users did not have enough to worry about this bad news comes along.

I pass along the IPL [u}www.heartbleed.com[/u]. I omit the news feeds. Please read article and advise us

BD subscribers about 1. and 2. and 3.

1. Since most BD subscribes buy stuff and bank on line we communicate with banks and merchants on line,

using 128ssl encryption of one flavor or another. Does BD security protect us against the Heartbleed bug

now? How?

2. Before we bought a BD program we dealt on line with banks and merchants who used OpenSSL in their

security protocols and on-lineprograms. Are we compromised?

3. If we are compromised and at rsisk, should we change our User ID and Passwords? how do we protect

ourselves now?

Please advise.

I'm also interested in any information Bitdefender can give us on this bug. Today the government of Canada shut down its Revenue Canada website, preventing people from filing their taxes electronically, only 3 weeks before the tax deadline. And apparently this bug may have been operating undetected for the last 2 years. So Georgia, if you have any info on this you could share, it would be appreciated.

vet_ca

I'm also concerned about this bug and whether we're protected or not and what is being done about it from the BD side.

AdrianHa

The vulnerability is on the server side not your system so AV products can't really help you.

It needs you to be extra vigilant and check the certification of the sites you visit . And above all change your passwords.

The flaw already has a fix, but it will obviously take time for sites / servers to appy this.

tarfrahw

The vulnerability is on the server side not your system so AV products can't really help you.

Heartbleed allows a malicious actor to obtain a 64KB chunk of memory from the client OR server end of the connection. Technically, this needs to be done from the server end of the connection, but given the number of compromised or just plain malicious servers out there I don't think this part of the issue should be overlooked.

It's my impression that the version of SSL that Bitdefender ships with isn't vulnerable, BTW.

AdrianHa

To put this in to perspective, I have " borrowed" a quote from staff at another AV vendor.

Unfortunately, there is very little you can do about this issue on the client side. Most work lies on server administrators all over the world. Severity of this issue is that you have no way to distinguish attacker from the genuine provider from client's perspective. You are probably safe if a server certificate is new (issued yesterday or so) but you can say absolutely nothing if it's not. And nobody knows if and for how long anyone exploited the issue. Not funny, at all.

AdrianHa

http://mashable.com/2014/04/09/heartbleed-what-to-do/

This blog entry at Mashable has a "what to do " info section and a list of known (so far ) affected sites.

Note the warning that sites you visited and used bank cards etc, up to 2 years ago "could" mean that your details are compromised.

Note also that there is no proof whatever that this issue has been used by hackers/criminals. There is nothing to show that any data / information has been stolen (yet).

There is also a site here >> http://filippo.io/Heartbleed/ << that allows you to check websites for the problem.

Georgia

Hello,

The Heartbleed vulnerability is currently affecting a large part of the Internet that relies on OpenSSL for secure communication. There is no known evidence about whether or not a specific SSL certificate has been compromised via this bug, so as this issue may have resulted in the compromise of the private key of the SSL certificate. Because of the nature of the flaw, there is no way to tell whether or not a certain server has been compromised during the vulnerability window, so system administrators should assume the worst-case scenario.

As a user, it is important that you change your passwords.

The Heartbleed Bug fools you into accessing false sites. Beware of sites that ask you to check for vulnerability. This may be a way of inviting the Heartbleed Bug into your system to steal your data. So far a few sites which have been attacked by the Heartbleed Bug are confirmed. As previously mentioned, it is important that you change your password to the following sites and all sites (once patches have been confirmed) to be safe.

For server administrators who are running a critical service that is exposed to the Internet and relies on OpenSSL, we advise to immediately take the server out of production, update theOpenSSL library with the patched one, revoke and renew the SSL certificate and log out all user accounts to ensure that the upcoming sessions are secured.

Please don't hesitate to contact us, should you need any assistance:

phone: http://www.bitdefender.com/support/consumer-phone.html

chat: http://www.bitdefender.com/support/chat-support.html

mail: http://www.bitdefender.com/en/Main/contactEmail

Nesivos

Hello,

The Heartbleed vulnerability is currently affecting a large part of the Internet that relies on OpenSSL for secure communication. There is no known evidence about whether or not a specific SSL certificate has been compromised via this bug, so as this issue may have resulted in the compromise of the private key of the SSL certificate. Because of the nature of the flaw, there is no way to tell whether or not a certain server has been compromised during the vulnerability window, so system administrators should assume the worst-case scenario.

As a user, it is important that you change your passwords.

The Heartbleed Bug fools you into accessing false sites. Beware of sites that ask you to check for vulnerability. This may be a way of inviting the Heartbleed Bug into your system to steal your data. So far a few sites which have been attacked by the Heartbleed Bug are confirmed. As previously mentioned, it is important that you change your password to the following sites and all sites (once patches have been confirmed) to be safe.

For server administrators who are running a critical service that is exposed to the Internet and relies on OpenSSL, we advise to immediately take the server out of production, update theOpenSSL library with the patched one, revoke and renew the SSL certificate and log out all user accounts to ensure that the upcoming sessions are secured.

Please don't hesitate to contact us, should you need any assistance:

phone: http://www.bitdefender.com/support/consumer-phone.html

chat: http://www.bitdefender.com/support/chat-support.html

mail: http://www.bitdefender.com/en/Main/contactEmail

If you use LastPass please read the following. You can see what their security check looks like by clicking on link.

LastPass Now Checks If Your Sites Are Affected by Heartbleed

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed:

So according to LastPass a website password should not be updated until a new certificate has been issued by the website.

columbo

For me, very useful information Nesivos, especially since I use LastPass exclusively (sorry Wallet). Having run the Tools/Security Check, one of my stored accounts showed a vulnerably/breech, Adobe.com. Others that I don't use LastPass for (Bank etc), will be checked with their Heartbleed web search checker, and called if needed to find out their server security on their end, and when to change my password(s)

@ Georgia, thank you for posting so quickly to something this serious, and for Diogenes 2009 in starting this thread.

daman1

About the only one i'm concerned about is my bank and that was/is secure.

Diogenes 2009

To put this in to perspective, I have " borrowed" a quote from staff at another AV vendor.

Hello:

You seem very knowledgeable, and appear to have read, digested the techno-babble on the "heartbleed.com" website. I had hoped

the more knowledgeable members of BD Forum like Georgia and you would do so and comment, as you did. Someone, Georgia or

you? are advising us we clients can do little, other than change passwords, etc. and that only after the Servers kill the Heartbleed Bug

a/k/a CVE-2014-0160 dead by changing their security keys. This post is to thank you for reading and parsing Heartbleed. com for us.

If so, then I have to tell you, many of us have got big problems with the banks and merchants and utilities, etc, we do business with,

a big problem. I checked my correspondents (banks and merchants today, using the LastPass Heartbleed checker. It is fully as bad as

they say. I guesstimate 90% of my correspondents are using OpenSSL in their security software. This is the good news. The bad news

is when you contact them and get past the receptionist or customer service person to a technician, then ask him or her how they are

addressing the threat, they profess not know know what you are talking about. Most technical people I have been able to talk to have

never heard of the Heartbleed bug. When you explain the problem they say it is not their problem, yet! From their replies, I take it they

for the most part use third party software incorporating OpenSSL, and do not write and use their home grown software.

So, if I get your advice, I cannot fix someone else's security software problem because it is someone else's software problem (Servers).

But, I digress. Best advice given now is; 1. Change your your user id and password. 2. Do not change them until the correspodents advise

you do do so, oif ever.

Final question for you (and Georgia). Why are so many Security Certificates either missing or out of date? How are we, users, to read

a security certificate?

Thank you for your advice.

Diogenes 2009

Heartbleed Bug

Bitdefender Staff:

Breaking news today. As if we end users did not have enough to worry about this bad news comes along.

I pass along the IPL [u}www.heartbleed.com[/u]. I omit the news feeds. Please read article and advise us

BD subscribers about 1. and 2. and 3.

1. Since most BD subscribes buy stuff and bank on line we communicate with banks and merchants on line,

using 128ssl encryption of one flavor or another. Does BD security protect us against the Heartbleed bug

now? How?

2. Before we bought a BD program we dealt on line with banks and merchants who used OpenSSL in their

security protocols and on-lineprograms. Are we compromised?

3. If we are compromised and at rsisk, should we change our User ID and Passwords? how do we protect

ourselves now?

Please advise.

error-id10t

1) I doubt BD protects you or rather, I can't see how it would. The "problem" is as mentioned on the servers running X version of OpenSSL.

2) Doubtful but possibly yes. For example banks (most at least hopefully) have already patched all internet facing servers and non-internet, then they'd have re-issued certificates. Would you know about this - of course not, they won't tell you.

3) Changing ID/PWD is only worth it once the certs have been re-issued. Has that been done, you don't know.

AdrianHa

Hello:

You seem very knowledgeable, and appear to have read, digested the techno-babble on the "heartbleed.com" website. I had hoped

the more knowledgeable members of BD Forum like Georgia and you would do so and comment, as you did. Someone, Georgia or

you? are advising us we clients can do little, other than change passwords, etc. and that only after the Servers kill the Heartbleed Bug

a/k/a CVE-2014-0160 dead by changing their security keys. This post is to thank you for reading and parsing Heartbleed. com for us.

If so, then I have to tell you, many of us have got big problems with the banks and merchants and utilities, etc, we do business with,

a big problem. I checked my correspondents (banks and merchants today, using the LastPass Heartbleed checker. It is fully as bad as

they say. I guesstimate 90% of my correspondents are using OpenSSL in their security software. This is the good news. The bad news

is when you contact them and get past the receptionist or customer service person to a technician, then ask him or her how they are

addressing the threat, they profess not know know what you are talking about. Most technical people I have been able to talk to have

never heard of the Heartbleed bug. When you explain the problem they say it is not their problem, yet! From their replies, I take it they

for the most part use third party software incorporating OpenSSL, and do not write and use their home grown software.

So, if I get your advice, I cannot fix someone else's security software problem because it is someone else's software problem (Servers).

But, I digress. Best advice given now is; 1. Change your your user id and password. 2. Do not change them until the correspodents advise

you do do so, oif ever.

Final question for you (and Georgia). Why are so many Security Certificates either missing or out of date? How are we, users, to read

a security certificate?

Thank you for your advice.

1) The Last Pass checker ......... read the fine print. It only advises on past conditions of a server.

2) Read >> http://news.yahoo.com/trying-protect-yours...-150922215.html << there are many Heartbleed checkers, BUT you could find yourself in serious trouble using them.

It is ( certainly in the US and UK ) illegal to to run checks like this on any server you do not own, or do not have the owners express permission to run checks on.

3) Old Certificates are not always a problem, many were not vulnerable.

4) The best course of action is to ask your vendors/banks/suppliers what action they have taken. Most sensible sites have posted notices.

It is pointless changing passwords on a vulnerable site/server, wait until you know it is safe, otherwise you make the new password available to hackers.

5) Remember also, this vulnerability does not affect all sites/servers. Much of the press gives the impression that all sites are affected.

6) Last step, if you connect to the internet via a router ask the manufacturer if their firmware is vulnerable, and if so when will they patch the firmware.

Nesivos

About the only one i'm concerned about is my bank and that was/is secure.

My understanding is that most financial institutions at least most large ones do not use OpenSSL and therefore would not be subject to Heartbleed. However, the best thing to do is to contact your financial institution and ask them.

Nesivos

April 11, 2014

FFIEC Issues Heartbleed Warning; Major Banks Say They're Protected

Thursday (April 10th), Bank Technology News ran websites of the largest banks through a Heartbleed bug "checker" run by LastPass, a provider of a password storage service. All were found to be safe except Citigroup's, which was termed "Possibly Unsafe" in that it might use OpenSSL. LastPass recommended that users wait for the site to upgrade before changing their passwords.