Heartbleed Bug (Online SSL Vulnerability)

Bitdefender Staff:


Breaking news today. As if we end users did not have enough to worry about, this bad news comes along.

I pass along the URL www.heartbleed.com. I omit the news feeds. Please read the article and advise us BD subscribers about 1. and 2. and 3.

1. Since most BD subscribers buy stuff and bank on line, we communicate with banks and merchants on line using 128-bit SSL encryption of one flavor or another. Does BD security protect us against the Heartbleed bug now? How?

2. Before we bought a BD program we dealt on line with banks and merchants who used OpenSSL in their security protocols and on-line programs. Are we compromised?

3. If we are compromised and at risk, should we change our User ID and Passwords? How do we protect ourselves now?

Please advise.

Comments

  • ozziebear
    ozziebear ✭✭✭

    I'm also interested in any information Bitdefender can give us on this bug. Today the government of Canada shut down its Revenue Canada website, preventing people from filing their taxes electronically, only 3 weeks before the tax deadline. And apparently this bug may have been operating undetected for the last 2 years. So Georgia, if you have any info on this you could share, it would be appreciated.
  • I'm also concerned about this bug and whether we're protected or not and what is being done about it from the BD side.

  • The vulnerability is on the server side, not your system, so AV products can't really help you.


    It needs you to be extra vigilant and check the certification of the sites you visit. And above all, change your passwords.


    The flaw already has a fix, but it will obviously take time for sites / servers to apply this.

  • Heartbleed allows a malicious actor to obtain a 64KB chunk of memory from the client OR server end of the connection. Technically, this needs to be done from the server end of the connection, but given the number of compromised or just plain malicious servers out there I don't think this part of the issue should be overlooked.


    It's my impression that the version of SSL that Bitdefender ships with isn't vulnerable, BTW.

  • To put this into perspective, I have "borrowed" a quote from staff at another AV vendor.


    Unfortunately, there is very little you can do about this issue on the client side. Most work lies on server administrators all over the world. Severity of this issue is that you have no way to distinguish attacker from the genuine provider from client's perspective. You are probably safe if a server certificate is new (issued yesterday or so) but you can say absolutely nothing if it's not. And nobody knows if and for how long anyone exploited the issue. Not funny, at all.
  • http://mashable.com/2014/04/09/heartbleed-what-to-do/


    This blog entry at Mashable has a "what to do" info section and a list of known (so far) affected sites.


    Note the warning that sites you visited and used bank cards etc, up to 2 years ago "could" mean that your details are compromised.


    Note also that there is no proof whatever that this issue has been used by hackers/criminals. There is nothing to show that any data / information has been stolen (yet).


    There is also a site here >> http://filippo.io/Heartbleed/ << that allows you to check websites for the problem.

  • Georgia
    Georgia ✭✭✭

    Hello,


    The Heartbleed vulnerability is currently affecting a large part of the Internet that relies on OpenSSL for secure communication. There is no known evidence about whether or not a specific SSL certificate has been compromised via this bug, as this issue may have resulted in the compromise of the private key of the SSL certificate. Because of the nature of the flaw, there is no way to tell whether or not a certain server has been compromised during the vulnerability window, so system administrators should assume the worst-case scenario.


    As a user, it is important that you change your passwords.


    The Heartbleed Bug fools you into accessing false sites. Beware of sites that ask you to check for vulnerability. This may be a way of inviting the Heartbleed Bug into your system to steal your data. So far a few sites which have been attacked by the Heartbleed Bug are confirmed. As previously mentioned, it is important that you change your password to the following sites and all sites (once patches have been confirmed) to be safe.


    For server administrators who are running a critical service that is exposed to the Internet and relies on OpenSSL, we advise immediately taking the server out of production, updating the OpenSSL library with the patched one, revoking and renewing the SSL certificate and logging out all user accounts to ensure that the upcoming sessions are secured.


    Please don't hesitate to contact us, should you need any assistance:


    phone: http://www.bitdefender.com/support/consumer-phone.html


    chat: http://www.bitdefender.com/support/chat-support.html


    mail: http://www.bitdefender.com/en/Main/contactEmail

  • If you use LastPass please read the following. You can see what their security check looks like by clicking on the link.



    LastPass Now Checks If Your Sites Are Affected by Heartbleed


    Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed


    To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.


    The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.


    In the Security Check results, we alert you to sites affected by Heartbleed:


    So according to LastPass a website password should not be updated until a new certificate has been issued by the website.

  • For me, very useful information Nesivos, especially since I use LastPass exclusively (sorry Wallet). Having run the Tools/Security Check, one of my stored accounts showed a vulnerability/breach, Adobe.com. Others that I don't use LastPass for (Bank etc.) will be checked with their Heartbleed web search checker, and called if needed to find out their server security on their end, and when to change my password(s).


    @ Georgia, thank you for posting so quickly to something this serious, and for Diogenes 2009 in starting this thread.

  • About the only one i'm concerned about is my bank and that was/is secure.

  • Hello:


    You seem very knowledgeable, and appear to have read and digested the techno-babble on the "heartbleed.com" website. I had hoped the more knowledgeable members of BD Forum like Georgia and you would do so and comment, as you did. Someone, Georgia or you?, is advising us we clients can do little, other than change passwords, etc., and that only after the Servers kill the Heartbleed Bug a/k/a CVE-2014-0160 dead by changing their security keys. This post is to thank you for reading and parsing Heartbleed.com for us.


    If so, then I have to tell you, many of us have got big problems with the banks and merchants and utilities, etc., we do business with, a big problem. I checked my correspondents (banks and merchants) today, using the LastPass Heartbleed checker. It is fully as bad as they say. I guesstimate 90% of my correspondents are using OpenSSL in their security software. This is the good news. The bad news is when you contact them and get past the receptionist or customer service person to a technician, then ask him or her how they are addressing the threat, they profess not to know what you are talking about. Most technical people I have been able to talk to have never heard of the Heartbleed bug. When you explain the problem they say it is not their problem, yet! From their replies, I take it they for the most part use third party software incorporating OpenSSL, and do not write and use their home grown software.


    So, if I get your advice, I cannot fix someone else's security software problem because it is someone else's software problem (Servers).


    But, I digress. Best advice given now is: 1. Change your user id and password. 2. Do not change them until the correspondents advise you to do so, if ever.


    Final question for you (and Georgia). Why are so many Security Certificates either missing or out of date? How are we, users, to read a security certificate?


    Thank you for your advice.

  • 1) I doubt BD protects you or rather, I can't see how it would. The "problem" is as mentioned on the servers running X version of OpenSSL.


    2) Doubtful but possibly yes. For example banks (most at least hopefully) have already patched all internet facing servers and non-internet, then they'd have re-issued certificates. Would you know about this - of course not, they won't tell you.


    3) Changing ID/PWD is only worth it once the certs have been re-issued. Has that been done, you don't know.

  • 1) The Last Pass checker ......... read the fine print. It only advises on past conditions of a server.


    2) Read >> http://news.yahoo.com/trying-protect-yours...-150922215.html << there are many Heartbleed checkers, BUT you could find yourself in serious trouble using them.


    It is (certainly in the US and UK) illegal to run checks like this on any server you do not own, or do not have the owner's express permission to run checks on.


    3) Old Certificates are not always a problem, many were not vulnerable.


    4) The best course of action is to ask your vendors/banks/suppliers what action they have taken. Most sensible sites have posted notices.


    It is pointless changing passwords on a vulnerable site/server, wait until you know it is safe, otherwise you make the new password available to hackers.


    5) Remember also, this vulnerability does not affect all sites/servers. Much of the press gives the impression that all sites are affected.


    6) Last step, if you connect to the internet via a router ask the manufacturer if their firmware is vulnerable, and if so when will they patch the firmware.

  • My understanding is that most financial institutions, at least most large ones, do not use OpenSSL and therefore would not be subject to Heartbleed. However, the best thing to do is to contact your financial institution and ask them.

  • April 11, 2014


    FFIEC Issues Heartbleed Warning; Major Banks Say They're Protected


    Thursday (April 10th), Bank Technology News ran websites of the largest banks through a Heartbleed bug "checker" run by LastPass, a provider of a password storage service. All were found to be safe except Citigroup's, which was termed "Possibly Unsafe" in that it might use OpenSSL. LastPass recommended that users wait for the site to upgrade before changing their passwords.


    more on link


    Note: This was over 10 days ago.

  • COMMonkey
    edited May 2014

    Hi,


    All BitDefender Windows products seem to be using a vulnerable version of the OpenSSL library.


    The DLL is located at C:\Program Files\Bitdefender\Bitdefender\ssleay32.dll, and the version is 1.0.0d, which is listed as being vulnerable to the heartbleed bug.


    Any word on when will the clients be patched with a non-vulnerable version?


    Thanks.

  • Rohugh
    Rohugh ✭✭

    There is already a discussion topic about this including advice from Georgia.


    http://forum.bitdefender.com/index.php?showtopic=53151

  • COMMonkey
    edited May 2014

    I don't see anything about info or impact of the OpenSSL library in the BitDefender Windows apps in that thread - just a generic tech response answer (and a misleading one at that: "The Heartbleed Bug fools you into accessing false sites." - what?).


    Any real insight on when the apps are going to get patched would be appreciated.

  • Nesivos
    edited May 2014

    Only products that use the following versions of OpenSSL are vulnerable:

    1.0.1 beta 1 – beta 3
    1.0.1
    1.0.1a – 1.0.1f
    1.0.2 beta 1

    1.0.0 is not vulnerable. The vulnerability was created due to sloppy programming during the update of OpenSSL to 1.0.1. You can check this by searching the web.
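As an added example, not code from any poster in this thread, here is a small Python check that classifies an OpenSSL version string against the vulnerable ranges listed in the post above, including the `1.0.0d` DLL version reported earlier; the parser and function names are my own, and the accepted input formats (bare versions, beta suffixes, and the full `openssl version` output line) are assumptions.

```python
import re

# Vulnerable releases as listed in the post above: 1.0.1-beta1..beta3, 1.0.1,
# 1.0.1a..1.0.1f and 1.0.2-beta1. 1.0.1g carries the fix; the 1.0.0 and 0.9.8
# branches never included the heartbeat extension and are not affected.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:[ -]?beta[ -]?(\d+))?(?:-fips)?$"
)


def parse_openssl_version(text):
    """Parse strings such as '1.0.1f', '1.0.2 beta 1', '1.0.1-beta3' or the
    full output of `openssl version` ('OpenSSL 1.0.1e-fips 11 Feb 2013').
    Returns (major, minor, patch, letter, beta) or None if unrecognised;
    letter is '' for the unlettered release, beta is None for a final release."""
    s = text.strip().lower()
    if s.startswith("openssl"):
        s = s[len("openssl"):].strip()
    # Drop the trailing build date that `openssl version` prints.
    s = re.sub(r"\s+\d{1,2}\s+[a-z]{3}\s+\d{4}$", "", s)
    m = VERSION_RE.match(s)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def is_heartbleed_vulnerable(text):
    """True if the version string falls inside the vulnerable ranges."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        if beta is not None:
            return 1 <= beta <= 3          # 1.0.1-beta1 .. beta3
        return letter <= "f"               # '' (1.0.1) and a..f; g is fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1                   # only 1.0.2-beta1 shipped the bug
    return False


if __name__ == "__main__":
    # Constructed sample inputs; "1.0.0d" is the ssleay32.dll version quoted in this thread.
    for v in ["1.0.0d", "1.0.1", "1.0.1f", "1.0.1g", "1.0.1 beta 2",
              "1.0.2 beta 1", "OpenSSL 1.0.1e-fips 11 Feb 2013", "0.9.8y"]:
        print(f"{v:40} vulnerable={is_heartbleed_vulnerable(v)}")
```

Distribution vendors backported the fix into their existing 1.0.1e packages without changing the version string, so a version match is a first triage step, not proof; confirm with the package changelog or the vendor's advisory.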