Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed

All over the world, systems administrators are scrambling to fix the OpenSSL “Heartbleed” bug. At the same time, certificate sellers are preparing to rub currency all over their bodies as Web admins virtually swipe the corporate Amex to revoke and renew their certs. OpenSSL's history reaches back to Eric Young's SSLeay. While it …

COMMENTS

This topic is closed for new posts.



nmap -O

It's lovely. Not perfect, but lovely all the same.


Re: nmap -O

The thing is that will not show info about backported fixes...

There is a test nmap script however here

https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse


Internet. Of. Things.

You have been warned.


Re: Internet. Of. Things.

People have been warned about the NSA or serial Easy Money Bubble implosions too, for a long time.

Warnings, like deficits and Big Government, don't matter.


Check your vulnerability here.

https://www.ssllabs.com/ssltest/analyze.html

It's a good test of your SSL setup as well...


Re: Check your vulnerability here.

Nice to see they've added Heartbleed testing - it didn't check for it yesterday as that site was my first port of call and flagged up all the servers I needed to test as green, but at least has flagged up the one I know has an issue with a big fat red F.

However, it does state that the Heartbleed check is experimental, so it may report a pass even if the server actually is vulnerable. Might be worth using a few different tests, including using openssl itself on a box local to the servers being tested to cut out any intermediate termination points that might be disguising the issue.


Re: Check your vulnerability here.

WARNING: this site lists the most recently looked up flawed servers.

IF YOUR SITE IS VULNERABLE IT WILL BECOME A LIGHTNING ROD FOR ATTACKS.


Re: Check your vulnerability here.

Although they do only list like the last 10 worst, and so many people use it, this list changes every second, so it isn't likely to become a lightning rod for attacks in about a second.

Not to mention the check box, which you can tick to not have your info displayed on the boards, right under the input box.


Ditch your home router

and setup a small pfsense box.

Anonymous Coward

"and setup a small pfsense box"

I would wait until it's been patched first: https://forum.pfsense.org/index.php?topic=74902.msg408806#msg408806


Re: "and setup a small pfsense box"

This patch is being tested at the moment and should be available within a couple of days ... and your commercial router will be updated when?


Re: "and setup a small pfsense box"

Or just use OpenBSD and the built-in pf rather than its derivative.


Fuck

Fuck, like fuck, it feels like there's nothing I can do to be safe on the internet.

Craig Foster, that site is reporting mail.yahoo.com as an A letter grade when it's known that Yahoo mail is vulnerable. I wouldn't trust that site.

T L

Re: Fuck

Keep up chuck... Yes, Yahoo was identified and reported as vulnerable. But they sorted it. Plus that's been reported toooo! :-) So you can take the fuck coloured tin foil hat off again, at least until next week, when I'm sure they'll be yet another security issue... with something! :-/


Simple solution

Telcobox = unsecure

mybox = secure

Use the telcobox for transport only and triple-play, then get LAN/WLAN and security from mybox only.

Of course, mybox must not be remotely managed, must not trust anything coming from telcobox and it should run one of the popular freewares (dd-wrt, openwrt, tomato).

Et voila.


It will not save you, http://www.theregister.co.uk/2014/03/31/cert_fail_bricks_old_juniper_kit/

maybe.


Re: Simple solution

Ask yourself:

• Can I easily find out if my router is running OpenSSL, and if so what version? (Answer: probably no)

- With OpenWRT this is pretty easy

• Can I easily upgrade to a secure version? (Answer: only if my vendor or the ISP that provided the hardware ships a firmware upgrade)

- With OpenWRT this is pretty easy

• Will old devices get upgraded? (Answer: probably not in a hurry and almost certainly not automatically)

- With OpenWRT this is pretty easy

• What can I do? (Answer: turn off remote management, if you can).

- Keep using open source router firmware? :)

Anonymous Coward

Re: Simple solution

But have they issued a patch yet?

And let's not forget, it was open source that caused this problem in the first place. The claimed benefits of open source are useless if no one qualified looks.


Re: Simple solution

it was open source that caused this problem in the first place. [Citation Needed]

You sure it wasn't someone making buggy code that caused this problem in the first place?

And the open source development model that made the bug more likely to be discovered and fixed?

...and the closed off, black box nature of shitty SoHo routers that prevents a lot of people from easily applying the fix?

Yes, yes and yes.


Re: Simple solution

"But have they issued a patch yet?"

Uh, yes... Patched on the 8th of April, but compiling from source is not difficult either.

Confirming whether you're safe or not is as simple as:

# opkg list | grep openssl

Updating to the latest version is as easy as

# wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/libopenssl_1.0.1g-1_ar71xx.ipk

# wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/openssl-util_1.0.1g-1_ar71xx.ipk

# opkg install libopenssl_1.0.1g-1_ar71xx.ipk

# opkg install openssl-util_1.0.1g-1_ar71xx.ipk

# reboot

As far as "It was open source that caused the problem in the first case" - I don't even know whether to bother explaining the errors in logic. How does publishing the source code of a program cause it to be insecure? Either it's secure or it's not.


That is what you get for using Windows

Oh, wait..........

Well, someone had to say it :-)

I've just bought an old Cisco router to try and get away from the bulk Soho consumer routers because Virgin Media won't fix bugs in their supplied product.

Now I have to go back to school to learn how to configure the blasted thing.

Oh, and given that it runs IOS how come Apple haven't sued Cisco yet?

Mine's the one with the infinite pockets to hold all the CLI manuals.


Re: That is what you get for using Windows

> I've just bought an old Cisco router [...] Now I have to go back to school to learn how to configure the blasted thing.

You want "Cisco Routers for the Desperate, 2nd Edition" - http://www.nostarch.com/cisco2.htm


Re: That is what you get for using Windows

And don't forget to patch the million and one security holes that the Cisco will have....

As for IOS name, have you been asleep for the last 4 years?

bed

Using a Cisco router

A Cisco 837 ADSL router, which copes with "Up to 8Mbps" just fine, may only cost £30 off the web. Cisco's web site has plenty of examples of how to configure various routers. You may have to get your head round Access Control Lists when locking the thing down or, worse, allowing some external access. You may not legitimately be able to maintain IOS – if that is of concern. But it is probably a much more secure option than whatever the ISP supplies.

Cheers


Re: Using a Cisco router

I have that router.

It's not really Cisco and it doesn't run IOS - it was badge-engineered Linksys, I think. Whatever. Cisco bought a company to get into low end, and then sold it again.

http://en.wikipedia.org/wiki/Linksys

It is however a decent router with nearly all the features a geek needs and most importantly, they actually do work.

And it runs hotter than hell.


Re: That is what you get for using Windows

If it's old you might be fine. From what I can see the issue only affects the newer versions of openssl, older versions like 0.9.8 and below don't have the vulnerability, so some older kit will likely be fine. For instance Watchguard report some of their older firewalls are unaffected, and I believe CentOS 5.x is also fine as it doesn't support OpenSSL newer than 0.9.8, unlike any of the CentOS 6.x versions which have the newer one and therefore need looking at.


Re: That is what you get for using Windows

I have a Cisco iPhone. Seriously.

Anonymous Coward

nearly impossible [...] to work out what version of software

so: "it's nearly impossible for the average end user to work out what version of software a consumer broadband router is running."

Hmm. If the router is running linux, surely all I have to do is check the source code handily supplied to me by the manufacturer ... (ROFL)

wait, wait ... wasn't my ROFL big enough for you? Am I not allowed to chuckle at both (a) the idea of average users checking src code, and (b) manufacturers (not) supplying source code?


Re: nearly impossible [...] to work out what version of software

*Puzzled Frown*


I've just tested some banks to see if they are vulnerable using https://www.ssllabs.com/ssltest/analyze.html


Lloyds, Nationwide and Barclaycard all pass.

American Express comes up with "Warning: Inconsistent server configuration".

Not sure what that means, but.....

Alan

Anonymous Coward

So you are admitting to performing a security probe without authorisation from the server owner? Congratulations on becoming a criminal.


So you are admitting to performing a security probe without authorisation from the server owner? Congratulations on becoming a criminal.

Under what law? The special Internet law that doesn't exist?

Unless of course you know in which jurisdiction the OP resides, and can quote the relevant passages from the relevant acts verbatim.


remote management?

I've always wondered *why* anyone would need to remotely manage their home router?

The only scenario I can think of is that the router is locked down super tight (static addresses for every device on the LAN) and the person adminning it is out of town for a couple of weeks when a family member buys a new device and wants to connect it to the LAN.


Re: remote management?

"I've always wondered *why* anyone would need to remotely manage their home router?"

If they did want to they're likely to know to SSH into an internal machine and manage it from there.


Re: remote management?

I suspect that remote management may include your ISP updating firmware on your router.

May also include remote management to fix finger trouble by unskilled users.

When routers are provided as part of a turnkey solution then remote support capability is more or less a given.


Re: Your phone works on electricity

It's not for the users, it's generally for the ISP techs to check/fix configs when people call up. IIRC they mostly use TR-069.


Re: remote management?

Store and access files on router connected storage.

Bittorrent

Music and movie streaming

Bandwidth and data management (caps)

Clueless family

DYN DNS type service

Whitelist or blacklist sites

Change traffic priority rules

Restart a consumer grade router that ran out of memory

See if your house is there after a disaster

There's probably a better way to do many of these things, but remote management through a simpler than setting a box up yourself webpage makes them so simple. I can remotely access my router, just in case. (Turned off atm until I can call support tomorrow)


Re: remote management?

I wonder how often the remote management is on by default in these devices? The ADSL+WLAN router I bought several years ago had it disabled, and after some thinking I left it that way, not seeing any good reasons to enable it, just lots of risks. But I could imagine some manufacturers having a different policy, in which case those devices are probably pwned by now.


Re: remote management?

It is so the ISP can manage it because you are a dumb user.


Your observation is flawed

While this vulnerability is rather catastrophic, you're looking for demons in additional places where they do not lie. To the extent that any of these home routers and access points bother with SSL _at all_, they are using self-signed certificates which are already insecure and worthless. Being able to steal the private key from a device using a self-signed certificate to begin with isn't much further of a vulnerability.


Re: Your observation is flawed

No I think you misunderstand. The vulnerability allows _all_ the memory on the device to be leaked (albeit in 64kb chunks). There could be _anything_ in there - I guess any web traffic sent in plain text will be visible (presumably anything encrypted in the browser would be fine)


Re: Your observation is flawed

Isn't the scope of the compromise limited to the type of hardware? For firmware devices with a simple process and memory model, I can see the compromise extending to _all_ the memory.

But for other devices, including the webservers at companies, it seems the access would be more limited. How can _all_ the memory be compromised when the OpenSSL library would be loaded inside a process context with memory protection that prevents you seeing the memory of other processes? It seems you should only get it for the particular process(es) using OpenSSL in support of each IP port's communications.


Re: Your observation is flawed

Why do you consider a self-signed certificate worthless? I don't see how paying a 3rd party to sign your cert with their trusted root certificate makes things any more secure, it just means browsers trust them by default.

If you add the self-signed cert to your trusted certificates you'll know if someone's trying to spoof your host or something funny is going on.


Re: Your observation is flawed

Incorrect; process separation means you should only be able to dump memory available to that process.


Re: Your observation is flawed

That's because the definition of self-signed certificates includes two types of certificates:

1) certificates created by a device/software during its installation process

2) certificates signed by a non-global CA

#1 above can, depending on the author of the installation script, create identical certificates on every device.

#2 is what you get when you build your own, internal, CA. Either using openssl and a handful of scripts or a package like ejbca. You can create certificates equal to, or better than, certificates issued by any global root CA. At nearly zero cost.


Re: Your observation is flawed

You can create certificates equal to, or better than, certificates issued by any global root CA. At nearly zero cost.

Butbutbut, you don't get the green address bar or the little padlock, and the browser will shout at you! That makes it insecure!


Re: Your observation is flawed

"But for other devices, including the webservers at companies"

But wasn't the first post about home routers and access points? How many companies use a home router for their webserver? :-/ (Judging by the speed of some of them more than one!)


Re: Your observation is flawed

Hmm; ok, that's fair. I could see this leaking the administrative password, or replication passwords, or cloud service ones. That's rather bad.


Have been using Mikrotik for my home routers for a couple of years now. Not only are they cheaper than your 'generic' consumer routers, but they are much better specified, and more configurable. I have no problems recommending them.

Add the fact that they're not susceptible to the current SSL issue, and it's all good.

Anonymous Coward

not older kit?

I thought this vulnerability only related to 1.0.1 and later? Older OSes and routers etc may well be running 0.9.x or possibly earlier. RHEL5/Centos5 was on 0.9.8 the last time I looked, for example. Yes, I know RH backports some stuff so version numbers aren't always indicative, and maybe you rolled your own rather than using an rpm or .deb or whatever.

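An added example, not from the thread: a POSIX sh helper that applies the version test the OpenWRT post (opkg list | grep openssl, fix in 1.0.1g) and this post describe, classifying the 1.0.1 line before 1.0.1g as affected, 1.0.1g and later as fixed, and 0.9.8/1.0.0 as unaffected, run over constructed opkg-style output lines. The package lines are constructed samples, and, as this post notes, a bare version string cannot reveal a distro-backported fix.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an OpenSSL version string for
# the Heartbleed bug as the posts describe it: the 1.0.1 line before 1.0.1g is
# affected, 1.0.1g and later carry the fix, 0.9.8 and 1.0.0 never had the bug.
# The version string alone cannot show a distro-backported fix (RHEL/CentOS
# style), so "vulnerable" means "check the package changelog or test the host".
heartbleed_status() {
  case "$1" in
    0.9.*|1.0.0*)         echo "not-affected" ;;
    1.0.1[g-z]*)          echo "fixed" ;;
    1.0.1|1.0.1[a-f]*)    echo "vulnerable" ;;
    *)                    echo "unknown" ;;
  esac
}

# Read "name - version[ - description]" lines, the layout of `opkg list` and
# `opkg list-installed` output, and report every openssl-related package.
# The OpenWrt package revision suffix (1.0.1g-1 -> 1.0.1g) is stripped first.
check_opkg_lines() {
  while IFS= read -r line; do
    case "$line" in
      *openssl*) ;;
      *) continue ;;
    esac
    pkg=${line%% - *}
    rest=${line#* - }
    ver=${rest%% - *}
    ver=${ver%%-*}
    printf '%s %s %s\n' "$pkg" "$ver" "$(heartbleed_status "$ver")"
  done
}

# Constructed sample of what `opkg list | grep openssl` might print on a router
# with one package still at 1.0.1f and one already at 1.0.1g; not a real capture.
SAMPLE_OPKG_OUTPUT='libopenssl - 1.0.1f-1 - OpenSSL shared library
openssl-util - 1.0.1g-1 - OpenSSL command line tool
dropbear - 2013.62-1 - Small SSH server'

printf '%s\n' "$SAMPLE_OPKG_OUTPUT" | check_opkg_lines
```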
