Heart Bleed

[LuvMeSumZen]

One of my members just PM'd me asking me about this and I had to admit I was clueless. I did not find a single reference to it here on the forums using the search function but found plenty of results with google, but they all seem to be convoluted re-hashes with links to other sites that have yet more links ad infinitum and I cannot seem to nail down what I would consider a bonafide source of information on this virus. Is this a real threat or another in a long line of virus myths?

If it's real has anyone had first hand experience with it? Of course I hope no one has, but if anyone has maybe it should be something that should be discussed that could help the rest of us take any preventive measures that might be n order.

 

[Amaury]

http://xenforo.com/community/threads/critical-bug-openssl.72022/

 

[LuvMeSumZen]

Thanks for the links. I guess this is a tangential question but why don't such specific search terms ever even come up on this site?

 

[Jeremy P]

Searching "heartbleed" here yielded me 3 threads, one of which is the above.

 

[LuvMeSumZen]

I used "heart bleed" not "heartbleed" and got nothing. I used "heart bleed" because it's what was asked of me.

I just opened a tab and did another search using heartbleed and got 5 results. Using heart bleed got one. This thread. There's pros and cons for being too loose or too tight with search parameters. I have been a fan of XF since I jumped on board but the XF search function and even on this official forum totally sucks. It's a small price to pay for such a great software though IMO.

 

[SilverCircle]

Thanks for the links. I guess this is a tangential question but why don't such specific search terms ever even come up on this site?

Because this forum is not a security-related site?

Why not just google OpenSSL Heartbleed. Millions of results - though, at least 2/3 of them written by basically clueless "wannabe experts" or simply copied from elsewhere. Stick to the renowned sites, for example, Ars Technica or EFF have some really good stuff about it.

If it's real has anyone had first hand experience with it? Of course I hope no one has, but if anyone has maybe it should be something that should be discussed that could help the rest of us take any preventive measures that might be n order.

No rocket science here:

• Determine whether your sites are/were vulnerable.
  
• Update your software (you really should have done this days ago already).
• If you were vulnerable, consider passwords and maybe certificates used by the vulnerable service(s) (e.g. webserver, mail server etc.) stolen. Yes, big deal here, and depending on the popularity or importance of your site(s) it might be highly unlikely (attackers usually attack sites of which they think, something valuable can be taken from), but still possible.

There are no preventive measures against such bugs. They just happen and will likely happen again.

 

[Carlos]

To learn a bit more about the subject, here ya go...

https://www.namecheap.com/support/knowledgebase/article.aspx/9343

If you're lazy to click that;

A critical vulnerability nicknamed “Heartbleed” was discovered in OpenSSL, the most popular SSL module used on Linux / cPanel servers. This exploit allows a third party to steal information that would otherwise be secured and encrypted with the SSL/TLS protocol, and to steal the private keys from the certificate pair itself.

This means; even if you had/have the latest version of cPanel/Linux, your information would have been stolen without your knowing. The worst part is, your certificate would have been easy to "hack into" because your private keys would have been taken to gain access to your certificate. So, the hacker or unsuspecting person would know your password, sensitive info in your server, and whatnot - which would have exposed your entire network to attacks. Yes, even with HTTPS enabled.

There are no preventive measures against such bugs. They just happen and will likely happen again.

Many companies, many sites have already patched their sites with preventive measures against such incidents. This is related mostly to OpenSSL, most companies that don't use it are already saying that this doesn't/didn't affect them all that much.