1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Heart Bleed

Discussion in 'Off Topic' started by LuvMeSumZen, Apr 13, 2014.

  1. LuvMeSumZen

    LuvMeSumZen Active Member

    One of my members just PM'd me asking me about this and I had to admit I was clueless. I did not find a single reference to it here on the forums using the search function but found plenty of results with google, but they all seem to be convoluted re-hashes with links to other sites that have yet more links ad infinitum and I cannot seem to nail down what I would consider a bonafide source of information on this virus. Is this a real threat or another in a long line of virus myths?

    If it's real has anyone had first hand experience with it? Of course I hope no one has, but if anyone has maybe it should be something that should be discussed that could help the rest of us take any preventive measures that might be n order.
     
  2. Amaury

    Amaury Well-Known Member

  3. LuvMeSumZen

    LuvMeSumZen Active Member

    Thanks for the links. I guess this is a tangential question but why don't such specific search terms ever even come up on this site?
     
  4. Jeremy P

    Jeremy P Well-Known Member

    Searching "heartbleed" here yielded me 3 threads, one of which is the above.
     
  5. LuvMeSumZen

    LuvMeSumZen Active Member

    I used "heart bleed" not "heartbleed" and got nothing. I used "heart bleed" because it's what was asked of me.

    I just opened a tab and did another search using heartbleed and got 5 results. Using heart bleed got one. This thread. There's pros and cons for being too loose or too tight with search parameters. I have been a fan of XF since I jumped on board but the XF search function and even on this official forum totally sucks. It's a small price to pay for such a great software though IMO.
     
  6. SilverCircle

    SilverCircle Well-Known Member

    Because this forum is not a security-related site?

    Why not just google OpenSSL Heartbleed. Millions of results - though, at least 2/3 of them written by basically clueless "wannabe experts" or simply copied from elsewhere. Stick to the renowned sites, for example, Ars Technica or EFF have some really good stuff about it.

    No rocket science here:
    • Determine whether your sites are/were vulnerable.
    • Update your software (you really should have done this days ago already).
    • If you were vulnerable, consider passwords and maybe certificates used by the vulnerable service(s) (e.g. webserver, mail server etc.) stolen. Yes, big deal here, and depending on the popularity or importance of your site(s) it might be highly unlikely (attackers usually attack sites of which they think, something valuable can be taken from), but still possible.
    There are no preventive measures against such bugs. They just happen and will likely happen again.
     
  7. Carlos

    Carlos Well-Known Member

    To learn a bit more about the subject, here ya go...

    https://www.namecheap.com/support/knowledgebase/article.aspx/9343

    If you're lazy to click that;
    This means; even if you had/have the latest version of cPanel/Linux, your information would have been stolen without your knowing. The worst part is, your certificate would have been easy to "hack into" because your private keys would have been taken to gain access to your certificate. So, the hacker or unsuspecting person would know your password, sensitive info in your server, and whatnot - which would have exposed your entire network to attacks. Yes, even with HTTPS enabled.
    Many companies, many sites have already patched their sites with preventive measures against such incidents. This is related mostly to OpenSSL, most companies that don't use it are already saying that this doesn't/didn't affect them all that much.
     
    Last edited: Apr 14, 2014
    Amaury likes this.

Share This Page