3db

3db

Audioholic Slumlord
Yes it is.
Security issue in the code is definitely a code bug. No bug as in malware, but as in issue in the programming.
And this is not "over-hyped" enough.
Its definately overhyped and my reason for stating this is as follows. This vunerability is at least two years old if you check all the GNU versions of openssl is affected. Instead of drawing attention to it publically which now alerts the whole dam hacking community, the alert should have been sent by vendors as a high priority and in strict confidence to all IT managers to get this resolved. The way this was handled has been totally bongled.
 
3db

3db

Audioholic Slumlord
Since I own a software development house: Yes, it is a bug.

Now developers officially term it as: Errata :D
Yeah I can agree with that. Usually I associate bugs with maleware and viruses.
 
BoredSysAdmin

BoredSysAdmin

Audioholic Slumlord
Its definately overhyped and my reason for stating this is as follows. This vunerability is at least two years old if you check all the GNU versions of openssl is affected. Instead of drawing attention to it publically which now alerts the whole dam hacking community, the alert should have been sent by vendors as a high priority and in strict confidence to all IT managers to get this resolved. The way this was handled has been totally bongled.
Security through obscurity doesn't work. Yes, the bug was introduced to openSSL code two years ago and despite the news broke only 3 days ago, there are traces of this vulnerability was used as early as last November. If not global news alerting everyone to this I am sure tons of admin would still be sitting on their asses and not patch the servers. As extreme example of such IT laziness I preset Yahoo webmail - they made default to SSL only on October 2013, Google done in Jan 2010.

And Again - however tiny and remote the possibility of loosing private SSL keys is actually is associated with this BUG, I don't think that you quite grasp the potential consequences.

Remember the Stuxnet? Big part of it's "success" was a pair of stolen manufacture certificates private keys. Or to initiate a man in the middle attack on secure site with zero notifications for ether side.
 
3db

3db

Audioholic Slumlord
Security through obscurity doesn't work. Yes, the bug was introduced to openSSL code two years ago and despite the news broke only 3 days ago, there are traces of this vulnerability was used as early as last November. If not global news alerting everyone to this I am sure tons of admin would still be sitting on their asses and not patch the servers. As extreme example of such IT laziness I preset Yahoo webmail - they made default to SSL only on October 2013, Google done in Jan 2010.

And Again - however tiny and remote the possibility of loosing private SSL keys is actually is associated with this BUG, I don't think that you quite grasp the potential consequences.

Remember the Stuxnet? Big part of it's "success" was a pair of stolen manufacture certificates private keys. Or to initiate a man in the middle attack on secure site with zero notifications for ether side.
As an admin, I'm fully aware of the potential threats. There is nothing like alerting the hacker community of a vunerability
 
jinjuku

jinjuku

Moderator
As an admin, I'm fully aware of the potential threats. There is nothing like alerting the hacker community of a vulnerability
The real hacker community already knows...
 
BoredSysAdmin

BoredSysAdmin

Audioholic Slumlord
I disagree. If they were aware, there would have more reported fraudulent activity out there.
big, not HUGE difference between reported and fraudulent activity, Target hack for example (not related to heartbleed) was going on for months before become reported.
Best hacks are never reported since no one knows they happen at all
 
GO-NAD!

GO-NAD!

Audioholic Spartan
The plot thickens?

NSA exploited Heartbleed bug for two years to gather intelligence, sources say | Financial Post

If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."

Looking at it from a personal perspective, if my bank account hasn't been cleaned out and my credit card hasn't racked up mysterious charges, should I be worried? Would the main concerns be industrial, governmental & military espionage?
 
Adam

Adam

Audioholic Jedi
If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."
Is it possible that they could also know when someone else was using it, and then track them?
 
3db

3db

Audioholic Slumlord
The plot thickens?

NSA exploited Heartbleed bug for two years to gather intelligence, sources say | Financial Post

If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."

Looking at it from a personal perspective, if my bank account hasn't been cleaned out and my credit card hasn't racked up mysterious charges, should I be worried? Would the main concerns be industrial, governmental & military espionage?
Apparently, the Canadian banks have additional security set up that prevents the exploitation of this bug by hackers.
 
3db

3db

Audioholic Slumlord
The plot thickens?

NSA exploited Heartbleed bug for two years to gather intelligence, sources say | Financial Post

If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."

Looking at it from a personal perspective, if my bank account hasn't been cleaned out and my credit card hasn't racked up mysterious charges, should I be worried? Would the main concerns be industrial, governmental & military espionage?
Paranoia is alive and well in the US government departments. Big brother is watching "us"
 
lsiberian

lsiberian

Audioholic Overlord
Paranoia is alive and well in the US government departments. Big brother is watching "us"
Not directly they just monitor communications traffic to protect national security interests. You aren't on a watch list until you hit certain thresholds.
 
haraldo

haraldo

Audioholic Warlord
Apparently, the Canadian banks have additional security set up that prevents the exploitation of this bug by hackers.
I'm quite surprised that it comes up that US Banks may be affected by this, over here and also in Switzerland, all banks that I know of use at least two factor identification by using username/password and an additional key that is sent to you via SMS or using a secureid type of widget (although it's not secureid but bankid)

So I do have a hard time to see how end users may be affected with the relations to banks.

Do you really not have anything similar to this in US?

Althoough the B2B authentication between banks and partners may potentially have been affected, I reckon.... if the certificates are compromised and this is scary to think about......
I am sure, however, that any anomalies would be found and corrected though.

How about SWIFT transactions?, here we are talking huge huge piles of money going, is this can be affected, then it's scary scary....
 

Latest posts

newsletter

  • RBHsound.com
  • BlueJeansCable.com
  • SVS Sound Subwoofers
  • Experience the Martin Logan Montis
Top