Heartbleed bug

Hide sidebar Show sidebar
3db

3db

Audioholic Slumlord
BoredSysAdmin said:
Yes it is.
Security issue in the code is definitely a code bug. No bug as in malware, but as in issue in the programming.
And this is not "over-hyped" enough.
Click to expand...
Its definately overhyped and my reason for stating this is as follows. This vunerability is at least two years old if you check all the GNU versions of openssl is affected. Instead of drawing attention to it publically which now alerts the whole dam hacking community, the alert should have been sent by vendors as a high priority and in strict confidence to all IT managers to get this resolved. The way this was handled has been totally bongled.
 
3db

3db

Audioholic Slumlord
jinjuku said:
Since I own a software development house: Yes, it is a bug.

Now developers officially term it as: Errata :D
Click to expand...
Yeah I can agree with that. Usually I associate bugs with maleware and viruses.
 
BoredSysAdmin

BoredSysAdmin

Audioholic Slumlord
3db said:
Its definately overhyped and my reason for stating this is as follows. This vunerability is at least two years old if you check all the GNU versions of openssl is affected. Instead of drawing attention to it publically which now alerts the whole dam hacking community, the alert should have been sent by vendors as a high priority and in strict confidence to all IT managers to get this resolved. The way this was handled has been totally bongled.
Click to expand...
Security through obscurity doesn't work. Yes, the bug was introduced to openSSL code two years ago and despite the news broke only 3 days ago, there are traces of this vulnerability was used as early as last November. If not global news alerting everyone to this I am sure tons of admin would still be sitting on their asses and not patch the servers. As extreme example of such IT laziness I preset Yahoo webmail - they made default to SSL only on October 2013, Google done in Jan 2010.

And Again - however tiny and remote the possibility of loosing private SSL keys is actually is associated with this BUG, I don't think that you quite grasp the potential consequences.

Remember the Stuxnet? Big part of it's "success" was a pair of stolen manufacture certificates private keys. Or to initiate a man in the middle attack on secure site with zero notifications for ether side.
 
3db

3db

Audioholic Slumlord
BoredSysAdmin said:
Security through obscurity doesn't work. Yes, the bug was introduced to openSSL code two years ago and despite the news broke only 3 days ago, there are traces of this vulnerability was used as early as last November. If not global news alerting everyone to this I am sure tons of admin would still be sitting on their asses and not patch the servers. As extreme example of such IT laziness I preset Yahoo webmail - they made default to SSL only on October 2013, Google done in Jan 2010.

And Again - however tiny and remote the possibility of loosing private SSL keys is actually is associated with this BUG, I don't think that you quite grasp the potential consequences.

Remember the Stuxnet? Big part of it's "success" was a pair of stolen manufacture certificates private keys. Or to initiate a man in the middle attack on secure site with zero notifications for ether side.
Click to expand...
As an admin, I'm fully aware of the potential threats. There is nothing like alerting the hacker community of a vunerability
 
jinjuku

jinjuku

Moderator
3db said:
As an admin, I'm fully aware of the potential threats. There is nothing like alerting the hacker community of a vulnerability
Click to expand...
The real hacker community already knows...
 
BoredSysAdmin

BoredSysAdmin

Audioholic Slumlord
3db said:
I disagree. If they were aware, there would have more reported fraudulent activity out there.
Click to expand...
big, not HUGE difference between reported and fraudulent activity, Target hack for example (not related to heartbleed) was going on for months before become reported.
Best hacks are never reported since no one knows they happen at all
 
GO-NAD!

GO-NAD!

Audioholic Spartan
The plot thickens?

NSA exploited Heartbleed bug for two years to gather intelligence, sources say | Financial Post

If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."

Looking at it from a personal perspective, if my bank account hasn't been cleaned out and my credit card hasn't racked up mysterious charges, should I be worried? Would the main concerns be industrial, governmental & military espionage?
 
Adam

Adam

Audioholic Jedi
GO-NAD! said:
If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."
Click to expand...
Is it possible that they could also know when someone else was using it, and then track them?
 
3db

3db

Audioholic Slumlord
GO-NAD! said:
The plot thickens?

NSA exploited Heartbleed bug for two years to gather intelligence, sources say | Financial Post

If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."

Looking at it from a personal perspective, if my bank account hasn't been cleaned out and my credit card hasn't racked up mysterious charges, should I be worried? Would the main concerns be industrial, governmental & military espionage?
Click to expand...
Apparently, the Canadian banks have additional security set up that prevents the exploitation of this bug by hackers.
 
3db

3db

Audioholic Slumlord
GO-NAD! said:
The plot thickens?

NSA exploited Heartbleed bug for two years to gather intelligence, sources say | Financial Post

If there's any substance to the allegation that the NSA has been exploiting this bug right from the start, how cynical must they be? "Hey, we can use this to spy on anyone we want. If criminals are able to steal data too, well, that's a sacrifice we're willing to make."

Looking at it from a personal perspective, if my bank account hasn't been cleaned out and my credit card hasn't racked up mysterious charges, should I be worried? Would the main concerns be industrial, governmental & military espionage?
Click to expand...
Paranoia is alive and well in the US government departments. Big brother is watching "us"
 
lsiberian

lsiberian

Audioholic Overlord
3db said:
Paranoia is alive and well in the US government departments. Big brother is watching "us"
Click to expand...
Not directly they just monitor communications traffic to protect national security interests. You aren't on a watch list until you hit certain thresholds.
 
haraldo

haraldo

Audioholic Warlord
3db said:
Apparently, the Canadian banks have additional security set up that prevents the exploitation of this bug by hackers.
Click to expand...
I'm quite surprised that it comes up that US Banks may be affected by this, over here and also in Switzerland, all banks that I know of use at least two factor identification by using username/password and an additional key that is sent to you via SMS or using a secureid type of widget (although it's not secureid but bankid)

So I do have a hard time to see how end users may be affected with the relations to banks.

Do you really not have anything similar to this in US?

Althoough the B2B authentication between banks and partners may potentially have been affected, I reckon.... if the certificates are compromised and this is scary to think about......
I am sure, however, that any anomalies would be found and corrected though.

How about SWIFT transactions?, here we are talking huge huge piles of money going, is this can be affected, then it's scary scary....
 
You must log in or register to reply here.

Latest posts

newsletter

  • RBHsound.com
  • BlueJeansCable.com
  • SVS Sound Subwoofers
  • Experience the Martin Logan Montis

Sitemap

Sitemap

Site Information

Site Information

HTML

audio forum
  • Facebook
  • Youtube
  • Twitter
  • instagram
  • rss
Top