Wednesday, April 19, 2017
Heartbleed Bug Week Two Affected Website Testing and The Other Shoe
[UPDATED 2014-04-17 ~11:00 AM ET. A link to Mashable's list of affected websites was added.]
This is week two of the Heartbleed bug and its ramifications. A lot has been learned. A lot is still happening. A lot more problems are still to come.
I'm extremely disappointed that few websites have directly addressed this problem and kept their customers informed. Apparently, security is still considered a minor inconvenience by website administrators, with a wide variety of responses to the Heartbleed security hole, as you'll see ahead.
TEST PAGES
Thankfully, there are now some very good resources for finding out whether specific websites remain affected. Here is a list of six pages I know of where you can test any website against the Heartbleed bug. Try them in the order of usefulness I've provided below. If one test errors out, try the next one.
http://watchtower.agilebits.com
https://www.ssllabs.com/ssltest/
https://filippo.io/Heartbleed/
http://www.digicert.com/help/
http://heartbleed.criticalwatch.com
https://lastpass.com/heartbleed/
Thanks to Brian Krebs for getting the ball rolling collecting these sites. I'll add more to this list as I find them. Note that using these test pages can be annoying and disconcerting. On some test pages, I ran into errors of various sorts about 50% of the time.
TEST RESULTS
Fortunately, lists of FAILed websites are showing up on the net, saving us some time and trouble. Here is one at Github, listing affected websites as of April 8th, 2014, the day after the SSL security hole was made public. Scroll down its page to Overview to see the list:
https://github.com/musalbas/heartbleed-masstest
NOTE: Many of the sites on this out-of-date list have now been patched! Yahoo, for example, made a big deal out of patching its website in a hurry.
Mashable has also provided a listing of affected websites here. Note that it is also out-of-date:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
At the time I wrote this article, many sites had still not been patched. Here's one unhappy example:
hypovereinsbank.de

[Screenshot: Heartbleed test result for hypovereinsbank.de]
And so forth.
NOW WHAT?
So! Are we ready to change our passwords at all the websites that verify as having patched their OpenSSL implementations?
Yes! Do it!
But! There's another problem! Remember how I pointed out last week that phishing is going to result from the Heartbleed bug? The phishing problem may become doubly bad:
THE OTHER SHOE DROPS

Because, as I pointed out last week, Heartbleed can allow the cleartext robbery of website security certificates, ALL security certificates at affected sites MUST BE REVOKED and REPLACED.
Why? Because with a stolen SSL security certificate, a hacker can pretend to officially BE the website from which the certificate was stolen! That's VERY bad and will lead to lots of troubles. It's also ignorant, lazy and cheapskate of the websites' administrators.
It turns out that remarkably few websites have so far revoked their potentially stolen security certificates! Welcome to our modern world of bad biznizz. :-P Insert your favorite expletives here: [_____]
Let's use an example!
HAPPY RESULTS
Use a GOOD web browser that actually CHECKS Internet security certificates for credibility. One such browser is good old Apple Safari! Bravo Apple! Each time you visit a website, Safari checks the security certificate for that website against a number of factors. One of them is whether that certificate is on a Certificate Revocation List (CRL).
http://en.wikipedia.org/wiki/Revocation_list
When you visit a website that has had its security certificate revoked, you get a message in Safari!
This past week, mentor Steve Gibson very kindly set up the perfect place to show what it looks like when you run into a revoked security certificate. Travel here to see Steve's demonstration:
https://www.grc.com/revocation.htm
In a box, slightly down the page, you'll see his test page link. Click on it:
https://revoked.grc.com
What you'll see in Safari is:

[Screenshot: Safari's warning for https://revoked.grc.com]
If you then click on the Show Certificate button, you will see this:

[Screenshot: the certificate details shown by Safari's Show Certificate button]
Therefore, you hit the Cancel button and leave the site. There's something profoundly wrong with it: danger, danger. Do not go there. Thank you Safari!

Let's say we live in Turkey and get an email we believe is from the Istanbul branch of HypoVereinsbank, where we have all our life savings stored. The email message says something like:
Dear Valued Customer,
We are offering a new 5% back on purchases feature to select account holders. To sign up for this new perk, please log into your HypoVereinsbank.co.tr account and click the Join the 5% Back Club button on the page.
Hurry now! Limited time offer! Don't let this deal pass you by! Prices do not include shipping and handling.
Great! A deal! They offered up the link to their website within the message! How convenient.
[If you check out the actual web address behind the HypoVereinsbank account link, you'll find that I've faked a different IP address that is NOT HypoVereinsbank! In reality, I've provided a LAN IP link that goes nowhere on the Internet, making it innocuous. But I could put anything there. Note that I am NOT picking on HypoVereinsbank in Turkey. I'm only using them as a valid example of a bank that had not patched the Heartbleed bug at the time of this writing.]
So we click the link to HypoVereinsbank.co.tr. We're sent to the FAKE website for the bank. We're presented with everything looking just perfect and fine. Safari sees NO problems! The stolen, unrevoked certificate is presented to Safari, and all is happy.
UH OH.
Then we log in, our ID and password are stolen, we possibly get asked a bunch of other personal identity questions in order to sign up for the FAKE 5% Back Club offer. We have been PWNed.
THEREFORE:
It's important that ALL Heartbleed-bug-affected websites revoke their old security certificates and get new certificates. ALL.
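Here is an added example, not code from this post, Safari or OpenSSL, that does offline the two checks this section argues for: is the site's certificate serial on the issuer's CRL (the check Safari makes), and was the certificate issued before Heartbleed went public on April 7th, 2014 (in which case its private key may have been exposed and it should have been reissued). The DER helpers and the test-certificate builder are minimal code written for this illustration; the certificate, its dates and the revoked-serial set are constructed, and the "SUSPECT" rule is this example's own heuristic, not a browser's.

```python
"""Two offline checks for a site's certificate after Heartbleed (added example):
   1. is its serial number on the issuer's CRL (what Safari checks)?
   2. was it issued before the 2014-04-07 disclosure and never reissued?
The DER helpers and the test-certificate builder are minimal code written for
this illustration; the certificate and the revoked-serial set are constructed."""
from datetime import datetime, date, timezone

HEARTBLEED_DISCLOSED = date(2014, 4, 7)  # the day before the April 8th list mentioned above

# ASN.1 DER tags used by X.509 (single-byte tags are enough for certificates)
SEQUENCE, INTEGER, OID, BIT_STRING, UTC_TIME, GEN_TIME, CTX0 = 0x30, 0x02, 0x06, 0x03, 0x17, 0x18, 0xA0


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a definite length (short form below 128, long form otherwise)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_decode(buf: bytes, pos: int = 0):
    """Decode the TLV starting at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Yield (tag, content) for each TLV directly inside a constructed node."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_decode(content, pos)
        yield tag, inner


def parse_time(tag: int, content: bytes) -> datetime:
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(content.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der: bytes) -> dict:
    """Pull the serial number and validity window out of a DER X.509 certificate."""
    _, cert_body, _ = der_decode(der)             # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_decode(cert_body)             # TBSCertificate is the first element
    fields = list(der_children(tbs))
    if fields[0][0] == CTX0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")  # serialNumber is positive, so unsigned is fine
    not_before, not_after = [parse_time(t, c) for t, c in der_children(fields[3][1])]
    return {"serial": serial, "not_before": not_before, "not_after": not_after}


def build_test_cert(serial: int, not_before: datetime, not_after: datetime) -> bytes:
    """Constructed, unsigned but well-formed v3 certificate for exercising parse_cert."""
    utc = lambda d: der_encode(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    empty_name = der_encode(SEQUENCE, b"")        # an empty RDNSequence parses fine
    sig_alg = der_encode(SEQUENCE, der_encode(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der_encode(SEQUENCE, b"".join([
        der_encode(CTX0, der_encode(INTEGER, b"\x02")),                                 # version v3
        der_encode(INTEGER, serial.to_bytes((serial.bit_length() + 8) // 8, "big")),   # leading 0 keeps it positive
        sig_alg, empty_name,                                                            # signature, issuer
        der_encode(SEQUENCE, utc(not_before) + utc(not_after)),                         # validity
        empty_name, der_encode(SEQUENCE, b""),                                          # subject, SPKI placeholder
    ]))
    return der_encode(SEQUENCE, tbs + sig_alg + der_encode(BIT_STRING, b"\x00"))


def assess(cert: dict, revoked_serials: set, disclosed: date = HEARTBLEED_DISCLOSED) -> str:
    """CRL hit wins; otherwise a pre-disclosure issue date means the key may have leaked."""
    if cert["serial"] in revoked_serials:
        return "REVOKED"      # treat it like Safari does: refuse, leave the site
    if cert["not_before"].date() < disclosed:
        return "SUSPECT"      # issued before Heartbleed went public and never reissued
    return "OK"


def demo() -> dict:
    """Constructed scenario: one old certificate, one reissued after disclosure."""
    utc_ = lambda *a: datetime(*a, tzinfo=timezone.utc)
    old = parse_cert(build_test_cert(0x1001, utc_(2013, 9, 1), utc_(2015, 9, 1)))
    new = parse_cert(build_test_cert(0x2002, utc_(2014, 4, 12), utc_(2016, 4, 12)))
    crl_serials = {0x1001}                        # constructed: the issuer's CRL lists the old serial
    return {"old_on_crl": assess(old, crl_serials),
            "old_no_crl": assess(old, set()),
            "new": assess(new, crl_serials)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

On a real certificate you would feed `parse_cert` the DER bytes from the connection and fill `revoked_serials` from the issuer's CRL; the "SUSPECT" verdict is only meaningful for a site that was actually running a vulnerable OpenSSL, which is what the test pages above establish.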
Enough of that nightmare for today.
CONCLUSION, for now:
1) Check out what websites have been affected by the Heartbleed bug.
2) Check out whether those websites are NOW patched.
3) Change your password there ASAP.
4) Keep an eye out for potential phishing scams using stolen security certificates.
THE FUTURE
Hopefully we'll see forced revocation of security certificates via certificate authorities against all websites that have been affected by the Heartbleed bug. That move would save us Internet users a lot of grief.
:-Derek

Wednesday, December 21, 2016
Heartbleed Bug Part 3 OR More OpenSSL Shoes Keep Dropping And They Hurt!

[Updated June 7th at ~10:45 am, thanks to assistance from my colleague Al Varnell.]
I've been delaying writing up another sequel in my Heartbleed Bug series of articles. Today's revelations kicked me back into gear. This is insane and soooo disappointing:
Stop. Put down the cup. Six new bugs found in OpenSSL including a hole for snoopers
On a scale of 1 to Heartbleed, this is a 7
I could link to more professional reports of this new OpenSSL mess. But the subject deserves The Register's harsh *snark* treatment. (O_o)
OpenSSL today pushed out fixes for six security vulnerabilities including a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.
[Expletives Deleted], this is awful.
Here is the list of security holes:
https://www.openssl.org/news/secadv_20140605.txt
The worst of these six holes, quoting The Register:
A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers.
. . . .
An SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.
. . . .
All OpenSSL users should be updating.
For Mac users, the ramification is that Apple has some patching to do! At this time, Apple uses OpenSSL v0.9.8y, which has the CVE-2014-0195 security hole. That's very bad. Apple has to patch EVERY version of OS X, including 10.9.3. Hopefully, the upcoming 10.9.4 update will have either updated or entirely removed OpenSSL.
As of OS X 10.7.x, Apple deprecated OpenSSL in favor of Common Crypto. However, Apple still has OpenSSL v0.9.8y within OS X for occasions when Common Crypto is not suitable. My colleague Al Varnell left a comment below regarding why Apple still integrates OpenSSL:
My reading of why Apple provides openssl 0.9.8y is as a convenience to third party developers that rely on openssl for whatever reasons and that it never uses it for any OS X or Apple apps, so I don't know that they will be in any hurry to replace it.
Theoretically, Apple will release a new 2014 Security Update to solve their OpenSSL problems. Keep an eye out.
NOTE: There are also XWindows applications and services using OpenSSL. Therefore, if you have installed any X11/XQuartz/Fink/MacPorts stuff, UPDATE THEM NOW. You know what to do. (I don't cover XWindows apps in this blog as it is beyond the scope of my intended audience).
Update: Al Varnell notes:
I did check early yesterday morning and MacPorts had already updated their version to 1.0.1h which is the newly recommended version to fix all currently known issues. That might be one quick way of reducing risk.
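An added example (not code from this post, from Apple or from MacPorts) showing how to decide whether an installed OpenSSL is at or past the release that carries the 5 June 2014 fixes. It reads the output of the real `openssl version` command and handles OpenSSL's letter-suffix scheme, where 0.9.8y, 0.9.8z and 0.9.8za follow each other and plain string comparison gets the order wrong. The 1.0.1h minimum is the version named above; the 0.9.8za and 1.0.0m entries are taken from the OpenSSL advisory linked above, not from this post, so check them against that advisory before relying on the table.

```python
"""Added example: is the installed OpenSSL at or past the release that carries
the 5 June 2014 fixes? Handles the letter-suffix scheme (0.9.8y < 0.9.8z <
0.9.8za) that naive string comparison gets wrong."""
import re
import subprocess
from typing import Optional, Tuple

# First fixed release per branch. 1.0.1h is the version named in the post; the
# 0.9.8 and 1.0.0 entries are taken from the linked advisory, not from the post.
FIXED = {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """'OpenSSL 1.0.1h 5 Jun 2014' -> ((1, 0, 1), 'h'); '0.9.8y' -> ((0, 9, 8), 'y')."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def version_key(text: str):
    """Sort key: numbers first, then the suffix by (length, letters), so 'z' < 'za' < 'zb'."""
    nums, letters = parse_version(text)
    return nums + (len(letters), letters)


def is_fixed(installed: str) -> Optional[bool]:
    """True/False against the branch's first fixed release; None if the branch is not in FIXED."""
    nums, _ = parse_version(installed)
    branch = "%d.%d.%d" % nums
    if branch not in FIXED:
        return None                       # e.g. 1.0.2-beta1: consult the advisory directly
    return version_key(installed) >= version_key(FIXED[branch])


def installed_openssl_version() -> str:
    """Output of the real `openssl version` command, e.g. 'OpenSSL 0.9.8y ...' on the OS X build above."""
    return subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout.strip()


if __name__ == "__main__":
    try:
        reported = installed_openssl_version()
    except (FileNotFoundError, subprocess.CalledProcessError):
        reported = "OpenSSL 0.9.8y"       # constructed fallback so the demo runs without the binary
    verdict = {True: "patched", False: "UPDATE NOW", None: "branch not in table, read the advisory"}
    print(reported, "->", verdict[is_fixed(reported)])
```

Note that the check only tells you which upstream release the binary claims to be; a vendor that backports fixes without bumping the version string (Apple's 0.9.8y, if a Security Update patches it in place) will still report the old number, so treat a "UPDATE NOW" from this script as a prompt to look at the vendor's advisory rather than as proof.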
~ ~ ~ ~ ~
Several resources have been made available to help Mac users sort out:
A) What websites are still unpatched.
B) What websites are/were affected.
C) What websites require users to create a new password due to the bug.
My colleague Josh Long has put together an excellent list of Heartbleed Bug affected and unaffected websites. Save it to your desktop and refer to it as you surf the net. Or go through the list of websites you log into and check whether you must change your password there or not:
Heartbleed Affected More Sites Than You Realized
Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.
Josh provides the following sections in his Heartbleed list:
- Change Passwords NOW
- Change Passwords NOW (but make sure you do it while connected to a trusted network) [IOW: Not while on an open Wi-Fi hub]
- Unknown/Ambiguous
- Known Safe - No Password Change Needed (according to the company and/or third-party tests)
- Further Notes and Explanations
- Other Lists of Current/Past Allegedly Affected Sites
- Test Pages - How to Check Whether a Site Is/Was Vulnerable
Another tool I've found is the Chromebleed add-on for the Chromium series of browsers:
https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic
If readers find other such tools, please let us know in the comments! Thanks.
:-Derek
