[ALUG] Public urged to reset all passwords
Frankosiligi Solomon
franco.noc at gmail.com
Thu Apr 10 12:22:27 EAT 2014
Brief Summary,
*What is it about?*
The vulnerability, dubbed as the Heartbleed Bug, that exists on all OpenSSL
implementations that use the Heartbeat extension. When exploited on a
vulnerable server, it can allow an attacker to read a portion up to 64 KB's
worth of the computer's memory at a time, without leaving any traces.
This small chunk of memory could contain user-critical personal
information* private
keys, usernames, passwords (in cleartext in a lot of cases), credit card
information, and confidential documents* for example. The attacker could
request this chunk again and again in order to get as much information as
they want and this bug could be exploited by anyone on the Internet,
anywhere.
*Which versions of OpenSSL are affected?*
As per the OpenSSL advisory: "Only 1.0.1 and 1.0.2-beta releases of OpenSSL
are affected including 1.0.1f and 1.0.2-beta1."
*Which is Unaffected Version?*
The fixed version is 1.0.1g, which was released on April 7, 2014.
*Do You Want to Test Your System/Site?*
Go to this url:* http://filippo.io/Heartbleed/
<http://filippo.io/Heartbleed/>*
*What should you do if you are affected?*
Affected users must upgrade to OpenSSL version 1.0.1g which has the
Heartbleed bug fixed.
If an upgrade is not possible you must recompile your applications to turn
off the Heartbeat extension. This can be accomplished by using the
-DOPENSSL_NO_HEARTBEATS flag.
SSL certificates must also be revoked and replaced with new ones. With SSL
certificates installed with the affected version of OpenSSL, the private
keys could be potentially exposed. With no specific method of knowing which
existing certificates are affected, new SSL certificates must be generated.
End-users should also consider changing their passwords for their online
accounts as the Heartbleed bug exposes sensitive information such as
usernames and passwords. To avoid compromised accounts, users must reset
all their passwords as soon as they are *prompted to do so*. They should
also monitor for any suspicious activity involving their accounts.
*Need to Know More?*
*http://blog.trendmicro.com/trendlabs-security-intelligence/skipping-a-heartbeat-the-analysis-of-the-heartbleed-openssl-vulnerability/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20Anti-MalwareBlog%20%28Trendlabs%20Security%20Intelligence%20Blog%29
<http://blog.trendmicro.com/trendlabs-security-intelligence/skipping-a-heartbeat-the-analysis-of-the-heartbleed-openssl-vulnerability/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20Anti-MalwareBlog%20%28Trendlabs%20Security%20Intelligence%20Blog%29>*
*http://timesofindia.indiatimes.com/tech/computing/Heartbleed-bug-All-you-need-to-know/articleshow/33541279.cms
<http://timesofindia.indiatimes.com/tech/computing/Heartbleed-bug-All-you-need-to-know/articleshow/33541279.cms>*
On Thu, Apr 10, 2014 at 11:57 AM, TGH Solutions <info at tgharusha.com> wrote:
> Actually, you should first verify that the service you're changing the
> password on has updated its website. If you change passwords on a
> compromised site that hasn't updated then you're leaking your new password.
>
> https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
>
> Mustafa
>
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node Ltd:
> http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them (including
> attachments if any). The mailing list host is not responsible for them in
> any way.
>
--
Frankosiligi Solomon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.habari.co.tz/pipermail/linux/attachments/20140410/30295361/attachment-0001.html>
More information about the Linux
mailing list