New Heartbeat Bug - Are You at Risk?

Hello all,

I don’t know much about this new threat but I just read that an estimated 66% of all internet servers could be (potentially) vulnerable to attack. Anyway, it might be worth your while to have a look at this Forbes article regarding same. Also, please note they provide 3 links to sites for additional vulnerability testing:

http://www.forbes.com/sites/jameslyne/2014/04/08/heartbeat-heartbleed-bug-breaks-worldwide-internet-security-again-and-yahoo/

Again, don’t know much more than what I read in the Forbes article but I intend to educate myself very quickly. In fact, I have already tested my banking sites and email servers to get some feeling of relative safety when using same. Also, I’m wondering if/how Avast may (or may not) help with any additional protection against this bug. Experts please respond if you can add anything here!

FYI,

plsrepli

http://blog.avast.com/2014/04/09/heartbleed-affects-much-of-internet-time-to-change-your-passwords-again/

Unfortunately, there is very little you can do about this issue on the client side. Most work lies on server administrators all over the world. The severity of this issue is that, from the client’s perspective, you have no way to distinguish an attacker from the genuine provider. You are probably safe if a server certificate is new (issued yesterday or so), but you can say absolutely nothing if it’s not. And nobody knows if, and for how long, anyone exploited the issue. Not funny, at all.

Thank you Drake for that detailed explanation. I think you’ve just about covered the generic areas of concern and I hope others will follow the additional links provided as well.

Best regards,

plsrepli

One interesting point from Sophos in their Naked Security newsletter yesterday or today: they say there’s little or no point changing your password with a given site/service until after they’ve updated to the latest OpenSSL version and gotten a fresh certificate, otherwise you’ll just have to do it again afterwards.

Also, they say that smaller, low-budget sites which rarely update and are using relatively old versions of OpenSSL may be safe anyway … it sounds like the vulnerability is only in all earlier builds of the current version, with the bug being fixed in the newest build just released.

http://filippo.io/Heartbleed/ can be used to test a site to see if the heartbeat bug exists now, but it doesn’t tell you if that site had the bug five minutes ago.

Hopefully in a few days most sites will have closed up the heartbeat vulnerability.

I’m planning on a systematic session of changing my password to my financial sites in a few days.

Not only servers need to be updated, but also the routers people are using at home.

I’d imagine that, as end-users, getting these updates for routers and dsl modems with built-in routers will take a bit of time. Should come in as a firmware update when it happens.

When that will be, is anyone’s guess.

http://mashable.com/2014/04/09/heartbleed-what-to-do/

Note the "what to do" info section and a list of known (so far) affected sites.

There is a warning that sites you visited and used bank cards etc., up to 2 years ago “could” mean that your details are compromised.

Note however that there is no proof whatever that this issue has been used by hackers/criminals. There is nothing to show that any data / information has been stolen (yet).

NO, not necessarily. People need to ask their manufacturer’s support desk / forum.

Some, but certainly not all routers may be affected.

I have seen today, people on several sites, spreading panic and falsehoods about this problem.

As usual in situations like this, the panic and rumours are spread by those that have no real knowledge of the reality whatever.

ASK your manufacturer if the product you use is affected.

I have the BILLION 7800N and it is definitely safe.

Tests and Questions

possible.lv heartbleed test @ http://possible.lv/tools/hb/
results follow:
/Looking for TLS extensions on https://blog.avast.com

ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) ← Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.

Checking your certificate
Certificate is valid before 0day. ← Your stuff may be compromised. Consider changing the certificate and passwords.
//
Looking for TLS extensions on https://forum.avast.com

ext 65281 (renegotiation info, length=1)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.
/end of results

LastPass Heartbleed checker @ https://lastpass.com/heartbleed
results follow:

/WARNING: forum.avast.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK

Site: forum.avast.com
Server software: ASW
Was vulnerable: Possibly (might use OpenSSL, but we can’t tell)
SSL Certificate: Possibly Unsafe (created 3 months ago at Jan 15 00:00:00 2014 GMT)
Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
//
WARNING: blog.avast.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK

Site: blog.avast.com
Server software: nginx
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 3 months ago at Jan 15 00:00:00 2014 GMT)
Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
/end results

These results appear to show Avast may have fixed SSL but certificates are still showing old issue dates.

I am a client and do not maintain SSL certificates but have a question regarding the re-keying versus revoke and re-issue.
When re-keying a certificate does the CA give the certificate a new issue date and keep the old expiry date??

Question being some are saying re-keying and not revoking the certificate will take care of the security issue but is that reflected in the certificate dates??

These two sites may be considered low priority and do not merit the cost versus risk of buying new certificates but the client may stop trusting the old certificates. Right or Wrong??
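As an added example (not from this thread, nor from the possible.lv or LastPass checkers quoted above), here is a small Python script that does the certificate-date half of what those checkers report: it compares a server certificate's notBefore to the Heartbleed disclosure date, which is the piece of evidence that tells you whether a site has actually replaced its certificate before you bother changing your password there. The names HEARTBLEED_DISCLOSURE, utc_date, assess_certificate and fetch_peer_cert are mine, and the sample certificate dicts are constructed to mirror the Jan 15 2014 date the LastPass output shows.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL 1.0.1g and the public CVE-2014-0160 advisory shipped on 7 April 2014;
# a certificate issued before that date may have had its private key read out
# of a vulnerable server's memory, and no later OpenSSL patch undoes that.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def _cert_time(value):
    """Parse getpeercert()'s 'Jan 15 00:00:00 2014 GMT' format into aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def assess_certificate(cert, now=None, disclosure=HEARTBLEED_DISCLOSURE):
    """Return (verdict, detail) for a dict shaped like ssl getpeercert() output.
    'expired'  - past notAfter.
    'reissue'  - notBefore predates the disclosure: the site has not replaced
                 the certificate yet, so a password change there is premature.
    'fresh'    - issued on or after the disclosure date.
    """
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    if now > not_after:
        return "expired", "certificate expired %s" % not_after.date()
    if not_before < disclosure:
        days = (disclosure - not_before).days
        return "reissue", "issued %s, %d days before disclosure" % (not_before.date(), days)
    return "fresh", "issued %s, after disclosure" % not_before.date()

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the live, chain-validated certificate of host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples; SAMPLE_OLD uses the 'Jan 15 00:00:00 2014 GMT' date the
# LastPass checker reported for the two Avast hosts in the thread.
SAMPLE_OLD = {"notBefore": "Jan 15 00:00:00 2014 GMT", "notAfter": "Jan 15 23:59:59 2016 GMT"}
SAMPLE_NEW = {"notBefore": "Apr 10 12:00:00 2014 GMT", "notAfter": "Apr 10 12:00:00 2015 GMT"}

if __name__ == "__main__":
    import sys
    for name, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, *assess_certificate(cert, now=utc_date(2014, 4, 10)))
    if len(sys.argv) > 1:  # e.g. python check_cert.py example.com
        print(sys.argv[1], *assess_certificate(fetch_peer_cert(sys.argv[1])))
```

Whatever a CA does on re-key, notBefore is the field the checkers above read, so a certificate that still carries its pre-disclosure notBefore is the one they will keep flagging.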