Discussion:
it's not just web sites
(too old to reply)
Keith Keller
2014-04-09 22:36:01 UTC
Permalink
Those of us who know better already knew this: it's not just web sites
that could be vulnerable to the Heartbleed bug.

http://www.theregister.co.uk/2014/04/09/heartbleed_vuln_analysis

But there was an interesting list of web sites which were vulnerable as
of yesterday:

http://www.theregister.co.uk/2014/04/09/heartbleed_vuln_analysis

As Jeff noted, yahoo.com is no longer vulnerable; I would guess that
many of these sites have patched by now. And some sites are clearly
false reports: ebay.com, for example, must have some sort of SSL
support, probably on a different subdomain.

And, of course, some data is perfectly safe:

http://xkcd.com/1353/

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Jeff Liebermann
2014-04-09 23:38:38 UTC
Permalink
On Wed, 9 Apr 2014 15:36:01 -0700, Keith Keller
Post by Keith Keller
As Jeff noted, yahoo.com is no longer vulnerable; I would guess that
many of these sites have patched by now.
I just finished going down a list of about 50 web sites owned by
customers and friends. One is still unpatched. Four are dubious
because the ISP's IDS (intrusion detection system) is blocking my
probes. The rest are clean.
Post by Keith Keller
And some sites are clearly
false reports: ebay.com, for example, must have some sort of SSL
support, probably on a different subdomain.
That's the "broken pipe" error message, which is caused by the IDS
blocking. Actually, it's a good way to block an attack while buying
time to fix the web sites.

Description of various other test methods:
<http://blog.logrhythm.com/security/the-internets-bleeding-heart/>
including references to Snort IDS configuration to block or log an
attack.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Jeff Liebermann
2014-04-10 23:35:57 UTC
Permalink
Post by Jeff Liebermann
I just finished going down a list of about 50 web sites owned by
customers and friends. One is still unpatched. Four are dubious
because the ISP's IDS (intrusion detection system) is blocking my
probes. The rest are clean.
The one site that wasn't patched turned out to be a total screwup. The
site is hosted on a dedicated server somewhere on GoDaddy.com. On
such a server, GoDaddy is not responsible for maintaining the server.
This was somewhat over the head of the web designer and reseller that
runs the dedicated server. I'm not sure exactly who eventually
patched it, but as of about Thus at 2AM, it was finally fixed.

I'm sure glad that I'm out of this business and no longer burning the
midnight oil on such exercises.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
David Kaye
2014-04-11 00:35:39 UTC
Permalink
Post by Jeff Liebermann
I'm not sure exactly who eventually
patched it, but as of about Thus at 2AM, it was finally fixed.
What tool are you using to check for patches?
Jeff Liebermann
2014-04-11 01:30:13 UTC
Permalink
On Thu, 10 Apr 2014 17:35:39 -0700, "David Kaye"
Post by David Kaye
Post by Jeff Liebermann
I'm not sure exactly who eventually
patched it, but as of about Thus at 2AM, it was finally fixed.
What tool are you using to check for patches?
<http://filippo.io/Heartbleed/>
<https://lastpass.com/heartbleed/>
Neither is particularly definitive or reliable but are the best I
could find.

If you want to check all your customers with a script, try this:
<https://github.com/musalbas/heartbleed-masstest>

I also think you'll find this FAQ interesting reading:
<http://lists.svlug.org/archives/svlug/2014-April/058620.html>
I can't swear as to the accuracy, but it looks right.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
David Kaye
2014-04-12 00:46:40 UTC
Permalink
Post by Jeff Liebermann
<http://filippo.io/Heartbleed/>
<https://lastpass.com/heartbleed/>
Neither is particularly definitive or reliable but are the best I
could find.
[....]


Thank you very much! I have very few customers running websites, and none
needing encryption; it is more for my own education.
Keith Keller
2014-04-11 04:59:11 UTC
Permalink
Post by David Kaye
What tool are you using to check for patches?
Anyone making claims about the quality of encryption libraries should
not have to ask this question.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
David Kaye
2014-04-12 00:44:49 UTC
Permalink
Post by Keith Keller
Anyone making claims about the quality of encryption libraries should
not have to ask this question.
So, you don't know, do you?

I'm not making any claims about the quality of encryption libraries; I'm
saying that open source is not the panacea people claim it is because people
aren't going to go over millions of lines of code to debug things. That's a
whole different story. I'm told that the encryption itself is just fine,
but the calls to it are the problem.
Jeff Liebermann
2014-04-12 01:07:00 UTC
Permalink
On Fri, 11 Apr 2014 17:44:49 -0700, "David Kaye"
Post by David Kaye
Post by Keith Keller
Anyone making claims about the quality of encryption libraries should
not have to ask this question.
So, you don't know, do you?
Yep. There are plenty of ways to confuse the test. The most common
seems to be an IDS (intrusion detection system) that sniffs traffic
looking for HeartBleed. The larger server farms seem to be using IDS
blocks in order to buy time to patch everything in sight.
Post by David Kaye
I'm not making any claims about the quality of encryption libraries; I'm
saying that open source is not the panacea people claim it is because people
aren't going to go over millions of lines of code to debug things. That's a
whole different story. I'm told that the encryption itself is just fine,
but the calls to it are the problem.
Agreed. The worst part for me is that I don't completely understand
how the various authorization and authentication techniques work. I've
made an attempt to understand wireless security, but that has also
become sufficiently complicated to boggle my mind. As the level of
complexity increases, so does the potential for holes and bugs.

When it rains, it pours. Now we have forged authentication cookies in
Wordpress. I get to update a few sites that I help maintain.
<https://wordpress.org/news/2014/04/wordpress-3-8-2/>

Can I please have the weekend off?
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Keith Keller
2014-04-12 01:34:58 UTC
Permalink
Post by David Kaye
Post by Keith Keller
Anyone making claims about the quality of encryption libraries should
not have to ask this question.
So, you don't know, do you?
I knew on Tuesday.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Steve Pope
2014-04-12 01:18:55 UTC
Permalink
WSJ piece on the "Open Secure" software development problem:

http://online.wsj.com/news/articles/SB10001424052702303873604579495362672447986?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702303873604579495362672447986.html

(If that does not load, title is "Heartbleed Bug's Voluntary Origins".

It makes you feel some sympathy for these guys rather than branding
them as incompetent.

Myself, relating to the slashdot links posted upthread, while it's
a great idea to make malloc() and similar allocators secure, the
fact is no server code should ever, ever, hand to a client any fragment
of uninitialized data that was pointed to by a pointer returned by an
allocator. It is the server code's responsibility to construct valid
data before giving it to a client. You cannot have sockets spewing
out data that was just randomly previously sitting in memory.

The idea that fuzzy logic, heuristics, etc. can compensate for
bad code is a non-starter.


Steve
Loading...