Heartbleed (Community Center / Geeks' Lounge) by Stuugie
…here, a good trusted source of information, has heard of Heartbleed?
> Two days ago a serious vulnerability (that’s been named “Heartbleed”) in the popular cryptographic software OpenSSL was made public.
…this tidbit from [here](https://mojang.com/2014/04/heartbleed/) and have Googled it and while it's out…

Re: Heartbleed (Community Center / Geeks' Lounge) by happygeek
… your data that is being potentially accessed now that heartbleed is out in the open, I'd humbly suggest… right: https://www.schneier.com/blog/archives/2014/04/heartbleed.html "the probability is close to one that… the starting point on the multi-step path of Heartbleed recovery. Website operators should strongly consider replacing their X…

Re: Heartbleed (Community Center / Geeks' Lounge) by mike_2000_17
I got an automatic update of openssl yesterday, as part of the regular automatic updating of all software on Linux (Kubuntu). It contains the fix for that bug, as it's [stated on the website](http://www.ubuntu.com/usn/usn-2165-1/). I would assume all other decent Linux distros' repositories have been updated too in the past couple of days. If a …

Ye Bloody Gods!!! 74 percent of big business yet to fix Heartbleed flaw (Hardware and Software / Networking) by happygeek
…to properly secure their public facing servers against the Heartbleed OpenSSL threat. That's a year after the thing…“the fact that so many systems remain vulnerable to Heartbleed highlights the difficulty of basing security on patching production …more difficult in the case of an issue like Heartbleed, where verification of the fix is much more …

Re: Ye Bloody Gods!!! 74 percent of big business yet to fix Heartbleed flaw (Hardware and Software / Networking) by Slavi
They either don't understand the risks or they just don't care about protecting sensitive data. Think heartbleed is ranked #1 critical flaw for 2014 followed by shellshocker

Re: Ye Bloody Gods!!! 74 percent of big business yet to fix Heartbleed flaw (Hardware and Software / Networking) by rubberman
A lot of the ignoring of these issues is due to management not wanting to deal with the costs involved. They seem to take the stance that "we aren't being hacked, so why pay the price?". The old adage of "penny wise, but pound foolish" comes to mind...

Re: Ye Bloody Gods!!! 74 percent of big business yet to fix Heartbleed flaw (Hardware and Software / Networking) by happygeek
Talking to a number of consultants specialising in IT security, it seems that the 'big boys' are leading the way with those remediation stats. Look to the medium sized enterprises sector and remediation falls to around 10%. Their future could be, erm, interesting to say the least.

Re: Ye Bloody Gods!!! 74 percent of big business yet to fix Heartbleed flaw (Hardware and Software / Networking) by Slavi
I agree with rubben, could be a cost issue and they'd rather not deal with it until it's too late, that's why #DFIR is becoming so popular (Hey I got hacked, come and fix everything as if it didn't happen). Although it's understandable to not spend money on top of what has already been, I guess it's better to spend some rather than be left out of …

Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by happygeek
… discovered which some security experts suggest could be bigger than Heartbleed. The bug, reported as '[CVE-2014-6271:remote code execution… routers, Macs running OS X, servers, websites etc etc. The Heartbleed reference comes courtesy not only of the potential widespread target…

Is OpenSource really that secure? (Hardware and Software / Information Security) by Aeonix
… the legitimate code and change client/server handlers (to allow [Heartbleed](http://heartbleed.com/)), that "owners" and contributors don't…

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by rubberman
Yes. Most distributions have already released the patches required to fix this. Now, people just have to update their systems to incorporate the fixes. This will be simpler than installing the heartbleed SSL bug patches with fewer possible side-effects (we hope).

Drupal 7 SQL injection prevention API vulnerable to SQL injection attacks (Programming / Databases) by happygeek
… shares similarities with other recently discovered exploits such as ShellShock, Heartbleed, and the Poodle SSL vulnerability in that it is something…

20 year old LogJam bug proves that 'crypto is hard' (Community Center / Geeks' Lounge) by happygeek
… connections used by thousands of HTTPS sites and email servers. Heartbleed, LogJam, FREAK, Superfish and so many other examples reinforce that…

Re: Google is now ranking websites with HTTPS higher in its search results (Digital Media / Digital Marketing / Search Engine Strategies) by PixelatedKarma
… and webmasters to provide encrypted websites, it really was the heartbleed bug that helped raise awareness of the need for securing… the internet. The ironic thing about the heartbleed bug is that it was a series of vulnerabilities found…

Re: My Blog (Hardware and Software / Information Security) by RobertHDD
… to change passwords every month. Last year's attack was from HeartBleed, an OpenSSL bug which Trend Micro pointed out a tool… check if browsers were infected with that bug so that HeartBleed can't steal your passwords and credit card details even people…

Re: Password 101 (part 1): hashes and salts (Hardware and Software) by Hiroshe
… of them have to do with software vulnerabilities, like say heartbleed, or SQL injection. Some of the most effective have to…

Re: More bad news for Android; but is it quite as bad as made out? (Hardware and Software / Hardware / Mobile and Wearables) by Kelly Burby
… their security application accordingly?? I remembered last time when some heartbleed flaw was detected an application is firstly made live to…

Re: Google is now ranking websites with HTTPS higher in its search results (Digital Media / Digital Marketing / Search Engine Strategies) by Mudassir Hasan
Before Google's announcement, most of the experts were guessing that security may be a new ranking parameter, but the Heartbleed Bug made it confirmed that security is the next ranking factor.

Re: There's no such thing as a secret online (Digital Media / Digital Marketing) by PixelatedKarma
… as Edward Snowden and the massive media campaign on the heartbleed bug. However when we see the end of people willfully…

Re: Cyber-attack 'superfecta' statistics released (Hardware and Software / Information Security) by RobertHDD
You got to know that HEARTBLEED AND FLAME and superfecta's have really made cyberspace look this bad.

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by Gribouillis
I don't dare execute your test line now.

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by blud
Test line should be safe, but yeah talk about a bad day for sysadmins.

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by Gribouillis
The test line is **not** safe. Here is my result:
[code]$ env x='() { :;}; echo vulnerable' bash -c "start patching now"
vulnerable
start: Tâche inconnue : patching[/code]
`Tâche inconnue` means `unknown task`. So bash echoed vulnerable and then tried to run the `start` command. On my system, `/sbin/start` is a symlink to the `initctl…

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by mike_2000_17
Yeah, the test command should be:
[code]$ env x='() { :;}; echo vulnerable' bash -c "if [ $? -ne 0 ] ; then echo \"start patching now\"; fi"[/code]
I tried it and it printed "vulnerable" for me, but I checked my updates and bash got updated to 4.3 and now the test command no longer shows it to be vulnerable. Yay!

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by happygeek
Arse. I missed an echo, apologies... Now fixed.

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by happygeek
Some interesting comments coming in from the ITSec industry: Jaime Blasco, AlienVault Labs Director.
> We have been running a Honeypot since yesterday that basically emulates a system that is vulnerable. We found several machines trying to exploit the vulnerability. The majority of them are only probing to check if systems are vulnerable.
>…

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by happygeek
This just hit my inbox from the ZScaler ThreatLabZ folk:
> Within hours of the public disclosure of this vulnerability, the Zscaler ThreatLabZ research team started seeing incidents of attacks targeting this vulnerability in the wild to download additional malware. It appears that Nginx and Apache web servers configured to use mod_cgi are two …

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by Slavi
Thanks 4 sharing

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by JasonHippy
Here's some great advice for Linux sys-admins who want to detect and block attempts by would-be attackers who are testing your servers for this bug, or who have already taken advantage of it: http://www.linuxbrigade.com/bash-shellshock-bug-find-youve-tested/ Even if your server has already been patched, it probably makes sense to block anybody who…

Re: Warning: Linux security bashed by 22 year old remote code execution bug (Hardware and Software / Linux and Unix) by blud
If you patched on Thursday or Friday, the patch wasn't complete. CVE-2014-7169 covers the new exploit. Test code:
[code]env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo[/code]