On 4/11/2014 7:15 PM, Greg Freemyer wrote:
On April 11, 2014 10:37:26 AM EDT, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 04/11/2014 06:52 AM, Greg Freemyer wrote:
On Fri, Apr 11, 2014 at 9:38 AM, Vojtěch Zeisek <vojtech.zeisek@opensuse.org> wrote:
Still I haven't heard about any real misuse of this bug. Are there any examples of compromised servers etc.?
Between the announcement of the vulnerability and the roll-out of the patches, absolutely.
Security teams immediately put up traffic sniffers and watched their clients' passwords, credit card numbers etc. flying out the door. They also saw the SSL private security keys flying out.
Did you find references for actual in-the-wild exploitation, Greg? I found some references to testing scenarios, but not actual data exfiltrations.
This link from EFF thinks the only confirmed exploit kind of smells like an intelligence agency:
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-...
Regards, Lew
From: http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-be...
"Terrence Koeman of MediaMonks told Ars he found signs of attempts to use the exploit dating back to November 2013. He used the packet content of a successful exploit of the Heartbleed vulnerability to check inbound packets logged by his servers and found a number of incoming packets from a network suspected of harboring a number of “bot” servers that were apparently scans for the vulnerability—sending Heartbleed-style requests to two different development servers in requests that were about five minutes apart."
So this was either cyber criminals or the NSA. I'll assume it was cyber criminals, but who knows.
Regardless, someone was scanning for the vulnerability 5 months ago. And this is not a complex vulnerability to leverage: once you find a vulnerable server, just keep sending authentication requests with invalid credentials. Using a spread-out botnet defeats fail2ban-style defenses.
My personal opinion is the world's governments should treat this as a global catastrophe and pay to have every credit card on the planet reissued at a minimum.
Greg
Your assertion that this is not a complex vulnerability to leverage may need some proof. People who have tried to leverage it have not been very successful. See http://blog.cloudflare.com/answering-the-critical-question-can-you-get-priva... You might get something, but deliberate attempts to do so are harder than you seem to think.