2 Replies Latest reply on Apr 10, 2014 2:33 PM by Hayton

    Sites vulnerable to HeartBleed

    Hayton

      I created an editable document listing some known vulnerable sites but it doesn't show up on the Security Awareness page.


      Here is a link to the document - https://community.mcafee.com/docs/DOC-5827

        • 1. Re: Sites vulnerable to HeartBleed
          catdaddy

          Thank you for this, very informative.

          • 2. Re: Sites vulnerable to HeartBleed
            Hayton

            As more information about the impact of this vulnerability becomes available it is clear that we have to draw a distinction between whether servers (and the secure websites running on them) are safe now, and whether they were ever at risk over the past couple of years of being exploited to divulge confidential information.


            Most of the big-name sites moved fast to patch OpenSSL with the latest version or to recompile the existing version with an option that prevents data theft. That everyone moved so fast is a recognition of the potentially disastrous consequences of leaving their servers open to intruders, and also of the exemplary way in which the news of this discovery was spread, as also of the concise explanation in the heartbleed.com release of the severity and urgency of the problem.


            But because a server has been patched and the weakness removed, that does not mean that it has not been silently attacked in the months before we all became aware of the problem. Attacks against servers to exploit this weakness leave no trace, nothing in the logs to indicate that anything has happened. So if a secure website is on a previously-vulnerable server the only safe course of action is to assume that it has been attacked, and your passwords (among other things) have been stolen.


            It's also not enough simply to remove the vulnerability from the server: security certificates used by websites on those servers should be revoked and new ones issued. This will take a little time to implement, but is essential since those too may have been compromised.


            So the list of previously-vulnerable websites is a guide to those sites where passwords should be changed as soon as possible. The really alarming news is that on that list you will see not only Yahoo (including Flickr and Tumblr) but also Facebook, GitHub, GoDaddy, AWS (Amazon Web Services) and - surprisingly - GMail. That's a surprise because Google have said that their use of Perfect Forward Secrecy should have protected the contents of emails from being snooped - but not, perhaps, kept email account passwords from being read.


            McAfee's advice to us, the users, includes these important points:


            • Customers should be aware that server certificates that are or were protecting data could have been leaked. Attackers with compromised server certificates can perform a man-in-the-middle attack.


            • Ensure that Internet browsers are set to check for revoked certificates


            Vulnerable:

            • Android
            • Browsers on Linux platforms could be vulnerable
            • Third-party code using Python/Ruby/Perl OpenSSL libs may be vulnerable
            • Windows programs linked against vulnerable versions of OpenSSL may be vulnerable
            • OpenVPN
            • Applications using OpenSSL 1.0.1


              Not vulnerable:

              • Internet Explorer, Firefox, Chrome: all use the Windows Crypto implementation
              • Internet Information Server
              • Applications using OpenSSL 1.0.1g or later


              More reading (there's plenty more to choose from) -

              http://blogs.mcafee.com/mcafee-labs/heartbleed-vulnerability-opens-the-door-to-ssl-heartbeat-exploits

              https://community.mcafee.com/docs/DOC-5829

              https://kc.mcafee.com/corporate/index?page=content&id=SB10071


              https://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed

              https://lastpass.com/heartbleed/

              http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


              Late edit: quote from Googleperson -

              Google spokeswoman Dorothy Chou specifically said: "Google users do not need to change their passwords."


              Note, this leaves the position unclear for GMail users. Better safe than sorry: change your GMail password(s) now.


              Heartbleed Bug: Tech firms urge password reset


              Message was edited by: Hayton on 10/04/14 20:33:11 IST
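A small triage script matching the "Vulnerable" / "Not vulnerable" version lists in the reply above (1.0.1 up to 1.0.1f affected, 1.0.1g or later fixed), added here as an illustration and not code from McAfee or the thread's author; the host labels and `openssl version` banners it consumes are constructed for the example.

```python
import re

# Heartbleed (CVE-2014-0160) affected the OpenSSL 1.0.1 branch up to 1.0.1f;
# 1.0.1g (7 Apr 2014) carries the fix. The thresholds follow the thread above;
# the parser and the sample banners are constructed for this example.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
_FIXED_LETTER = "g"


def parse_openssl_version(banner):
    """Parse the output of `openssl version`, e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013'.

    Returns (major, minor, patch, letter), with letter '' for a bare x.y.z,
    or None when the banner is not an OpenSSL version string.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_status(banner):
    """Classify a version banner against the lists in the thread.

    'vulnerable'       : 1.0.1 through 1.0.1f
    'patched'          : 1.0.1g or later on the 1.0.1 branch
    'unaffected'       : branches before 1.0.1 (no TLS heartbeat support)
    'check separately' : branches after 1.0.1, which the thread does not cover
    'unknown'          : banner not parseable
    Caveat: distributions sometimes backport the fix without bumping the
    letter, so a 'vulnerable' verdict here needs confirming against the
    vendor's advisory before acting on it.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter = parsed
    branch = (major, minor, patch)
    if branch < (1, 0, 1):
        return "unaffected"
    if branch > (1, 0, 1):
        return "check separately"
    # Python compares '' < 'a' < ... < 'f' < 'g', which is OpenSSL's letter order.
    return "vulnerable" if letter < _FIXED_LETTER else "patched"


def triage(banners):
    """Map each host label to its verdict; banners is {host: banner_string}."""
    return {host: heartbleed_status(b) for host, b in banners.items()}
```

Feed it the `openssl version` output collected from each host to get a first-pass list of what still needs patching and re-keying.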