
    What is Heartbleed Virus? How to protect against it?


    11 replies to this topic

    #1 Jason

    Jason

      HSS Elite

    • Members
    • 1,213 posts
    • LocationBentonville, AR

    Posted 11 April 2014 - 06:44 AM

    Just received this notification this morning from Drivepop.com.  Aside from courtesy being spelled incorrectly, it's a bit vague as to just exactly what Heartbleed is, the severity, etc.

     

    A curtosy notice about the Heartbleed virus and how it affects your DrivePop account.

    A significant flaw named the “Heartbleed Bug” has been discovered and poses a large security threat to the internet as a whole. The Heartbleed bug is present in the software library OpenSSL which is used by many websites to privately send data to and from an internet server.

    The DrivePop website, Livedrive subdomain servers, and the drivepop.com & livedrive.com SSL certificate end points were not vulnerable to the Heartbleed bug when it was publicly disclosed on April 7th 2014.

    Any secure communication with our servers, such as logging into the members area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.

    The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. It is for that reason that we are encouraging our customers to reset their member area passwords at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords unique, random, and periodically rotate them. We also encourage you to change your password, on any others that you use, as many services throughout the world have been affected.


    • 0

    #2 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 14,250 posts

    Posted 11 April 2014 - 04:25 PM

    I'm not sure why drivepop.com would ask you to change your password if their servers aren't vulnerable.

     

    Basically, Heartbleed exploits a vulnerability in OpenSSL, which is the protocol that handles the HTTPS connections. Some people are claiming that as many as 2/3 of the web servers on the Internet could be affected. Using this exploit, it would be possible for 3rd parties to intercept the communication between a client and a web server and thereby find out login IDs and passwords. Here's a quote from heartbleed.com:

     

    "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."


    • 0

    If at first you don't succeed, do it like your mother told you.


    #3 Jason

    Jason

      HSS Elite

    • Members
    • 1,213 posts
    • LocationBentonville, AR

    Posted 11 April 2014 - 07:03 PM

    This is scary stuff. Have they given any indication how long this vulnerability has existed? Or what validated it?
    • 0

    #4 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 14,250 posts

    Posted 12 April 2014 - 11:52 AM

    At least 2 years. I believe the US 3-letter agencies have known about it for some time, and have been exploiting it for "national security purposes".


    • 0

    If at first you don't succeed, do it like your mother told you.


    #5 oj88

    oj88

      HSS Champion

    • Donating Member
    • 300 posts
    • LocationAsia/Manila

    Posted 12 April 2014 - 05:52 PM

    Here's a good infographic of how the bug works...


    http://xkcd.com/1354/
    • 0

    Windows Home Server 2011
    Asrock M3A785GM-LE
    AMD Athlon II X4 630 + 8GB DDR3
    Drive Bender pool: 16TB (4 x 3TB + 1 x 4TB)


    #6 Drashna (WGS)

    Drashna (WGS)

      HSS Elite

    • Members
    • 1,660 posts
    • LocationSan Diego

    Posted 13 April 2014 - 12:51 AM

    The Heartbleed bug affects OpenSSL (v1.0.1 through 1.0.1f).

    That means unless you've installed and configured something that uses it on your server, Windows Server is unaffected by it.

    This is because the built in web server (IIS) does not use OpenSSL at all. It uses a proprietary implementation of SSL/TLS/etc that isn't affected by the bug.

     

     

    As for how long this has been an issue? 1.0.1 has been out since March 2012. So.... a while. But that's only with installations that include the heartbeat module/library. (included by default, though, IIRC)

    https://www.openssl.org/news/


    • 0
    Christopher Courtney
    Microsoft MVP for Windows Home Server 2009-2012
    Lead Moderator for We Got Served
    Director of Customer Relations for CoveCube (StableBit)
     
    Windows Server 2012R2 Essentials
    Norco RPC-4220, SuperMicro X10SAT, Intel E3 1245v3 (Haswell) 32GB RAM (non-ECC), OCZ Vertex 4 128GB OS disk, StableBit DrivePool: 31TB, 3x IBM ServeRAID m1015 crossflashed to "IT" (HBA) mode.
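    As an added example (not code from the thread or from OpenSSL), here is a small check that classifies an `openssl version` banner against the affected range given above, 1.0.1 through 1.0.1f, with the heartbeat-module caveat from the same post; the function names and the sample banners are my own, and the 1.0.2-beta1 case comes from the OpenSSL advisory rather than from this thread.

```python
"""Classify an OpenSSL version banner against the Heartbleed-affected range.

Affected: 1.0.1 through 1.0.1f (and 1.0.2-beta1); 1.0.1g and later, and the
0.9.8 / 1.0.0 branches, are not affected. Builds made with
-DOPENSSL_NO_HEARTBEATS are not affected regardless of version.
Caveat: distributions sometimes backport the fix without changing the upstream
version string, so a "vulnerable" verdict means "check the package changelog or
use one of the live site testers", not proof of exposure.
"""
import re

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1", "OpenSSL 1.0.2-beta1", etc.
# Groups: major, minor, fix, patch letters, optional "-betaN" tag.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letters, beta) parsed from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letters, beta = m.groups()
    return int(major), int(minor), int(fix), letters, beta or ""


def is_heartbleed_version(banner, heartbeats_compiled_in=True):
    """True if this OpenSSL release is in the Heartbleed-affected range."""
    if not heartbeats_compiled_in:
        return False  # heartbeat extension compiled out: no vulnerable code path
    major, minor, fix, letters, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"  # only the first 1.0.2 beta shipped the bug
    if (major, minor, fix) != (1, 0, 1):
        return False  # 0.9.8, 1.0.0 and later branches never had the bug
    # Patch letters sort alphabetically: "" (1.0.1) < "a" < ... < "f" < "g".
    return letters <= "f"


def report(banners):
    """Map each banner to 'vulnerable' or 'not affected' for a quick inventory."""
    return {b: ("vulnerable" if is_heartbleed_version(b) else "not affected")
            for b in banners}
```

Feed `report()` the banners collected from `openssl version` on each host to get a first-pass inventory before running a live tester.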

    #7 schoondoggy

    schoondoggy

      HSS Master

    • Moderators
    • 2,512 posts

    Posted 13 April 2014 - 10:07 PM

    McAfee has released a site tester:

    http://tif.mcafee.com/heartbleedtest

     

    and an Android app tester:

    http://www.androidpo...-just-guessing/


    • 0

    #8 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 14,250 posts

    Posted 15 April 2014 - 01:28 PM

    Lastpass has one on their site too: https://lastpass.com/heartbleed/


    • 0

    If at first you don't succeed, do it like your mother told you.


    #9 Jason

    Jason

      HSS Elite

    • Members
    • 1,213 posts
    • LocationBentonville, AR

    Posted 07 June 2014 - 12:04 PM

    I have since signed up for LastPass. Used to use 1Password for Mac. LP is the best invention to come along in quite some time.
    • 0

    #10 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 14,250 posts

    Posted 07 June 2014 - 12:26 PM

    LastPass is great. If you buy the Premium version (which is only $1/mo) you can then add YubiKey 2nd Factor Authentication to the mix http://www.yubico.com/products/. YubiKey gives you one-time password protection to your ordinary logins.


    • 0

    If at first you don't succeed, do it like your mother told you.


    #11 Jason

    Jason

      HSS Elite

    • Members
    • 1,213 posts
    • LocationBentonville, AR

    Posted 07 June 2014 - 12:31 PM

    Yes - am a premium member. Tempted to buy another subscription for my wife so we can share logins. I'm not currently using a Yubikey. Now I'm intrigued.
    • 0

    #12 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 14,250 posts

    Posted 07 June 2014 - 12:45 PM

    I have 3 YubiKeys, all registered with LastPass. I carry 1 on my key chain so I can always log into my LastPass account.


    • 0

    If at first you don't succeed, do it like your mother told you.




