SoylentNews is people

posted by martyb on Friday May 09 2014, @02:50PM
from the the-gift-that-keeps-on-giving dept.

Ars Technica reports that four weeks after its disclosure, huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.

What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?

Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?

The Heartbleed bug "is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet." The bug affects not only computer servers, but also routers and even some Android phones. Even software such as LibreOffice, WinSCP, and FileMaker has versions with the bug that need to be updated. The history, behavior, and impact of this bug are well explained and summarized on Wikipedia. Therein is this recommendation:

Although patching software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:[68]

  • all possibly compromised private key-public key pairs must be regenerated,
  • all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
  • all passwords on the possibly compromised servers need to be changed.
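The restart requirement in the recommendation above can be checked on a Linux host. The following is an added example, not code from the story or from Wikipedia: it reads `/proc/<pid>/maps` and reports processes that still have `libssl` or `libcrypto` mapped from a file the kernel marks as `(deleted)`. It assumes the package upgrade replaced the library by unlinking the old file, and it cannot see statically linked binaries, which must be rebuilt or replaced separately; the function names and the sample data are constructed for illustration.

```python
import os
import re

# Matches the path column of a /proc/<pid>/maps line for OpenSSL's shared
# libraries when the kernel has tagged the backing file as unlinked.
STALE_LIB = re.compile(r"(\S*/lib(?:ssl|crypto)[^/\s]*\.so[^\s]*) \(deleted\)$")

def stale_openssl_mappings(maps_text):
    """Return sorted unique OpenSSL library paths mapped from a deleted file."""
    found = set()
    for line in maps_text.splitlines():
        m = STALE_LIB.search(line.rstrip())
        if m:
            found.add(m.group(1))
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale library paths for every readable process (Linux)."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "sys"
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_openssl_mappings(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if stale:
            results[int(entry)] = stale
    return results

# Constructed sample of one process's maps file after a library upgrade
# without a service restart (addresses, inodes and paths are made up).
SAMPLE_MAPS = """\
00400000-004f2000 r-xp 00000000 08:01 393301 /usr/sbin/exampled
7f3a10000000-7f3a1005c000 r-xp 00000000 08:01 131234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1005c000-7f3a10060000 rw-p 0005c000 08:01 131234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a10200000-7f3a103d5000 r-xp 00000000 08:01 131240 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a10600000-7f3a107bb000 r-xp 00000000 08:01 131100 /lib/x86_64-linux-gnu/libc-2.19.so
"""

if __name__ == "__main__":
    # Run as root to see every process; each pid listed needs a restart.
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

An empty result only shows that no running process holds the old shared library; keys, certificates and passwords exposed while the vulnerable code was loaded still have to be replaced as listed above.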

SN's coverage of this vulnerability includes:

 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Friday May 09 2014, @04:14PM (#41293)

    The problem is what I call "zombie servers" which you'd be amazed how many of 'em are all over the net. For those that have never run into one, a zombie server is one which hasn't had an admin for at least 6 months; these machines never get patched, never get messed with, yet are out there waiting to be pwned (and most already are).

    I first learned of the zombie servers back when I was doing hired gun for larger businesses. I'd take an inventory to see what I had to work with and it would never fail that I'd find some old box running that had just been forgotten. Some had been an old email or file server that had been lost when they moved to a new service, sometimes it was a backend VPN or DB box that had been left behind when a project was canceled; in just about all the cases the ones who had set up the system were long gone.

    But you are gonna be seeing fallout from Heartbleed for years because of the zombies. I've seen NT 3.5, ancient versions of RH and Debian; I bet if somebody did a survey of what exactly is out there the amount of old zombie servers still responding to requests would be staggering. It's just what happens when a corp gets huge, things fall through the cracks.

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 3, Informative) by frojack (1554) on Friday May 09 2014, @05:01PM (#41316)

    Zombies are often NOT totally forgotten, just incredibly reliable.

    Netware was famous for this. I've found Netware servers running in my customers' sites that they were using every day for either data storage or print-server and had just assumed the work was actually being done on the brand new server the last contractor installed. He had only migrated mail and half the printers, and left file storage on the old box.

    When I took my company's last Netware server down (because disk space was nearly exhausted) and replaced it with Linux many years ago, it had an uptime of 4 and a half years. I hated to shut it down.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Informative) by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Friday May 09 2014, @05:19PM (#41322)

      That isn't what I'm talking about, frojack, totally different. What you are talking about is a classic "if it ain't broke" which if you want to go by that I know plenty of places with old WinNT and Win2K boxes (not on the net of course) that have been running some backend service for God knows how long without fail...if it ain't broke? DO NOT FIX IT.

      No, frojack, what I'm talking about is servers where the task they had to do has long since been moved to something else, it's just that somewhere along the line somebody forgot to pull the plug on the old system so it just sits there waiting to be pwned. For a good example look at the backend of some of the parked domains, you'll see that many of them are on some ancient box that hasn't been used or patched in forever, it just sits there with the default "your site goes here" from like Apache 1. These systems were once upon a time useful but like that old WinNT email box I found they had moved to web hosted email years ago but someone must have said "we better leave this for a month, just in case something goes wrong with the new system" and then forgot about it. You look at the logs of a zombie and it's NOT being used for this or that old application, it's just gathering dust.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.