The Heartbleed Bug and Wonderland Forums (and WonderWiki)

For discussion of non-Wonderland topics - please read rules!

Moderators: ~xpr'd~, tyteen4a03, Stinky, Emerald141, Qloof234, jdl

Post Reply
User avatar
tyteen4a03
Rainbow AllStar
Posts: 4380
Joined: Wed Jul 12, 2006 7:16 am
Contact:

The Heartbleed Bug and Wonderland Forums (and WonderWiki)

Post by tyteen4a03 » Sat Apr 19, 2014 11:53 pm

I'm pretty sure you've all heard about the Heartbleed bug, which causes millions of websites to be vulnerable. It works by having the server spit out their data from their RAM, which can contain sensitive information such as your personal information and passwords.

I'd just like to let you know that Wonderland Forums and WonderWiki are NOT affected by this bug.

Here's why:
1. Wonderland Forums and WonderWiki does not make use of SSL technology to secure your actions on the forums.
2. MS's server has OpenSSL 0.9.8 installed (you can verify here), and the Heartbleed bug only affects OpenSSL 1.0.1 and 1.1. WonderWiki server does use the affected versions, but since WonderWiki does not use SSL, you are not affected.

Now obviously I cannot speak for BMTMicro, MS's payment provider, but I am sure they have been working hard to mitigate the vulnerability.

If you are paranoid, do this:
1. Check if the service you use is affected by Heartbleed. If they have not patched, don't do anything on the website! Your information cold be leaked this way (although rather unlikely)
2. Change your passwords AFTER the service has patched their servers. Make sure to use a strong password to make the crackers' job harder.
3. Change your passwords every so often. Avoid using one password for all services - Password Managers like KeyPass and Dashlane should help you with achieving that.

Stay safe!
tyteen4a03
Last edited by tyteen4a03 on Sun Jul 06, 2014 4:05 pm, edited 3 times in total.
and the duck went moo

Beep bloop
User avatar
StinkerSquad01
Rainbow AllStar
Posts: 4249
Joined: Mon Aug 09, 2010 3:39 am

Post by StinkerSquad01 » Sat Apr 19, 2014 11:54 pm

MS's server has OpenSSL 0.9.8 installed (you can verify here), and the Heartbleed bug only affects OpenSSL 1.1 and 1.2.
Hooray outdated-ness! :lol:
User avatar
tyteen4a03
Rainbow AllStar
Posts: 4380
Joined: Wed Jul 12, 2006 7:16 am
Contact:

Post by tyteen4a03 » Sat Apr 19, 2014 11:56 pm

StinkerSquad01 wrote:
MS's server has OpenSSL 0.9.8 installed (you can verify here), and the Heartbleed bug only affects OpenSSL 1.1 and 1.2.
Hooray outdated-ness! :lol:
I've poked MS over and over to update his stack... he has done nothing.

OpenSSL 0.9.8 is stable and is safe to use, so nothing to worry about. PHP 5.2 on the other hand...
and the duck went moo

Beep bloop
User avatar
VirtLands
Rainbow Master
Posts: 756
Joined: Thu Dec 29, 2005 1:49 am

OpenSSL & HeartBleed

Post by VirtLands » Wed Apr 23, 2014 7:24 pm

tyteen4a03 wrote:I've poked MS over and over to update his stack... he has done nothing..

-------------------------------------------
Fascinating topic.
I don't even understand a little bit of SSL; .
The HeartBleed problem seems to be of a temporary nature, thank goodness.

The HeartBleed Bug ::
http://heartbleed.com/
http://tinyurl.com/jvpaat6

I believe that (most) hackers were completely unaware of the HeartBleed
access, and that by the time they found out about it, it was already patched up. ;)

OpenSSL -->> https://www.openssl.org/
---------------------------------------------------------------

Free CrypTool cryptography Downloads ::
http://www.cryptool.org/en/cryptool2-en
http://www.cryptool.org/en/cryptool1-en
http://www.cryptool.org/en/
..
Muzozavr
Rainbow Spirit Chaser
Posts: 5643
Joined: Wed Jan 11, 2006 2:55 pm

Post by Muzozavr » Thu Apr 24, 2014 10:56 pm

The Heartbleed bug is not as easy to use as the press made it out to be, anyway. It compromises random 64K of server memory. Sure, a persistent attacker could repeat the exploit over and over, but the point is, it's not that easy to extract secret data from it.

Sure, the immediate reaction of any sensible specialist in the field is to panic, which has already happened.
Bruce Schneier wrote:Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
On the other hand, the same person later admits the picture isn't quite as clear:
Bruce Schneier wrote:I wonder if there is going to be some backlash from the mainstream press and the public. If nothing really bad happens -- if this turns out to be something like the Y2K bug -- then we are going to face criticisms of crying wolf.
Bruce Schneier quoting Cloudflare wrote:Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.
Bruce Schneier wrote:We have one example of someone successfully retrieving an SSL private key using Heartbleed. So it's possible, but it seems to be much harder than we originally thought.
The Heartbleed bug is exploitable much more easily on Apache (judging by comments I've read) but it really depends on the circumstances. The cloudflare challenge was eventually cracked multiple times, proving the real danger to probably be somewhere between the catastrophic and the negligible.

To see a way someone cracked the cloudflarechallenge thing, read this: https://gist.github.com/epixoip/10570627

TLDR: Heartbleed, while one of the most serious and wide-reaching bugs ever, is not a vulnerability that can be randomly exploited by script kiddies. This is not "code it up and watch the server go boom". This is a vulnerability that can be exploited by a serious, persistent hacker who is probably not surfing around cracking random servers. Script kiddies who "just want to watch the world burn" get much more use of thousands of unprotected sites with stupidly simple vulnerabilities.
Rest in peace, Kym. I hardly knew ya.
Rest in peace, Marinus. A bright star, you were ahead of me on my own tracks of thought. I miss you.
User avatar
VirtLands
Rainbow Master
Posts: 756
Joined: Thu Dec 29, 2005 1:49 am

HeartBleeding

Post by VirtLands » Fri Apr 25, 2014 12:35 am


Get your HeartBleed Firefox addons ::

HeartBleed Monitor -- Notifies you when you visit a webpage vulnerable to Heartbleed.
https://addons.mozilla.org/en-US/firefo ... pandcoming

HeartBleed Notifier -- Notifies you of sites affected by the Heartbleed vulnerability via an icon.
https://addons.mozilla.org/en-US/firefo ... pandcoming

!
Post Reply