
Implications of OpenSSL HeartBleed


Heartbleed may be, if it is not already, the biggest information-disclosure vulnerability ever.
For some reason the discussion in the original thread is not very active, which surprises me a great deal.

What happened?

On January 1, 2012, Robin Seggelmann submitted, and Stephen Henson ("steve") reviewed, the commit that added the TLS Heartbeat extension (later RFC 6520) to OpenSSL. That commit is what introduced the vulnerability, which was named Heartbleed (CVE-2014-0160).
How dangerous is it?
This vulnerability lets an attacker read the memory of the vulnerable process in chunks of up to 64 KB per heartbeat request, and the request can be repeated as often as desired. Moreover, the bug is two-way: not only can data be read from a vulnerable server, but a malicious server can read part of the memory of a client that uses a vulnerable OpenSSL.

An attacker can connect to, say, a vulnerable Internet bank, pull the server's private SSL key out of its memory and then mount a man-in-the-middle attack on you; your browser will behave as if nothing were wrong, because the certificate checks out. Or the attacker can simply grab your username and password from the same memory.
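To make the mechanism concrete, here is an added simulation (not code from the original post, and not OpenSSL's own code) of the heartbeat handler: the logic of tls1_process_heartbeat() as it was in OpenSSL 1.0.1f, with the two bounds checks that 1.0.1g added switchable by a flag, run over a byte array that stands in for the process heap. The received record is written at the start of that array and a constructed secret is placed a few hundred bytes after it; the request claims 1024 payload bytes while sending 3. The record layout follows RFC 6520; the secret, the offsets and all helper names are assumptions made for the example.

```c
/* heartbleed_sim.c: added example modelling tls1_process_heartbeat() from
 * OpenSSL 1.0.1f, with the 1.0.1g bounds checks switchable, over a byte
 * array standing in for the heap. Build: cc -std=c99 -Wall heartbleed_sim.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16             /* minimum padding per RFC 6520 */
#define ARENA_SIZE       (65536 + 64)   /* exceeds any 16-bit claimed length */
#define SECRET_OFFSET    300            /* assumption: where other data sits */

/* Constructed "process memory": the received record is written at offset 0;
 * a constructed secret from some other request lies a few hundred bytes on. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "Authorization: Basic dXNlcjpodW50ZXIy";
static unsigned char out[1 + 2 + 65535 + HB_PADDING];   /* response buffer */

/* Heartbeat record: type(1) | payload_length(2) | payload | padding(16).
 * claimed_len goes into the header; real_len is what was actually sent.
 * Returns the length the record layer really received (s->s3->rrec.length). */
static size_t build_request(uint16_t claimed_len, const unsigned char *payload,
                            size_t real_len)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);           /* s2n() */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    memset(arena + 3 + real_len, 0x41, HB_PADDING);
    return 1 + 2 + real_len + HB_PADDING;
}

/* The handler. With fixed == 0 it behaves like 1.0.1 .. 1.0.1f: payload_length
 * comes from the attacker and rec_len is never consulted. With fixed == 1 the
 * two checks added in 1.0.1g run, and a malformed request is silently
 * discarded as RFC 6520 section 4 requires. Returns response length, 0 if none. */
static size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, int fixed)
{
    const unsigned char *p = rec;
    if (fixed && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return 0;                                   /* silently discard */
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* n2s(p, payload) */
    if (fixed && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                 /* claimed length exceeds the record */
    const unsigned char *pl = p + 2;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);        /* s2n(payload, bp) */
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, pl, payload);  /* unfixed: copies `payload` bytes past the record */
    memset(resp + 3 + payload, 0x42, HB_PADDING);   /* stands in for RAND_pseudo_bytes() */
    return 1 + 2 + payload + HB_PADDING;
}

/* Send a 3-byte payload while claiming `claimed` bytes. */
static size_t run_request(int fixed, uint16_t claimed, unsigned char *resp)
{
    size_t rec_len = build_request(claimed, (const unsigned char *)"hat", 3);
    return process_heartbeat(arena, rec_len, resp, fixed);
}

static int contains_secret(const unsigned char *buf, size_t len)
{
    size_t n = sizeof secret - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0)
            return 1;
    return 0;
}

/* Named results. Attack: 3 bytes sent, 1024 claimed. */
int vulnerable_leaks_secret(void)           /* expect 1 */
{
    size_t n = run_request(0, 1024, out);
    return n == (size_t)(1 + 2 + 1024 + HB_PADDING) && contains_secret(out, n);
}
size_t fixed_attack_response_len(void) { return run_request(1, 1024, out); } /* expect 0 */
size_t fixed_legit_response_len(void)  { return run_request(1, 3, out); }    /* 1+2+3+16 = 22 */

int main(void)
{
    printf("unfixed handler leaks the secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, bogus length: %zu bytes (0 = discarded)\n", fixed_attack_response_len());
    printf("fixed handler, honest length: %zu bytes\n", fixed_legit_response_len());
    return 0;
}
```

The over-read stays inside the arena here, so the simulation is well defined; in the real server the same memcpy walks off the end of the heap chunk holding the record into whatever was allocated next, which is why each request returns a different slice of memory and why repeating it harvests keys, cookies and passwords.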

What is the scale of the tragedy?

I estimate that about of the websites use OpenSSL for HTTPS connections, and about of them have been vulnerable to this day.

The vulnerability was, or still is, present at least on the following services:


Using the vulnerability, one could pull users' emails out of mail.yandex.ru together with HTTP headers (and, by substituting the cookie, log in as that user), and, for example, get unencrypted POST data with the login and password for Alfa-Click (Alfa-Bank's Internet banking).

What did I do?

I could not just sit and watch as users' personal data flowed into the hands of attackers.
First of all, I wrote to some VPN providers that offer access over the OpenVPN protocol, since it could be vulnerable. Then I began looking for the vulnerability in systems where it poses the greatest threat: banks, payment systems, mail and Jabber servers. I called and wrote to the vulnerable services. As a rule, it is extremely hard to reach a bank's security department, and they respond only by e-mail.

Times are HH:MM on the first day; entries prefixed with a date (DD.MM) are from later days.

Service | Email sent | Phone call | Vulnerability closed | Certificate reissued | Data that leaked
--- | --- | --- | --- | --- | ---
mail.yandex.ru | 12:46, 13:27 (via the bug bounty, to get a faster response) | 12:47 | 14:07 | No | Mail, cookies
Alfa-Bank | 12:51 | once or twice | 14:00 | No | User logins and passwords, transactions, personal user data, cookies. They deny the vulnerability!!
Liqpay | 13:15 | - | 15:15 | No | None (only garbage, fragments of Perl scripts)
Interkassa | 13:15 | 13:20 | 18:28 | Yes | Transactions, cookies
Raiffeisen | 13:35 | 13:30 | ~19:00 | No | N/A
Bank Otkritie | 15:36 | - | in the evening | No | N/A
Bank of Moscow | - | ~15:30 | ~17:00 (only the website was vulnerable) | - | -
Yahoo.com | - | - | 22:20 | Yes | User logins and passwords, mail, cookies
Imani Bank | - | 14:31, 20:20 | 09.04 10:55 | Yes | User logins and passwords, transactions, cookies, personal user data
Russian Standard | 13:00 | 19:36, 09.04 10:38 | 09.04 13:00 | No | Transactions, cookies, personal user data
OTP Bank | 09.04 14:20 | 09.04 14:19 | 09.04 15:03 | No | Transactions, cookies, personal user data
Russlavbank | ~16:00 | - | 09.04 ~12:00 (only the website was vulnerable) | - | -
Bank Zenit | - | 21:50, 09.04 11:15, 09.04 15:25 | 09.04 18:20 | No | User logins and passwords, cookies
Ak Bars Bank | - | - | 11.04 15:30 | No | User logins and passwords, transactions


What should I do as a user?

If you use Linux, upgrade to the latest OpenSSL available; most distributions already ship a patched package in their repositories.
If you are on OS X, you are most likely running the system OpenSSL 0.9.8, which is not vulnerable, unless you installed a newer version manually.

If you are on Windows, you most likely do not have OpenSSL at all. If you installed it manually (for example via Cygwin), make sure your version is not vulnerable.

After upgrading OpenSSL, restart every application that uses it: a running process keeps the old library loaded until it is restarted.

Keep in mind that there is a fairly high probability that other people already have your passwords. Change them, but not yet: a new password entered on a still-vulnerable site leaks just the same. Until a site has been patched, do not log in to it. You can check a site using the links below.

What should I do as a site owner / system administrator?

First of all, check immediately whether your version of OpenSSL is vulnerable. For HTTPS there are three online checkers: filippo.io/Heartbleed, possible.lv/tools/hb and www.ssllabs.com/ssltest. Update if necessary, and make sure you install either your distribution's patched package or 1.0.1g.

If you ran a vulnerable version, revoke the old SSL certificate and issue a new one with a new private key: the old key is most likely compromised. If a service of yours was vulnerable, be sure to tell users to change their passwords, and invalidate existing sessions if you use them (PHPSESSID, JSESSIONID).
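Added example (not from the post): a small classifier for the output of `openssl version -a`, for when an online checker is not an option. It encodes which releases were affected (1.0.1 through 1.0.1f, and 1.0.2-beta1; 0.9.8 and 1.0.0 were never affected; 1.0.1g and 1.0.2-beta2 carry the fix) and the caveat that distribution packages were often patched without changing the version letter, for example Debian's 1.0.1e-2+deb7u5, so a build date on or after 7 April 2014 only suggests a backport and the package changelog is the authority. The "built on:" line format, the sample outputs and the function names are assumptions made for the example.

```c
/* openssl_version_check.c: added example that classifies `openssl version -a`
 * output for CVE-2014-0160. Build: cc -std=c99 -Wall openssl_version_check.c */
#include <stdio.h>
#include <string.h>

enum verdict { NOT_AFFECTED, VULNERABLE, BACKPORT_LIKELY, UNKNOWN };

/* Affected releases: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
 * A suffix such as "-fips" may follow the letter, as in "1.0.1e-fips". */
static int version_affected(const char *v)
{
    if (strncmp(v, "1.0.1", 5) == 0) {
        char c = v[5];
        return c == '\0' || c == '-' || (c >= 'a' && c <= 'f');
    }
    return strncmp(v, "1.0.2-beta1", 11) == 0;
}

/* Parse a "built on: Mon Apr  7 20:33:29 UTC 2014" line into y/m/d (assumed
 * format). Returns 0 when absent or unusable, e.g. "reproducible build, date
 * unspecified" or the 1 Jan 1970 epoch that some builds print. */
static int build_date(const char *output, int *y, int *m, int *d)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    const char *b = strstr(output, "built on:");
    if (!b) return 0;
    char line[128];
    size_t n = strcspn(b, "\n");
    if (n >= sizeof line) n = sizeof line - 1;
    memcpy(line, b, n);
    line[n] = '\0';
    char mon[4];
    if (sscanf(line, "built on: %*s %3s %d", mon, d) != 2) return 0;
    const char *hit = strstr(months, mon);
    const char *last = strrchr(line, ' ');          /* year is the last token */
    if (!hit || !last || sscanf(last + 1, "%d", y) != 1 || *y < 1990) return 0;
    *m = (int)(hit - months) / 3 + 1;
    return 1;
}

/* Classify the full `openssl version -a` text. An affected version is reported
 * VULNERABLE unless the build date is on or after 7 April 2014 (the disclosure
 * date), which suggests a distribution backport; confirm in the changelog. */
enum verdict classify_openssl(const char *output)
{
    char ver[32];
    if (sscanf(output, "OpenSSL %31s", ver) != 1) return UNKNOWN;
    if (!version_affected(ver)) return NOT_AFFECTED;
    int y, m, d;
    if (build_date(output, &y, &m, &d) && y * 10000L + m * 100 + d >= 20140407L)
        return BACKPORT_LIKELY;
    return VULNERABLE;
}

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = {
        "not affected", "VULNERABLE",
        "affected version but build date suggests a backported fix: check the changelog",
        "unknown (could not parse)" };
    return names[v];
}

int main(void)
{
    /* Usage: openssl version -a | ./openssl_version_check */
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, stdin);
    buf[n] = '\0';
    printf("%s\n", verdict_name(classify_openssl(buf)));
    return 0;
}
```

Remember that a fixed library only helps once every process that loaded the old one has been restarted, and that this check says nothing about whether the private key was already taken; the certificate still has to be reissued.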

And I want the details!

You can read the analysis of the vulnerability here, and find more information here and here.
629 sites from the top 10,000 are vulnerable .
News on cnet.com.
Article on banki.ru

Bonus: a conversation of the blind with the deaf, Michael

Source: https://habr.com/ru/post/218661/

