Okay so this is just a quick little blog to inform you all.
Yesterday, April 8th, security researchers found a security flaw in OpenSSL, a popular data encryption standard. Hackers who know about the flaw can take as much information as they want from servers we assume are secure. It could happen just about anywhere: Google, Facebook, Yahoo, anywhere that was said or thought to be secure.
Computers send out things called "heartbeats" to make sure that the computer is connected to another computer with a secure connection. A heartbeat is a packet of data that asks for a response. In Heartbleed, a packet that looks very similar to a normal heartbeat is sent to trick the computer, and it makes the computer send back data stored in its memory.
It sends out your passwords, usernames, and anything you have uploaded on the server; even credit card numbers could be pulled out of the data.
Some of your accounts may already be compromised, so, if you're paranoid, change every password you have, on every website. Just in case.
If any of you go on Armor Games, you don't need to change your password. I tested it. It gave me a C, but it said it wasn't vulnerable to the Heartbleed bug.
Most websites have already fixed the issue. You can check the websites you use with an SSL test to see if they are okay to use or if they get bad ratings.
Just google "SSL test" or "Heartbleed test" and use whatever comes up first or whichever works best.
A more technical view for nerds: The "Heartbleed" bug is exploited by naughty people sending malformed TLS heartbeat packets, and when OpenSSL responds, it also accidentally leaks 64 bytes of memory (RAM) into the response. Naughty people can keep sending these malformed packets to keep getting more of the memory, 64 bytes at a time. The memory can contain information including users' passwords among other things, like the server's SSL private key, which it uses to encrypt the SSL traffic.
On a note for people making websites:
If you have a website that uses HTTPS (SSL), test it for Heartbleed. Search Google for 'Heartbleed Test'.
If you get a result saying your website is vulnerable, update OpenSSL now. You need to update to the latest version. If you have OpenSSL <=1.0.0, or you run a Windows server using Microsoft IIS, you should be fine. If not, UPDATE. If you host your website on a dedicated server or VPS, update OpenSSL using your system's package manager (e.g. yum, aptitude, pacman) or, in the case of a Windows server, from the OpenSSL website. If you're running a Mac OS X server, there should be a patch available through Apple Software Update.
If you host your website on shared hosting and the Heartbleed test shows your site is vulnerable, contact your web host about this issue now.
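The missing length check behind the malformed heartbeat described in the technical view above, next to a checked version, as an added example that is not part of the original post and is not OpenSSL's own code. The function names, the 64-byte simulated memory and the SECRET-SAMPLE string are constructed for illustration; the message layout (type, two-byte length, payload, padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* RFC 6520: at least 16 bytes of padding */

/* Build the reply: type, echoed length field, then n payload bytes. */
static size_t hb_echo(const uint8_t *rec, size_t n, uint8_t *out)
{
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + n;
}

/* Unchecked: trusts the 2-byte length field carried in the message. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;  /* the size actually received is never consulted */
    return hb_echo(rec, ((size_t)rec[1] << 8) | rec[2], out);
}

/* Checked: drop the message unless the claimed payload fits the record. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;  /* silently discard */
    return hb_echo(rec, claimed, out);
}

/* Constructed scenario: one array stands in for process memory, holding a
   23-byte record (payload "ping") followed by unrelated data.
   Returns 1 if the reply contains that unrelated data, 0 if not. */
int hb_demo_leaks(int use_check, size_t claimed_len)
{
    uint8_t mem[64] = {0}, out[64] = {0};
    const size_t rec_len = 1 + 2 + 4 + HB_PADDING;   /* bytes really received */
    if (claimed_len > 61) return -1;                 /* stay inside the demo arrays */
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed_len >> 8); mem[2] = (uint8_t)claimed_len;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + rec_len, "SECRET-SAMPLE", 13);      /* sits right after the record */
    size_t n = use_check ? hb_reply_checked(mem, rec_len, out)
                         : hb_reply_unchecked(mem, rec_len, out);
    for (size_t i = 0; i + 13 <= n; i++)
        if (memcmp(out + i, "SECRET-SAMPLE", 13) == 0) return 1;
    return 0;
}
```

An honest request (claimed length 4) gets the same 7-byte reply from both handlers; only the request whose length field exceeds what was received separates them.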
There has already been a patch to the OpenSSL branch with the 1.01g update days before this was announced to the public. This means that you really should not worry. Major companies like Google, Facebook, Yahoo, Twitter, etc. get these patches before anyone else, so rest assured that they have already fixed this issue. They are not stupid. They would not leave an issue this serious unfixed for long. Think about it.
This mainly concerns the owners and employees of smaller companies that use the OpenSSL encryption standard and do not get patches right away. But I'm sure none of you kiddies are associated with a small company, so you should be fine.