The International Simutrans Forum

Information and Announcements => Information & Announcements => Archived Announcements => Topic started by: Isaac Eiland-Hall on April 08, 2014, 10:47:00 PM

Title: "Heartbleed" exploit
Post by: Isaac Eiland-Hall on April 08, 2014, 10:47:00 PM
I'm expecting news of this to spread far and wide.

First, here's some information:

http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

http://heartbleed.com/

http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

The server was patched a few hours ago at this point. There is no way I'm aware of at this time to detect compromise. The good news is that the majority of servers on the internet were vulnerable, meaning any particular server may well not have been compromised. The bad news is that any protected information might have been compromised and there is no way to tell.
Title: Re: "Heartbleed" exploit: means serious Internet security hole
Post by: IgorEliezer on April 08, 2014, 11:56:11 PM
I've been following this huge disaster that hit the Internet hard for hours.

Long story short: the exploit found in OpenSSL allowed getting passwords and personal details in bare plain text from millions of sites.

http://twitter.com/search?q=heartbleed
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

For those who want to test if a site is still vulnerable: http://filippo.io/Heartbleed/
Title: Re: "Heartbleed" exploit
Post by: Isaac Eiland-Hall on April 09, 2014, 01:58:31 AM
Speaking of you, many many thanks to Igor for sending me a PM about this. I was out much of the day. I'd seen a brief article about this, but hadn't noticed the severity of it yet, so he enabled my securing the server faster - as soon as I saw his PM. Thank you, kind sir.

This is my official PanamaCityPC reply:

http://news.panamacitypc.com/2014/04/notice-about-bluebonnetserver-and-the-heartbleed-bug/

This is a brief message regarding the Heartbleed bug that is all over the news today.

In brief, I became aware of the seriousness of the bug/exploit a few hours ago and took immediate action to update OpenSSL on the server to the latest bugfix release, followed by a server reboot to ensure no un-updated binaries were running.

At this time, there is no way to tell if a particular server has been compromised, or rather, if data from a particular server has been accessed. The best solution I have seen involves securing the server (which is now done) and resetting all passwords on the server, which is a huge undertaking and not practical to do for all applications running on the server.

I therefore highly recommend that if there is an application running under your account, such as a forum, WordPress or another software installation, you immediately recommend to all users that they change their account passwords.

This affects easily a half million servers on the internet; I personally tend to believe that the vast majority of those probably have not been accessed; but the seriousness of this incident prompts a "better safe than sorry" response.

If you require further information or assistance, please do not hesitate to email helpdesk@panamacitypc.com and we will assist you as soon as possible.

Sincerely,
-Isaac Eiland-Hall
PanamaCityPC.com – BlueBonnetServer.com
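The notice above updates OpenSSL and then reboots so that no process keeps running against the old library. The script below is an added example, not part of the forum post or the server's own tooling: on a Linux host it checks, without a reboot, whether any process still has a pre-upgrade libssl/libcrypto mapped (the kernel marks such mappings "(deleted)" in /proc/<pid>/maps). It assumes a Linux /proc layout and readable maps files.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# After upgrading the OpenSSL packages, processes that were started
# before the upgrade keep the old shared object mapped; /proc shows
# such mappings with a "(deleted)" suffix. Those are the "un-updated
# binaries" that a restart of the service (or a reboot) would clear.

# Reads one /proc/<pid>/maps-style listing on stdin and prints the
# unique paths of libssl/libcrypto objects that are mapped but deleted.
# Field layout of a maps line: address perms offset dev inode pathname
stale_ssl_maps() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so' | grep '(deleted)' | awk '{print $6}' | sort -u
}

# Walks every process and prints "<pid> <comm> <path>" per stale mapping.
# Unreadable maps files (other users' processes without root) are skipped.
find_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_ssl_maps < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for path in $stale; do
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
    done
}

# Constructed sample of two maps lines, used for a quick self-check:
# one stale libssl mapping and one ordinary libc mapping.
SAMPLE_MAPS='7f1a0000-7f1a1000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1b0000-7f1b1000 r-xp 00000000 08:01 1235 /lib/x86_64-linux-gnu/libc.so.6'

# Live run when executed directly (not when sourced for testing):
if [ "${0##*/}" = "stale_ssl.sh" ]; then
    find_stale_ssl_processes
fi
```

Run as root for a complete view; any line of output names a process that should be restarted (or the box rebooted, as the notice did).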
Title: Re: "Heartbleed" exploit
Post by: Ters on April 09, 2014, 05:05:50 AM
Well, whatever information they can get out is down to sheer luck and depends on the particular application. In my opinion, there have been worse vulnerabilities. The most shocking part is that what is perhaps the number one SSL implementation can let such things go unnoticed through to a release, but that's human nature I guess.

Since this forum doesn't require (I haven't checked if it even supports) HTTPS, the kind of things this exploit would give access to is out in the open anyway.
Title: Re: "Heartbleed" exploit
Post by: IgorEliezer on April 09, 2014, 07:31:24 AM
Everything is not lost...

http://imgs.xkcd.com/comics/heartbleed.png
http://xkcd.com/1353/
Title: Re: "Heartbleed" exploit
Post by: Ters on April 09, 2014, 04:02:56 PM
Quote from: IgorEliezer on April 09, 2014, 07:31:24 AM
Everything is not lost...

The mouse-over apparently is. And my memory of where that quote was from (a co-worker had to give me a copy of his memory of it).
Title: Re: "Heartbleed" exploit
Post by: dom700 on April 10, 2014, 12:56:59 PM
Well, since the password here is not important and otherwise unused, I will not change it. If someone managed to pick up my password, congratulations ;)
I was only afraid that the SSL on my own systems might be compromised, but the version I am running is too old for the bug xD