Darkside  

Jeep
fagmin
 

Heartbleed

09-04-14, 07:39 #1
http://techcrunch.com/2014/04/07/mas...-the-internet/

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.

Even if you’ve never heard of OpenSSL, it’s probably a part of your life in one way or another — or, more likely, in many ways. The apps you use, the sites you visit; if they encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, utilizes OpenSSL.

Through a bug that security researchers have dubbed “Heartbleed”, it seems that it’s possible to trick almost any system running any version of OpenSSL from the past 2 years into revealing chunks of data sitting in its system memory.

Why that’s bad: very, very sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.) This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication that they intercept like it wasn’t encrypted at all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser’s built-in security checks.

And if an attacker was just gobbling up mountains of encrypted data from a server in hopes of cracking it at some point? They may very well now have the keys to decrypt it, depending on how the server they’re attacking was configured (like whether or not it’s set up to utilize Perfect Forward Secrecy.)

The exploit relies on a bug in the implementation of OpenSSL’s “heartbeat” feature, hence the “Heartbleed” name. Security firm Codenomicon has written an in-depth breakdown of the Heartbleed bug here.

To quote their findings:

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

It seems the bug has been in OpenSSL for 2+ years (since December 2011, OpenSSL versions 1.0.1 through 1.0.1f) before its publicly announced discovery today. Even worse, it appears that exploiting this bug leaves no trace in the server’s logs. So there’s no easy way for a system administrator to know if their servers have been compromised; they just have to assume that they have been.

The bug was discovered and reported to the OpenSSL team by Neel Mehta of Google’s security team. OpenSSL released an emergency patch for the bug along with a Security Advisory this afternoon.


http://gizmodo.uol.com.br/heartbleed/

Over the last 15 years, maybe a bit more, we have learned to feel fairly safe on the internet. That site surely takes very good care of your credit card number, as well as any physical store would. But perhaps it is better not to be so sure; a bug out there affects one of the most important security measures of recent years, and gives hackers access to the keys to paradise. Meet Heartbleed.

Secret handshake
The heart of secure transactions on the internet depends on a pair of technologies called Secure Sockets Layer (SSL) and its younger sibling Transport Layer Security (TLS). For most purposes, they are the same thing. You can thank TLS/SSL for the little padlock that appears next to secure site addresses, and for the https:// that some addresses begin with. Meanwhile, behind the scenes, TLS/SSL is what drives the exchange of cryptographic keys that lets browsers and servers know whether they are who they say they are. The protocols are the guardians of the secret digital handshake that keeps information private between just you and the site you want to reach.

TLS/SSL is a very big part of what the internet we know today is, and fortunately it still works very well. What is causing the dangerous breach is a software library called OpenSSL. It is basically an open source package that people can use to get TLS/SSL encryption protection quickly and easily. The problem? It has had a hole for years. A hole called “Heartbleed”.

Looking closely
OpenSSL works very well in theory, but thanks to a small coding error and the flaw that results from it, malicious people can abuse certain popular versions of OpenSSL to grab slices of private data that should be protected by the TLS/SSL code that keeps them safe. Hackers can watch the secret handshake up close to see how it is done.

That is a problem for a few reasons. First, if hackers watch the secret handshake taking place when you log into your Yahoo email account, they can see your information. Username, password, maybe even a credit card number, depending on what you are doing.

But that is small next to the real danger. Hackers can see how the site goes about getting your data. How the site identifies itself to you in order to do so. They can then use the cryptographic key to trick people into thinking they are in front of a trustworthy place, while in the background carrying out an attack to steal data, and they can also see transactions that have already been made. And, since they hold the key in their hands and did not come in through the window, they can leave without a trace.

So how does this affect me?
Fortunately, not every version of OpenSSL is vulnerable to this flaw, and a fixed version is already available. But considering how long it took for the flaw to be discovered, it is still too early to assume we are completely safe again.

The list of sites that use the defective package is long, and, since the attack leaves no trace, it is hard to know whether you were a victim. You have to assume you were. And, if you are a user of any of these sites, you can consider your credentials stolen:

yahoo.com
imgur.com
flickr.com
redtube.com
kickass.to
okcupid.com
steamcommunity.com
hidemyass.com
wettransfer.com
usmagazine.com
500px.com
And even if these sites have already fixed the faulty OpenSSL, the matter is far from resolved. The sites also need to do the technological equivalent of changing the cryptographic locks. And even then, any data already stolen before will still be vulnerable, and will remain so forever.

Fortunately, no online commerce giant is involved in this. No Amazon, Google, Microsoft. No LastPass, no 1Password. But it is still an unprecedented breach and we will probably never know how many sites were attacked through it.

Meanwhile, there is not much to be done. Avoid the affected sites and change your passwords after they fix the flaw. You cannot wear a tinfoil hat, but sometimes the best solution is just to close your eyes when the next credit card bill arrives.


how to test whether a site is vulnerable -> http://filippo.io/Heartbleed/
chrome extension -> https://chrome.google.com/webstore/d...cafdggilajhpic







Last edited by Jeep; 09-04-14 at 07:48..
jacu
Trooper
 

09-04-14, 08:25 #2
Give us a summary, Jeep

We're lazy

Jeep
fagmin
 

09-04-14, 08:30 #3
"we're screwed"

basically openssl, which was used to do the middleman work for encryption, had a bug; someone could connect and, through this bug, grab chunks of memory from the server it was running on, and with that get all kinds of information, like logins, passwords, card numbers, etc etc.

in theory it has been fixed, but then again, nobody said it was buggy before either.

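As an added illustration of the bug that the TechCrunch article and Jeep's summary above both describe, here is a small C model of the heartbeat record handling; this is example code written for this page, not the thread's or OpenSSL's own, the record layout follows RFC 6520 and the sample request bytes are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not code from this thread or from OpenSSL: a minimal model
 * of the TLS heartbeat (RFC 6520) handling that Heartbleed abused. Record
 * layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Vulnerable OpenSSL trusted payload_length and echoed that many bytes from
 * a buffer holding only the received record, leaking adjacent memory; the
 * fix rejects any record whose claimed payload does not fit what arrived. */

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Builds a heartbeat response into out. Returns the response length, or -1
 * when the record is malformed and must be silently dropped. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check OpenSSL 1.0.1 through 1.0.1f lacked. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* only bytes received */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* fresh padding */
    return (int)resp_len;
}

/* Constructed 23-byte request: 4-byte "ping" payload plus 16 bytes of padding.
 * Returns the response length, -1 if the record is rejected (any claimed_len
 * above 4, including the maximum 65535), or -2 if the echo is wrong. */
int demo(unsigned claimed_len)
{
    uint8_t req[23] = { HB_REQUEST, 0, 0, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    req[1] = (uint8_t)(claimed_len >> 8);
    req[2] = (uint8_t)(claimed_len & 0xFF);
    int n = heartbeat_respond(req, sizeof req, out, sizeof out);
    if (n > 0 && (out[0] != HB_RESPONSE || memcmp(out + 3, req + 3, claimed_len)))
        return -2;
    return n;
}
```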
Bombastic
The Alpha Male
 

09-04-14, 09:22 #4
It's easy to fix for anyone running some kind of server with ssl

an apt-get upgrade/update solves it

loooots of my servers had this problem

the annoying part is regenerating all the ssl keys afterwards, since they may have been compromised =/


btw: anyone using heroku should change their database settings too
https://status.heroku.com/incidents/606

Mordred_X
Mandalorian
 

09-04-14, 14:00 #5
"I looked at some of the data dumps from vulnerable sites, and it was ... bad. I saw emails, passwords, password hints. SSL keys and session cookies. Important servers brimming with visitor IPs. Attack ships on fire off the shoulder of Orion, c-beams glittering in the dark near the Tannhäuser Gate. I should probably patch OpenSSL."

vegetous
Trooper
 

09-04-14, 16:40 #6
and there goes the NSA, having to find another way to spy on us!

vitorueda
Trooper
 

10-04-14, 16:48 #7
Which sites should I be worried about besides Yahoo and Heroku?

Mordred_X
Mandalorian
 

10-04-14, 16:53 #8
Quote (posted by vitorueda):
Which sites should I be worried about besides Yahoo and Heroku?
http://gizmodo.com/the-heartbleed-vu...nge-1561817244

B.2Y.S
Trooper
 

10-04-14, 20:14 #9
Good lord, look at how many sites... and the hassle of changing all those passwords hahaha

Jeep
fagmin
 

11-04-14, 09:02 #10
xkcd simplifying the bug (as usual)

 


honestly, I was expecting something spectacular, like "wow, nobody would ever have thought of that, what a mega exploit", but this one looks completely deliberate, it's that crude.

rockafeller
Chief Rocka
 

11-04-14, 09:18 #11
 

Stranger
Trooper
 

12-04-14, 10:56 #12
http://www.bloomberg.com/news/2014-0...consumers.html

Obama_segurando_cartaz_com_eu_já_sabia.jpg

Never Ping
🌀 Trooper
 

24-04-14, 14:00 #13
http://arstechnica.com/information-t...libressl-fork/

OpenSSL code beyond repair, claims creator of “LibreSSL” fork
OpenBSD developers "removed half of the OpenSSL source tree in a week."

OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations.

The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

The LibreSSL code base is on OpenBSD.org, and the project is supported financially by the OpenBSD Foundation and OpenBSD Project. LibreSSL has a bare bones website that is intentionally unappealing.

"This page scientifically designed to annoy web hipsters," the site says. "Donate now to stop the Comic Sans and Blink Tags." In explaining the decision to fork, the site links to a YouTube video of a cover of the Twisted Sister song "We're not gonna take it."

LibreSSL is initially built for OpenBSD and will support multiple operating systems after the code and funding are shored up. The OpenBSD operating system itself was created as a fork of NetBSD in 1995.

When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."

De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

The OpenBSD team started working on LibreSSL about a week ago, he told Ars.

OpenSSL Software Foundation President Steve Marquess declined comment on LibreSSL, saying, "I haven't had the chance to look at what they're doing so I don't want to comment at this time."

In a blog post last week, Marquess described OpenSSL's struggle to obtain funding and code contributions.

"I’m looking at you, Fortune 1000 companies," Marquess wrote. "The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."

As for Heartbleed, "the mystery is not that a few overworked volunteers missed this bug," Marquess wrote. "The mystery is why it hasn’t happened more often."

The Heartbleed flaw, which can expose user passwords and the private encryption keys used to protect websites, was accidentally added to the code by a volunteer contributor and went undetected for two years. There's more information and discussion about the forking of OpenSSL here.
