Upcoming Events

International | Sci-Tech

no events match your query!

New Events

International

no events posted in last week

Blog Feeds

Anti-Empire

Anti-Empire

offsite link North Korea Increases Aid to Russia, Mos... Tue Nov 19, 2024 12:29 | Marko Marjanovi?

offsite link Trump Assembles a War Cabinet Sat Nov 16, 2024 10:29 | Marko Marjanovi?

offsite link Slavgrinder Ramps Up Into Overdrive Tue Nov 12, 2024 10:29 | Marko Marjanovi?

offsite link ?Existential? Culling to Continue on Com... Mon Nov 11, 2024 10:28 | Marko Marjanovi?

offsite link US to Deploy Military Contractors to Ukr... Sun Nov 10, 2024 02:37 | Field Empty

Anti-Empire >>

The Saker
A bird's eye view of the vineyard

offsite link Alternative Copy of thesaker.is site is available Thu May 25, 2023 14:38 | Ice-Saker-V6bKu3nz
Alternative site: https://thesaker.si/saker-a... Site was created using the downloads provided Regards Herb

offsite link The Saker blog is now frozen Tue Feb 28, 2023 23:55 | The Saker
Dear friends As I have previously announced, we are now “freezing” the blog.? We are also making archives of the blog available for free download in various formats (see below).?

offsite link What do you make of the Russia and China Partnership? Tue Feb 28, 2023 16:26 | The Saker
by Mr. Allen for the Saker blog Over the last few years, we hear leaders from both Russia and China pronouncing that they have formed a relationship where there are

offsite link Moveable Feast Cafe 2023/02/27 ? Open Thread Mon Feb 27, 2023 19:00 | cafe-uploader
2023/02/27 19:00:02Welcome to the ‘Moveable Feast Cafe’. The ‘Moveable Feast’ is an open thread where readers can post wide ranging observations, articles, rants, off topic and have animate discussions of

offsite link The stage is set for Hybrid World War III Mon Feb 27, 2023 15:50 | The Saker
Pepe Escobar for the Saker blog A powerful feeling rhythms your skin and drums up your soul as you?re immersed in a long walk under persistent snow flurries, pinpointed by

The Saker >>

Lockdown Skeptics

The Daily Sceptic

offsite link British Drivers Steering Away From New Cars In Their Droves Mon Dec 23, 2024 13:00 | Sallust
British car-buyers are turning away from new vehicles in their droves and keeping their reliable old petrol models going for far longer as Labour's Net Zero war on affordable motors heats up.
The post British Drivers Steering Away From New Cars In Their Droves appeared first on The Daily Sceptic.

offsite link Britain on Brink of Recession After Growth Revised to Zero Following Reeves?s Horror Budget Mon Dec 23, 2024 11:09 | Will Jones
Britain is on the brink of a recession after official figures were revised to show zero growth in the third quarter of the year and living standards fell, with Rachel Reeves's horror Budget blamed.
The post Britain on Brink of Recession After Growth Revised to Zero Following Reeves’s Horror Budget appeared first on The Daily Sceptic.

offsite link What Fresh Hell is This? The Climate and Nature Bill Mon Dec 23, 2024 09:00 | Paul Homewood
If you thought eco zealot Ed Miliband was bad, wait until you get a load of the Climate Change and Nature Bill, which seeks to turbocharge the Net Zero agenda and already has the support of 192 MPs. Paul Homewood has the skinny.
The post What Fresh Hell is This? The Climate and Nature Bill appeared first on The Daily Sceptic.

offsite link The Daily Sceptic Christmas Appeal Mon Dec 23, 2024 07:00 | Toby Young
The Daily Sceptic's Christmas Appeal launches today ? an opportunity for readers to show their appreciation of the work we do. Remember, donating just ?5/month or ?50/year will give you access to a range of premium perks.
The post The Daily Sceptic Christmas Appeal appeared first on The Daily Sceptic.

offsite link News Round-Up Mon Dec 23, 2024 01:12 | Richard Eldred
A summary of the most interesting stories in the past 24 hours that challenge the prevailing orthodoxy about the ?climate emergency?, public health ?crises? and the supposed moral defects of Western civilisation.
The post News Round-Up appeared first on The Daily Sceptic.

Lockdown Skeptics >>

Voltaire Network
Voltaire, international edition

offsite link Voltaire, International Newsletter N?113 Fri Dec 20, 2024 10:42 | en

offsite link Pentagon could create a second Kurdish state Fri Dec 20, 2024 10:31 | en

offsite link How Washington and Ankara Changed the Regime in Damascus , by Thierry Meyssan Tue Dec 17, 2024 06:58 | en

offsite link Statement by President Bashar al-Assad on the Circumstances Leading to his Depar... Mon Dec 16, 2024 13:26 | en

offsite link Voltaire, International Newsletter N?112 Fri Dec 13, 2024 15:34 | en

Voltaire Network >>

The latest HEARTBLEED OpenSSL bug

category international | sci-tech | news report author Friday April 11, 2014 09:43author by wageslave Report this post to the editors

The false sense of security of the internet has been completely overturned by the latest security bug to be discovered. A bug in the popular OpenSSL library used by many of the most important and frequently used server sites on the net allows arbitrary chunks of memory to be read remotely from user machines and servers, possibly containing very sensitive data, user tokens, bank details, emails and passwords. What does all this mean and how did it happen and what can we do to protect ourselves?
heartbleed.png

The latest security hole to rock the internet in the wake of the Snowden revelations is pretty huge. A bug in the OpenSSL library means that client computers can read arbitrary chunks of memory from servers all over the internet. Apparently this has been the case for the last two years.

For those who don't understand what this means, an SSL library is being used whenever you see that padlock icon appear in the address area of your browser. This usually happens when you are connecting to a website which requires some privacy such as your banking site or your webmail or other such servers.

To put this in perspective, about 66% of internet servers use a particular OpenSSL library to manage these sensitive connections with their clients.

So what is the problem?
ok the problem is this. When your computer connects to a server using this OpenSSL library, your computer and the server have a protocol called a "heartbeat" whereby they exchange a bit of data back and forth at regular intervals to maintain the connection. If this heartbeat stops, the connection is closed. Makes sense. However an error was introduced in the code used in this process (Rather suspiciously it was on new years eve, December 31 2011, when few people were looking. ).

The error was as follows:
in order to maintain the heartbeat, crucially, the client sends a few pieces of data to the server
heartbeat_type, pl, payload

where heartbeat_type defines the information structure to be used,
pl is the length of "payload" in bytes
and "payload" is some arbitrary piece of data.

once the server gets this data, it temporarily stores the "payload" data in its memory somewhere.
It then uses the software function memcopy(bp,pl,payload) to copy this data into a suitably formatted data packet to transmit back to the client.

The client then receives the packet, and it knows the server is alive, the two computers communicate for a bit, or not as the case may be, then the heartbeat process is repeated again after a suitable interval. And so on until the client disconnects from the server

ok that all sounds fine. Or it would be assuming the client was not malicious. Because it turns out the client can "lie" to the server when setting up this heartbeat data. The client can pretend the payload is much larger than it actually is because as you may have noticed, the client sends both the length of the payload and the payload itself to the server. And crucially, the server does NOT check the length is actually correct. This is the crux of the problem. A "buffer underrun"

So if a malicious client connects to the server and sends a false length of "64K" (the largest size it will accept) but only sends one "byte" in the payload, then the server dutifully sends back 64k of data.

Now out of the 64k sent back by the server, only 1k is actually our original payload. So what exactly is in the rest of this data packet returned from our server? This is a very good question!. The answer is whatever was in the memory of the server adjacent to where it temporarily stored our payload. This could be absolutely anything. Security certificates, Passwords, IP addresses, emails, user security tokens, anything.
And if you stay connected to the server, you can do this all night until something juicy comes back in the response from the server.
No doubt you can see the problem now.

A malicious server can also do the same thing to any client that connects to it.

Was it intentional?
At the moment it is not clear whether it was malicious. However if you have been keeping up with the Edward Snowden revelations, you will know that the NSA are up to all sorts of tricks to get your information, and this one is basically an open door for them to read the memory of 66% of internet servers. This includes many of the top services we all use on a regular basis. They could also compromise anyone they can trick into connecting to one of their servers too. A tactic the Snowden leaks show that they do use. It's all certainly very suspicious, and the timing of this code change is particularly suspicious in my book. it looks like it may have been used to monitor IRC traffic which is where the likes of anonymous would be hanging out.
https://www.eff.org/deeplinks/2014/04/wild-heart-were-i...-2013

What should I do to protect myself?
It is suggested that you update your OS if you are using any of the flavours of linux which are using the compromised library version.
(OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable )
this ships with the following versions of linux:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Update to OpenSSL version 1.0.1g as soon as you can through the usual system updating procedures for linux

Apple say their OSX is safe but if you are using OSX mavericks, they recommend updating to 10.9.2 just to be safe. Some free programs may use the library so they will need updating

Windows is not affected according to microsoft, although some free programs may use the OpenSSL library and they will need updating.

Alas, that is not the end of it. The bug has been in the wild for two years. There is always the possibility that your passwords etc may have been compromised on many of the internet servers you use. It is recommended you change all your passwords on the internet services you use.

It is highly recommended you wait until these servers have updated their security certificates and replaced any compromised SSL code on their servers and given the all clear before you log on and change your passwords

You should check out this site for some helpful information on some of the main sites, but it is by no means a full list:
http://mashable.com/2014/04/09/heartbleed-bug-websites-...cted/

The official site for information is here:
http://heartbleed.com/

For those of you who are a bit more technically minded, there is a good analysis here:
http://blog.existentialize.com/diagnosis-of-the-openssl....html

A simpler explanation here:
http://gizmodo.com/how-heartbleed-works-the-code-behind...41209

© 2001-2024 Independent Media Centre Ireland. Unless otherwise stated by the author, all content is free for non-commercial reuse, reprint, and rebroadcast, on the net and elsewhere. Opinions are those of the contributors and are not necessarily endorsed by Independent Media Centre Ireland. Disclaimer | Privacy