The MagicBox Forums  

Go Back   The MagicBox Forums > General Topics > PC / Games / Internets Discussion

Reply
 
Thread Tools Display Modes
Old 04-13-2014, 04:46 AM   #1
Rubeus
Registered User
 
Rubeus's Avatar
 
Join Date: Apr 2002
Posts: 6,995
Heartbleed bug affects gadgets everywhere (cellphone, routers, etc)

I also heard Android phones with OS v4.1.1 are affected - http://mashable.com/2014/04/11/devic...to-heartbleed/

... and NSA has been using this to hack into many places for the last 2 years.

Quote:
The Internet bug Heartbleed doesn't just affect websites. It also has shown up in the gadgets we use to connect to the Internet.

Tech giants Cisco (CSCO, Fortune 500) and Juniper (JNPR) have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they're impacted by the bug as well.

That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.

"That's why this is being dubbed the biggest exploit of the last 12 years. It's so big and encompassing," said Sam Bowling, a senior infrastructure engineer at the web hosting service Singlehop.

What does exposure actually mean? What could be hacked? Here is a rundown, provided by researchers at security provider SilverSky and Singlehop.

Work phone: At least four types of Cisco IP phones were affected. If the phones are not behind a protective network firewall, someone could use Heartbleed to tap into your phone's memory banks. That would yield audio snippets of your conversation, your voicemail password and call log.

Company video conference: Some versions of Cisco's WebEx service are vulnerable. Hackers could grab images on the shared screen, audio and video too.

VPN: Some versions of Juniper's virtual private network service are compromised. If anyone tapped in, they could grab whatever is on your computer's memory at the time. That includes entire sessions on email, banking, social media -- you name it.

Smartphone: To let employees access work files from their iPhones and Android devices, some companies opt for Cisco's AnyConnect Secure Mobility Client app for iOS, which was impacted by Heartbleed. An outsider could have seen whatever you accessed with that app.

Switches: One type of Cisco software that runs Internet switches is at risk. They're notoriously hard to access, but they could let an outsider intercept traffic coming over the network.

Cisco, Juniper and Apple (AAPL, Fortune 500) did not respond to questions from CNNMoney. But on its site, Juniper told customers, "We are working around the clock to provide fixed versions of code for our affected products."

But fixing the bug on those devices won't be easy. Cisco and Juniper can't just press a button and immediately replace the vulnerable software running on the machines. The onus is on each person or company using those devices. And that's where the problem lies.

"Many small and medium businesses aren't likely to ever upgrade, and they're going to have a tremendous amount of exposure for a very long time," said John Viega, an Web security expert and an executive at security provider SilverSky.

That is why changing passwords isn't necessarily enough to overcome the potential damage caused by the Heartbleed bug. Even if a website isn't vulnerable when communicating with its customers, the company's servers might still be exposed.

The problem doesn't seem to be widespread on the consumer side, though. Linksys and D-Link make many of the routers we use to connect to the Web from home, and they say none of their devices are affected. However, Netgear (NTGR) has not posted updates or returned for comment.

http://money.cnn.com/2014/04/11/tech...artbleed-gear/
Rubeus is offline   Reply With Quote
Connect With Facebook to "Like" This Thread

Old 04-13-2014, 04:52 PM   #2
Drunken Savior
Registered User
 
Drunken Savior's Avatar
 
Join Date: Sep 2002
Posts: 19,488
FYI, this is a fundamental problem with OpenSSL and not some virus or something. Until a website updates their OpenSSL certificate, they are exploitable. So do not think that simply changing your password will make you safe. The website has to first update their OpenSSL certificate and then you have to change your password.

This was accurate as of April 10:



For other sites, HERE IS A MORE COMPREHENSIVE LIST.

Additionally, both Steam and Origin were affected and have been patched. So update your passwords there as well!
__________________

Games I'm hyped for
The Last of Us Part 2, RE2 Remake, The Last Night

Current Platforms:
PC (i7-7700K, 16GB, GTX 980Ti), Wii U, PS4

Last edited by Drunken Savior; 04-13-2014 at 05:50 PM.
Drunken Savior is offline   Reply With Quote
Old 04-13-2014, 05:41 PM   #3
spider-prime
NOW IN CINEMAPHONIC QUADROVISION!
 
spider-prime's Avatar
 
Join Date: Aug 2003
Location: I hated going to weddings cause all the grandmas would poke me saying "you're next, you're next". They stopped saying that when I did it to them at Funerals.
Posts: 22,130
Once new devices with fixed versions for this exploit is out, I'm buying a new router. Mine is old anyways.

I'm glad I don't use a lot of sites with passwords other than games. So I'm good for all of those

but gasps! Someone could have checked my log and found out I go to big titty transvestites sites!
spider-prime is offline   Reply With Quote
Old 04-14-2014, 11:27 AM   #4
bujeezus
Registered User
 
bujeezus's Avatar
 
Join Date: Feb 2010
Location: deep south
Posts: 845
but everybody already knows that.
__________________
"I'll play almost anything but I won't finish almost anything there's a difference." Escaflowne2001
bujeezus is offline   Reply With Quote
Old 04-14-2014, 09:16 PM   #5
Escaflowne2001
... ... ... ...
 
Escaflowne2001's Avatar
 
Join Date: Dec 2002
Location: Thetford, Norfolk, England
Posts: 17,416
If it's been a problem for like 2 years isn't a bit late by now anyway....
Escaflowne2001 is offline   Reply With Quote
Old 05-22-2014, 05:11 AM   #6
Joe Redifer
Olé!
 
Joe Redifer's Avatar
 
Join Date: Dec 2002
Location: Denver, Colorado
Posts: 20,029
What does updating a certificate mean? Is that like a license? So it expires and all of a sudden it just opens up until you renew? That's a big sign saying "NEVER USE SSL" if I ever saw one. It should be safe no matter the status of the certificate. Is the certificate on paper? I bet it is. It probably even has a gold stamp on it. You then scan it into the computer as a lossy JPG and then everything is patched.
Joe Redifer is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -4. The time now is 09:44 AM.


Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.