• Steel Soldiers now has a few new forums, read more about it at: New Munitions Forums!

  • Microsoft MSN, Live, Hotmail, Outlook email users may not be receiving emails. We are working to resolve this issue. Please add support@steelsoldiers.com to your trusted contacts.

Heartbleed - Please read

patracy

Administrator
Staff member
Administrator
14,635
4,793
113
Location
Buchanan, GA

Triple C

New member
546
3
0
Location
NAPOLEON MO
Thanks patracy, I read an article on this but couldn't tell by it if I needed to change passwords and if so which ones. This was very helpful and I appreciate you looking out for us! Thanks for all you do.
 

swbradley1

Modertator
Staff member
Super Moderator
Steel Soldiers Supporter
14,251
1,702
113
Location
Dayton, OH
For anyone interested I took a break from fly swatting and wanted to find the code snippet for myself.


Like reverse engineering a MS patch only with source code. It's in the t1_lib.c code.

OpenSSL-1.0.1-OpenSSL-1.0.1f
Bad Version
< /* Read type and payload length first */
< hbtype = *p++;
< n2s(p, payload);
< pl = p;
<
Didn't check for length in the bad version and if you asked for a heartbeat word like testing and told it that testing was 500 characters long the vulnerable server would give you 500 characters out of memory. You know, like personal information, SSNs, DL number, credit card or username and passwords. It was random. Hit the server over and over and you never know what kind of information the server would puke out. Cool.


OpenSSL-1.0.1g
Good Version
>
> /* Read type and payload length first */
xx if (1 + 2 + 16 > s->s3->rrec.length)
xx return 0; /* silently discard */
> hbtype = *p++;
> n2s(p, payload);
xx if (1 + 2 + payload + 16 > s->s3->rrec.length)
xx return 0; /* silently discard per RFC 6520 sec. 4 */
> pl = p;

(Note - The Xs indicate the checking added to fix it.)

Probably more than anyone but a c-coder would want to know but hey, it's my job. :)


Needless to say I've been a busy person since Monday.
 
Last edited:

Robo McDuff

In memorial Ron - 73M819
Steel Soldiers Supporter
2,887
1,499
113
Location
Czech Republic
I saw this a few days ago and checked my bank sites etc.

Beware, this bug is a flaw in SECURE websites (banks, internet payments etc) laying it open for hackers and the NSA, so the one site you thought was safe is wide open. In clear text: if in your URL you see the HTTPS and the green color and the lock, its a secure site. If you only see the simple HTTP without lock or color, its unaffected.

Our SS site and normal blog sites are unsecured sites so are NOT affected by this bug; they are wide open anyway unless protected by a very dedicated webmaster!

Check it yourself with this site, fill in the SECURE url of your internet banking or amazon or whatever and see if it is ok or not. As to changing your password, only change passwords for secure sites that are ok. Changing your password for a site that is still wide open does not help much and can give a dedicated hacker info on how you construe passwords (like combination of birth dates or whatever) unless you are good at making random passwords without connection to your daily life.

Update-edit: not all secure sites use the green color but the lock is or should be there
Patracy, please correct me if I talk BS somewhere
 
Last edited:

Robo McDuff

In memorial Ron - 73M819
Steel Soldiers Supporter
2,887
1,499
113
Location
Czech Republic
Start check your Android software, version 4.1 is vulnerable. And the NSA did know about it according some but not according their official press release.

Funny now that everybody is hyping about smart phones, mobile internet, cloud computing, cloud storing etc etc, more and more it becomes clear that these systems and technologies are much more vulnerable than the old fashioned simple phone with desktop. Once in a million year flaws (major downtime for google or twitter, major secure site bug) are happening with a frightening regularity.
 

zout

In Memorial
In Memorial
7,744
154
63
Location
Columbus Georgia
Thanks PT - have no clue what everyone else posted as far as those computer terms but it doesn't look good so I went to the site you posted up and recognize some of those sites.
Seeing as we all communicate through these computers would it be a bad idea just to have a separate thread/forum link for computer security to help an idiot like me ??

Again thanks for the heads up on stuff like this as you folks are on the cutting edge of it every day - folks like me without hearing about it are on the receiving end of it.
 
Top
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features of our website like our supporting vendors. Their ads help keep Steel Soldiers going. Please consider disabling your ad blockers for the site. Thanks!

I've Disabled AdBlock
No Thanks