[Cialug] CentOS SSL

Josh More jmore at starmind.org
Wed Apr 9 20:53:26 CDT 2014


There's some concern in the security community that some of the new SSL
check sites that have appeared are collecting data for less than honourable
purposes.

No proof that I know of, but a lot of suspicion.

-Josh


On Wed, Apr 9, 2014 at 8:50 PM, Brett Neese <brett at brettneese.com> wrote:

> i like this website better: http://privatekeycheck.com/
>
> Brett Neese
> 563-210-3459
>
>
>
> On Thu, Apr 10, 2014 at 9:47 AM, Brian Broughton
> <brian-broughton at mchsi.com> wrote:
>
> > Found this ruby script to test your devices or servers for this issue
> >
> > https://github.com/emboss/heartbeat
> >
> > What do you all think, does this produce valid results?
> >
> > Sent from my HTC One on the Verizon Wireless 4G LTE network
> >
> > ----- Reply message -----
> > From: "Josh More" <jmore at starmind.org>
> > To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> > Subject: [Cialug] CentOS SSL
> > Date: Wed, Apr 9, 2014 8:36 PM
> >
> > Yep.
> >
> > Should be here by 3pm tomorrow:
> > https://www.sans.org/webcasts/archive/2014
> >
> > Also, there's a test PCAP here if you want to play: http://bit.ly/0FErmw
> >
> > And a test Python script here: http://bit.ly/1ksnuLe
> >
> > -Josh
> >
> >
> >
> > On Wed, Apr 9, 2014 at 8:31 PM, Brian Broughton
> > <brian-broughton at mchsi.com> wrote:
> >
> > > For those who sat in on this presentation, I was interrupted several
> > > times during the presentation; did anybody get the address where the
> > > webinar is going to be shared from?
> > >
> > > -----Original Message-----
> > > From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On
> > > Behalf
> > > Of Daniel A. Ramaley
> > > Sent: Wednesday, April 09, 2014 5:57 PM
> > > To: Josh More
> > > Cc: Central Iowa Linux Users Group
> > > Subject: Re: [Cialug] CentOS SSL
> > >
> > > That's probably enough of a starting point for what I need to argue.
> > > Thank you!
> > >
> > > On 2014-04-09 at 17:53:02 Josh More wrote:
> > > > I don't have anything public, though some might be released at
> > > > tonight's SANS webcast.  (
> > > > https://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105)
> > > >
> > > > There has been a lot of discussion on several private security lists.
> > > > Signatures are being written for the common IDS systems (Tipping Point
> > > > and SourceFire are mostly what are being discussed) and people have
> > > > been going through their saved packet captures.  Many are reporting
> > > > tons of hits starting on Monday.  A smaller number are reporting hits
> > > > stretching back through the last year or two.
> > > >
> > > > The problem is that you can't easily tell a legit heartbeat hit from a
> > > > malicious one. However, evidence strongly suggests that it's been
> > > > actively abused since Monday and likely abused prior to that.
> > > >
> > > > If you have old packet captures to analyze, this might be the evidence
> > > > you need.  If not, it's your call as to whether it's worth the hassle.
> > > > If you are responsible for protecting a lot of people's sensitive
> > > > information or a few people's critical information, I'd say it
> > > > probably is.  If not, probably not.
> > > >
> > > > -Josh
> > > >
> > > >
> > > >
> > > > On Wed, Apr 9, 2014 at 5:28 PM, Daniel A. Ramaley
> > > > <daniel.ramaley at drake.edu> wrote:
> > > > > Do you have any links that back up the "growing evidence" that the
> > > > > bug has been exploited? Yesterday we had a fun night at work
> > > > > patching everything. But I'd like to make the argument to management
> > > > > that we really ought to rotate our certificates as well.
> > > > > Since we *just* did that due to expiration, I'm going to need some
> > > > > evidence to corroborate the need for it.
> > > > >
> > > > > On 2014-04-09 at 10:05:42 Josh More wrote:
> > > > > > Yep, the update for CentOS came out really early yesterday
> > > > > > morning.
> > > > > >
> > > > > > Remember, after you update, restart Apache (and OpenVPN if you're
> > > > > > using it).  Then regen your keys and have new certs issued.
> > > > > >
> > > > > > There is growing evidence that people have been collecting data
> > > > > > using this bug, and this bug is two years old.  There's no way to
> > > > > > be sure your data was compromised, so you're best off just
> > > > > > regenerating everything you need.
> > > > > >
> > > > > > -Josh
> > > > > >
> > > > > > On Wed, Apr 9, 2014 at 9:47 AM, Daniel Sloan <dan.sloan at drake.edu>
> > > > > > wrote:
> > > > > > > Here's a nice reference: http://heartbleed.com/
> > > > > > >
> > > > > > > From the site:
> > > > > > > "What versions of the OpenSSL are affected?
> > > > > > >
> > > > > > > Status of different versions:
> > > > > > >     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> > > > > > >     OpenSSL 1.0.1g is NOT vulnerable
> > > > > > >     OpenSSL 1.0.0 branch is NOT vulnerable
> > > > > > >     OpenSSL 0.9.8 branch is NOT vulnerable
> > > > > > >
> > > > > > > Bug was introduced to OpenSSL in December 2011 and has been out
> > > > > > > in the wild since OpenSSL release 1.0.1 on 14th of March 2012.
> > > > > > > OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.....
> > > > > > >
> > > > > > >  How about operating systems?
> > > > > > >
> > > > > > > Some operating system distributions that have shipped with
> > > > > > > potentially vulnerable OpenSSL version:
> > > > > > >     Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
> > > > > > >     Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
> > > > > > >     CentOS 6.5, OpenSSL 1.0.1e-15
> > > > > > >     Fedora 18, OpenSSL 1.0.1e-4
> > > > > > >     OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL
> > > > > > >     1.0.1c 10 May 2012)
> > > > > > >
> > > > > > >     FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
> > > > > > >     NetBSD 5.0.2 (OpenSSL 1.0.1e)
> > > > > > >     OpenSUSE 12.2 (OpenSSL 1.0.1c)
> > > > > > >
> > > > > > > Operating system distribution with versions that are not
> > > > > > > vulnerable:
> > > > > > >     Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
> > > > > > >     SUSE Linux Enterprise Server
> > > > > > >     FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
> > > > > > >     FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
> > > > > > >     FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
> > > > > > >
> > > > > > > Dan Sloan
> > > > > > > Systems Administrator
> > > > > > > College of Business and Public Administration Drake University
> > > > > > > Des Moines, IA 50311 Phone # (515)-271-3705 College Webpage:
> > > > > > > http://www.cbpa.drake.edu
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: cialug-bounces at cialug.org
> > > > > > > [mailto:cialug-bounces at cialug.org]
> > > > > > > On
> > > > > > > Behalf Of L. V. Lammert
> > > > > > > Sent: Wednesday, April 09, 2014 9:19 AM
> > > > > > > To: Central Iowa Linux Users Group
> > > > > > > Subject: [Cialug] CentOS SSL
> > > > > > >
> > > > > > > Has anyone seen data on the Heartbleed status for CentOS? What
> > > > > > > versions are affected? Remediation?
> > > > > > >
> > > > > > >         Lee
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Cialug mailing list
> > > > > > > Cialug at cialug.org
> > > > > > > http://cialug.org/mailman/listinfo/cialug
> > > > >
> > > > > __
> > > > > Daniel A. Ramaley
> > > > > Network Engineer 2
> > > > >
> > > > > Dial Center 122, Drake University
> > > > > 2407 Carpenter Ave / Des Moines IA 50311 USA
> > > > > Tel: +1 515 271-4540
> > > > > Fax: +1 515 271-1938
> > > > > E-mail: daniel.ramaley at drake.edu
> > > __
> > > Daniel A. Ramaley
> > > Network Engineer 2
> > >
> > > Dial Center 122, Drake University
> > > 2407 Carpenter Ave / Des Moines IA 50311 USA
> > > Tel: +1 515 271-4540
> > > Fax: +1 515 271-1938
> > > E-mail: daniel.ramaley at drake.edu
> > >
> > >
> >
>
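Josh's point upthread that a legitimate heartbeat hit cannot easily be told from a malicious one holds for well-formed heartbeats, but the malformed ones that actually trigger the bug can be flagged in a capture: the request declares a payload_length that does not fit in the TLS record carrying it, which is exactly the bound OpenSSL 1.0.1g added. The code below is an added example, not code from the thread or from the linked scripts; it walks TLS records in a byte string (the TCP payload extracted from a PCAP) and classifies each heartbeat. The sample records are constructed inline, not captured traffic.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18          # TLS record type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2         # HeartbeatMessageType values
HB_HEADER_LEN = 3                      # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16                       # RFC 6520: padding is at least 16 bytes


def split_records(data):
    """Yield (content_type, version, fragment) for each complete TLS record in data."""
    offset = 0
    while offset + 5 <= len(data):
        content_type, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        fragment = data[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            break                      # truncated capture: stop rather than misparse
        yield content_type, version, fragment
        offset += 5 + length


def check_heartbeat(fragment):
    """Classify one heartbeat fragment: (verdict, declared payload_length, room for payload)."""
    if len(fragment) < HB_HEADER_LEN:
        return "malformed", None, 0
    hb_type, declared = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    room = max(len(fragment) - HB_HEADER_LEN - MIN_PADDING, 0)
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed", declared, room
    # The bound 1.0.1g added: 1 + 2 + payload_length + 16 must fit in the record.
    # Vulnerable 1.0.1 builds trusted payload_length and copied that many bytes back.
    if declared > room:
        return "heartbleed_attempt", declared, room
    return "well_formed", declared, room


def scan(data):
    """Return [(verdict, declared, room), ...] for every heartbeat record in a TLS byte stream."""
    return [check_heartbeat(fragment)
            for content_type, _version, fragment in split_records(data)
            if content_type == HEARTBEAT_CONTENT_TYPE]


# Constructed sample records (TLS 1.1 version bytes 0x0302), not captured traffic.
# Well-formed request: payload_length 5, payload "hello", 16 bytes of padding.
WELL_FORMED = b"\x18\x03\x02\x00\x18" + b"\x01\x00\x05" + b"hello" + b"\x00" * 16
# Malicious request: a 3-byte fragment declaring a 16 KiB payload it does not carry.
MALICIOUS = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
# Unrelated application-data record, which the scan must skip.
APP_DATA = b"\x17\x03\x02\x00\x04" + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    for verdict, declared, room in scan(WELL_FORMED + APP_DATA + MALICIOUS):
        print(f"{verdict:18s} declared={declared} room={room}")
```

The check fires on the request side only: the response a vulnerable server sends back carries the declared number of bytes, so by this measure it is well-formed, and the leak shows up as an unusually large heartbeat response on the same connection. A scanner that sends a well-formed heartbeat passes the check entirely, so no findings is not evidence of no probing. TLS records split across TCP segments must be reassembled before being passed as `data`.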
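Josh's remediation step of restarting Apache (and OpenVPN) after the update is the part most often missed: a process that mapped the old libssl before the package update keeps running the vulnerable code until it is restarted, whatever `rpm -q openssl` now reports. The code below is an added example, not from the thread; it finds such processes by looking for libssl/libcrypto mappings that the kernel marks "(deleted)" in /proc/<pid>/maps. The sample maps excerpt is constructed, the process scan assumes a Linux /proc, and reading other users' maps needs root. Note also that CentOS backports fixes without changing the upstream version string, so `openssl version` printing 1.0.1e says nothing either way; `rpm -q --changelog openssl | grep CVE-2014-0160` does.

```python
import glob
import os
import re

# A maps line ends with the mapped file; "(deleted)" means the file was replaced or
# removed on disk after the process mapped it, i.e. the process still runs the old copy.
STALE_OPENSSL = re.compile(r"(\S*/lib(?:ssl|crypto)\.so\S*)\s+\(deleted\)\s*$")


def stale_openssl_mappings(maps_text):
    """Return the sorted list of stale libssl/libcrypto paths in one process's maps content."""
    stale = set()
    for line in maps_text.splitlines():
        match = STALE_OPENSSL.search(line)
        if match:
            stale.add(match.group(1))
    return sorted(stale)


def processes_with_stale_openssl(proc_root="/proc"):
    """Map pid -> (comm, stale paths) for every readable process still using a replaced OpenSSL."""
    result = {}
    for maps_path in glob.glob(os.path.join(proc_root, "[0-9]*", "maps")):
        pid_dir = os.path.dirname(maps_path)
        try:
            with open(maps_path) as fh:
                stale = stale_openssl_mappings(fh.read())
            if not stale:
                continue
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        result[int(os.path.basename(pid_dir))] = (comm, stale)
    return result


# Constructed /proc/<pid>/maps excerpt: an httpd started before the openssl package
# update.  Only the two OpenSSL lines are stale; the stale libresolv is not our concern.
SAMPLE_MAPS = """\
00400000-00486000 r-xp 00000000 08:01 2621449  /usr/sbin/httpd
7f3c2e3e5000-7f3c2e571000 r-xp 00000000 08:01 1310800  /lib64/libc-2.12.so
7f3c2ec9b000-7f3c2ee3b000 r-xp 00000000 08:01 1310945  /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3c2f04b000-7f3c2f0ac000 r-xp 00000000 08:01 1310963  /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c2f2b0000-7f3c2f2b1000 rw-p 00000000 00:00 0
7f3c2f2b1000-7f3c2f2c7000 r-xp 00000000 08:01 1310889  /lib64/libresolv-2.12.so (deleted)
"""

if __name__ == "__main__":
    print("sample:", stale_openssl_mappings(SAMPLE_MAPS))
    for pid, (comm, stale) in sorted(processes_with_stale_openssl().items()):
        print(f"pid {pid} ({comm}) still maps: {', '.join(stale)}")
```

Anything this reports needs a restart, not just a reload; a binary with OpenSSL statically linked will not show up here and has to be tracked through its own package update. Restarting the services is also the natural point to swap in the freshly issued certificates and new keys.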

