[Cialug] CentOS SSL

Crouse crouse at usalug.net
Wed Apr 9 23:50:48 CDT 2014


https://www.ssllabs.com/ssltest/index.html  It's been hammered pretty hard,
but it gives back good info.


On Wed, Apr 9, 2014 at 8:53 PM, Josh More <jmore at starmind.org> wrote:

> There's some concern in the security community that some of the new SSL
> check sites that have appeared are collecting data for less than honourable
> purposes.
>
> No proof that I know of, but a lot of suspicion.
>
> -Josh
>
>
> On Wed, Apr 9, 2014 at 8:50 PM, Brett Neese <brett at brettneese.com> wrote:
>
> > i like this website better: http://privatekeycheck.com/
> >
> > Brett Neese
> > 563-210-3459
> >
> >
> >
> > On Thu, Apr 10, 2014 at 9:47 AM, Brian Broughton
> > <brian-broughton at mchsi.com> wrote:
> >
> > > Found this Ruby script to test your devices or servers for this issue:
> > >
> > > https://github.com/emboss/heartbeat
> > >
> > > What do you all think, does this produce valid results?
> > >
> > > Sent from my HTC One on the Verizon Wireless 4G LTE network
> > >
> > > ----- Reply message -----
> > > From: "Josh More" <jmore at starmind.org>
> > > To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> > > Subject: [Cialug] CentOS SSL
> > > Date: Wed, Apr 9, 2014 8:36 PM
> > >
> > > Yep.
> > >
> > > Should be here by 3pm tomorrow:
> > > https://www.sans.org/webcasts/archive/2014
> > >
> > > Also, there's a test PCAP here if you want to play: http://bit.ly/0FErmw
> > >
> > > And a test Python script here: http://bit.ly/1ksnuLe
> > >
> > > -Josh
> > >
> > >
> > >
> > > On Wed, Apr 9, 2014 at 8:31 PM, Brian Broughton
> > > <brian-broughton at mchsi.com> wrote:
> > >
> > > > For those who sat in on this presentation, I was interrupted several times
> > > > during the presentation; did anybody get the address where the webinar is
> > > > going to be shared from?
> > > >
> > > > -----Original Message-----
> > > > From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On
> > > > Behalf Of Daniel A. Ramaley
> > > > Sent: Wednesday, April 09, 2014 5:57 PM
> > > > To: Josh More
> > > > Cc: Central Iowa Linux Users Group
> > > > Subject: Re: [Cialug] CentOS SSL
> > > >
> > > > That's probably enough of a starting point for what I need to argue.
> > > > Thank you!
> > > >
> > > > On 2014-04-09 at 17:53:02 Josh More wrote:
> > > > > I don't have anything public, though some might be released at
> > > > > tonight's SANS webcast.
> > > > > (https://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105)
> > > > >
> > > > > There has been a lot of discussion on several private security lists.
> > > > > Signatures are being written for the common IDS systems (Tipping Point
> > > > > and SourceFire are mostly what are being discussed) and people have
> > > > > been going through their saved packet captures.  Many are reporting
> > > > > tons of hits starting on Monday.  A smaller number are reporting hits
> > > > > stretching back through the last year or two.
> > > > >
> > > > > The problem is that you can't easily tell a legit heartbeat hit from a
> > > > > malicious one. However, evidence strongly suggests that it's been
> > > > > actively abused since Monday and likely abused prior to that.
> > > > >
> > > > > If you have old packet captures to analyze, this might be the evidence
> > > > > you need.  If not, it's your call as to whether it's worth the hassle.
> > > > > If you are responsible for protecting a lot of people's sensitive
> > > > > information or a few people's critical information, I'd say it
> > > > > probably is.  If not, probably not.
> > > > >
> > > > > -Josh
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Apr 9, 2014 at 5:28 PM, Daniel A. Ramaley
> > > > > <daniel.ramaley at drake.edu> wrote:
> > > > > > Do you have any links that back up the "growing evidence" that the
> > > > > > bug has been exploited? Yesterday we had a fun night at work
> > > > > > patching everything. But I'd like to make the argument to management
> > > > > > that we really ought to rotate our certificates as well.
> > > > > > Since we *just* did that due to expiration, I'm going to need some
> > > > > > evidence to corroborate the need for it.
> > > > > >
> > > > > > On 2014-04-09 at 10:05:42 Josh More wrote:
> > > > > > > Yep, the update for CentOS came out really early yesterday morning.
> > > > > > >
> > > > > > > Remember, after you update, restart Apache (and OpenVPN if you're
> > > > > > > using it).  Then regen your keys and have new certs issued.
> > > > > > >
> > > > > > > There is growing evidence that people have been collecting data
> > > > > > > using this bug, and this bug is two years old.  There's no way to
> > > > > > > be sure your data was compromised, so you're best off just
> > > > > > > regenerating everything you need.
> > > > > > >
> > > > > > > -Josh
> > > > > > >
> > > > > > > On Wed, Apr 9, 2014 at 9:47 AM, Daniel Sloan <dan.sloan at drake.edu>
> > > > > > > wrote:
> > > > > > > > Here's a nice reference: http://heartbleed.com/
> > > > > > > >
> > > > > > > > From the site:
> > > > > > > > "What versions of the OpenSSL are affected?
> > > > > > > >
> > > > > > > > Status of different versions:
> > > > > > > >     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> > > > > > > >     OpenSSL 1.0.1g is NOT vulnerable
> > > > > > > >     OpenSSL 1.0.0 branch is NOT vulnerable
> > > > > > > >     OpenSSL 0.9.8 branch is NOT vulnerable
> > > > > > > >
> > > > > > > > Bug was introduced to OpenSSL in December 2011 and has been out
> > > > > > > > in the wild since OpenSSL release 1.0.1 on 14th of March 2012.
> > > > > > > > OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.....
> > > > > > > >
> > > > > > > > How about operating systems?
> > > > > > > >
> > > > > > > > Some operating system distributions that have shipped with
> > > > > > > > potentially vulnerable OpenSSL version:
> > > > > > > >     Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
> > > > > > > >     Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
> > > > > > > >     CentOS 6.5, OpenSSL 1.0.1e-15
> > > > > > > >     Fedora 18, OpenSSL 1.0.1e-4
> > > > > > > >     OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
> > > > > > > >     FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
> > > > > > > >     NetBSD 5.0.2 (OpenSSL 1.0.1e)
> > > > > > > >     OpenSUSE 12.2 (OpenSSL 1.0.1c)
> > > > > > > >
> > > > > > > > Operating system distribution with versions that are not vulnerable:
> > > > > > > >     Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
> > > > > > > >     SUSE Linux Enterprise Server
> > > > > > > >     FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
> > > > > > > >     FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
> > > > > > > >     FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"
> > > > > > > >
> > > > > > > > Dan Sloan
> > > > > > > > Systems Administrator
> > > > > > > > College of Business and Public Administration, Drake University
> > > > > > > > Des Moines, IA 50311 Phone # (515)-271-3705 College Webpage:
> > > > > > > > http://www.cbpa.drake.edu
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org]
> > > > > > > > On Behalf Of L. V. Lammert
> > > > > > > > Sent: Wednesday, April 09, 2014 9:19 AM
> > > > > > > > To: Central Iowa Linux Users Group
> > > > > > > > Subject: [Cialug] CentOS SSL
> > > > > > > >
> > > > > > > > Has anyone seen data on the Heartbleed status for CentOS? What
> > > > > > > > versions are affected? Remediation?
> > > > > > > >
> > > > > > > >         Lee
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Cialug mailing list
> > > > > > > > Cialug at cialug.org
> > > > > > > > http://cialug.org/mailman/listinfo/cialug
> > > > > > >
> > > > > >
> > > > > > __
> > > > > > Daniel A. Ramaley
> > > > > > Network Engineer 2
> > > > > >
> > > > > > Dial Center 122, Drake University
> > > > > > 2407 Carpenter Ave / Des Moines IA 50311 USA
> > > > > > Tel: +1 515 271-4540
> > > > > > Fax: +1 515 271-1938
> > > > > > E-mail: daniel.ramaley at drake.edu
> > > > __
> > > > Daniel A. Ramaley
> > > > Network Engineer 2
> > > >
> > > > Dial Center 122, Drake University
> > > > 2407 Carpenter Ave / Des Moines IA 50311 USA
> > > > Tel: +1 515 271-4540
> > > > Fax: +1 515 271-1938
> > > > E-mail: daniel.ramaley at drake.edu
> > > >
> > > >
> > >
> >
>
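The thread quotes heartbleed.com's affected-version list (upstream OpenSSL 1.0.1 through 1.0.1f vulnerable; 1.0.1g and the 1.0.0 and 0.9.8 branches not) alongside distribution package strings such as "CentOS 6.5, OpenSSL 1.0.1e-15", and Josh notes that the CentOS update shipped on the 8th. Those two facts collide in practice: a distribution that backports the fix keeps the upstream "1.0.1e" string and only bumps its own release number, so the upstream version alone cannot prove a packaged build is still exposed. The following triage helper, an added example that is not code from this thread or from any of its posters, encodes the quoted range, accepts either `openssl version` output or a bare package string (going a little beyond the thread's examples), and reports "check the distro changelog" rather than a verdict whenever a distro release suffix is present. The sample inputs at the bottom are constructed from the version strings quoted above.

```python
"""Heartbleed exposure triage from OpenSSL version strings.

Added example; not code from the thread or from any of its posters.
Encodes the heartbleed.com status quoted in the thread: upstream OpenSSL
1.0.1 through 1.0.1f are vulnerable, 1.0.1g and the 1.0.0 / 0.9.8
branches are not.  Distribution packages (e.g. the "1.0.1e-15" CentOS
string quoted in the thread) keep the upstream string when a fix is
backported, so for those the version alone cannot settle exposure and
assess() says the package changelog must be checked instead.
"""
import re
from typing import Optional, Tuple

VULNERABLE = "vulnerable"
NOT_VULNERABLE = "not vulnerable"
CHECK_BACKPORT = "upstream string in affected range; check distro changelog for a backported fix"
UNKNOWN = "unrecognised version string"

# Upstream OpenSSL versions of this era: three numbers and an optional
# single-letter patch suffix, e.g. "1.0.1e", "0.9.8y", "1.0.1".
_UPSTREAM_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def normalise(text: str) -> str:
    """Accept `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013") or a
    bare package string ("1.0.1e-15") and return just the version token."""
    tokens = text.strip().split()
    if not tokens:
        return ""
    if tokens[0].lower() == "openssl" and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def split_package_version(token: str) -> Tuple[str, Optional[str]]:
    """Split "1.0.1e-15" into ("1.0.1e", "15"); a plain upstream string
    such as "1.0.1g" has no distro release and yields ("1.0.1g", None)."""
    upstream, sep, release = token.partition("-")
    return upstream, (release if sep else None)


def parse_upstream(upstream: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse "1.0.1e" into (1, 0, 1, "e"); None if the string does not parse."""
    m = _UPSTREAM_RE.match(upstream)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def upstream_in_affected_range(upstream: str) -> Optional[bool]:
    """True for 1.0.1 .. 1.0.1f, False otherwise, None if unparseable."""
    parsed = parse_upstream(upstream)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False  # the 1.0.0 and 0.9.8 branches are listed as not vulnerable
    # An empty suffix (plain "1.0.1") sorts before "a"; "g" is the first fixed release.
    return letter < "g"


def assess(text: str) -> str:
    """Triage one version string into one of the four status constants."""
    upstream, release = split_package_version(normalise(text))
    affected = upstream_in_affected_range(upstream)
    if affected is None:
        return UNKNOWN
    if not affected:
        return NOT_VULNERABLE
    # In range: only conclusive when it is the upstream build itself.
    return CHECK_BACKPORT if release is not None else VULNERABLE


if __name__ == "__main__":
    # Constructed sample inputs, built from the version strings quoted in the thread.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "0.9.8y",
                   "1.0.1e-15", "1.0.1-4ubuntu5.11", "OpenSSL 1.0.1f", "bogus"):
        print(f"{sample:32} -> {assess(sample)}")
```

Run it against `openssl version` on each host, or feed it the version column from a package inventory. The "check backport" outcome is deliberate: on RPM and Debian systems the authoritative answer is the package changelog or the vendor advisory for the installed release, not the upstream string, and a scanner that flags every "1.0.1e" as vulnerable will keep paging people about hosts that were patched on the 8th.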

