Cross-platform security alert

UKworkshop.co.uk

Thanks Roger for the heads up.

I presume we should all now change our UKW passwords, but if we didn't, would it make our computers vulnerable?

Regards Keith
 
I believe that we should wait until the site has been 'cleaned' - else the new passwords will become available to the malware. Apparently, the site has to be cleaned manually and indications are that this has not yet been done... (I get a warning from Chromebleed (a detector of the SSL bug) on every page!). Sigh...

Liam (who is no expert but tracked down information on the web...)
 
devonwoody said:
Interested in watching this post

Which one? This one?

[image: Fence Post and Wire_DSC0072.jpg]


:lol: :lol: :lol: :lol:
 
Generally, my advice would be 'don't panic'. This particular bug is fairly serious, but bugs like this come out every now and again. There was a big Rails bug last year, but that didn't have a custom URL and a nice logo with a simple overview that journos could panic over. The BBC article is scaremongering in my opinion.

In general terms, how could it work? You can send a request to a vulnerable server and get 64kb of memory from the OpenSSL program. There is a chance that in that 64kb you could get a password, crypto key etc. Unfortunately this attack isn't logged in the server's logs, so you don't know if it's happened. However, due to the way OpenSSL allocates memory, it's unlikely you'll have your SSL keys exposed, so says the chap who discovered the vulnerability.

Liam - The work isn't necessarily manual. My servers are set to run security updates automatically, so were protected shortly after the updates hit the update servers. Yeah, updating your SSL keys is manual, but there we go.

However, if you do use the same password across all your sites (and if it's a password shorter than 8 characters) then there's no massive harm in changing it. Also, if you fancy changing your bank passwords, then that's probably not a bad idea either. But there's no need to worry excessively. Honestly, I'd be more worried about a PHP vuln hacking this site and getting your passwords that way. That's much more common. For example there are 261 CVEs against phpBB at the moment. You could use one of them to hack the site if you wanted...

Quals / experience - MSc in Computer Science (specifically Intrusion Detection Systems) and 8 years of professional IT experience and 15+ years of general computer geekery (started on a 086 in the 90s).
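The over-read described in the post above, modelled as an added example (not the poster's code and not OpenSSL's source): a simplified C version of the TLS heartbeat handler before and after the fix, run over a constructed request and a constructed "secret" placed in a fake memory arena next to it. The arena layout, the record contents, the secret string and all function names are assumptions made for this example; the point it shows is that the vulnerable handler trusts the length field inside the message and never compares it with the number of bytes actually received, while the patched handler drops the request when the two disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * The two handlers below are a simplified model of the pre- and post-fix logic,
 * written for this example; they are not the OpenSSL source. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed stand-in for process memory around the received record: the record
 * itself (a 3-byte "abc" payload plus 16 bytes of padding), then unrelated data the
 * allocator happened to place after it (a made-up credential, purely illustrative). */
#define ARENA_SIZE 128
#define REAL_PAYLOAD "abc"
#define RECORD_LEN (1 + 2 + 3 + HB_PADDING)            /* 22 bytes actually received */
static const char SECRET[] = "user=keith&pass=hunter2";  /* constructed, not real */
static uint8_t arena[ARENA_SIZE];
static uint8_t response[1 + 2 + ARENA_SIZE + HB_PADDING];

/* Lay out a heartbeat request that *claims* claimed_len payload bytes but carries 3. */
static void setup_memory(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, REAL_PAYLOAD, 3);
    memcpy(arena + RECORD_LEN + 8, SECRET, sizeof SECRET);  /* lives 8 bytes past the record */
}

/* Vulnerable handler: trusts the length field inside the message and never
 * compares it with rec_len, the number of bytes that actually arrived. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                    /* the bug: never consulted */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;                 /* only here to keep the model in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);                      /* copies past the 3 real bytes into neighbouring memory */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Patched handler: the same code with the bounds checks the fix added. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;       /* too short to hold even an empty payload */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* claimed > received: drop silently */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Does the response carry the neighbouring secret? (naive substring search) */
static int contains_secret(const uint8_t *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

struct probe_result { size_t resp_len; int leaked; };

/* Push one crafted request through either handler. claimed_len is clamped so the
 * over-read stays inside the constructed arena; on a real server it reads whatever
 * follows the record in the heap. */
struct probe_result probe(uint16_t claimed_len, int patched) {
    if (claimed_len > ARENA_SIZE - 3) claimed_len = ARENA_SIZE - 3;
    setup_memory(claimed_len);
    size_t n = patched ? heartbeat_fixed(arena, RECORD_LEN, response, sizeof response)
                       : heartbeat_vulnerable(arena, RECORD_LEN, response, sizeof response);
    struct probe_result r = { n, n ? contains_secret(response, n) : 0 };
    return r;
}

int main(void) {
    struct probe_result v = probe(64, 0), f = probe(64, 1), ok = probe(3, 1);
    printf("vulnerable, claims 64: %zu-byte response, secret leaked: %s\n", v.resp_len, v.leaked ? "yes" : "no");
    printf("patched, claims 64:    %s\n", f.resp_len ? "answered" : "request dropped");
    printf("patched, honest 3:     %zu-byte response\n", ok.resp_len);
    return 0;
}
```

A real request may claim up to 65535 payload bytes, which is where the "64kb per request" figure comes from; each response is a fresh slice of whatever sits after the record in memory, and nothing about the exchange is abnormal enough to appear in the server's own logs.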
 
Thanks for the heads up.
Latecomers - I worked with analogue computers in the early 60s but could never understand them? :)

Rod
 
My first exposure was with the National Semiconductor SC/MP (1977-78) when my son started programming beyond the card readers at Bedford College.

Took him down to London to get parts from the Elektor Magazine parts shop. The magazine ran a series of articles on how to build your own machine; I remember later modifying a terminal keyboard, with an interface, to work with it (no QWERTY keyboards) and modifying an electric typewriter to work as a printer.
At least it reduced the home 'phone bill for the acoustic coupler to the mainframe.
[image: comp.jpg]


This was the main project in our household until he got hold of one of the very first Sinclair MK14 kits.

Could never get my head round direct binary coding but managed to achieve reasonable BASIC coding once I got access to an Amstrad 1520 in 1986 (added memory to 1640) and had a couple of articles published in PC Answers magazine relating to early macro coding of Microsoft Word for pamphlet printing and the like, when such things were allowed.

Son's attempts to drag me into COBOL, Fortran, Pascal and machine code washed over my head; "There's the book, just read it" did not work for some reason.

Edit: Those were the days
 
Sorry, missed this post here. UKW is not vulnerable to Heartbleed. The forums don't actually use an SSL connection, so the bug doesn't affect the site.

The server however does run OpenSSL which has already been patched. A couple of the scanner tools that I've been testing it with have been giving the odd false positive.
 
I built my first computer in 1979 from components I imported from the USA. Then had to write my own drivers, OS and BIOS for the disk drives :) Happy days. Spent months playing ex-Unix adventure games (text only, via a 300 baud display terminal).
 