Go Back   DreamTeamDownloads1, FTP Help, Movies, Bollywood, Applications, etc. & Mature Sex Forum, Rapidshare, Filefactory, Freakshare, Rapidgator, Turbobit, & More MULTI Filehosts > Computer/MAC Help/Info. & New Technology > General Computer/Android Help, News & Info + New Technology

General Computer/Android Help, News & Info + New Technology Find All The Latest Reports/Reviews in Here. Start a New Thread in Here if You Need Help

IMPORTANT ANNOUNCEMENT
Hallo to All Members. As you can see we regularly Upgrade our Servers, (Sorry for any Downtime during this). We also have added more Forums to help you with many things and for you to enjoy. We now need you to help us to keep this site up and running. This site works at a loss every month and we appeal to you to donate what you can. If you would like to help us, then please just send a message to any Member of Staff for info on how to do this,,,, & Thank You for Being Members of this site.
Post New ThreadReply
 
LinkBack Thread Tools Display Modes
Old 05-04-14, 14:40   #1
 
Ladybbird's Avatar
 
Join Date: Feb 2011
Posts: 34,751
Thanks: 23,478
Thanked 12,726 Times in 8,564 Posts
Ladybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond repute

Awards Showcase
Best Admin Best Admin Gold Medal Gold Medal 
Total Awards: 6

Default WARNING-Heartbleed BugVPNs Affected+Passwords=How to Stay Safe

Using the Same Password for ALL Sites is Dangerous

Now vBulletin Forum Has Been Hacked - AGAIN
The Hacker came from China-
IP= 183.216.190.239

Quote:
IP Location: China Beijing China Mobile Communications Corporation
ASN: China AS9808 CMNET-GD Guangdong Mobile Communication Co.Ltd.,CN (registered Jan 10, 2000)
IP Address: 183.216.190.239


Trust me, the Chinese are very good at hacking.
Note they have used a mobile device to hack vBulletin

A couple of years ago they even hacked Skype and used/stole all members log in details and money on their accounts. I had a heck of a fight trying to get my money back from Skype - Never happened, cos Skype simply wouldn't admit they had been hacked!

Even Google, Facebook etc have been hacked in the past. That's why I Rarely use any social media site

A little tip: NEVER use the same password on all or multi sites. Use your notepads and record your DIFFERENT log-in details for every site your use.....

I thanked the staff at vBulletin, for their prompt action on this matter...They responded very quickly to advise all their members and Blocked ALL Accounts until their members responded to the emails they sent out.

UPDATE
This latest Hacking Action is related to the
Heartbleed Bug

continued.....
__________________
Nil Carborundum Illegitemi My Advice is Free My Friendship is Priceless

FREEBIES Continue to be a BURDEN on Our Increasing Server/Privacy Costs. Please DONATE Something to HELP...PM an Admin for Further Info.



& Thanks to Those That Have Taken The Time to Register & Become a Member of ... 1...
Ladybbird is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 09-04-14, 19:16   #2
 
Ladybbird's Avatar
 
Join Date: Feb 2011
Posts: 34,751
Thanks: 23,478
Thanked 12,726 Times in 8,564 Posts
Ladybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond repute

Awards Showcase
Best Admin Best Admin Gold Medal Gold Medal 
Total Awards: 6

Default WARNING-Heartbleed Bug-Passwords-& How to Stay Safe

HTG Explains: What the Heartbleed Bug Is and Why You Need to Change Your Passwords NOW




The last time we alerted you to a major security breach was when Adobe’s password database was compromised, putting millions of users (especially those with weak and frequently reused passwords) at risk.

Today we’re warning you about a much bigger security problem, the Heartbleed Bug, that has potentially compromised a staggering 2/3rds of the secure websites on the internet.

You need to change your passwords, and you need to start doing it NOW

Important note: DREAMTEAMDOWNLOADS1 is NOT affected by this bug.


What Is Heartbleed and Why Is It So Dangerous?

In your typical security breach, a single company’s user records/passwords are exposed. That’s awful when it happens, but it’s an isolated affair. Company X has a security breach, they issue a warning to their users, and the people like us remind everyone it’s time to start practicing good security hygiene and update their passwords. Those, unfortunately, typical breaches are bad enough as it is. The Heartbleed Bug is something much, much, worse.

The Heartbleed Bug undermines the very encryption scheme that protects us while we email, bank, and otherwise interact with websites we believe to be secure.

Here is a plain-English description of the vulnerability from Codenomicon, the security group that discovered and alerted the public to the bug:


Quote:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users
That sounds pretty bad, yes? It sounds even worse when you realize roughly two-thirds of all websites using SSL are using this vulnerable version of OpenSSL. We’re not talking small time sites like hot rod forums or collectible card game swap sites, we’re talking banks, credit card companies, major e-retailers and e-mail providers.

Worse yet, this vulnerability has been in the wild for around two years.

That’s two years someone with the appropriate knowledge and skills could have been tapping into the login credentials and private communications of a service you use (and, according to the testing conducted by Codenomicon, doing it without a trace).

Although no group has come forward to flaunt all the credentials and information they siphoned up with the exploit, at this point in the game you have to assume that the login credentials for the web sites you frequent have been compromised.


What to Do Post Heartbleed Bug

Any majority security breach (and this certainly qualifies on a grand scale) requires you to assess your password management practices. Given the wide reach of the Heartbleed Bug this is a perfect opportunity to review an already smooth-running password management system or, if you’ve been dragging your feet, to set one up.


Before you dive into immediately changing your passwords, be aware that the vulnerability is only patched if the company has upgraded to the new version of OpenSSL. The story broke on Monday, and if you rushed out to immediately change your passwords on every site, most of them would still have been running the vulnerable version of OpenSSL.


Now, mid-week, most sites have begun the process of updating and by the weekend it’s reasonable to assume the majority of high-profile web sites will have switched over.
You can use the Heartbleed Bug checker here to see if the vulnerability is open still or, even if the site isn’t responding to requests from the aforementioned checker, you can use LastPass’s SSL date checker to see if the server in question has updated their SSL certificate recently (if they updated it after 4/7/2014 it’s a good indicator that they’ve patched the vulnerability.)

Note: if you run dreamteamdownloads1.com through the bug checker it will return an error because we don’t use SSL encryption in the first place, and we have also verified that our servers are not running any affected software


That said, it looks like this weekend is shaping up to be a good weekend to get serious about updating your passwords. First, you need a password management system. Check out our guide to getting started with LastPass to set up one of the most secure and flexible password management options around. You don’t have to use LastPass, but you do need some sort of system in place that will allow you to track and manage a unique and strong password for every website you visit.

Second, You need to start changing your passwords. The crisis-management outline in our guide, How to Recover After Your Email Password Is Compromised, is a great way to ensure you don’t miss any passwords; it also highlights the basics of good password hygiene, quoted here:
Quote:
  • Passwords should always be longer than the minimum the service allows for. If the service in question allows for 6-20 character passwords go for the longest password you can remember.
  • Do not use dictionary words as part of your password. Your password should neverbe so simple that a cursory scan with a dictionary file would reveal it. Never include your name, part of the login or email, or other easily identifiable items like your company name or street name. Also avoid using common keyboard combinations like “qwerty” or “asdf” as part of your password.
  • Use passphrases instead of passwords. If you’re not using a password manager to remember really random passwords (yes, we realize we’re really harping on the idea of using a password manager) then you can remember stronger passwords by turning them into passphrases. For your Amazon account, for example, you could create the easily remember passphrase “I love to read books” and then crunch that into a password like “!luv2ReadBkz”. It’s easy to remember and it’s fairly strong.
Third, whenever possible you want to enable two-factor authentication.

You can read more about two-factor authentication here, but in short it allows you to add an additional layer of identification to your login.

With Gmail, for example, two-factor authentication requires you to have not just your login and password but access to the cellphone registered to your Gmail account so you can accept a text message code to input when you log in from a new computer.
With two-factor authentication enabled it makes it very difficult for someone who has gained access to your login and password (like they could with the Heartbleed Bug) to actually access your account.

Security vulnerabilities, especially ones with such far reaching implications, are never fun but they do offer an opportunity for us to tighten our password practices and ensure that unique and strong passwords keep the damage, when it occurs, contained.
__________________
Nil Carborundum Illegitemi My Advice is Free My Friendship is Priceless

FREEBIES Continue to be a BURDEN on Our Increasing Server/Privacy Costs. Please DONATE Something to HELP...PM an Admin for Further Info.



& Thanks to Those That Have Taken The Time to Register & Become a Member of ... 1...
Ladybbird is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 13-04-14, 21:14   #3
 
Ladybbird's Avatar
 
Join Date: Feb 2011
Posts: 34,751
Thanks: 23,478
Thanked 12,726 Times in 8,564 Posts
Ladybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond repute

Awards Showcase
Best Admin Best Admin Gold Medal Gold Medal 
Total Awards: 6

Default NSA Knew About Heartbleed Bug- & Did NOTHING!

More People Were Paid To Exploit Heartbleed For The NSA Than To Fix It

Posted: 13 Apr 2014





Infrastructure – Zacqary Adam Green:

Unsurprisingly, it turns out that the NSA knew about the Heartbleed bug since shortly after it was added to OpenSSL.

While thousands of salaried NSA personnel search for bugs like these to exploit, OpenSSL has only four part-time volunteers maintaining it. Of course this was going to happen.

The idea behind open source software is that “given enough eyeballs, all bugs are shallow.” This only works if there actually are enough eyeballs. Code audits can only happen if there are people with the will, expertise, and time to do so. Rusty Foster pointed out the problem with OpenSSL:

The project’s code is more than fifteen years old, and it has a reputation for being dense, as well as difficult to maintain and to improve. Since the bug was revealed, other programmers have had harsh criticisms for what they regard as a mistake that could easily have been avoided.…

Unlike a rusting highway bridge, digital infrastructure does not betray the effects of age. And, unlike roads and bridges, large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails. To some degree, this is beginning to change: venture-capital firms have made substantial investments in code-infrastructure projects, like GitHub and the Node Package Manager. But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts.

This point is only compounded by the NSA news. As it turns out, a great deal of funding was going towards meticulously auditing OpenSSL. The problem is that the NSA keeps the results of these audits to themselves. No bugs are fixed. No patches are committed. Critical flaws are kept under wraps so that they can be used to siphon more data and break into more computers.

Never mind the fact that the NSA’s priority is supposed to be the defense of the United States, when critical infrastructure in the US was potentially affected by this bug. If they wanted to call this defense, then the NSA must have been really confident that the classic go-to bogeymen of China, Russia, Iran, or Al Qaeda hadn’t also discovered Heartbleed. Which, of course, they couldn’t be, because Neel Mehta at Google eventually reported it, so it’s not like it was impossible to find without NSA super-wizardry.

But back to the issue at hand: the NSA has, potentially, a small army of security researchers doing all of the code audits that tech companies and the open source community should be doing, and hoarding the benefits for themselves. The Is TrueCrypt Audited Yet? project might as well change its website header from “Not Yet” to “Who Knows?” This is awful. Economically, it’s also unsurprising.

The NSA has an entire budget devoted to doing just this: “$1.6 billion a year on data processing and exploitation, more than a thousand times the annual budget of the OpenSSL project” reports The Verge. Their prime directive is to find bugs, keep them quiet, and exploit them for their own gain (sorry, “national security”). OpenSSL’s volunteers, on the other hand, need jobs to feed their families. As much as they might want to, they don’t have the time to devote the effort needed to make sure their code is rock-solid. And apparently, neither do its users. It took a Google employee two years to discover Heartbleed, despite the fact that they’re a multi-billion dollar corporation that depends on the integrity of things like OpenSSL. Evidently, though, it’s still not cost-effective to have dedicated teams keeping an eye on the code.

My instinct is to just say that this is another infopolicy case for a universal basic income, to free up volunteers who are willing and able to perform these audits from the pressure of having to work another job. While that would certainly help, I admit it’s a bit reductionist. Code audits can be boring, tedious work, and while with 7 billion people in the world I’m sure some of them would be jumping out of the woodwork to proofread thousands of lines of code, I can’t say how many. But the NSA has apparently figured out how to efficiently spot glaring security flaws, so it’s high time the white hats did too.
Rick Falkvinge - Founder of The Pirate Party
__________________
Nil Carborundum Illegitemi My Advice is Free My Friendship is Priceless

FREEBIES Continue to be a BURDEN on Our Increasing Server/Privacy Costs. Please DONATE Something to HELP...PM an Admin for Further Info.



& Thanks to Those That Have Taken The Time to Register & Become a Member of ... 1...
Ladybbird is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 14-04-14, 12:10   #4
Official Site Uploader & TECH ADVISOR
 
Join Date: Aug 2013
Location: Australia
Posts: 7,361
Thanks: 214
Thanked 2,685 Times in 2,032 Posts
jenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond reputejenkins4 has a reputation beyond repute

Awards Showcase
Bronze Medal Gold Medal Gold Medal Gold Medal 
Total Awards: 4

Default WARNING-Heartbleed Bug-Passwords-& How to Stay Safe

What is Heartbleed Bug and How to Protect yourself and Stay Safe?

Nearly 70 percent of traffic on the Internet employs OpenSSL to secure the data transfers. That translates into almost all the major servers (read: websites) use OpenSSL to secure your data such as login credentials. However, someone from Google found a bug in OpenSSL – a minor programming mistake but big enough to give away your data to hackers – people willing to use your data for their purposes. This OpenSSL bug is named Heartbleed since it is closely related to some HeartBeat layer of OpenSLL.

What is Heartbleed Bug



Most of the servers accept encrypted data, decode it using the encryption keys and forward it for processing. Since most servers employ FIFO (First in First Out) method to serve end users, often, the data (after decryption) sits in the server memory for a while before the server takes it up for further processing.

The Heartbleed Bug is a case of worry for almost all Internet-based commercial websites and some other types. This programming error enables hackers to check into any server that employs OpenSSL and read/save/use the unencrypted data (decrypted data). Hackers now do not only have the access to your data, they can reproduce the website certificate making the Internet, even more dangerous place. With the copy of the website certificate, the hackers can create mimic sites: sites that look similar to original sites. With that, they can further access your data such as credit card details, personal information etc.

The sounds scary, doesn’t it? It is – indeed – as it can access your information and that information can be used towards any end.

Note: Heartbleed also has a code name CVE-2014-0160. CVE stands for Common Vulnerabilities and Exposures. These codes related to vulnerabilities etc. are given by MITRE, an independent body that keeps tracks of bugs and similar issues.

Should I upgrade my Anti-Virus or something

The Heartbleed bug in OpenSSL does not have anything to do with your antivirus or firewall. This is not a client side issue so you can do little about it. On the other side, servers have to apply a patch to the OpenSSL system they are using. That done, the website can be said to be safer for interacting.


What you can do as a user is to reduce the number of visits to commerce and similar sites. It is not that the bug affects only the commerce sites. It is equal for all types of websites that use OpenSSL. I say avoid commerce sites for a while as they would be the major target for hackers who would want your card details etc. It means that the primary target of hackers would be e-commerce sites using OpenSSL.

Once you get a message/report that the bug is fixed, you can go ahead as you used to do before the bug was discovered. OpenSSL has created a patch and has released it for website owners to secure their users’ data. Until then, try to avoid sites where you have to give in your data in any form – even login credentials. I am sure almost all webmasters must be going in for the patch but there is still a problem. Once you are sure that there are no vulnerabilities or such vulnerabilities have been patched, it might be a good ide to change your passwords.

Meanwhile, use these:
Code: [Check Download Links]
http://www.thewindowsclub.com/browser-extensions-protect-heartbleed
Site Certificates copied via Heartbleed needs to be addressed

There are high chances that website security certificates might have been copied for creating malicious websites. Since the security certificates as general copies, your browsers may not tell the difference. It is you who has to remain cautious. Avoid clicking links and instead, type the URL of website in the address bar so that you are not redirected to some fake site.

This problem can be solved in two ways:

1. The browsers available in the market should be made smart enough to identify copied certificates and alert you.
2. The webmasters change the certificates after applying the patch.

In other words, it will take some time to implement above even though the webmasters apply the patch. I would want to reiterate that do not click links in emails or non-reputed websites. Simply, type the URL into address bar or if have the original site bookmarked, use the bookmark.

The References section at the end of this article contains an incomprehensive list of affected websites. Incomplete because there may be more websites affected than the ones listed there.

References:
Heart Bleed:
Code: [Check Download Links]
http://heartbleed.com/
OpenSSL:
Code: [Check Download Links]
http://www.openssl.org/news/secadv_20140407.txt
Git Hub:
Code: [Check Download Links]
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
McAfee has released a Heartbleed Checker tool to help consumers easily gauge their susceptibility to the potentially dangerous effects of the Heartbleed bug. You can access the tool at:

Code: [Check Download Links]
http://tif.mcafee.com/heartbleedtest
Also, you may want to check this out;

Code: [Check Download Links]
http://blogs.mcafee.com/consumer/what-is-heartbleed
jenkins4 is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
The Following User Says Thank You to jenkins4 For This Useful Post:
Ladybbird (18-04-14)
Old 19-04-14, 00:42   #5
 
Ladybbird's Avatar
 
Join Date: Feb 2011
Posts: 34,751
Thanks: 23,478
Thanked 12,726 Times in 8,564 Posts
Ladybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond repute

Awards Showcase
Best Admin Best Admin Gold Medal Gold Medal 
Total Awards: 6

Default re: WARNING-Heartbleed BugVPNs Affected+Passwords=How to Stay Safe

DREAMTEAMDOWNLOADS1 is NOT & has Never Been Affected by this bug....
__________________
Nil Carborundum Illegitemi My Advice is Free My Friendship is Priceless

FREEBIES Continue to be a BURDEN on Our Increasing Server/Privacy Costs. Please DONATE Something to HELP...PM an Admin for Further Info.



& Thanks to Those That Have Taken The Time to Register & Become a Member of ... 1...
Ladybbird is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 19-04-14, 02:44   #6
Senior Member
 
wildhoney66's Avatar
 
Join Date: Mar 2014
Location: Shangri-La
Posts: 300
Thanks: 27
Thanked 226 Times in 170 Posts
wildhoney66 has a spectacular aura aboutwildhoney66 has a spectacular aura aboutwildhoney66 has a spectacular aura about

Awards Showcase
Bronze Medal 
Total Awards: 1

Default re: WARNING-Heartbleed BugVPNs Affected+Passwords=How to Stay Safe

i haven't done anything about it yet, but than i dunno what i should check either. i don't run any kind of websites either. so i have no idea what i should check? or how i should do it either?
wildhoney66 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
The Following User Says Thank You to wildhoney66 For This Useful Post:
Ladybbird (19-04-14)
Old 19-04-14, 10:07   #7
 
Ladybbird's Avatar
 
Join Date: Feb 2011
Posts: 34,751
Thanks: 23,478
Thanked 12,726 Times in 8,564 Posts
Ladybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond repute

Awards Showcase
Best Admin Best Admin Gold Medal Gold Medal 
Total Awards: 6

Default re: WARNING-Heartbleed BugVPNs Affected+Passwords=How to Stay Safe

Quote:
Originally Posted by wildhoney66 View Post
i haven't done anything about it yet, but than i dunno what i should check either. i don't run any kind of websites either. so i have no idea what i should check? or how i should do it either?

Well Facebook, Google, Twitter, etc., were never aware about it,,,,even days after I started this thread. They have ...since "Updated" their security..()..


They were "running their sites to include something called "SSL"

(I personally am NOT tech savvy enough to know what that "SSL" is totally all about)

However, when I inquired from our Host/Server,,, Webmaster + our "Tech Admin", they assured, that our Site could NEVER be affected by the 'Heartbleed Bug', nor anything similar.

.(THAT 'Heartbleed Bug" has been around for years, yet dormant)

So PLEASE don't worry about it wildhoney66.. Panic over... but then as Ive said before,,,

No members of this site were EVER, nor could be affected, by that,,,, NOR any similar future "BUG"..


I hope that re-assures you...

Kind Regards..as always ..

LBB
__________________
Nil Carborundum Illegitemi My Advice is Free My Friendship is Priceless

FREEBIES Continue to be a BURDEN on Our Increasing Server/Privacy Costs. Please DONATE Something to HELP...PM an Admin for Further Info.



& Thanks to Those That Have Taken The Time to Register & Become a Member of ... 1...
Ladybbird is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 19-04-14, 20:00   #8
Senior Member
 
wildhoney66's Avatar
 
Join Date: Mar 2014
Location: Shangri-La
Posts: 300
Thanks: 27
Thanked 226 Times in 170 Posts
wildhoney66 has a spectacular aura aboutwildhoney66 has a spectacular aura aboutwildhoney66 has a spectacular aura about

Awards Showcase
Bronze Medal 
Total Awards: 1

Default re: WARNING-Heartbleed BugVPNs Affected+Passwords=How to Stay Safe

oh i wasn't worried about getting it on here, i just belong to a lot of sites that's all. and not all of them are sites like this. plus whenever i browse the internet just to kill time.

i dunno anything about SSL either. i'm what i call computer stupid or something like that which means that it can go right over my head, computer talk i mean, i'm the same way about cars as well. when someone does try to teach me about them,

or just wants to talk about them. it goes in one ear and out the other. i'm the same way with sports as well. though i don't hate cars or computers, sports i do hate with a passion. now if you want to talk about books and movies to use as an example i'm your guy. that talk can hold my interest.
wildhoney66 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
The Following User Says Thank You to wildhoney66 For This Useful Post:
Ladybbird (21-04-14)
Old 12-05-14, 01:06   #9
 
Ladybbird's Avatar
 
Join Date: Feb 2011
Posts: 34,751
Thanks: 23,478
Thanked 12,726 Times in 8,564 Posts
Ladybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond reputeLadybbird has a reputation beyond repute

Awards Showcase
Best Admin Best Admin Gold Medal Gold Medal 
Total Awards: 6

Update re: WARNING-Heartbleed BugVPNs Affected+Passwords=How to Stay Safe

How VPN Services Responded to Heartbleed

Posted: 11 May 2014




A month has passed since the Heartbleed security bug was first disclosed. At that time, hundreds of thousands of “secure” webservers were at risk of leaking personal information, including many popular websites.
Heartbleed is a bug in the open-source OpenSSL library that allows outsiders to read and dump encrypted data. When it was first made public it caused widespread panic with many experts describing it as “catastrophic.”

Among the affected services were a great number of VPN providers. At least momentarily, users of those affected services risked having their passwords and usernames intercepted, as well as other data they sent over a secure connection.
Perhaps even more worrying, successful hackers could have gotten their hands on private keys and certificates of VPN servers. For network adminstrators this was nearly undetectable before the bug was disclosed, and with the information the hacker could potentially decrypt users’ traffic.
With the keys and certificates in hand, hackers can still target live sessions of individual VPN users after the OpenSSL vulnerabilities are patched. That is, in cases where OpenVPN is used without ephemeral keys.

While not everyone agrees on the likelihood that these exploits are being used in the wild, they certainly are possible. For this reason, it’s important for VPN providers to take several steps. To the best of our knowledge the most crucial ones are the following:
  • Update all vulnerable software components using OpenSSL (if statically linked) or OpenSSL itself.
  • Replace all SSL certificates for all affected components and properly revoke the old certificates
  • Generate new private keys for all affected components
  • .
All agreed that Heartbleed posed a significant threat but the countermeasures, posted at the bottom of this article, vary from provider to provider.
As for the future, more should be done to prevent these critical bugs from putting millions of Internet users at risk.

Heartbleed has shown that more in-depth peer reviews are needed to ensure that critical infrastructure software such as OpenSSL is built on clean and secure code. In addition, it might not be a bad idea to move away from the OpenSSL monoculture, and look at alternative such as PolarSSL, LibreSSL, or GnuTLS. Of course, these alternatives have to be carefully reviewed as well.


Below is the list of responses we received from various VPN providers, between April 22 and early May. The fact that these answers are posted here is not an endorsement, nor is it an indication that the steps taken were the rights ones. That’s not up to us to judge, we merely strive to get as much information out to the public as possible.

All VPN services answered the following questions.

1. What steps has your company taken in response to Heartbleed?
2. In your opinion, what were the risks users faced before these steps were taken?
3. How did you communicate the above to your users?



1. Heartbleed was an eye opener which helped to make the public more aware of the insecurities that exist in un-audited code. Regardless of being open or closed source, there will always be insecurities in systems. However, the best that companies can do is to strive to achieve 100% security. In our case, when the Heartbleed exploit was announced, we reacted immediately. It was publicly disclosed at or about UTC 19:00:00 on April 7, 2014. We patched our VPN gateways within 4 hours at or about UTC 23:17:15 on April 7, 2014 by upgrading our OpenSSL libraries to version 1.0.1g from 1.0.1f.
Our website was not exploitable given that we use a hardware load balancer that is not using a vulnerable version of OpenSSL.
Immediately after patching our VPN gateways, we then setup a non-production gateway that we attempted to exploit using the Heartbleed exploit POCs (proof of concepts). While it was recently announced that OpenVPN is exploitable, it is our best belief that our private keys were never leaked given that we have systems in place that make the exploitation of our servers very unlikely.
That being said, within 24 hours we are rolling out updates to our clients as well, even though it is highly unlikely that our keys were ever leaked.
2. The likeliness of our gateways being exploited prior to us rolling out these patches are extremely low. However, as stated earlier, at Private Internet Access, we strive to achieve 100% security, so we went through the motions as it is our policy to do so in best practice.
3. We waited to announce anything to our users until we were 100% certain of everything we were stating. That said, we posted on our blog after we performed our patches.
Additionally, we will be sending out a mass e-mail within 24 hours to our clients as certain users (DD-WRT, stock OpenVPN, etc.) will need to manually apply updates in order to connect to our service.


1. Upon hearing of the OpenSSL vulnerability our staff took immediate action to preserve the integrity and security of TorGuard services. This included a full audit of our VPN network, software, and websites. All VPN servers have now been updated to a non vulnerable version of OpenSSL and these new connections have been automatically downloaded in all TG VPN clients. TorGuard’s Pro VPN client software has also been updated to the latest patched OpenVPN version and pushed to all users. Our company’s website infrastructure, client area, and email services were not vulnerable even in the months prior when this bug was out in the wild.
2. While the threats posed by the OpenSSL HeartBleed vulnerability are wide reaching and potentially very serious, our team can confidently say this development had no impact on the security of TorGuard’s users. Rest assured, we won’t let your heart bleed.
3. TorGuard posted the findings of the network audit on our blog and immediately emailed all clients a direct link.


1. Once the vulnerability was made public we instantly started to patch all affected systems. This particular bug was present on our IPv6 VPN machines, a subset of the IPv4 VPN servers that were using OpenSSL 1.0.1 and all of our external SSL services like the website, the tor exit node, or jabber server.
After the upgrade to the latest OpenSSL version was finished we decided to replace the private keys from all affected components because the confidentiality of those keys could not be guaranteed anymore. The window of opportunity for an attacker who had this bug as a 0day up his/her/its sleeve was simply too long. Due to the nature of the bug it is very difficult to say retrospectively if it was used to gain access to possibly sensitive memory contents of the affected machines.
Since we had to replace all affected VPN server certificates we decided to deploy a new key management scheme for those machines. Each OpenVPN instance now uses one time private keys, cert and DH keys that are cycled on process restart.
In the same way we have seen the emergence of special purpose hardware for Bitcoin mining we should also assume that the entities that have the means to compromise cryptography also possess special hardware to deal with encryption. As an additional precaution against this scenario we deployed server and DH keys with variable lengths instead of sticking to the “well known” lengths/constants of 2048 and 4096 bit.
We are still working on making sure that all OpenSSL 1.0.1 components support the EC curve 25519 from DJB since any EC constants put forth by the NIST (or NSA) should be considered compromised.
2. Total exposure.
3. Users were informed through the usual channels (Twitter, blog, IRC).


1. We upgraded OpenSSL on all servers and client downloads. We created new keys on all servers. We revoked all old keys. We released a new client program with the revocation list that also creates new client keys. For those not using our client program we published new OpenVPN configuration files with the revocation list and new client keys for all users.
2. It was unknown how vulnerable OpenVPN was in practice so we decided to find out by trying to exploit the bug on a test server. We repeatedly succeeded in extracting the server’s private key. These findings were sent in full detail to the OpenVPN team and published in less harmful form e.g here

The conclusion is that before the fixes above all OpenVPN communication were at risk of decryption by anyone knowing about the bug *at the time*. Due to perfect forward secrecy they can’t be decrypted with a key leaked at a later time. So anyone who did not know about the bug but managed to snatch a key after the bug was published can’t go back and decrypt traffic they may have stored.
3. We put a big red warning banner on our website that is still there and published a news item explaining the situation and urging all users to upgrade.


1. We learned about the vulnerability at 9:17PM CST on April 7th. From that point forward, we did not sleep until the vulnerability was closed and every server was penetration tested against all known forms of the exploit to ensure that the vulnerability was closed.
At the time we found out about the vulnerability, there wasn’t even a CVE entry in the database explaining the nature of the vulnerability or the attack. We knew that because of the integration of OpenSSL into the Windows OpenVPN open-source client, and the default builds of OpenSSL installed into almost all distros of Linux/BSD that this was going to be huge.
As more information unfolded and the OpenSSL updates hit the verified repositories, we began the patching process on our servers. After the main vulnerability was closed and a rolling restart was issued to the server clusters, we went to work with notifying clients of the bug and advising them to update their clients to current.
The servers were patched and confirmed safe by 7:00AM CST on April 8th. This is when we released our transparency post advising our users on the situation, and how they can respond to close the bug client-side. A mass email was sent shortly after advising our clients to read the post, and had instructions on updating their clients.
2. The bug is catastrophic in scale. We avoided disaster by having a very strong security model and not allowing clients to change security settings. During the vulnerable period where the bug was unknown publicly, there was no way for a VPN provider to detect if they were attacked. It is possible that server keys and certs were lost although we have had no evidence of this. Our root CA was not exposed. Our website was unaffected. Our load-balancers were unaffected.
The worst case scenario for our security topology is that keys and certs and the tls-auth server key were lost to a nefarious attacker who was subscribed to the service. (because of TLS-Auth, there was no way to exploit heartbleed from outside of the network, only inside). If this were to occur, an attacker could attempt to impersonate a VPN server. In order for the attack to work they would have to take many specific steps to circumvent various load-balancing and routing steps that place during the connection process. We think that this is highly unlikely to have happened, but is not impossible, so we are disclosing it to be as open and transparent as possible.

Note that a VPN service that claims zero exposure to Heartbleed is almost certainly lying or has so little knowledge about network security that they should not be in the business. Heartbleed hit everyone, it is a matter of how badly.
3. We responded publicly and also also had a Heartbleed article. We also made informational posts to the community at /r/VPN on Reddit and reached out to other VPN services we are close to in order to discuss countermeasures and implementations. We also made an effort to educate the /r/VPN community on proper countermeasures.


1. We revoked all VPN server certificates and generated new 4096 bit certificates within a few hours of the announcement. We’ve also had our websites EV certificate reissued. Most of our client software was not using a vulnerable version of OpenVPN but where necessary we patched the client software as well.
2. A successful attack could reveal the server’s private key which could be used to impersonate the server in a MITM attack or to passively decrypt the session keys during SSL negotiation. Although we implement tls-auth this doesn’t mitigate the risk substantially since the auth keys are visible to all customers. Its important to understand that a successful attack prior to the announcement would likely only be possible from a very sophisticated and well funded adversary targeting a specific individual. Such adversaries almost certainly continue to possess undisclosed vulnerabilities that they can use to exploit targets.
3. We sent out a tweet immediately after installing the new certificates. We then emailed all our customers with information about the vulnerability and instructions on how to update the client software where required. We also made an infographic to help customers understand what passwords to change on other services.



1. Yes, we have updated OpenSSL on both OpenVPN servers and the website. The certificate for the VPN server has been updated as well.
2. Hard to say. Worst case is that information has been leaked when we had the old version of OpenSSL.
3. We posted two updates on our website.


1. We constantly monitor all upstream software providers and keep current with the upgrades they provide. As such, as soon as a fix was made available that would suit our platform as well as our internal security standards, we took all steps necessary to upgrade our systems.
Following a routine audit we’ve concluded that none of our critical systems were affected during the period between the public release of the proof of concept and the date at which the necessary fixes were applied.
2. As our systems are being actively monitored there is no reason to believe that our customers were affected by the Heartbleed attack in any way. Since the exploit seems to work on both server software and client software, there is a slight chance that, if some of our users are also using other providers, they would be affected in case a malicious provider – by choice or having been affected themselves – were to attempt to extract information from them.
The information – from what we’ve seen in the behavioral analysis of the exploit by various security professionals – that they would be able to obtain would be pertinent only to their specific connection to that provider. Also, from a client’s perspective, running a Windows machine the only service potentially affected by this bug would be OpenVPN as the others are key services provided by Microsoft in the core OS and do not share anything in common with the OpenSSL library.
3. We constantly run security audits, monitor our network and improve TigerVPN. Although the incident was hyped on a big scale, we did a lot of upgrades, fixes and improvements throughout the month. If we would inform our customers about every single time we work on our software or hardware, they’d unsubscribe and report us as spam :-). We understand this is in the nature of our responsibility to pro-actively react to events such as Heartbleed. In case we ever noticed any kind of breach, all our customers would get notified immediately as with a single click.


1. Our website was running an unaffected version of OpenSSL (0.9.8g) however we updated OpenSSL there anyway.
Some VPN servers were vulnerable so we updated all servers on April 8th to protect against further attacks.
On April 17 we issued new VPN configs with new 4096 bit certificates. We were working on this after we found out about Heartbleed but as soon as it was proven that the bug can be used against OpenVPN we immediately made the new configs + certificates available to everyone. On the VPN server side all the certificates, keys and DH keys have been replaced.
2. It has been proven that Heartbleed can be used to steal the private key and impersonate a VPN server (if the VPN server was running a vulnerable version of OpenSSL). People connecting to what they thought was their real VPN provider could actually be connecting to a fake VPN server or honeypot – although this would take the resources of a powerful government agency or similar.
3. In order to be as open and transparent as possible we made a blog to warn people of the potential dangers and to update them of the changes we made. We echoed this message on all our social media channels as well as emailing all our current and previous customers (in case a previous customer renewed without being aware that they should update).


1. The website itself was not vulnerable at all, at any time. Our OpenVPN servers though, were changed to a different version of OpenSSL that was vulnerable on 2/27/2014. So, a vulnerability existed on our servers from 2/27/2014 through 4/8/2014, for a total of 39 days. We replaced/regenerated the certs on all clients and servers, since they were potentially exposed, within the day.
2. Small, but of course possible. We use HMAC-based TLS authentication at both ends of the connection, using separate halves of a shared key, as recommended by OpenVPN. This creates a signature of each packet which is attached to the packet. The server drops any packets that are unsigned or incorrectly signed. In the past, this has primarily been used to prevent / slow down a DDoS attack, since the attacker would need to securely hash each packet using the right half of the shared key in the way that the OpenVPN client does.
Even with the suggestion from OpenVPN that TLS auth could form a kind of protection against Heartbleed, it isn’t foolproof, given that we have to distribute the key with each client or no one would be able to connect to our servers. As the researcher who created the OpenVPN penetration test earlier this week noted, it wouldn’t be that difficult for a determined hacker to discover the TLS auth key and modify his attack to use it. It does, however, prevent a drive-by attack where we are hit more or less randomly as a VPN services provider.
The worst case scenario is that someone obtained our older server private key and was able to decrypt live data and create a man-in-the-middle attack against our users during the 39 days we were using OpenVPN 2.3.2. Account credentials could have been compromised, and the private key could have conceivably been as well. Once we replaced OpenVPN to a non-vulnerable version and the server certificate was replaced, that vector was closed.
3. We sent out an email notice to our customers.


When the Heartbleed announcement first broke, on the 7th April, we reviewed our servers and customer portal system and found that they did not utilize the affected OpenSSL versions. When OpenVPN released their patch to fix HeartBleed, we immediately implemented this in our own client and released this on the 10th April 2014. Moving forward, our next client release will use OpenVPN 2.3.3 which we hope to release in the coming week.
We are also in the midst of an entire customer portal revamp to improve security and usability which we hope to release in a month or so and are considering a complete reissue of all keys when this is released. The revamp was initiated many months ago and was not as a result of the HeartBleed bug but is in line in our continuing efforts to improve our system’s security.
Our OpenVPN implementation implements tls-auth with Perfect Forward Secrecy (PFS) would protect past communications from retrospective decryption so the risk is mitigated. In this scenario an attacker can not attack OpenVPN instances without the TLS-auth key. Our customer portal processing system never used the affected OpenSSL versions and remained with the older OpenSSL 0.9.8. Users may request for a manual regeneration of their keys if they wish to be overly cautious by opening a ticket with us.
We sent out an email announcement to all users immediately, as well as a Facebook and Blog on the 8th April 2014 3.22 PM GMT+8. We then pushed an update to our VPN clients on the 10th April with the patched OpenVPN version as well.


1. In a response to Heartbleed, NordVPN has changed private keys for all servers. Also, the main NordVPN’s certificate has been revoked and a new one has been added. Our OpenSSL libraries have been upgraded from version 1.0.1e to a safe 1.0.1g.
2. For users: potential user detail leaks such as user names and passwords, but this is very unlikely as data that malicious people could get was in random locations in a server memory and user details are not kept in the memory for an entire session.
For servers: Private SSL certificate keys are used to encrypt and decrypt data communications between user and a VPN server. If anyone could have received a certificate and perform a man in the middle attack, all data which was sent from a VPN server to the user could have been decrypted.
3. The information was constantly shared to our users via our live chat and e-mails. Also the pop-up, an announcement line and the blog records were used to inform the steps we were taking in a response to Heartbleed.


1. When the Heartbleed security news broke, our engineering unit immediately scanned all our servers and upgraded to latest version the few servers (about 4% of our infrastructure) that were using vulnerable versions of OpenSSL. Our team then progressively patched absolutely all our servers in an attempt to enjoy other bugfixes (unrelated to security) accompanied with the successive new versions of OpenSSL. Vulnerable servers were patched within less than one hour and the non-vulnerable ones progressively got all upgraded within 24 hours.
We then researched about the implication of this bug and with the security community, we came to the conclusion that it was beyond reasonable doubt, even though most of our servers were non-vulnerable, that a new re-generation of private keys was indeed necessary. Indeed, extraction of private keys on vulnerable servers proved possible.
Since re-generating complete new sets of private and public keys undeniably involves a downtime and reconfiguration on user end, we also took this ‘opportunity’ to completely upgrade our encryption scheme, now leading the industry with CBC mode of AES with 256-bit as cipher, hash algorithm of 512-bit SHA (SHA512) and control channel of 4096-bit RSA through TLSv1/SSLv3 and with 256-bit AES, enforced to all customers by default.
The latest move does not necessarily respond to Heartbleed, but at least it makes it 100% theoretically impossible that the Heartbleed bug has any implication on the current VPN network, as the latter is using not only new private and public keys, but also completely new encryption algorithms.
2. It is very complex to answer with certainty what truly happened. But basically, a hacker who knew about this security hole before it went public (or within the few minutes between the time the news broke and the time we patched vulnerability), could have hacked the 4% of our servers infected with the vulnerable version of OpenSSL. They could have retrieved our private keys, and thus would potentially be able to decrypt the traffic that has been generated by our services before they have been updated with new private keys.
Any service that did not either re-generated new private keys (and offered new certificate files to customers) or upgraded completely its encryption scheme (or optimally having done both), is at risk of being exposed to full decryption because the keys could have been stolen at anytime before the patch was enforced on vulnerable servers, and vulnerability across any network of more than a hundred servers built over the course of several months or years was undeniably present at sporadic levels.
Now, factually, only a very close circle of white hat hackers were aware of this security hole and exploiting it in relation to keys vulnerability took us or anyone with security experience several days to figure out (wisely we applied precautionary principle and upgraded the keys well before). That means it would take at least some hours for most experienced hackers to have been able to exploit Heartbleed, hence the keys have had a thin chance of being compromised since the vulnerable servers were patched few minutes after 0day news.
3. We offered a public blog article within less than 24 hours after OpenSSL released new version and Heartbleed bug came out to public. This article can be found on our site and we explain in it that we successfully updated our OpenSSL software to latest version, even though most of our servers were using non-vulnerable versions of OpenSSL. The upgrade itself started few minutes after the security news broke.
Twenty four hours later, we published another article to warn customers that we will be shutting down the entire network for less than 5 minutes (with downtimes of few seconds for each server) as we will be both re-generating new private and public keys, as well as upgrading our cipher and authentification encryption.
Seventy eight hours later, we published again to explain that the upgrade has now been undertaken and that all users should download again the new configuration and certificate files in order to be able to connect to our network.
All these articles were advertised on our Twitter account. Finally, we sent a mass e-mail (the first time in our history) to all our customers to explain again to them that they should download new configuration and certificate files, as well as preferably change their passwords.


1. We are using Ubuntu on all servers. We have updated all our 12.04 Ubuntu versions next day, we are also using older Ubuntu where we use unaffected OpenSSL version.
2. We think the only risk is that it was possible to steal the username and passwords for the client area. We think that getting these details from the memory would be very complicated.


All of the gateway servers were updated to a non-exploitable version of OpenSSL as soon as we heard about the issue, within hours of the initial public notice. We do not believe any of our key information could have been exploited in such a short amount of time, but we’re still planning to re-issue keys with the next client version, which should be updated by this weekend. We are also issuing new .ovpn files on our website. Once the updated client has been issued, we will be creating a blog post informing our clients about the changes.


1. What steps has your company taken in response to Heartbleed (website, servers etc)?
1. In summary, our website was running on an older server with OpenSSL libraries that pre-dated the introduction of the Heartbleed bug into OpenSSL, so we feel our customer confidential information was not at risk due to Heartbleed. Among our VPN network gateways, many were on a vulnerable version of OpenSSL or a vulnerable build of OpenVPN server. Those that were vulnerable were updated and restarted within hours of the public announcement. Due to the short time between public announcement and our updates, we feel the risk of key disclosure was very small, but as a precaution the next release of Octane OpenVPN client will update the client keys.
In addition, this vulnerability in a key internet platform spurred us to consider a number of other scenarios which has resulted in us adding some cool new features and options in our OctaneVPN client which will be released soon.
2. Straight up, this was a serious bug in a major internet platform. The risk and vulnerability is same for all websites and services that relied on OpenSSL for encryption. In general, based on research others have posted, it appears the worst case would be that a private encryption key could be obtained by an untrusted third party. In addition, it appears this would leave no traces.
Assuming others were not exploiting the Heartbleed vulnerability before its public announcement, we feel the risk of a private key release was very small due to the short time window between public announcement and us applying patches to our gateway servers. There is no evidence or unusual patterns that would lead us to suspect our gateways were targeted. Our website was not vulnerable to Heartbleed since it was running an older OpenSSL version prior to when the Heartbleed bug first entered the OpenSSL code.
Remember, most sensitive web traffic is already encrypted by the end website/browser via SSL before it is encrypted again by a VPN network, so an attacker would need both a VPN private key and also the end website’s private key (say Amazon.com keys) to even start to have a chance. The possibility of obtaining one key through Heartbleed is remote, but doing it for two keys and the correct two keys for a given data packet before those sites were patched or new keys issued is that much harder.
3. How we communicated the above to our users.
a) We developed a web page
b) We have worked with individual customers through our support channel to answer specific questions
c) Our OctaneVPN client will notify customers automatically as new releases are available
d) A comprehensive email will be pushed to customers once the new client features are placed in production


1. The Heartbleed bug potentially exposed data being passed over the OpenSSL encryption protocol using TLS extension 15. IPVanish did not and continues not to support the TLS extension 15, meaning all IPVanish users were and are safe from this bug.
2. In addition to our point above, our entire Network Operations team conducted a deep dive to verify and confirm that no steps were needed in response to Heartbleed. We also continue to monitor the situation and will take the necessary steps if and when necessary.
3. We proactively communicated to our users via our blog, social media handles (including Twitter, Facebook and Google+), and affiliate network, that all IPVanish users have been and continue to be safe from Heartbleed. We additionally notified users that even though IPVanish itself never had a breach of security, we recommend they update their passwords if they use the same credentials across different services.


1. The first step was taken almost immediately. Our intrusion prevention system was updated with the Heartbleed signature within 2 hours of the announcement. We performed an audit and identified the vulnerable systems. The last vulnerable VPN node was patched at 9:00 AM on 4/7/2014.
The affected servers had new keys created from an unaffected CA. We used to use two CA’s. 1 for our shared only server clusters and the 2nd one for our shared, dynamic and modulating server clusters. Our Shared IP CA had their certificates revoked and is no longer used anywhere.
We already had a plan in progress to do an overhaul of our OpenVPN configurations that will include a standardized configuration across the three different VPN server builds we use. It includes an update to our network security, lowers our key re-negotiation time from 60 minutes to 30 minutes or less and uses a dedicated offline server purchased recently to serve as our air-gapped CA. When this rolls out we will issue new certificates across the network for the final time.
Our webserver was patched later that morning. We requested a new SSL certificate on 4/8/2014 and it was applied on 4/9/2014. We use Viscosity by Sparklabs as our VPN client. As soon as they released their OpenSSL patch it was pushed out to the clients.
2. This was a major vulnerability. No matter how much some providers downplayed it. For LiquidVPN an attacker could have signed up to our service and got their hands on our shared TLS-Auth key. With that in hand they could decipher portions of user VPN session data but every 60 minutes keys are re-negotiated so their access would be limited.
Website usernames and passwords could be compromised. Users were susceptible to man in the middle attacks. VPN usernames/passwords could be stolen.
3. We wanted to take a very proactive and transparent approach to this problem. However we had to secure users session data first. So we issued several updates beginning on April 7th. There is a handful of twitter posts they can be found @liquidvpn.
Our basic announcements (there were several) can be found on announcements. Finally after everything was secured and our updates were complete


As soon as the vulnerability became known to us, between late night of April the 7th and early morning of April the 8th in Italy, we immediately started to get documentation. We began to work on the system minutes after we fully understood the problem and how the buffer over-read could be provoked and exploited.
Luckily our setup which involves Perfect Forward Secrecy both with OpenVPN and on the web server and the fact that our VPN servers do not keep any database or other data pertaining to users made the vulnerability not very risky for our VPN users.
Most of our VPN servers already were running non-vulnerable OpenSSL branches, as well as the various backend servers (a vital part of our infrastructure). On top of that VPN servers, web server and clients never contact directly backend servers, so we found ourselves in a very favorable situation. Our frontend web servers on the contrary were vulnerable.
We proceeded to make sure that OpenSSL version on the VPN servers was not vulnerable, patch OpenSSL in our web sites and revoke the SSL certificate, reboot all the web servers to make sure that no vulnerable in-memory OpenSSL was still loaded, install new key and new SSL certificate on every frontend web server, change internal use keys and certificates, change every administrative password on every server, patch OpenSSL on the couple of VPN servers which ran OpenSSL 1.0.1f and reboot them.
We performed attacks against all of our own servers to make sure that the vulnerability was not there. For this we must thank very much external, trusted reviewers who with dedication and passion continuously search for vulnerabilities in our servers and report to us the results – you know who you are, thanks again! All of the above was completed between 11.00 AM and 11.00 PM April the 8th CEST.
However, we soon realized that we had to keep into account that the vulnerability is client-side too, so the fact that our servers were “secured” could not be considered sufficient. Therefore we had to face the non-trivial problem to reach and inform our users, which was solved with a “dramatic” decision about a radical upgrade to the system which would have been performed after only a few days.
The upgrade would have forced users to get informed because from a certain point in time they could not connect anymore to VPN servers until they upgraded. Under a marketing point of view it appeared as an extremely risky decision, but now that two weeks have passed by we can say that this decision was wise, and anyway it was the right thing to do regardless of any marketing consideration. And it was also a good chance to switch to bigger keys and perform some radical optimizations that we could not perform without disconnecting users for several minutes.
About information to the public, we started with an announcement on April the 8th, as soon as we had clear ideas on what users needed to do. This was linked also through Twitter and Facebook. The post was updated in real time while we were working on the system.
The final steps were to renew the users keys. We needed first to find an effective way to “encourage” users to upgrade their systems. We decided to switch to 4096 bit RSA and DH keys, with new certificates, in a precise moment in the future (after just few days), to maximize the probability that when a user was forced to regenerate configurations, keys and certificates, he/she would have been brought more easily to upgrade any possible vulnerable part of his/her system.

And we sent via PM and e-mail (to those users who entered a valid e-mail address in their account data) a link to the announcement. At the same time we powered up the customer service for any clarification and to face any possible, massive wave of support requests. Since we do not outsource the customer service we did not need to impart lessons to customer care personnel in order to make them understand the problem, saving us many hours and allowing us to be confident that customers were correctly supported in case of need. Additionally we could count on our competent, supporting and very active community in our forums.


1. We have scanned all services and devices, our web servers and OpenVPN server installations do not use the vulnerable version of OpenSSL affected by Heartbleed.
Manual checks were done on all other equipment such as Cisco routers. We have opened a internal review on the possibility of switching our SSL solution to PolarSSL.
2. Risk is only associated with users sharing passwords between VPNsecure accounts on services that were affected. We have advised users to change the password on the account which automatically regenerates the openvpn keys.
3. Facebook notifications were sent out, along with emails.


1. We’ve been very quick addressing the issue, and we started patching everything immediately after the public vulnerability disclosure
- First we added a firewall rule to temporarily block and log all Heartbleed probes against our servers, allowing us to run the upgrades and issue new encryption keys while not being exposed
- Website’s SSL certificate has been changed and we asked the issuer of the old certificate to revoke it; it was revoked one day later
- The upgrade process of all affected servers running the vulnerable OpenSSL libraries was completed and all services restarted in the next few hours
- After finishing the updates, we generated new encryption keys for our OpenVPN service and pushed them on all servers
- Our Client Software has been updated on April 8 to include the non-vulnerable OpenVPN binaries
2. We don’t believe that the risks our users faced were of high importance until then, but once the vulnerability became public – taking all necessary measures to mitigate the risks and protect our infrastructure was obviously the best thing a responsible company would do.
3. We announced on Twitter minutes after the vulnerability public disclosure that we’re already updating the servers. Once everything was secure on April 8, we issued a report on our site and it was sent by email to all our customers.


1. Our servers operate under versions of Linux that were not affected by this. Our OpenVPN servers use a custom build of OpenVPN that use non affected versions of OpenSSL. We use TLS which also minimizes the risk
2. The risks were minimal, since on the server side nothing was vulnerable.
3. Other than advising customers to upgrade their OpenVPN there was nothing else to be done.


1. Our experts evaluated possible risks, & replaced the certificate
2. Fortunately we are not severely affected. Possible men-in-the-middle attacks,

***the same as all other websites on the web***
.

VPN services are not affected and we could not expose any private user information. More details are in the blog post.
3. We published a blog post, notified all our followers in Facebook and Twitter, asking to change password for other affected services. There is no need to change passwords for Seed4.Me accounts.
END

This statement above is incorrect:

***the same as all other websites on the web***.

As we previously reported,
Dreamteamdownloads1 was NOT affected in any way by this Heartbleed bug!!, although almost every site on the internet was...

This site is secure, its' members info is kept hidden and can never be traced, as NOTHING is stored on our server and we do NOT run
OpenSSL......

So we are very fortunate indeed that we have the BEST Webmaster, Admins, Staff and Host Server on the net ..
__________________
Nil Carborundum Illegitemi My Advice is Free My Friendship is Priceless

FREEBIES Continue to be a BURDEN on Our Increasing Server/Privacy Costs. Please DONATE Something to HELP...PM an Admin for Further Info.



& Thanks to Those That Have Taken The Time to Register & Become a Member of ... 1...
Ladybbird is online now  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Post New ThreadReply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.
SEO by vBSEO 3.5.2
Designed by: vBSkinworks