[Novalug] The Washington Post: Major bug called 'Heartbleed' exposes Internet data

Dave Paper novalug@ginch.org
Thu Apr 10 10:31:47 EDT 2014


On Apr 10, 2014, at 10:24 AM, Dave K <novalug@soupy.org> wrote:
> On Thu, Apr 10, 2014 at 07:36:13AM -0400, pereira wrote:
>> List,
>> 
>> this is the guidance I received from the powers that be in the Government:
>> 
>> CPARS/ACASS/CCASS/FAPIIS is requiring a mandatory password reset for all Federal
>> and Contractor users in order to promote increased cyber security in light of
>> the Open SSL Heartbleed vulnerability.  You must reset your password the next
>> time that you log in to the application.  In order to reset your password, please
>> follow the instructions below: (snip)
> 
> This is interesting because it seems to imply active compromise.  Is
> there much evidence that personal data has been stolen in the wild?
> 

You’ve hit the crux of the problem (at least for myself and my .com).  In verifying an Apache server with the affected SSL lib was vulnerable, we didn’t get any log messages indicating that a compromise had taken place. The testing tools on my screen told me that it has.  In lieu of being able to prove (via logs) that the bug hadn’t been exploited, you have to assume that it has, and change passwords/certs along the way.

-dave

--
Dave Paper                          

“The trouble with quotes on the Internet is you never know if they are genuine.” —Abraham Lincoln



