Monday, April 14, 2014

HeartBleed Security Issues

From Linden Lab:

Account Safety and the Heartbleed OpenSSL Bug

by Community Manager on 04-10-2014 02:45 PM
Many of you may have read about the Heartbleed SSL vulnerability that is still affecting many Internet sites.

You do not need to take extra action to secure your Second Life password if you have not used the same password on other websites. Your Second Life password was not visible via Heartbleed server memory exposure. 

No site that accepts passwords had the vulnerable SSL heartbeat feature enabled.

If you used the same password for Second Life that you used on a third-party site, and if that third-party site may have been affected by the vulnerability, you should change your password.

Supporting sites such as Second Life profiles are hosted on cloud hosting services. Some of these sites were previously vulnerable to Heartbleed, which may have exposed one of these servers' certificates. As an extra precaution, we are in the process of replacing our SSL certificates across the board. This change will be fully automatic in standard web browsers.

Thank you for your interest in keeping Second Life safe!

From Inara Pey's Living in a Modem World

At their open meeting, Firestorm developers had this to say about Heartbleed:

Heartbleed OpenSSL Vulnerability

0:23:04 JL: How many people have heard of the SSL bug? … well, we looked into what, potentially, in a very worst-case scenario, could happen. And I’ll tell you right now, your [SL] passwords are safe.

0:23:45 JL: So what was the OpenSSL bug? [please also refer to my basic explanation; there is also a list of popular social media and commerce sites which may have been affected on Mashable]
0:24:18 Arrehn Oberlander (via chat): My favourite explanation, in cartoon form

0:25:05 Techwolf Lupindo (TL): Yeah, with client in this case, I’m referring to the browser, not the viewer at all. When the browser communicates with your secure site, as part of the communications to check each other … so that no-one is sniffing-in on the communications. The bug is that as a part of the communications, you can send a request to get some information back, and if you send for more information than what the server has, there was no balance check, and so the server would serve-up its own memory which you shouldn’t have access to begin with, and because of that, what’s in that memory, all kinds of good stuff [is exposed].
0:26:27 JL: So in order for the person to do this, they either have to be the website you’re visiting, or they have to have access to the website that you’re visiting. So this leads us to what websites in regards to Second Life were vulnerable. Linden Lab’s website was not, the Linden viewer was not, our website was not affected.

0:27:03 JL: Our download server was, but we don’t actually use SSL on our download server, so it was not affected.

0:27:11 JL: The Firestorm viewer – this is where we create a panic, oh my gosh! – version 4.5.1 and 4.6.1 do use that OpenSSL, and are affected. But, the likelihood of your viewer being utilised, or a hacker using the Heartbleed bug to get into a viewer … if it happens to you, then immediately go out there and buy lottery tickets, because you’re going to win three times. And even if it does happen, it can’t get your password, because the viewer does not handle the password. The password is sent in a hash, which is sent to the Linden servers, which are not affected.

0:28:10 JL: But if you want to be really paranoid, and I encourage paranoia to a degree, be cautious when you use Media on a Prim, because it can get you through Media on a Prim. Basically, if you connect to a website that’s serving-up Heartbleed and there’s somebody waiting behind it with some client that happens to be vulnerable, it’ll be through Media on a Prim, because you’re serving-up a web page in the viewer or through the viewer’s internal web browser.

0:28:40 JL: So if you want to be paranoid, be strict with your permissions on Media on a Prim, which by the way is OFF by default in Firestorm unless you change that, and when using the internal web browser. So go into Preferences > Network and tell the viewer to use an external browser.

0:29:11 JL: And if you’re really, really paranoid, you can roll-back to version 4.4.2, but I wouldn’t encourage it because then you’re missing out on materials and missing all kinds of fun stuff, fitted mesh, and really, you’re over-reacting if you’re going back to 4.4.2. And if anybody gets hacked through this, I will pay for a new computer for you out of my pocket. That’s how confident I am that you have nothing to worry about.

0:29:40 TL: To exploit the client is a lot more difficult because first you have to trick the user into clicking a bad URL. That’s why my basic recommendation is to turn Media on a Prim off altogether, use an external browser, and make sure your external browser has been recently updated within the last few days.

0:30:12 JL: I should add to that promise I just made … You’re going to have to prove to me beyond a shadow of a doubt that the viewer was exploited using this exploit! I know I’m going to regret having said that!

0:30:32 JL: So really, you’re going to win the lottery before your viewer gets hacked. That’s not to say your computer or website or browser or something … it could happen that way.

0:31:14 Ed Merryman (EM): Just for the record, we will be updating our SSL on the next release.

0:31:57 TL: You’re OK with search. Linden Lab’s search page [in the viewer] is perfectly safe because Linden Lab is always checking that they’re OK and everything. For search or marketplace or anything that’s by Linden Lab, you can safely use the internal browser.

0:32:15 JL: So the bottom line is you guys know I’m usually a pretty paranoid person, especially running the project and everything that could possibly go wrong. And really, you’ve got no worries about the viewer. Especially if you take these precautions … The next version of the browser, it will be fixed … If I thought there was a risk, a real tangible risk, we would have a new release out right now.

0:34:03 I’m guessing that no anti-malware, anti-virus, Firewall etc can help against Heartbleed?

0:34:33 TL: That was the biggest issue of this Heartbleed bug; it left nothing in the web server logs and in the firewalls it doesn’t trigger anything because we had no way to detect it … as far as any anti-malware, anti-virus, they can’t detect it.

0:36:48: Heartbleed is limited to 64K chunks at a time too right? and random 64?

0:36:52 TL: It’s limited to 64K chunks at a time … you can send more than one 64K chunk at a time. So in other words, you can start at memory point zero and go all the way until the server crashes and you have a complete copy of its memory, which holds all kinds of good stuff, including the SSL keys itself. That’s why it’s such a big deal.
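The missing length check TL describes at 0:25:05 and the 64K-per-request limit at 0:36:52, as an added example that is not code from the original post, from Firestorm or from OpenSSL: a simulated heartbeat responder (record layout per RFC 6520) carrying the bounds check that the OpenSSL 1.0.1g fix added, plus a helper that counts how far past the record a check-less responder would have read. The two sample records are constructed, not captured traffic.

```c
/* Added example, not Firestorm or OpenSSL code. Heartbeat record layout
 * (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Heartbleed: the responder trusted payload_length instead of the record size. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed samples: an honest 5-byte request, and one claiming 65535 bytes
 * while carrying the same 5. Both end with 16 padding bytes (24 bytes total). */
static const uint8_t HONEST[24]    = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
                                       0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };
static const uint8_t MALICIOUS[24] = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o',
                                       0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

/* Bytes a check-less responder would copy from beyond the record: claimed
 * length minus what is really present. Pure arithmetic, nothing is read. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    size_t claimed   = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - 3;          /* bytes after the 3-byte header */
    return claimed > available ? claimed - available : 0;
}

/* Hardened responder: echo the payload only when the record really holds it.
 * Returns bytes written to out, or -1 when the request is rejected. */
long heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check 1.0.1g added: header + claimed payload + padding must fit the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (3 + payload + HB_PADDING > out_cap) return -1;   /* never overrun the reply buffer */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);          /* real code uses random padding */
    return (long)(3 + payload + HB_PADDING);
}

int main(void) {
    uint8_t out[64];
    printf("honest: overread=%zu reply=%ld\n", heartbeat_overread(HONEST, sizeof(HONEST)),
           heartbeat_reply(HONEST, sizeof(HONEST), out, sizeof(out)));
    printf("malicious: overread=%zu reply=%ld\n", heartbeat_overread(MALICIOUS, sizeof(MALICIOUS)),
           heartbeat_reply(MALICIOUS, sizeof(MALICIOUS), out, sizeof(out)));
    return 0;
}
```

The malicious record is the one-request case behind the 64K figure: a 16-bit length field can claim at most 65535 bytes, so each unchecked request leaks up to that much, and the hardened responder simply drops it.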
