Unconfigured Ad Widget

Collapse

HeartBleed

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • scootle
    CGN/CGSSA Contributor
    CGN Contributor
    • Oct 2010
    • 2702

    HeartBleed

    Seems Calguns.net might want to consider checking their OpenSSL (if not already) and reissuing their certs?

    Not sure if this affects us at CalGuns, but since I'm here almost every day, I thought I'd check.

    Attached Files
    SCC CCW *326 Days, $1051.29*
    Application: 2/27/2023 ($72.33)
    Original Interview: 12/21@1030|Actual: 4/13@0900
    'Informal" email Background complete: 9/19
    Email to schedule Psych: 10/27@1539 ($150)
    Psych Test: 11/3@0800|Psych Interview: 11/9@0900 (Dr.McKenzie)
    LiveScan: 11/9 (UPS Store $93+$25)|Livescan cleared: CA/FBI 11/9, Firearms 11/20
    LiveScan Email: 11/17@0842
    Training Email: 11/29@1007|Instructor: 1/10/2024 SaberTactics ($399+40)|Docs: 1/12
    Approval: 1/17@1346 ($264+$7.96)|Pickup: 1/19@1030
  • #2
    decepticon6551
    CGN/CGSSA Contributor
    • Apr 2011
    • 1484

    I've never seen that before. I use LastPass on Chrome, IE, and Android.

    Originally posted by Paul_R
    A week ago Congress was asking Tide to change their pod designs so teenagers would stop eating them.

    Now this week the media thinks teenagers should determine gun control laws.

    Comment

    • #3
      lazyworm
      Senior Member
      • Jan 2006
      • 1642

      current cert was issued in 2011, so definitely not addressed.

      Kes, layman explanation is that there is a bug with the encryption library called OpenSSL.
      This bug allows anybody to steal the secret encryption key for your web server. This means whomever has your key can also decrypted the traffic to/from calguns.net.

      If the current servers are using version 1.0.1 or 1.0.2, you're vulnerable.

      Fix is a 2 step process
      1) upgrade OpenSSL to a fixed version 1.0.1g
      2) work with your cert issuer to reissue a cert using a new private key.

      I'm sure there are enough techies around to help. Let me/us know.

      You can read further about this at http://heartbleed.com/

      Comment

      • #4
        scootle
        CGN/CGSSA Contributor
        CGN Contributor
        • Oct 2010
        • 2702

        +1 to lazyworm.

        I'm not sure CalGuns.net ever uses SSL since I've never noticed it going to https even when asking for our credentials, but perhaps now is a good time to swap over.

        Regardless, the SSL certs need to be reissued after the patch/update.

        edit: I should add... any and all users should go ahead and use the free checker at LastPass for any and all sites they log into and/or contain personal information: https://lastpass.com/heartbleed/
        (no, I don't work for LastPass, nor am I subscriber to their service.)
        SCC CCW *326 Days, $1051.29*
        Application: 2/27/2023 ($72.33)
        Original Interview: 12/21@1030|Actual: 4/13@0900
        'Informal" email Background complete: 9/19
        Email to schedule Psych: 10/27@1539 ($150)
        Psych Test: 11/3@0800|Psych Interview: 11/9@0900 (Dr.McKenzie)
        LiveScan: 11/9 (UPS Store $93+$25)|Livescan cleared: CA/FBI 11/9, Firearms 11/20
        LiveScan Email: 11/17@0842
        Training Email: 11/29@1007|Instructor: 1/10/2024 SaberTactics ($399+40)|Docs: 1/12
        Approval: 1/17@1346 ($264+$7.96)|Pickup: 1/19@1030

        Comment

        • #5
          TacticalPlinker
          Veteran Member
          • Apr 2011
          • 2532

          Anyone care to elaborate on this virus? There was an "high priority alert" about it earlier today at work, but I did not get a chance to research it.











          (I also got an e-mail about reminding us company policy does not permit "possession of dangerous weapons, firearms, or explosives while on Company owned or leased property". I'm guessing this "reminder" was their "response" to the "incident" this morning in Pittsburgh. )
          .
          .
          ΜΟΛΩΝ ΛΑΒΕ

          Comment

          • #6
            scootle
            CGN/CGSSA Contributor
            CGN Contributor
            • Oct 2010
            • 2702

            Originally posted by TacticalPlinker
            Anyone care to elaborate on this virus? There was an "high priority alert" about it earlier today at work, but I did not get a chance to research it.

            (I also got an e-mail about reminding us company policy does not permit "possession of dangerous weapons, firearms, or explosives while on Company owned or leased property". I'm guessing this "reminder" was their "response" to the "incident" this morning in Pittsburgh. )
            .
            .
            It's not a virus so much as a huge vulnerability in OpenSSL that was recently found.

            Official info is here: http://heartbleed.com/
            A good layman read about the issue is here on LifeHacker: http://lifehacker.com/what-the-heart...you-1560801201
            ars technica: http://arstechnica.com/security/2014...oulette-style/

            As an end user, there is nothing you can do other than wait until you are sure your affected sites update their OpenSSL (if needed) and then re-issue their security certificates before changing your password(s).
            SCC CCW *326 Days, $1051.29*
            Application: 2/27/2023 ($72.33)
            Original Interview: 12/21@1030|Actual: 4/13@0900
            'Informal" email Background complete: 9/19
            Email to schedule Psych: 10/27@1539 ($150)
            Psych Test: 11/3@0800|Psych Interview: 11/9@0900 (Dr.McKenzie)
            LiveScan: 11/9 (UPS Store $93+$25)|Livescan cleared: CA/FBI 11/9, Firearms 11/20
            LiveScan Email: 11/17@0842
            Training Email: 11/29@1007|Instructor: 1/10/2024 SaberTactics ($399+40)|Docs: 1/12
            Approval: 1/17@1346 ($264+$7.96)|Pickup: 1/19@1030

            Comment

            • #7
              ocabj
              Calguns Addict
              • Oct 2005
              • 7924

              This thread is so full of misleading information.

              Read this:


              That lastpass check is useless. Download and compile one these github repos:
              A checker (site and tool) for CVE-2014-0160. Contribute to FiloSottile/Heartbleed development by creating an account on GitHub.



              It actually performs the TLS handshake and tries to exploit the heartbeat memory bound exploit to confirm if the site is vulnerable.

              Code:
              $ ./Heartbleed calguns.net:443
              2014/04/09 18:10:41 calguns.net:443 - SAFE
              
              $ ./heartbleeder calguns.net
              SECURE - calguns.net:443 does not have the heartbeat extension enabled
              Last edited by ocabj; 04-09-2014, 6:23 PM.

              Distinguished Rifleman #1924
              NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
              NRL22 Match Director at WEGC

              https://www.ocabj.net

              Comment

              Working...
              UA-8071174-1