Two fun facts about IT

choof · 04-8-2014, 02:33 PM

Today is April 8th. For those who may not be up to date in the world of computers, today officially marks the end of Windows XP support. It's probably safe to assume that in the upcoming months, all forms of attacks on the operating system will increase exponentially. If you have XP for personal use, I recommend you either switch to Linux and use XP when not connected to the internet, or upgrade to Win 7. If you work at a place that still uses XP, may god have mercy on your soul.

And secondly!
http://arstechnica.com/security/2014...eavesdropping/

Quote:

The bug, which is officially referenced as CVE-2014-0160, makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version.

While this may not largely affect most of you, if you're currently studying network or systems security (Halogen and litodude come to mind), you should be aware of this bug. The specifics have been leaked into the public as well, so you can find documentation and find out a way to combat it.

**Charu** · 04-8-2014, 02:40 PM

My work station uses Windows XP.

Good thing I never use for anything serious, lmao.

**Pseudo Enigma** · 04-8-2014, 03:05 PM

ugh looks like it's time to go get a job and finally grab a computer that doesn't turn into a pile of shit when it has Win7.

dAnceguy117 · 04-8-2014, 03:08 PM

Quote:

Originally Posted by Pseudo Enigma

ugh looks like it's time to go get a job and finally grab a computer that doesn't turn into a pile of shit when it has Win7.

maybe switch to a lightweight linux distro for now?

**reuben_tate** · 04-8-2014, 03:19 PM

Quote:

Originally Posted by choof

If you work at a place that still uses XP, may god have mercy on your soul.

For anyone that does use XP at the workplace it would probably be best for them to alert their supervisor or superiors; perhaps they are unaware of the situation or the implications of XP no longer getting support.

**igotrhythm** · 04-8-2014, 04:09 PM

Quote:

Originally Posted by reuben_tate

For anyone that does use XP at the workplace it would probably be best for them to alert their supervisor or superiors; perhaps they are unaware of the situation or the implications of XP no longer getting support.

Yeah, and since when have managers of cubicle dwellers worried at all about the problems their workers face? Any Dilbert comic will tell you that the answer is "never."

More info about the so-called Heartbleed bug, which is still making stuff vulnerable after the patch: http://arstechnica.com/security/2014...oulette-style/

**Bluearrowll** · 04-8-2014, 04:21 PM

I work in a test data centre at a bank and a significant chunk of machines are XP run. The UK Government forked out 12 million pounds to Microsoft to continue support for a year. 64KB is a large enough amount of memory that could cause passwords / emails / private keys to be compromised. The timing of the reveal of this bug is very unfortunate.

Useful links on Heartbleed:
http://blog.existentialize.com/diagn...bleed-bug.html

Check to see if a server you care about is affected:
http://filippo.io/Heartbleed

Spenner · 04-8-2014, 04:22 PM

Got XP on all the store computers where I work too, though it's not used for much. But still... having a POS system become vulnerable, yikes.

dAnceguy117 · 04-8-2014, 05:53 PM

(from the OpenSSL bug article)

Quote:

"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."

yep, gotcha. so how long has it been?

Quote:

Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies.

TWO YEARS

WHAT

**Pseudo Enigma** · 04-8-2014, 06:03 PM

Quote:

Originally Posted by Bluearrowll

Check to see if a server you care about is affected:
http://filippo.io/Heartbleed

rip

MrGiggles · 04-8-2014, 06:12 PM

The heartbleed bug is almost as cool as that CryptoLocker thing that came out a while back

almost

**Bluearrowll** · 04-8-2014, 06:13 PM

Quote:

Originally Posted by Pseudo Enigma

rip

This bug attacks HTTPS port 443 - flashflashrevolution is using port 80 and as such would not show up as an infected website. seagateshare where my network drive is hosted on however...

dAnceguy117 · 04-8-2014, 06:20 PM

Quote:

Originally Posted by Pseudo Enigma

rip

the "uh-oh" message doesn't mean the server is vulnerable, it means something else happened during the test.

http://filippo.io/Heartbleed/faq.html#wentwrong

**arcnmx** · 04-8-2014, 06:27 PM

Yeap heartbleed is quite the bug. Stupid simple mistake of passing memcpy the wrong length, huge consequences.

Quote:

Originally Posted by Bluearrowll

64KB is a large enough amount of memory that could cause passwords / emails / private keys to be compromised. The timing of the reveal of this bug is very unfortunate.

Note that you can just repeat the attack over and over to get a new random set of memory from the server each time, so you can obtain a lot more than just 64KB of data with this attack.

And yeah, FFR isn't vulnerable because lolnohttps. Ironically any sites that use no encryption are potentially safer than those that do - at least an attacker needs to be in a privileged position to sniff sensitive data from HTTP.

**Reincarnate** · 04-8-2014, 06:36 PM

I don't know shit about encryption so can someone ELI5 for me -- how does this bug get fixed? What should the average person do to protect him/herself in the meantime?

**igotrhythm** · 04-8-2014, 06:38 PM

Quote:

Originally Posted by Reincarnate

I don't know shit about encryption so can someone ELI5 for me -- how does this bug get fixed? What should the average person do to protect him/herself in the meantime?

Probably change your password--once right away and again when the patch is applied.

**Artic_counter** · 04-8-2014, 06:39 PM

I have heard that AVs will continue to do a good job protecting your computer even though microsoft have closed their support. However, since I know sweet FA about computers, could you please tell me if any of that is true?

**arcnmx** · 04-8-2014, 06:42 PM

Quote:

Originally Posted by Reincarnate

I don't know shit about encryption so can someone ELI5 for me -- how does this bug get fixed? What should the average person do to protect him/herself in the meantime?

For most people the bug goes like this: you login to your email on yahoo (lol), use it normally, etc. Then someone random performs the attack on yahoo: the server might randomly send them your password or the contents of your emails or anything, really.

All you can do to protect yourself is to not use a vulnerable service until they fix it, and change your password once they do. It's easily fixed by updating a system, but that's something someone running a server has to do - not something general users have to worry about.

For server administrators it's also worse than just compromising your user's information, as it could leak private encryption keys as well. Anyone who gets a copy of that suddenly can decrypt and sniff all past and future communications as if the connection were never encrypted at all.

**igotrhythm** · 04-8-2014, 06:43 PM

there is now a Chrome extension to see if a server you're browsing is affected!

https://chrome.google.com/webstore/d...cafdggilajhpic

dAnceguy117 · 04-8-2014, 07:13 PM

in b4 a vulnerability is found in the chrome extension

-----

Quote:

Originally Posted by Artic_counter

I have heard that AVs will continue to do a good job protecting your computer even though microsoft have closed their support. However, since I know sweet FA about computers, could you please tell me if any of that is true?

antivirus software helps deal with malware after it's already on your system. running Windows XP after Microsoft stops providing updates will theoretically make you much more likely to *get* that malware. I'm sure some antivirus software does what it does pretty well, but when you run an OS with widely known and exploited vulnerabilities, you're asking for trouble.

the bigger question imo: why run XP?

------

oh dear I just found something.
http://www.npr.org/2014/04/08/300462...ouble-for-some

Quote:

Mike Eldridge, 39, of Spring Lake, Mich., says that since his computer is currently on its last legs, he's going to cross his fingers and hope for the best until it finally dies.

"I am worried about security threats, but I'd rather have my identity stolen than put up with Windows 8," he says.

...................................

04-8-2014, 03:05 PM	#3
Pseudo Enigma ごめんなさい　(/ω＼) Join Date: Aug 2012 Age: 28 Posts: 2,290	Re: Two fun facts about IT ugh looks like it's time to go get a job and finally grab a computer that doesn't turn into a pile of shit when it has Win7.

04-8-2014, 04:21 PM	#7
Bluearrowll ⊙▃⊙ Join Date: Nov 2007 Location: I live in the last place where you Look. Age: 31 Posts: 7,376	Re: Two fun facts about IT I work in a test data centre at a bank and a significant chunk of machines are XP run. The UK Government forked out 12 million pounds to Microsoft to continue support for a year. 64KB is a large enough amount of memory that could cause passwords / emails / private keys to be compromised. The timing of the reveal of this bug is very unfortunate. Useful links on Heartbleed: http://blog.existentialize.com/diagn...bleed-bug.html Check to see if a server you care about is affected: http://filippo.io/Heartbleed __________________ 1st in Kommisar's 2009 SM Tournament 1st in I Love You`s 2009 New Year`s Tournament 3rd in EnR's Mashfest '08 tournament 5th in Phynx's Unofficial FFR Tournament 9th in D3 of the 2008-2009 4th Official FFR Tournament 10th in D5 of the 2010 5th Official FFR Tournament 10th in D6 of the 2011-2012 6th Official FFR Tournament FMO AAA Count: 71 FGO AAA Count: 10 Bluearrowll = The Canadian player who can not detect awkward patterns. If it's awkward for most people, it's normal for Terry. If the file is difficult but super straight forward, he has issues. If he's AAAing a FGO but then heard that his favorite Hockey team was losing by a point, Hockey > FFR PS: Cool AAA's Terry - I Love You An Alarm Clock's Haiku beep beep beep beep beep beep beep beep beep beep beep beep beep beep beep beep beep - ieatyourlvllol

04-8-2014, 04:22 PM	#8
Spenner Forum User Join Date: Nov 2006 Location: Canada Age: 31 Posts: 2,396	Re: Two fun facts about IT Got XP on all the store computers where I work too, though it's not used for much. But still... having a POS system become vulnerable, yikes. __________________

04-8-2014, 06:12 PM	#11
MrGiggles Senior Member Join Date: Aug 2005 Location: Skaia Age: 21 Posts: 2,846	Re: Two fun facts about IT The heartbleed bug is almost as cool as that CryptoLocker thing that came out a while back almost __________________

04-8-2014, 06:36 PM	#15
Reincarnate x'); DROP TABLE FFR;-- Join Date: Nov 2010 Posts: 6,332	Re: Two fun facts about IT I don't know shit about encryption so can someone ELI5 for me -- how does this bug get fixed? What should the average person do to protect him/herself in the meantime?

04-8-2014, 06:39 PM	#17
Artic_counter FFR Veteran Join Date: Jan 2007 Location: In your anus. Right corner Age: 30 Posts: 1,002	Re: Two fun facts about IT I have heard that AVs will continue to do a good job protecting your computer even though microsoft have closed their support. However, since I know sweet FA about computers, could you please tell me if any of that is true? __________________

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)