Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: heartbleed OpenSSL bug CVE-2014-0160

From: Pål Nilsen <paal.nilsen () gmail com>
Date: Thu, 10 Apr 2014 13:09:20 +0200
This is pretty nice: https://lastpass.com/heartbleed/
They seem to even have historic data for some sites' certificates.


On 10 April 2014 11:02, Reindl Harald <h.reindl () thelounge net> wrote:




Am 10.04.2014 00:32, schrieb Craig Holmes:

On April 8, 2014 10:21:34 AM Matthew Musingo wrote:

Even if your systems were patched  an attacker could have already

attained

the secrets.

Certs and other sensitive information need to be reconsidered for
replacement or changed

How realistic is it that an attacker would be able to glean passwords

through

this vulnerability? Programatically searching through 64k memory dumps

for

certificates seems plausible, but looking for passwords does not. A

password is

of no pre-determined length or format. So unless you know what strings

are

wrapped around it (and those strings are reliably presented), isn't the

loss

of some types of sensitive information.... unlikely?


it is very realistic and already happened

Anonymous Austria yesterday posted about online banking transactions
with screenshots auf the data-dumps, webmail-accounts and so on
over many hours and for a short tiemframe there where even folder
with thousands of such dumps online



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: