Cablenut - Broadbandnuts - DSLnuts
News & Announcements => News for Broadbandnuts & DSLnuts => Topic started by: dannjr on April 11, 2014, 11:45:55 am
Lots of info all over the web on the heartbleed bug
I can only say..
Go to any of your websites that are secure.. Change your passwords to something that's at least 14 characters long, letters and numbers... If for some reason in the future a website like your bank or email provider tells you to change your password again, DO NOT ignore it.. Just do it..
A lot of banks still have certificates that are old and outdated..
The amount of work that will go into securing everything again will probably take a long time.
For instance, we have upgraded our firewall 3 times in 1 week (not Cisco).
Cisco, who makes the majority of commercial firewalls, has verified that the bug is in their firewalls and is working as fast as they can to update..
The bug is not something we need to point fingers or argue about; OpenSSL has been secure for 15 or more years.
What you need to do is protect yourself... Make sure your home router firewall is up to date. Check with the manufacturer to make sure it's still a secure piece of hardware. AND change your passwords.
For Asus RT-N66* owners, there is a new firmware out to address this issue and more. This router has gained popularity because it is 1) Open source (meaning you can install DDWRT or Tomato based firmware on it) and 2) It is available everywhere coupled with its features and performance. I personally have had zero issues with this router other than a few resets once in a great while, and a few DHCP issues related to certain IP addresses conflicting with each other (stares at his network printer). Below is the change log. One thing to note is that they update the firmware for this router frequently because of its market position in the arena of being "open source"; it is highly supported so far.
Description ASUS RT-N66R Firmware version 220.127.116.11.374.5517
Security related issues:
1. Fixed remote command execution vulnerability
2. Fixed cross site scripting vulnerability
3. Fixed parameters buffer overflow vulnerability
4. Fixed XSS(Cross Site Scripting) vulnerability
5. Fixed CSRF(Cross Site Request Forgery) vulnerability
6. Added auto logout function. The timeout time can be configured in - Administration--> System
7. Included patches related to network map. Thanks for Merlin's contribution.
8. Fixed password disclosure in source code when administrator logged in.
9. Changed OpenSSL Library from 1.0.0.b to 1.0.0.d. Both OpenSSL versions are not vulnerable to heartbleed bug.
1. Fixed IPTV related issues.
2. Modified the 3G/LTE dongle setting process in quick internet setup wizard.
3. Fixed the Cloud sync problem
4. Fixed Parental control check box UI issues.
5. Modified the FTP/ Samba permission setting UI
6. Modified media server setting UI
7. Samba/ media server/ iTunes server name can be changed.
8. Dual WAN failover now supports failback.
9. Fixed wake on lan magic packet sending issue.
10. Fixed false alarm for samba and ftp permission.
11. Fixed IPv6 related issues.
Special thanks for David and Palula’s research
Remote command execution http://seclists.org/fulldisclosure/2014/Apr/58
Reflected XSS: http://seclists.org/fulldisclosure/2014/Apr/59
The good news is that manufacturers and websites have fixed a lot of the problems, but you still need to be careful.
We upgraded our firewalls twice that week and there are still companies upgrading.
Amazon came up clean and never had the issue.
Banks have either replaced or disabled the heartbeat, which is the reason for the bleed.
We have noticed that we did have a small bleed here for a short time, but it never got to the websites based on the logs.
That's not to say a website can't be hacked or cracked.. It is public.. If you want to be safe, unplug from the internet.
The ASUS above is a good option for a home user.. Unfortunately for us we page memory as high as 2.5gig over just one firewall and can peak at 3gig on the mail server, so our options are limited.
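The "heartbeat" the posts above refer to is the TLS Heartbeat extension; the bleed came from OpenSSL trusting the payload length written inside the heartbeat message instead of the length of the record it actually received. The check below is an added example, not code from this thread or from OpenSSL: it validates a heartbeat record the way the fix (and intrusion-detection rules for Heartbleed) do, using two constructed sample records.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for the Heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: a heartbeat message carries at least 16 bytes of padding

def check_heartbeat_record(record: bytes) -> dict:
    """Validate one TLS record that should carry a heartbeat message.

    Returns {"ok": bool, "reason": str}. The decisive test is the bounds check
    that was missing in OpenSSL 1.0.1 through 1.0.1f: the 2-byte payload_length
    claimed inside the message must fit in the record that actually arrived,
    with room left for the minimum padding. A record failing that check is what
    a Heartbleed detection signature alerts on.
    """
    if len(record) < 5:
        return {"ok": False, "reason": "truncated TLS record header"}
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"ok": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"ok": False, "reason": "record length does not match bytes on the wire"}
    if len(body) < 3:
        return {"ok": False, "reason": "heartbeat message too short"}
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type"}
    # The check the fix added: type byte + 2-byte length + claimed payload + padding must fit.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return {"ok": False, "reason": "payload_length exceeds record: Heartbleed-style over-read"}
    return {"ok": True, "reason": "well-formed heartbeat"}

# Constructed samples (not captured traffic): a TLS 1.1 heartbeat request record,
# header = type 0x18, version 3.2, length 23; body = type 1, payload_length, "ping", 16 bytes padding.
SAMPLE_NORMAL = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * MIN_PADDING
# Same record, but the message claims a 16384-byte payload it does not carry.
SAMPLE_OVERREAD = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00ping" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    for name, rec in (("normal", SAMPLE_NORMAL), ("over-read", SAMPLE_OVERREAD)):
        print(name, check_heartbeat_record(rec))
```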