Heart Bleed for Heat Beat

Overview:  The Heartbleed Bug is a serious vulnerability that allows outside attackers to steal sensitive information on an otherwise believed to be secured connections for example: https (ie: http over ssl/tls), secure email and VPN. All done without leaving a trace.
For more details:  http://heartbleed.com/
Visit me at:  http://community.linuxmint.com/tutorial/view/1628

---

Heart Bleed Bug

• What ain't Broken?

• What is Broken?

• What is fixed?

What was Not Broken by Heart Bleed?

• Major Components

• SSL
• SSH
• Heart Beat

• OpenSSL before 1.0.1

• Non OpenSSH/OpenSSL implementations

What is Broken?

• OpenSSH/OpenSSL Heart Beat implementation

• 1.0.1 Branch
• 1.0.2-beta Testing Branch

• Yep, it's an Implementation error

What is fixed?

• OpenSSL v1.0.1g

  OpenSSL v1.0.2-beta2

• Distropatch by each distro

• Built on/after 7apr2014
• These not necessary be 1.0.1g
• 

  How to check?

• openssl version -a
• Look for build date
  

Some more Checking?

• Launch Package Manager

  • Eg: Mint Synatic Package Manger

• Search/Filter for “ssl” installed

  • Eg: libssl1.0.0, openssl

• Select libssl1.0.0 and [Get Changelog]

  • Look for CVE-2014-0160 fix

• CLI - Mint13

  • apt-get changelog openssl
  • apt-get changelog libssl1.0.0 
    

What to look for :?

• CVE-2014-0160  fix

• 1.01-4ubuntu5.12 for Mint13

Anything Else?

• Yes, Google for the rest :)

• This is meant As a Simple Guide

• After Patch, Look for??

• Generate New Certificates
• Revoke Old Certificates
• Get all End users to Change Passwords
• Other Details
  • Check with your Service Provider eg: Online Mail, Ruby Rail etc...

• Remember not all OpenSSH/OpenSSL is affected!

20140421