
About Heartbleed and strange things...

Sparky83
Honored Guest
Hello everyone!

I heard about Heartbleed yesterday, a few hours before the Oculus site went down. (Clever idea, by the way, to call this SSL thing Heartbleed to get all those lazy people to say: "Whoa, Heartbleed, this sounds serious! :shock: I'd better get some information about that one... :? ")

When I was browsing the forums, something strange happened. I'll show you in this screenshot (translation follows):

"translation" wrote:
When trying to access developer.oculus.com, you actually reached a server called *.cloudfront.net. This may be due to a misconfiguration, but it may also have more serious causes. Maybe a hacker is trying to lure you to a fake and potentially dangerous version of developer.oculus.com. Do not proceed, especially if this alert has never appeared on this website before.

Ok, this is bad!
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/cloudfrontnet/6529b96a-0d08-4597...

So how did this happen?

Another thing is that on twitter, this is shown by Oculus:

So why is there no post about the status, now the site is back online? Are there still issues that need to be fixed? I guess so, because for me, the forums look like this since today:


Please fix this. 🙂
Previously owner of DK1, finally owner of DK2.
54 replies

geekmaster
Protege
There was a discussion here that may provide more details, ideas, and speculation:
http://www.mtbs3d.com/phpBB/viewtopic.php?f=140&t=19466

It is good that they are back online so fast. I hope all the important patches and updates have been (or will soon be) applied. I have already had to reset my password twice in two weeks because of OculusVR security problems. I hope we can avoid that for a while.

But I am thanking the heroic Oculus techs that this "external storage" part of my shared mind is back online so that *I* can access it again!

nalex66
MVP
Yeah, I've been curious about what's happened with the whole Heartbleed thing, especially since I wasn't prompted to change my password after the site came back online. I've been waiting for some sort of announcement or official comment all day.

DK2, CV1, Go, Quest, Quest 2, Quest 3.


Try my game: Cyclops Island Demo

ganzuul
Honored Guest
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

And it truly, honestly is. One of the cornerstones of the modern internet got annihilated. It won't be and cannot be rebuilt. A replacement has to be made, by people who have absolutely nothing to do with the original.

There are no funds for such a project. Unless the popular press picks this up for the outrage that it is there will probably not be any funds either.

What Heartbleed means is that the little lock icon in the address bar of your browser has since 2011 been an utter lie. If you used some sort of web based system to vote in e.g. municipal elections then voting secrecy has been violated.

ThreeEyes
Explorer
There are a number of site checkers now coming online to see if people's favorite https websites were or are vulnerable to the Heartbleed bug. As an aside, the name comes from heartbeats used to tell if a user is still on a website or not. That was where the vulnerability was in the OpenSSL package.

Anyway, here is a nice checker if people are interested: https://lastpass.com/heartbleed

And here is the output from running developer.oculus.com through it:

Detected server software of nginx/1.4.7
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for developer.oculus.com valid 6 months ago at Oct 21 00:00:00 2013 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.


So during the downtime on this website, we can probably assume that they updated their OpenSSL package to the latest one, but the fact that Oculus has not regenerated their certificates means that https conversations with Oculus aren't really secure yet. If someone used the Heartbleed vulnerability to get their keys and other information (it allowed reading memory on the vulnerable host; see heartbleed.com for more information if curious), they could still use those to decrypt people's communications. I have no idea how likely that is, but I don't have anything here of real value and have been watching my credit card closely since the last abrupt website downtime a week or so ago.

Until Oculus updates their certificate (and people's computers will probably tell them it has spotted a new certificate), communications can be eavesdropped. As Oculus was probably vulnerable before, people's passwords may have been compromised. Researchers discovered Heartbleed, and others are setting up honeypots to see how much it is being used in the wild, but now that the cat is out of the bag, it's hard to use the incidents seen now to know whether the vulnerability was being exploited before, by whom, and against whom. You should definitely update your password once Oculus updates their certificate, and you might want to do it now too.

I bet the certificate houses are snowed right now, though, and it might be a while before all https websites get completely cleaned up.

As another aside, this vulnerability was in place for two full years before it was discovered. Https communications have been vulnerable everywhere that uses OpenSSL from the moment they updated to the first vulnerable release.

An interesting quote from heartbleed.com:

What leaks in practice?

We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.


People might want to look around at other https websites they may use and see if they might have been vulnerable as well. This one was big and it left a lot of valuable stuff wide open to further compromise.
But... but... but... I just NEED to know about the Baba! The Baba has me hypmotized! :shock:
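The memory over-read ThreeEyes describes above ("it allowed reading memory on the vulnerable host"), as an added example that is not part of the original thread and is not OpenSSL's own source. It models the heartbeat handler (tls1_process_heartbeat in OpenSSL 1.0.1 through 1.0.1f) and the bounds check that 1.0.1g added, side by side. The memory image, the record contents and the "secret" bytes next to the record are constructed for the demonstration; the response padding is zeroed here where OpenSSL used random bytes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* RFC 6520 heartbeat message: type | payload_length (2 bytes, big-endian) | payload | padding */
#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_HEADER_LEN     3
#define HB_MIN_PADDING    16

/* Constructed memory image (not captured data): a 24-byte heartbeat record whose
 * length field claims 64 payload bytes although only 5 were sent, followed by
 * unrelated data that happens to sit next to it in process memory. */
static const unsigned char memory_image[] =
    "\x01"              /* TLS1_HB_REQUEST */
    "\x00\x40"          /* payload_length = 64: the lie */
    "hello"             /* the 5 payload bytes actually on the wire */
    "PPPPPPPPPPPPPPPP"  /* 16 bytes of padding */
    /* end of the record (24 bytes); everything below is adjacent memory */
    "session=9f3a; user=alice; password=hunter2; card=4111-1111-1111-1111\n";
#define RECORD_LEN (HB_HEADER_LEN + 5 + HB_MIN_PADDING)

/* A well-formed record: payload_length matches what was actually sent. */
static const unsigned char honest_record[] =
    "\x01" "\x00\x05" "hello" "PPPPPPPPPPPPPPPP";

/* Builds the response: type, echoed length, echoed payload, padding. */
static int build_response(const unsigned char *payload_start, unsigned int payload,
                          unsigned char *out, size_t out_cap)
{
    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);                  /* s2n() */
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER_LEN, payload_start, payload);     /* echo the payload */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING); /* OpenSSL used random bytes here */
    return (int)resp_len;
}

/* Vulnerable handler: payload_length comes from the peer and is never compared
 * with the record length, so the memcpy above reads past the record. */
int hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];               /* n2s() */
    p += 2;
    (void)rec_len;                                           /* the bug: never consulted */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return build_response(p, payload, out, out_cap);
}

/* Fixed handler: the two bounds checks from the 1.0.1g patch. */
int hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap)
{
    if (HB_HEADER_LEN + HB_MIN_PADDING > rec_len)
        return -1;            /* too short to hold type, length and minimum padding */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return -1;            /* claimed payload exceeds the record: discard silently */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return build_response(p, payload, out, out_cap);
}

/* Returns 1 if needle appears anywhere in the response bytes, else 0. */
int response_contains(const unsigned char *resp, int resp_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; resp_len > 0 && i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[128];
    int n = hb_respond_vulnerable(memory_image, RECORD_LEN, resp, sizeof resp);
    printf("vulnerable handler returned %d bytes; payload echoed back:\n  ", n);
    for (int i = HB_HEADER_LEN; i < n - HB_MIN_PADDING; i++)
        putchar(resp[i] >= 32 && resp[i] < 127 ? resp[i] : '.');
    putchar('\n');
    printf("fixed handler on the same record: %d\n",
           hb_respond_fixed(memory_image, RECORD_LEN, resp, sizeof resp));
    printf("fixed handler on an honest record: %d bytes\n",
           hb_respond_fixed(honest_record, sizeof honest_record - 1, resp, sizeof resp));
    return 0;
}
```

The vulnerable handler answers the 24-byte record with an 83-byte response whose payload carries 43 bytes from beyond the record, including the neighbouring password; the fixed handler drops the same record without replying, which is why the attack leaves nothing in the server's logs and why exploitation cannot be ruled out after the fact, as the thread notes.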

nalex66
MVP
I've been checking sites that I have log-in info with using this tester: https://www.ssllabs.com/ssltest/index.html. Online banking sites, etc. have all come back clean. The only compromised sites I've used seem to be Oculus VR and Yahoo.

Oculus now tests as "not vulnerable to Heartbleed", but I read a story about Heartbleed earlier that specifically mentions Oculus VR as a compromised site.

DK2, CV1, Go, Quest, Quest 2, Quest 3.


Try my game: Cyclops Island Demo

ThreeEyes
Explorer
"nalex66" wrote:
I've been checking sites that I have log-in info with using this tester: https://www.ssllabs.com/ssltest/index.html. Online banking sites, etc. have all come back clean. The only compromised sites I've used seem to be Oculus VR and Yahoo.

Oculus now tests as "not vulnerable to Heartbleed", but I read a story about Heartbleed earlier that specifically mentions Oculus VR as a compromised site.


Since the attack is apparently totally quiet, I don't know how someone could say they were a compromised site unless they acknowledged this to someone else, or someone has copies of data from here to prove they were able to pull off the compromise. I think all that can really be said otherwise is that Oculus was vulnerable.

Even if the website itself is no longer vulnerable, its https communications still are if someone stole a copy of its certificate. This will remain true until they regenerate their certificate and cancel the old one, so that nobody can impersonate their website or listen in on https communications (including web orders).
But... but... but... I just NEED to know about the Baba! The Baba has me hypmotized! :shock:

nalex66
MVP
Sorry, I guess I should have said "vulnerable site", not "compromised". The implication was just that they were using OpenSSL, not that there was a known breach.

Here's the story where Oculus was mentioned: https://www.yahoo.com/tech/heres-what-you-need-to-know-about-the-heartbleed-bug-82120054478.html.

DK2, CV1, Go, Quest, Quest 2, Quest 3.


Try my game: Cyclops Island Demo

ThreeEyes
Explorer
No problem.

The big issue with Heartbleed is that, since it is quiet, admins don't know whether their sites were actually compromised unless someone holds up the goods and says "look what I did".

But if they do anything of value (like accepting credit card information over the web) they end up having to do everything just as if they had been compromised. Or at least they should.

Since it allows stealing logins and passwords, it also opens the door to admin accounts depending on how those are done. If an attacker gets that kind of information they can install all sorts of fun things.

But the issue was discovered by researchers, and it seems nobody is known to have been compromised by anyone attacking this vulnerability, but who really knows? Two years is a big window.

Also, as to monitoring and decrypting encrypted communications, someone needs access to the data stream to do that, which makes real monitoring of someone's data unlikely unless it's the government or someone at your ISP, etc., doing the monitoring and decrypting.

The possibilities of Heartbleed are huge but for whatever it's worth, my take is that once a site removes the vulnerability things are "probably" OK for most people. I'd still change my passwords though.
But... but... but... I just NEED to know about the Baba! The Baba has me hypmotized! :shock:

ThreeEyes
Explorer
And rebuilds. I think if they have admin accounts and passwords that can be accessed from the outside, then they have to understand that they could have backdoor utilities on board, and they have to rebuild to get rid of those, or use something that can guarantee there are no lurking compromises.
But... but... but... I just NEED to know about the Baba! The Baba has me hypmotized! :shock: