[VFOSSA] Fwd: OpenSSL HeartBleed security bug

Vu The Binh binh at netnam.vn
Fri Apr 11 15:13:11 ICT 2014


Hi all,

A bit more information on this hot issue ("it's really Bad").

--

It's /really/ bad. Web servers can keep a lot of information in their
active memory, including user names, passwords, and even the content
that users have uploaded to a service. But worse even than that, the flaw
has made it possible for hackers to steal encryption keys, the codes
used to turn gibberish encrypted data into readable information.

With encryption keys, hackers can intercept encrypted data moving to and
from a site's servers and read it without establishing a secure
connection. This means that unless the companies running vulnerable
servers change their keys, even future traffic will be susceptible.

-- 


    Important – Impact of the Heartbleed bug on your ResellerClub Account


It's been a while since there was a computer security bug that we all
had to worry about. Unfortunately, it seems like we may all have been
facing one for two years and not even realized it.

Earlier this week, security researchers announced a security flaw in
OpenSSL, a popular data encryption standard, that gives hackers who know
about it the ability to extract massive amounts of data from the services
that we use every day and assume are mostly secure.

This isn't simply a bug in some app that can quickly be updated - the
vulnerability is on the machines that power services that transmit
secure information, like Facebook and Gmail. Read on to know more about
how this affects you as a ResellerClub Reseller.

In this mail you will find information on:

  * Steps that we are taking
  * Steps that you have to take
  * Know more about the Heartbleed bug

*_Steps that we are taking_:*

  * We have updated the OpenSSL packages installed on all our shared
    hosting servers
  * At 05:30 hrs (GMT) on 11 Apr, 2014 Orderbox will force-terminate all
    active logged in sessions to prevent abuse by any hackers who may
    have exploited this bug.
  * At this time, Orderbox may experience a disturbance of up to 5
    minutes and no orders on Supersite or API will be processed. You
    will be required to log in again to your Control Panel to
    continue managing your account


*_Steps that you have to take_*:

 1. The Heartbleed bug makes it practically impossible to detect history
    of abuse, but to be on the safer side, we strongly recommend that
    you change your Reseller Account passwords and also announce to your
    customers that they should change their passwords.
 2. Hosting and/or SSL Certificate customers with Resellerclub:
      * If you have purchased both hosting and SSL Certificates for an
        installation from ResellerClub, follow *steps a and c* below
      * If you have purchased hosting from ResellerClub and have SSL
        enabled on it with an SSL Certificate from a 3rd party vendor
        for your installation, follow *steps b and c* below
      * If you have purchased SSL Certificates from ResellerClub but
        host with a 3rd party provider, follow *step a* below and
        reinstall the Certificate according to the instructions of your
        hosting provider
     1. You will need to re-issue the SSL certificate from the Orderbox
        control panel by referring to the steps mentioned in the following
        KB article :
        http://manage.resellerclub.com/kb/servlet/KBServlet/faq1094.html
     2. You will need to contact your vendor to re-issue the SSL
        certificate. Once the SSL certificates are re-issued, you need
        to install the new certificates under the hosting packages.
     3. You will need to install the reissued SSL Certificate by
        following the instructions relevant to you from the below options:

        *For cPanel*:
        http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/ActivateSSLOnYourWebsite


        *For Plesk*:
        http://download1.parallels.com/Plesk/PP11/11.5/Doc/en-US/online/plesk-administrator-guide/index.htm?fileName=70920.htm

 3. In case you use the ResellerClub API, we strongly suggest that you
    regenerate your API key by logging into your Control Panel and
    navigating to Settings >> API and clicking on the ‘Regenerate’ icon to
    get your revised API key. Update your API calls to use the new key.
 4. If you have WHM access on the hosting packages that you resell
    through us, you can use the force password reset option in WHM to
    ensure that all your hosting customers change their passwords


*_What is the Heartbleed bug?_*

Heartbleed is a flaw in OpenSSL, the open-source encryption standard
used by the majority of sites on the web that need to transmit data
users want to keep secure. It basically gives you a "secure line" when
you're sending an email or chatting on IM.

Encryption works by making it so that data being sent looks like
nonsense to anyone but the intended recipient.

Occasionally, one computer might want to check that there's still a
computer at the end of its secure connection, so it will send out what's
known as a "heartbeat," a small packet of data that asks for a response.

Due to a programming error in the implementation of OpenSSL, the
researchers found that it was possible to send a well-disguised packet
of data that looked like one of these heartbeats to trick the computer
at the other end of a connection into sending over data stored in its
memory.

*_How bad is that?_*

It's /really/ bad. Web servers can keep a lot of information in their
active memory, including user names, passwords, and even the content
that users have uploaded to a service. But worse even than that, the flaw
has made it possible for hackers to steal encryption keys, the codes
used to turn gibberish encrypted data into readable information.

With encryption keys, hackers can intercept encrypted data moving to and
from a site's servers and read it without establishing a secure
connection. This means that unless the companies running vulnerable
servers change their keys, even future traffic will be susceptible.

*_Additional details can be checked at:_*

http://forums.myorderbox.com/index.php?/topic/4952-massive-security-flaw-thats-taken-over-the-internet/
and www.heartbleed.com <http://heartbleed.com>

Should you require any further information about this email, please feel
free to get in touch with us.

Regards,
Team ResellerClub


On 4/11/14 11:01 AM, Truong Anh. Tuan wrote:
> ----- Original Message -----
>> From: "Thế Hùng Nguyễn" <thehung at vinades.vn>
>> To: "VFOSSA Members" <members at lists.vfossa.vn>
>> Sent: Friday, April 11, 2014 10:44:28 AM
>> Subject: Re: [VFOSSA] Fwd: OpenSSL HeartBleed security bug
>>
>> The banks report that they have all finished fixing it.
> That remains to be seen!
> I think those bank admins only did it for show.
>
> The essence of this bug is that the private key gets leaked. So over the past
> two years, if any attacker already grabbed the private key, they effectively
> hold the key in their hands. Upgrading and patching only keeps the key from
> being lost again; if the key isn't replaced, they can still use the old key
> to open our house as usual :D
> Clear??
>
> Did a quick check for fun and saw right away that ACB Online [1] is still
> using the old key, issued on 04/08/2013 by VeriSign (Class 3 EV [2],
> "extremely high" security :D). I predict ACB will soon sue VeriSign and claim
> the 1.5M USD insurance payout for having SSL and still getting its key
> broken :). Unless VeriSign somehow already went and sent each customer a
> notice about having to re-issue a new key (which I don't believe a company
> like VeriSign wouldn't do, since even iWay did :)
>
> Kind regards,
> Tuan
>
> [1] https://www.acbonline.com.vn/
> [2] http://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates

-- 

Vu The Binh (Mr.) | CEO

NETNAM CORPORATION

18 Hoang Quoc Viet, Cau Giay, Hanoi, Vietnam

(T)+84-4-37 564 907, (F)+84-4-37 561 888, (M)+84-(0)-9 0343 4477

(E) binh.vt at netnam.vn ; binh at netnam.vn (W) www.netnam.vn

--

NetNam - one of the best ISPs and Solution Providers in Vietnam,

specialized in Corporate networks, Managed ICT services & security
solutions.

--

Your Net, We Care!

<http://vn.linkedin.com/in/vuthebinh>
<http://netnamonline.com/marketing/index.html>
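Tuan's point in the quoted reply, and the ResellerClub instructions above, come down to one check a defender can actually run: patching OpenSSL does nothing for a key that may already have been copied, so what matters is whether the certificate, and the public key inside it, changed after the disclosure. The following is an added example, not code from this thread, from ResellerClub, or from any of the posters. It is a stdlib-only Python DER walker that pulls `notBefore` and the SubjectPublicKeyInfo out of an X.509 certificate, flags certificates issued before the Heartbleed disclosure date (7 April 2014, a fact, not taken from the thread), and fingerprints the public key so that an "old" and a "reissued" certificate can be compared. The test certificates it uses are constructed in the block with placeholder issuer, subject and key contents; they are not real CA-issued certificates, and the helper names (`not_before`, `spki_sha256`, `issued_before_disclosure`, `make_test_cert`) are this example's own.

```python
"""Minimal X.509 DER walker: extract notBefore and the SubjectPublicKeyInfo so
an operator can answer two Heartbleed questions about a certificate:
  1. was it issued before the disclosure (so its key may have been leaked)?
  2. after a reissue, did the public key actually change?
Stdlib only; the certificates at the bottom are constructed test input."""
import base64
import hashlib
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was disclosed publicly on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Split the contents of a constructed DER value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        out.append((tag, val))
    return out


def _tlv(tag, content):
    """DER-encode one TLV (used both to build test certs and to re-serialize the SPKI)."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + content


def _parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:                         # UTCTime: YYMMDDHHMMSSZ
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                         # GeneralizedTime: YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unexpected time tag {tag:#x}")


def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armor and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _tbs_fields(der):
    """Children of tbsCertificate with the optional explicit [0] version dropped:
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]             # first child is tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # [0] EXPLICIT version present
        fields = fields[1:]
    return fields


def not_before(der):
    validity = _tbs_fields(der)[3][1]       # validity ::= SEQUENCE { notBefore, notAfter }
    tag, val = _children(validity)[0]
    return _parse_time(tag, val)


def spki_sha256(der):
    """SHA-256 of the DER SubjectPublicKeyInfo: same key => same fingerprint,
    so a reissue that reused the old CSR/key is visible even with a new notBefore."""
    tag, val = _tbs_fields(der)[5]
    return hashlib.sha256(_tlv(tag, val)).hexdigest()


def issued_before_disclosure(der, disclosed=HEARTBLEED_DISCLOSED):
    """True when the certificate predates the disclosure, i.e. it was never reissued."""
    return not_before(der) < disclosed


# ---- constructed test input: structurally valid, unsigned, placeholder contents ----
def make_test_cert(nb, na, key_bytes):
    def utc(s):
        return _tlv(0x17, s.encode())
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                   # version v3
               + _tlv(0x02, b"\x01")                             # serialNumber
               + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
               + _tlv(0x30, b"")                                 # issuer: empty Name (placeholder)
               + _tlv(0x30, utc(nb) + utc(na))                   # validity
               + _tlv(0x30, b"")                                 # subject: empty Name (placeholder)
               + _tlv(0x30, _tlv(0x03, b"\x00" + key_bytes)))    # subjectPublicKeyInfo (placeholder key)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # + empty sigAlg, empty signature


OLD_CERT = make_test_cert("130408000000Z", "150408000000Z", b"OLDKEY")   # issued in 2013, like the thread's example
NEW_CERT = make_test_cert("140410000000Z", "160410000000Z", b"NEWKEY")   # reissued with a fresh key after the patch
SAME_KEY = make_test_cert("140410000000Z", "160410000000Z", b"OLDKEY")   # "reissued" but same key: still exposed
PEM_OLD = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(OLD_CERT).decode()
           + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, c in (("old", OLD_CERT), ("new", NEW_CERT), ("same-key", SAME_KEY)):
        print(f"{name:9} notBefore={not_before(c).date()} pre-disclosure={issued_before_disclosure(c)}"
              f" spki={spki_sha256(c)[:16]}")
```

The date check alone is what Tuan did by eye; the fingerprint comparison is the stronger test, because a certificate reissued against the original CSR gets a new `notBefore` while still carrying the key that was exposed for two years. In practice you would feed `pem_to_der` the PEM you saved before the patch and the one currently served, and require both a post-disclosure `notBefore` and a changed `spki_sha256`.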
