HP3000-L Archives

April 2014, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
"Bahrs, Art" <[log in to unmask]>
Reply To:
Bahrs, Art
Date:
Thu, 10 Apr 2014 14:41:50 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (64 lines)
Hi All :)
   Ok... some things to think about concerning the HeartBleed vulnerability....

   - Change your passwords
      - This is a 'DOH'... as we all should be changing our passwords every 45-90 days as a minimum... You do change yours regularly don't you?
   - This is not a new vulnerability!
      - it's been around for a couple years...
      - we must assume that the exploitation of it has been around for some time... just not in the news
   - Remember this hasn't been remediated yet by a WHOLE LOT of sites!
      - this means that we need to keep changing our passwords regularly with a very high frequency until patching is complete
   - Use good passwords...
      - I used 'good' rather than 'strong' for the simple reason of dictionaries and/or Rainbow Tables
      - At least 10+ characters long
      - Use Mixed Case
      - Use Special Characters (@, !, ^, $)
      - SPELL THINGS WRONG intentionally!
           - e.g. EyeR3edB0ok$ instead of IReadBooks

Art "They are out to get us!!! " Bahrs, {insert lots of letters of security credentials for those who care about those things hehehe}


Art Bahrs, CISSP
Security Engineer (Oregon Region)
(971) 282-0927


-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On Behalf Of James B. Byrne
Sent: Thursday, April 10, 2014 6:12 AM
To: [log in to unmask]
Subject: Re: OT OpenSSL-1.0.1 Heartbeat exploit named heartbleed

On Thu, April 10, 2014 08:45, Mark Ranft wrote:
> Might this vulnerability be a concern for MPE posix OpenSSL users?
>
> The product, HP WebWise MPE/iX Secure Web Server, contained Openssl
> 0.9.7d cryptographic/SSL library
>
> And there are those that downloaded OpenSSL for sftp.  The version I
> have is openssl-0.9.6a-mpe.tar.
>

No, any version of OpenSSL prior to 1.0.1 is not affected by this vulnerability as the heartbeat protocol was not introduced before 2012 and
v.1.0.1 was the first release to include it.

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:[log in to unmask]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
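The version rule James gives above (heartbeat arrived in OpenSSL 1.0.1, so older builds cannot carry the bug) is the kind of check an administrator would run over an inventory of hosts. The script below is an added example, not code from the thread; it parses OpenSSL version strings of the forms quoted in the thread (a `openssl version` banner and an MPE tarball name) and flags only builds at or after 1.0.1 for patch verification. The inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Threshold stated in the thread: the TLS heartbeat extension first shipped in
# OpenSSL 1.0.1, so anything older cannot contain the Heartbleed bug.
HEARTBEAT_INTRODUCED = (1, 0, 1, "")

# OpenSSL versions look like 0.9.7d or 1.0.1e: three numbers plus an optional
# patch letter. The letter is captured separately so it can be compared.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

Version = Tuple[int, int, int, str]


def parse_openssl_version(text: str) -> Optional[Version]:
    """Extract (major, minor, fix, patch-letter) from strings such as
    'OpenSSL 0.9.7d 17 Mar 2004' or 'openssl-0.9.6a-mpe.tar'.
    Returns None when no version number is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbeat_era(version: Version) -> bool:
    """True when the build is 1.0.1 or later, i.e. new enough to contain the
    heartbeat code. Tuple comparison is lexicographic and '' sorts before 'a',
    so plain 1.0.1 is ordered before 1.0.1a, matching OpenSSL's own scheme."""
    return version >= HEARTBEAT_INTRODUCED


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version-string) pair to a defender's action."""
    report = {}
    for host, text in inventory:
        version = parse_openssl_version(text)
        if version is None:
            report[host] = "unknown: no OpenSSL version found, inspect manually"
        elif heartbeat_era(version):
            report[host] = "1.0.1 or later: verify patch status, rotate credentials"
        else:
            report[host] = "pre-1.0.1: no heartbeat extension, not affected"
    return report


# Constructed sample inventory (hypothetical hosts, not from the thread).
SAMPLE_INVENTORY = [
    ("mpe-webwise", "OpenSSL 0.9.7d 17 Mar 2004"),   # WebWise bundled library
    ("mpe-sftp", "openssl-0.9.6a-mpe.tar"),          # tarball name as downloaded
    ("linux-proxy", "OpenSSL 1.0.1 14 Mar 2012"),    # first heartbeat-era release
    ("appliance", "vendor firmware, version unknown"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
```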


________________________________

This message is intended for the sole use of the addressee, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the addressee you are hereby notified that you may not use, copy, disclose, or distribute to anyone the message or any information contained in the message. If you have received this message in error, please immediately advise the sender by reply email and delete this message.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

ATOM RSS1 RSS2