Warning: Heartbleed Bug And Impact On Video Surveillance

A serious bug, called Heartbleed, has been found in OpenSSL, a widely used implementation of SSL/TLS. It is estimated to impact a vast array of computers (here's a list of 1000 sites vulnerable as of earlier today - Apr 8th). Most sites using open source software are likely impacted. We were impacted and have already fixed it (see our passing test on heartbleed's site).

For more information, see the NY Times article for a high-level overview, or the HN discussion for technical detail.

Because it impacts so many sites, we recommend changing all your passwords.

It could also impact VMS systems and IP cameras if they use OpenSSL. I am not sure which do or do not, but it's certainly worth checking.
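One practical way to start that check is to collect the OpenSSL version string each VMS server or camera reports (from its shell, its web UI "about" page, or the vendor's advisory) and classify it against the affected release range. The script below is an added example written for this post, not IPVM's or OpenSSL's own code. It relies on the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g and 1.0.2-beta2 fixed; the 0.9.8 and 1.0.0 branches never shipped the heartbeat extension). The hostnames and banners in the sample inventory are constructed placeholders.

```python
import re

# Affected range, from the OpenSSL advisory of 7 April 2014 (not from this post):
#   1.0.1 .. 1.0.1f  -> vulnerable      1.0.1g and later -> fixed
#   1.0.2-beta1      -> vulnerable      1.0.2-beta2 and later -> fixed
#   0.9.8.x / 1.0.0.x -> never had the TLS heartbeat extension, not affected
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify_openssl_version(banner: str) -> str:
    """Classify an `openssl version` banner as
    'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"  # not OpenSSL, or a vendor string we cannot parse
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)

    if (major, minor, patch) == (1, 0, 1):
        if beta is not None:
            return "vulnerable"  # 1.0.1 betas predate the fix
        # plain "1.0.1" and letters a..f are vulnerable; g and later carry the fix
        return "vulnerable" if letter <= "f" else "fixed"

    if (major, minor, patch) == (1, 0, 2):
        if beta is not None:
            return "vulnerable" if int(beta) < 2 else "fixed"
        return "fixed"

    if (major, minor) < (1, 0) or (major, minor, patch) == (1, 0, 0):
        return "not-affected"

    return "fixed"  # 1.0.2 final and newer branches


# Constructed sample inventory (placeholder hostnames, constructed banners).
SAMPLE_INVENTORY = [
    ("vms-server-01.example", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("vms-server-02.example", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("camera-lobby.example", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("camera-dock.example", "OpenSSL 1.0.2-beta1"),
    ("nvr-backoffice.example", "GnuTLS 3.2.12"),
]


def find_vulnerable(inventory):
    """Return the hostnames whose reported OpenSSL version is in the affected range."""
    return [host for host, banner in inventory
            if classify_openssl_version(banner) == "vulnerable"]


if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY:
        print(f"{host:28} {banner:32} {classify_openssl_version(banner)}")
    print("needs patching / key rotation:", find_vulnerable(SAMPLE_INVENTORY))
```

One caveat a practitioner should keep in mind: some Linux distributions backport the fix without bumping the version letter (a banner can still read "1.0.1e" after patching), so a "vulnerable" result from the banner alone means "confirm with the vendor or distribution changelog", not "confirmed exploitable". Conversely, a fixed version still needs the certificate and keys reissued and passwords reset, since anything exposed before the patch stays exposed.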

A little more on Heartbleed from the official site:

  • "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software."
  • "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
  • "This bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously."

If anyone has any feedback on video surveillance impact of this, please share.
