CAMPAIGN-5: Ideas to improve Cyberspace, Infrastructure, and the Grid

US-CERT ALERT HEARTBLEED BUG: YOUR FAVORITE WEBSITES ARE SAFE

(HEARTBLEED BUG OPERATING SYSTEM, WEBSITE, AND SERVER VULNERABILITY)

PURPOSE:

This is a brief summary of results for a security check I conducted for the presence of the Heartbleed Bug vulnerability (the most popular websites were checked for the Heartbleed Bug, ESPECIALLY FEMA and the websites important to this community).

-

SCAN RESULTS SUMMARY:

The websites listed below are safe!

-

WHAT WAS DONE:

I independently checked the websites listed below with all tools listed below, and they came back safe.

-

RESOURCES FOR CHECKING WEBSITE VULNERABILITY

(Heartbleed OpenSSL Bug (CVE-2014-0160) test tools):

https://lastpass.com/heartbleed/

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

*GitHub cross-check (partial Alexa list): https://gist.github.com/dberkholz/10169691

-

LIST OF CHECKED WEBSITES:

1. fema.gov/ (is safe, never compromised)

2. fema.ideascale.com/ (is safe, unknown if ever compromised)

3. community.fema.gov/ (is safe, unknown if ever compromised)

4. twitter.com/ (is safe, never compromised)

5. microsoft.com/ (core site and services are safe, never compromised)

------bing.com/ (is safe, never compromised)

6. google.com/ (is patched and safe)

7. aol.com/ (is safe, never compromised)

8. apple.com/ (is safe, never compromised)

9. facebook.com/ (is patched and safe)

10. yahoo.com/ (is patched and safe)

11. mozilla.org/ (firefox) (is patched and safe)

12. godaddy.com/ (is safe, never compromised)

13. akamai.com/ (is safe, unknown if ever compromised)

14. youtube.com/ (is safe, unknown if ever compromised)

15. comcast.com/ (is safe, never compromised)

-------xfinitytv.comcast.net/ (is patched and safe)

-

WHY THIS WAS DISCUSSED:

Apache server software was used at some of the above-listed websites (therefore, there was a potential that they may contain the compromised SSL certificates). The results were that they did not at the time of this scan. The Heartbleed Bug is a vulnerability that recently compromised many websites; specifics are here:

https://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.kb.cert.org/vuls/id/720951

http://heartbleed.com/

Summary of the data that would have been compromised if the vulnerability was present:

1. Primary key material (secret keys)

2. Secondary key material (user names and passwords used by vulnerable services)

3. Protected content (sensitive data used by vulnerable services)

4. Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

-

BE AWARE THAT THE FOLLOWING OPERATING SYSTEMS MAY CONTAIN THE VULNERABILITY:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4

Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11

CentOS 6.5, OpenSSL 1.0.1e-15

Fedora 18, OpenSSL 1.0.1e-4

OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)

FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013

NetBSD 5.0.2 (OpenSSL 1.0.1e)

OpenSUSE 12.2 (OpenSSL 1.0.1c)

-

DISCLAIMER: use this information at your own risk. I am not an expert; I conducted testing of my own websites and decided to post this information for others. The safety of these websites was determined only by using the "resources / tools" mentioned ABOVE. Only the websites listed were checked (their associated apps, e.g. mail or IM, were not checked due to the vast number of 3rd-party software providers); therefore, this information is not all-inclusive.

-

THIS INFORMATION IS MIRRORED AT FEMA NPC HERE:

http://community.fema.govdelivery.com/connect.ti/readynpm/messageshowthread?threadid=45230
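Added example, not part of the original post: a small Python triage helper for the "operating systems that may contain the vulnerability" list above. It parses the version string printed by `openssl version` (or a distribution package version) and reports whether it falls in the upstream range that shipped the vulnerable heartbeat code (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g fixed it). The caveat it encodes is the one that trips people up: distributions backport the fix without changing the "1.0.1e" upstream string, so a package version that is not on the post's list must be checked against the vendor's advisory rather than declared vulnerable or safe from the version number alone. The function names and the sample inventory are assumptions made for this example.

```python
import re

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code
# (CVE-2014-0160): 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g fixed it.
# A build compiled with -DOPENSSL_NO_HEARTBEATS is not affected regardless of
# version; a version-only check like this one cannot see that.
FIRST_AFFECTED = (1, 0, 1, "")
LAST_AFFECTED = (1, 0, 1, "f")

# Distribution package versions the post above lists as shipping the bug.
# These are matched exactly; any other package version in the upstream range
# is reported as "check_vendor_advisory" because distros backport fixes.
LISTED_VULNERABLE_PACKAGES = {
    "1.0.1e-2+deb7u4",    # Debian Wheezy
    "1.0.1-4ubuntu5.11",  # Ubuntu 12.04.4 LTS
    "1.0.1e-15",          # CentOS 6.5
    "1.0.1e-4",           # Fedora 18
}

# 'openssl version' prints e.g. "OpenSSL 1.0.1e 11 Feb 2013"; package strings
# look like "1.0.1e-2+deb7u4". Both carry a leading x.y.z[letters][-betaN].
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_version(text):
    """Return (major, minor, patch, letters, beta) or None if no version found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters, beta = m.groups()
    return (int(major), int(minor), int(patch), letters, beta or "")


def heartbleed_status(version_output, package_version=None):
    """Classify a host as 'vulnerable', 'not_affected',
    'check_vendor_advisory' (upstream range, but a distro package that may
    carry a backported fix) or 'unknown' (unparseable input)."""
    if package_version in LISTED_VULNERABLE_PACKAGES:
        return "vulnerable"
    parsed = parse_version(version_output)
    if parsed is None:
        return "unknown"
    major, minor, patch, letters, beta = parsed
    if (major, minor, patch) == (1, 0, 2) and beta == "beta1":
        return "vulnerable"
    in_range = FIRST_AFFECTED <= (major, minor, patch, letters) <= LAST_AFFECTED
    if not in_range:
        return "not_affected"
    # Upstream range hit: only trust it outright for a plain upstream build.
    return "check_vendor_advisory" if package_version else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a list of (host, version_output, package)."""
    return {host: heartbleed_status(out, pkg) for host, out, pkg in inventory}


# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE_INVENTORY = [
    ("web-01.example", "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-2+deb7u4"),
    ("web-02.example", "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-2+deb7u5"),
    ("web-03.example", "OpenSSL 1.0.1g 7 Apr 2014", None),
    ("web-04.example", "OpenSSL 0.9.8y 5 Feb 2013", None),
    ("web-05.example", "OpenSSL 1.0.2-beta1", None),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it against the output of `openssl version` on each host; a "check_vendor_advisory" result means the upstream string is in the affected range but the package may already carry the backported fix, which is exactly the situation the Debian and Ubuntu entries above illustrate.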

4 votes
Active
Idea No. 7