lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 10 Apr 2014 10:24:01 +0200
From: Pål Nilsen <paal.nilsen@...il.com>
To: Ronny Lauenstein <Lauenstein@...l.mpg.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

There's probably an "official" place to get ssltest.py, but I put it here
after some guys on IRC asked for it yesterday:
https://ccdn.tracetracker.com/ssltest.py


On 10 April 2014 08:39, Txalin <txalin@...il.com> wrote:

> > How realistic is it that an attacker would be able to glean passwords
> through
> > this vulnerability?
>
> Checked by myself yesterday in some websites with login/pass form in (sites
> from my company, don't blame me). I took less than 2 minutes to get 3
> user/password combinations, so, easy as hell.
>
> PD: First message in FD, hi all!!!
>
>
> 2014-04-10 0:32 GMT+02:00 Craig Holmes <craig@...eaunetworks.com>:
>
> > On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
> > > Even if your systems were patched  an attacker could have already
> > attained
> > > the secrets.
> > >
> > > Certs and other sensitive information need to be reconsidered for
> > > replacement or changed
> > How realistic is it that an attacker would be able to glean passwords
> > through
> > this vulnerability? Programatically searching through 64k memory dumps
> for
> > certificates seems plausible, but looking for passwords does not. A
> > password is
> > of no pre-determined length or format. So unless you know what strings
> are
> > wrapped around it (and those strings are reliably presented), isn't the
> > loss
> > of some types of sensitive information.... unlikely?
> >
> > Cheers.
> > Craig
> >
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ