| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <53465E39.5070007@thelounge.net>
Date: Thu, 10 Apr 2014 11:02:49 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
Am 10.04.2014 00:32, schrieb Craig Holmes:
> On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
>> Even if your systems were patched an attacker could have already attained
>> the secrets.
>>
>> Certs and other sensitive information need to be reconsidered for
>> replacement or changed
> How realistic is it that an attacker would be able to glean passwords through
> this vulnerability? Programatically searching through 64k memory dumps for
> certificates seems plausible, but looking for passwords does not. A password is
> of no pre-determined length or format. So unless you know what strings are
> wrapped around it (and those strings are reliably presented), isn't the loss
> of some types of sensitive information.... unlikely?
it is very realistic and already happened
Anonymous Austria yesterday posted about online banking transactions
with screenshots auf the data-dumps, webmail-accounts and so on
over many hours and for a short tiemframe there where even folder
with thousands of such dumps online
Download attachment "signature.asc" of type "application/pgp-signature" (247 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists