lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3263338.JWVYmVP9h8@weltall>
Date: Wed, 09 Apr 2014 18:32:07 -0400
From: Craig Holmes <craig@...eaunetworks.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
> Even if your systems were patched  an attacker could have already attained
> the secrets.
> 
> Certs and other sensitive information need to be reconsidered for
> replacement or changed
How realistic is it that an attacker would be able to glean passwords through 
this vulnerability? Programatically searching through 64k memory dumps for 
certificates seems plausible, but looking for passwords does not. A password is 
of no pre-determined length or format. So unless you know what strings are 
wrapped around it (and those strings are reliably presented), isn't the loss 
of some types of sensitive information.... unlikely?

Cheers.
Craig


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ