Showing posts with label openssl. Show all posts

Thursday, June 5, 2014

(CVE-2014-0224) OpenSSL upgrade, urgent for certain circumstances


This morning a new OpenSSL advisory was announced: https://www.openssl.org/news/secadv_20140605.txt

CTSC's analysis finds no known exploits at this time, but some deployments are exposed enough that we urge them to upgrade immediately. Everyone else should patch to the latest version of OpenSSL as soon as they can during normal business hours.

Circumstances dictating upgrade ASAP:
  1. Deployments where an OpenSSL server running 1.0.1 (or 1.0.2-beta1) talks to OpenSSL clients. Per the advisory, OpenSSL clients of every version are affected, but the attack only succeeds against a vulnerable server as well, and it requires an attacker positioned between client and server (a man-in-the-middle), who can then decrypt and modify the traffic.
  2. Deployments using Datagram Transport Layer Security (DTLS). The same advisory covers additional DTLS bugs, including an invalid-fragment bug that could potentially be used to run arbitrary code on a client or server.


Services that use SSL should be restarted after upgrading in order to load the new libraries.

Since web browsers in general don't use OpenSSL, the first case is most likely with other (e.g. command-line) applications. We expect the second case to be rare in the Grid community.
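To make the restart advice above checkable, here is an added example (not CTSC's script and not part of the advisory): a POSIX shell function that scans /proc/PID/maps entries for copies of libssl or libcrypto whose on-disk file has been replaced but which are still mapped into a running process. Linux marks such mappings with a "(deleted)" suffix, which means that process is still executing the pre-upgrade code and needs a restart. The sample maps lines at the bottom are constructed for the demonstration, and the library paths in them are assumptions.

```shell
#!/bin/sh
# stale_ssl_maps: read /proc/<pid>/maps lines on stdin and print the distinct
# libssl/libcrypto paths whose file on disk has been replaced ("(deleted)"
# suffix). Such a process still runs the pre-upgrade library and must be
# restarted. Added example, not CTSC's or the OpenSSL project's code.
stale_ssl_maps() {
    # maps format: address perms offset dev inode path [(deleted)]
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)[^ ]*\.so/ { print $(NF-1) }' \
        | sort -u
}

# stale_ssl_pids: walk every process and print "PID COMMAND LIBRARY" for each
# stale mapping, so you know which services to restart. Reading other users'
# maps needs root; unreadable entries are skipped.
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_ssl_maps < "$maps" | while read -r lib; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed demonstration input (paths are assumptions): two stale OpenSSL
# mappings, one current libssl mapping, and a stale libc that must be ignored
# because it is not what this check is about.
SAMPLE_MAPS='7f3a0000-7f3b0000 r-xp 00000000 08:01 394226 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3b0000-7f3c0000 r-xp 00000000 08:01 394227 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3c0000-7f3d0000 r-xp 00000000 08:01 394228 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3d0000-7f3e0000 r-xp 00000000 08:01 1 /lib/x86_64-linux-gnu/libc.so.6 (deleted)'

# Live use on a host, as root, after the package upgrade:  stale_ssl_pids
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
```

On a real host, run stale_ssl_pids as root after upgrading the OpenSSL package; an empty result means every process has loaded the new library. Note that a process that has not yet loaded libssl at all (for example, one that dlopen()s it on first use) will not appear here and is fine once the file on disk is patched.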

If your software is impacted, please let CTSC know so we can help communicate your fix.

Credits:

Monday, June 2, 2014

New CTSC Email Lists for the NSF Cyberinfrastructure Community

Not too long ago, the Heartbleed OpenSSL vulnerability impacted the NSF cyberinfrastructure (CI) community along with many others. CTSC analyzed this vulnerability and published guidance to the community on how CI developers should respond, how users should respond and who was impacted. But we feel we could have done better had we had well-established communication channels to the community.


Based on this experience, CTSC is announcing the creation of three email lists open to the NSF CI community:


  • The CTSC Infrastructure Operators Announce List is an announcement-only list for infrastructure providers (e.g. system administrators, devops) who would like to receive updates about security issues that may impact the systems you run or how you provide services.  Traffic to this list is low and sporadic -- we'll only email you when there is something to tell you.


  • The CTSC Software Developers Announcement List is an announcement-only list for software developers who would like to receive updates about security issues that may impact the tools or frameworks you use, or how you develop software. Traffic to this list is low and sporadic -- we'll only email you when we really have something to tell you.


  • The CTSC Security Discussion List is for anyone in the community with questions about security or for discussions about cybersecurity (e.g. CTSC may discuss the severity of a vulnerability on this list before announcing it on the other two lists). Unlike the announcement lists, discussion is encouraged.  Traffic to this list is currently pretty low, but may change based on community interest and needs.


We hope to see you there!

For the latest information on these lists, please visit http://trustedci.org/ctsc-email-lists/

Thursday, April 10, 2014

Which cyberinfrastructure components are impacted by Heartbleed?

This table captures Heartbleed vulnerability information about CI components that we are aware of. If you have information to add, please send email to info@trustedci.org



Changelog:
  • 4/10 11:02am ET: Added GSI-OpenSSH and MyProxy. Clarified Globus includes GridFTP and GRAM.
  • 4/10 12:17pm ET: Added specific links for MyProxy and GSI-OpenSSH
  • 4/11 7:38am ET: Added HTCondor, changed to Google Spreadsheet
  • 4/11 8:08am ET: Added Perfsonar
  • 4/15 4:12pm ET: Added XSEDE User Portal (4:58pm replaced text with URL)
  • 4/23 3:06pm ET: Added FutureGrid
  • 4/25 8:38pm ET: Added HUBzero

Wednesday, April 9, 2014

Heartbleed: Should I change my password? (And when?)

Yesterday, news of the Heartbleed OpenSSL bug swept the Internet, and lots of web site administrators worked to update software and replace potentially compromised cryptographic keys. Estimates are that this vulnerability affected over half a million websites, and major sites such as Yahoo Mail were vulnerable.


Today people are starting to wonder what this bug means to them, and specifically whether they should change their passwords. It is possible that, as the news spread yesterday, websites were attacked before they were fixed. There is also the possibility that someone exploited this bug secretly during the two years it existed.


It’s easy to say “Yes!” and this is always a safe default, but if you’re like me you have hundreds of passwords and changing them all is a major task. This post is meant to give you some guidance as to which passwords to change and which to change first.


First, figure out your most important passwords and start with those. Think about websites that would cause you real worry if the password were compromised. (Good news for SSH users: SSH isn’t affected by Heartbleed. OpenSSH links OpenSSL's crypto library, but the bug is in OpenSSL's TLS/DTLS heartbeat code, which SSH never uses.) If you’re like me, it’s online banking and other important websites such as my university login and key projects I’m a part of.


Then, figure out whether the websites you use were affected. This list of the top 1000 sites is a good place to start, as is this list from mashable.com. If you don't see a website listed in those places, look to their blog or other sources of support information. Failing that, it’s probably easiest just to assume they were compromised, since it would take more effort to figure that out than to change your password.


Then wait. Waiting may be hard, but there isn’t any point in changing your password until a website has fixed its software and changed its cryptographic keys; a password you set on a still-vulnerable site can leak just like the old one. You can wait to hear from the website or you can test the website yourself. Once they’ve fixed their software and replaced their cryptographic keys, then it makes sense for you to change your password.


And while you’re going around changing all these passwords, take the opportunity to use a password manager and a different password for each site. Using a different password for each site is the most important thing you can do to improve your security, and since you obviously can’t remember that many passwords, a password manager is the best way to do that.


Yes, this is no fun for anyone. Unfortunately security on the Internet is a shared responsibility and while websites do their best to minimize impact on us, sometimes things just don’t work out.

(Edited 4/10 to add link to mashable.com list.)



Tuesday, April 8, 2014

Serious OpenSSL 1.0.1 "Heartbleed" Bug

On Monday, April 7, 2014, the OpenSSL project announced the existence of a serious bug in OpenSSL 1.0.1 through 1.0.1f with the potential of leaking private keys and other sensitive information from affected SSL/TLS clients and servers. The bug is in the implementation of the TLS/DTLS heartbeat extension (RFC 6520) and therefore has been called the "Heartbleed Bug".

Administrators of systems running OpenSSL 1.0.1 through 1.0.1f should promptly install the vendor fix for their operating system (when available) and restart every service that uses the library so the patched code is actually loaded. Administrators of impacted HTTPS servers should obtain a new HTTPS certificate using a newly generated private key after installing the OpenSSL fix, and revoke the old certificate, as the existing HTTPS private key must be treated as compromised due to this OpenSSL bug.
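Both this post and the June 5 advisory post above ask administrators to compare their OpenSSL version against a fixed range, so here is an added example (not CTSC's script and not from the OpenSSL project) that does that comparison in POSIX shell for the upstream version string that `openssl version` prints. It classifies 1.0.1 through 1.0.1f as Heartbleed-affected, anything below the June 2014 fix level (1.0.1h, 1.0.0m, 0.9.8za) as still needing that upgrade, and everything else as fixed or unknown. One caveat a practitioner needs: distributions backport fixes without changing the upstream version letter, so a patched Debian or RHEL build still reports 1.0.1e, and a "heartbleed" or "ccs" result here means "check your package changelog", not "proven vulnerable". The version strings in the demonstration loop are constructed inputs.

```shell
#!/bin/sh
# openssl_status "<output of openssl version>" prints one of:
#   heartbleed  1.0.1 through 1.0.1f (CVE-2014-0160, and everything below)
#   ccs         below the 5 June 2014 fix level: 1.0.1h / 1.0.0m / 0.9.8za
#   fixed       at or above that fix level
#   unknown     not parsable, or a branch these rules do not cover
# Exit status: 0 fixed, 1 needs upgrade, 2 unknown.
# Added example, not CTSC's or the OpenSSL project's code.
#
# Caveat: vendor packages backport fixes without bumping the upstream letter
# (a patched build can still say 1.0.1e), so treat heartbleed/ccs as
# "verify with the package manager's changelog", not as proof.
openssl_status() {
    # second field of e.g. "OpenSSL 1.0.1e 11 Feb 2013"; "-fips" suffixes stay attached
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 2; }
    case "$ver" in
        1.0.1|1.0.1[a-f]*) echo heartbleed; return 1 ;;   # 1.0.1 .. 1.0.1f
        1.0.1g*)           echo ccs;        return 1 ;;   # Heartbleed fixed, CVE-2014-0224 not
        1.0.1[h-z]*)       echo fixed;      return 0 ;;
        1.0.0|1.0.0[a-l]*) echo ccs;        return 1 ;;   # 1.0.0 never had Heartbleed
        1.0.0[m-z]*)       echo fixed;      return 0 ;;
        0.9.8|0.9.8[a-y]*) echo ccs;        return 1 ;;   # 0.9.8 never had Heartbleed
        0.9.8z[a-z]*)      echo fixed;      return 0 ;;   # 0.9.8za and later
        *)                 echo unknown;    return 2 ;;
    esac
}

# Demonstration on constructed version strings. On a real host run:
#   openssl_status "$(openssl version)"
for v in 'OpenSSL 1.0.1e 11 Feb 2013' 'OpenSSL 1.0.1g 7 Apr 2014' \
         'OpenSSL 1.0.1h 5 Jun 2014' 'OpenSSL 0.9.8y 5 Feb 2013' \
         'OpenSSL 0.9.8za 5 Jun 2014' 'LibreSSL 2.0.0'; do
    printf '%-28s -> %s\n' "$v" "$(openssl_status "$v")"
done
```

Because each service may be linked against a different libssl (a vendor package, a privately built copy under /opt, a statically linked binary), run this against every OpenSSL binary on the host, not only the one first in PATH, and confirm the result with the package changelog before concluding anything.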

References: