Community First Credit Union's Heart Bleeds


inkrypto

Apr 9, 2014, 10:55:29 AM
to jax...@googlegroups.com
Yep, Educational Community Credit Union or Community First or whatever they call it this week fucking sucks. So don't log in from Starbucks.

Inline image 1

Jordan Wiens

Apr 9, 2014, 11:06:03 AM
to jax...@googlegroups.com
It doesn't matter whether you log in from Starbucks or not. No matter where /you/ log in, anyone else on the internet can steal your info if you're logged in at all and your session information/credentials happen to be in memory at the time they dump it.

Only fix is for them to patch in the fix, recompile without heartbeats, or upgrade the packages that do that for them. 

It's a bad (fun) bug. 
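
The kind of length check the patched code path has to make, shown as an added example that is not part of this thread and not OpenSSL's own code: it follows the heartbeat message layout in RFC 6520 and refuses to echo more payload than was actually received. The names `hb_validate` and `hb_respond`, the zero-filled padding and the sample messages are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HEADER  3u
#define HB_PADDING 16u
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
enum hb_verdict { HB_OK, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Hypothetical helper: msg/msg_len are the bytes actually received in the record. */
enum hb_verdict hb_validate(const uint8_t *msg, size_t msg_len, size_t *payload_len)
{
    if (msg == NULL || msg_len < HB_HEADER + HB_PADDING)
        return HB_TOO_SHORT;                 /* cannot even hold header + padding */
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The length field is sender-controlled: it must fit in what was received. */
    if (claimed > msg_len - HB_HEADER - HB_PADDING)
        return HB_LENGTH_MISMATCH;           /* RFC 6520: discard silently */
    if (payload_len) *payload_len = claimed;
    return HB_OK;
}

/* Echo a request. Returns bytes written to out, or 0 when the message is discarded. */
size_t hb_respond(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    size_t n;
    if (hb_validate(req, req_len, &n) != HB_OK || req[0] != HB_REQUEST ||
        HB_HEADER + n + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HEADER, req + HB_HEADER, n);  /* n is validated, never the raw field */
    memset(out + HB_HEADER + n, 0, HB_PADDING);   /* assumption: zero padding; RFC wants random */
    return HB_HEADER + n + HB_PADDING;
}

int main(void)
{
    /* Constructed samples: 23 bytes received each; the second claims a 16384-byte payload. */
    uint8_t honest[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t lying[23]  = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("honest: %zu bytes echoed\n", hb_respond(honest, sizeof honest, out, sizeof out));
    printf("lying:  %zu bytes echoed\n", hb_respond(lying, sizeof lying, out, sizeof out));
    return 0;
}
```

A build compiled without heartbeat support never reaches this code at all, which is why recompiling without heartbeats also closes the hole.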



inkrypto

Apr 9, 2014, 11:10:30 AM
to jax...@googlegroups.com
holy shit!

Ben Finke

Apr 9, 2014, 11:58:33 AM
to jax...@googlegroups.com
Yeah, Heartbleed stinks (if you're a blue teamer). I wonder how many private keys have been compromised today alone?

-Ben

Ralph Figueroa

Apr 10, 2014, 7:35:33 AM
to jax...@googlegroups.com

This is no surprise. However, the attention this is getting from the media means to me that we may have had a whole lot of breaches happen at once.

Alex Stanford

Apr 10, 2014, 8:34:21 PM
to jax...@googlegroups.com

AND reissue the cert because the priv key may have already been compromised. Patching alone is not enough.

Alex Stanford

Apr 11, 2014, 9:12:48 AM
to jax...@googlegroups.com

Also, be sure that the cert is revoked. Don't buy a new cert and forget to have the old one added to the CRL.

Gene Cronk

Apr 11, 2014, 9:28:53 AM
to jax...@googlegroups.com
XKCD....excellent as always

http://xkcd.com/1354/

Ben Finke

Apr 11, 2014, 9:36:21 AM
to jax...@googlegroups.com
Agreed, excellent as always!!