2NITE(Wed): HeartBleed Exposed. ="Reverse Heartbleed" possible on JellyBean

gary meyer

May 14, 2014, 3:03:18 PM
to stl-mob...@googlegroups.com
There is a presentation on HeartBleed tonight. In reference to that, we had just stumbled on "Reverse HeartBleed", which is used against a JellyBean client device. Just thought I would mention it here, although I doubt we will get into the specifics of "Reverse ..." tonight.


-------- Original Message --------
Subject: Re: [DISCUSS] 2NITE(Wed): HeartBleed Exposed. =Reverse Heartbleed
Date: Wed, 14 May 2014 13:36:50 -0500
From: gary meyer <ga...@sluug.org>
Reply-To: SLUUG general discussion <dis...@sluug.org>
To: dis...@sluug.org


Although we keep talking about what can be stolen from *the server*
in a memory over-read, the same can be done on *the client* as well by
doing "Reverse HeartBleed". Android 4.1.1 is an older version, but
there are still many devices that utilize it. (Apple says iOS has never
included the bad versions of OpenSSL.)

       From 
http://www.ibtimes.co.uk/reverse-heartbleed-leaves-least-55-million-android-smartphones-tablets-risk-1445043:

> While the primary attack vector for those exploiting the heartbleed
> bug was to snoop on traffic coming to and from vulnerable websites,
> the reverse heartbleed bug used the same flawed code to let criminals
> target specific devices - such as Android smartphones and tablets.
>> Google revealed 
>> <http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html> that 
>> a specific version of its mobile operating system - Android 4.1.1 
>> (Jelly Bean) - used the vulnerable version of OpenSSL.


On 5/9/2014 3:40 PM, gary meyer wrote:
>
> At THIS month's general SLUUG meeting @ Graybar (Wednesday 14 May) we
> will learn how to do it!
>
>> Heartbleed Exposed: 
>
>> You will learn the secrets behind Heartbleed, the bug in
>> OpenSSL that has left millions of servers vulnerable to attack.
>> We will have a live coding session to demonstrate how you can exploit
>> the vulnerability to read your server's memory. We will conclude
>> with a discussion of how you can protect your own servers and your
>> data on other people's servers.
>
>> The talk and demo will be by Shane Carr, the president of the
>> Washington University ACM (Association of Computing Machinery).
>> https://acm.wustl.edu/officers
>
>> That will be the main presentation @ 7:30 until 9. At 6:30, we
>> will have a basic/tutorial by Bill Odom on some aspect of the
>> ubiquitous VIM editor. There will be announcements, general Q&A,
>> and a few minutes to socialize in between.
>
> _______________________________________________
> Discuss mailing list
> Dis...@sluug.org
> http://www.sluug.org/mailman/listinfo/discuss
