FEPlanet Community
Issue Heartbleed, OpenSSL, FEPlanet, FETO and you.


Heartbleed, OpenSSL, FEPlanet, FETO and you. - sirocyl - 04-11-2014

Recently, a huge, unprecedented and serious hole in OpenSSL, a widely-used free/open-source security and encryption suite, was found and disclosed to the public by security researchers.

Dubbed the "heartbleed" bug, due to its (mis)use of the TLS Heartbeat mechanism, it could display a (somewhat) random 64 KB of memory from the server, without so much as a trace of access, by default.
Repeating the attack, sometimes millions of times, gets enough samples from server memory to include data on the server/being processed, such as:
- Encryption keys and authentication information
- Unencrypted (plaintext) data being passed through encryption, such as passwords, e-mails and session keys
- Anything on the server's RAM at a given time, such as assets, source code, even an SSH session log.

What it means for FEPlanet:
Our webhost, Surpass, uses an insecure version of OpenSSL currently (OpenSSL 1.0.1e-fips 11 Feb 2013) as of 2014-04-11 5:03pm EST.
They have apparently issued a statement about Heartbleed, but I don't see it on any of their public spaces.

If you use the same password on other sites, make sure they've patched their OpenSSL (if applicable), and change those passwords.
Also, don't use the same password on other sites. It's not a good idea.
If you want to change your password here, feel free to, but expect that you will change your password again once they patch the OpenSSL here.
You should change both the FEPlanet Forums, and FETO/oldforums password.

FEPlanet, FETO and our server do not use any public-facing HTTPS/SSL/TLS services. We planned on setting them up for certain functions (admin/management, and the user login page) but we will wait until Surpass updates their OpenSSL implementation.
This does not mean that FEPlanet and FETO are 100% safe, but we can ensure that we have no secure public services which can be bypassed.

An attacker can make their way into the site from our webhost. Your passwords are securely hashed, but if the database tables are leaked, a brute-force attack could crack one password at a time.

What it means for FETO:
Your FETO account is linked to, but independent from, the oldforums account.
If you suspect any suspicious activity or foul play, contact us, and we can mitigate the game from our side.

Anyone caught hacking the game's code without authorization, cracking/penetrating our server's defenses, or accessing specially-privileged areas on FEPlanet or FETO, is subject to investigation and prosecution under the fullest extent of US law, as per the Computer Fraud and Abuse Act.
We take your security very seriously.

No compromise can be confirmed, but it should be assumed that the server is currently INSECURE, and should be treated with skepticism until confirmation from Surpass that they've fixed their implementation of OpenSSL.

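The post above checks the webhost's OpenSSL by its `openssl version` string (1.0.1e-fips). Here is an added example, not part of the original thread, of how an admin can classify such strings by upstream release number; it assumes upstream numbering only, so a vendor build that backported the fix without bumping the letter will still show as "affected" and needs confirmation from the vendor.

```python
import re

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code
# (CVE-2014-0160): 1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release.
# 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the bug.
_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?(?:-\S+)?"
)


def heartbleed_status(version_line: str) -> str:
    """Classify one `openssl version` line as 'affected', 'patched',
    'unaffected' or 'unknown', judging by upstream release number alone.

    Caveat: distributions sometimes backport the fix and keep the old
    version string (e.g. a patched 1.0.1e build), so 'affected' here means
    'assume vulnerable until the vendor confirms otherwise'."""
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"  # not an OpenSSL banner (LibreSSL, garbage, ...)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor) != (1, 0):
        return "unaffected"  # 0.9.8, 1.1.x and later never had the bug
    if patch == 1:
        # 1.0.1 (no letter) up to 1.0.1f are affected; 1.0.1g and later fixed
        return "affected" if letter <= "f" else "patched"
    if patch == 2:
        # only the first 1.0.2 beta shipped the bug
        return "affected" if beta == "1" else "patched"
    return "unaffected"  # 1.0.0x


def hosts_needing_attention(banners: dict) -> list:
    """Return names of hosts whose banner is affected or unrecognised."""
    return sorted(h for h, b in banners.items()
                  if heartbleed_status(b) in ("affected", "unknown"))


if __name__ == "__main__":
    # Constructed inventory; the first banner is the one quoted in the post.
    inventory = {
        "webhost":  "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "mirror":   "OpenSSL 1.0.1g 7 Apr 2014",
        "old-box":  "OpenSSL 0.9.8y 5 Feb 2013",
    }
    for host, banner in inventory.items():
        print(f"{host:8} {banner:35} -> {heartbleed_status(banner)}")
    print("needs attention:", hosts_needing_attention(inventory))
```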

RE: Heartbleed, OpenSSL, FEPlanet, FETO and you. - sirocyl - 04-11-2014

Follow-up: Here's a snippet from an e-mail from Surpass.

Quote: Affected clients:
Our abuse & security team has been auditing servers and if you've received this notice then there is a good chance your server has been affected. We will be taking action on our end to patch the vulnerability on all affected servers as explained below, but there may also be action required on your part to be sure that your SSL certificates are not compromised.

Since we have no SSL-based services, and don't use any certificates, it doesn't directly affect us anymore.

RE: Heartbleed, OpenSSL, FEPlanet, FETO and you. - Falaflame - 04-12-2014

Also, another note.

If your information here links to really sensitive information (i.e. phone number, mailing address, bank account info, etc.), best get it taken care of now. Don't want those hackers snooping around in your personal business.