Old 04-14-2014, 11:41 AM   #1
suesheboy
Confirmed User
 
Join Date: Nov 2002
Location: FL - TN/NC
Posts: 5,211
Heartbleed: Motorola and Google...damn

Been a huge Motorola fanboy since the early 80's...yeah I paid $495 for a beeper and more than $4,000 for my first suitcase cell phone. Like Google too.

My tablet has an OS vulnerable to the Heartbleed exploit and it took until the 5th tech support person to even find someone who knew what it was.

They said to install virus software (won't help with how the exploit works).

They have no idea of when or if they will fix the problem and no mechanism in place to alert people if there is a fix or what to do.

For now I am bringing the tablet back to factory state and waiting. What a fuck up.

I smell a BIG class action suit brewing.
Old 04-14-2014, 12:02 PM   #2
bigluv
Confirmed User
 
Join Date: Jul 2008
Posts: 850
I've found the amount of info is sort of lacking as regards mobile.

I think the mobile threat may be overstated. Really, how many incoming services using SSL are used on mobile where there is an incoming connection from an unknown host? In my experience most mobile networks are NATed anyways, and so is your home WiFi. I haven't seen an in-depth explanation so far, just lists of mobile apps that have been compiled using vulnerable versions.
Old 04-14-2014, 12:10 PM   #3
bigluv
Confirmed User
 
Join Date: Jul 2008
Posts: 850
My experience with guys on the security side of the IT house is usually they have very little ability to measure actual likelihoods or effects. It's all 'the sky is falling' FUD. I've never met a security guy I had any respect for.

Just for fun I just quickly checked any UPnP assigned ports on my home router and I've got nothing for my phone or tablet. So as far as I'm aware all persistent connections are established with the mobile device as the source. Which would mean that Heartbleed is irrelevant in that situation.
Old 04-14-2014, 02:53 PM   #4
suesheboy
Confirmed User
 
Join Date: Nov 2002
Location: FL - TN/NC
Posts: 5,211
From what I understand a malicious (or hacked) web site can get what's in the RAM of affected phones and tablets.

Right now my tablet is going to be used for Netflix and that's it. It will not be replaced by a Motorola one, that's for sure.
Old 04-14-2014, 03:06 PM   #5
slavdogg
Confirmed User
 
Join Date: Jan 2001
Posts: 3,570
Get an iPhone and an iPad
Old 04-14-2014, 03:45 PM   #6
bigluv
Confirmed User
 
Join Date: Jul 2008
Posts: 850
You're right suesheboy, I educated myself a little bit further and some sources claim that the heartbeat requests are two-way, so a client once it has connected to a host of its choosing would be vulnerable. The important part there is a host of its choosing - there's no ability to exploit this without the connection being initiated by the client.
This limitation is pretty seriously limiting though in my opinion.

Therefore, you would have to be visiting a website whose server has and continues to be seriously compromised (not just Heartbleed vulnerable or previously Heartbleed vulnerable) but actually taken over by bad actors. So all the usual caveats about not clicking random crap links sort of apply, and I'm sure Chrome and antivirus and Google search would have a chance to warn you of malware just like usual as soon as they are up to speed. You can pretty easily self police this as far as browsing goes by thinking twice before you use https.

Beyond that, you already did have to evaluate what sites your apps were connecting to, and if some of them might be small enough to be compromised and stay compromised for Heartbleed, so this little wrinkle just ups the ante in that vein a little more.

I think most people when they hear Android 4.1.x is affected think that they are suddenly going to be hit by scanning malware completely foreign to them, but that's not how it works.
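Added example, not part of any post in this thread and not OpenSSL's code: post #6 notes that heartbeat requests are two-way, so whichever side receives one (client or server) has to check the claimed payload length against the bytes it actually got, as RFC 6520 requires. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat layout: type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Hypothetical helper: build the echo for one received heartbeat record.
 * rec/rec_len are the bytes actually received from the peer.
 * Returns the response length, or 0 when the message is silently dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Too short to hold header plus minimum padding, or not a request. */
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The check the vulnerable code lacked: the claimed payload length must
     * fit inside what was really received, or the echo reads past the record
     * into whatever else sits in this process's memory. */
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* zeroed here; RFC 6520 asks for random padding */
    return resp_len;
}

/* Constructed sample: 23 bytes on the wire carrying "ping"; only the
 * 2-byte length field (hi, lo) differs between the two cases below. */
static size_t run_sample(uint8_t hi, uint8_t lo)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, hi, lo, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}
size_t sample_honest(void)    { return run_sample(0x00, 0x04); } /* claims 4 bytes */
size_t sample_overclaim(void) { return run_sample(0x40, 0x00); } /* claims 16384 bytes */
```

The same receive-side check applies whether the code runs in a server or in a client library on a phone or tablet; which peer opened the connection does not change it.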
Old 04-14-2014, 05:03 PM   #7
suesheboy
Confirmed User
 
Join Date: Nov 2002
Location: FL - TN/NC
Posts: 5,211
Quote:
Originally Posted by slavdogg View Post
get an iPhone and an iPad
Funny thing is I have to buy both in order to build out apps, but I don't see myself using them as much. I almost never use my laptop, I use a tablet constantly.
Old 04-14-2014, 05:04 PM   #8
_Richard_
Too lazy to set a custom title
 
Join Date: Oct 2006
Location: Vancouver
Posts: 30,986
Quote:
Originally Posted by bigluv View Post
It's all 'the sky is falling' FUD. I've never met a security guy I had any respect for.
:thumbsup:
Old 04-14-2014, 05:07 PM   #9
suesheboy
Confirmed User
 
Join Date: Nov 2002
Location: FL - TN/NC
Posts: 5,211
bigluv, whoever comes up with the silver bullet can sell it and make a fortune!
Old 04-15-2014, 04:32 AM   #10
PornDiscounts-V
Confirmed User
 
Join Date: Oct 2003
Location: L.A.
Posts: 5,740
You have to have something the hacker wants. Nobody in this thread has something they want. So don't worry about getting hacked.
Old 04-15-2014, 05:00 AM   #11
suesheboy
Confirmed User
 
Join Date: Nov 2002
Location: FL - TN/NC
Posts: 5,211
Quote:
Originally Posted by vvvvv View Post
You have to have something the hacker wants. Nobody in this thread has something they want. So don't worry about getting hacked.
Let's see...webmasters with access to countless web sites' backends...yeah we are low value targets....NOT!
Old 04-15-2014, 08:06 AM   #12
bronco67
Too lazy to set a custom title
 
 
Join Date: Dec 2006
Posts: 29,035
I still don't make credit card transactions on my phone yet...I just don't trust it and don't know if I ever will.