Quote: SAN FRANCISCO — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.
On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the "Heartbleed Bug" and urged users to change not just the password for its site but for all others as well.
But signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless because if a site has not fixed the problem hackers could just as easily steal the new password.
Although security analysts wouldn't go as far as telling users to stay off the Internet completely, they said users should avoid doing anything sensitive like online banking. If it's necessary to go online, check to see whether a service has said whether they are affected or whether they have fixed the problem.
"The scope of this is immense," said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. "And the consequences are still scary. I've talked about this like a 'Mad Max' moment. It's a bit of anarchy right now. Because we don't know right now who has the keys and certificates on the Internet right now."
http://www.latimes.com/business/la-fi-web-vulnerability-20140409,0,3935723.story#ixzz2yM6eZlwI
To fix the error go to www.openssl.org the front page has the link to the fixit.
Good Luck Jim
Quote: 98Clubs
Not mild at all, Linux users should check their openssl file (use SEARCH with term 'openssl'), and know what version is installed. Any 101 version needs replacement with 101g. Supposedly all the 100 versions are immune. The real problem is of course at the other end, the website taking payments, storing e-mail, clouding, etc. Password-delta is in order.
The Ubuntu updater just updated me from 1.0.1c to 1.0.0. I guess they are not ready with 1.0.1g.
There are a few sites that can help validate if a site you're connecting to is vulnerable - Yahoo was vulnerable for most of yesterday.
http://filippo.io/Heartbleed/
http://possible.lv/tools/hb/
Monday night I was frantically patching my 400-server environment. Ridiculous that this big of a bug was around for over 2 years.
As of last night - via filippo.io - openssl.org itself was vulnerable.
http://openssl.org IS VULNERABLE.
Here is some data we pulled from the server memory:
(we put YELLOW SUBMARINE there, and it should not have come back)
([]uint8) {
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 14 69 bd d4 e8 09 23 8c |UBMARINE.i....#.|
00000030 0c d1 dd 67 9d 71 31 bb e4 d9 f0 2c 12 33 2e 00 |...g.q1....,.3..|
00000040 05 00 05 01 00 00 00 00 00 0a 00 08 00 06 00 17 |................|
00000050 00 18 00 19 00 0b 00 02 01 00 00 0d 00 0a 00 08 |................|
00000060 04 01 04 03 02 01 02 03 ff 01 00 01 00 c0 0c c0 |................|
00000070 02 00 05 00 04 00 15 00 12 00 09 00 0e f2 b8 47 |...............G|
00000080 fe a5 ae 72 46 9b 81 31 ef 65 60 b3 |...rF..1.e`.|
}
and here is a tweet with a screen capture of what happens when they point the exploit at Yahoo -
https://twitter.com/markloman/status/453502888447586304/photo/1
Insane stuff.
The flaw apparently has been around forever and known about for some time, but no one knows how often it's been used.
Seems strange that these things exist and that there is not one central trusted source TestMyMachineDotCom.
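As an added example, not part of this thread and not OpenSSL's code, here is a small C program that decodes the 140 bytes dumped above as the RFC 6520 heartbeat record they are: a type byte, a 16-bit payload_length, the payload, then at least 16 bytes of padding. The byte array is the dump transcribed; the assumption that the probe's own payload was the 37 bytes readable in the ASCII column ("heartbleed.filippo.io" followed by "YELLOW SUBMARINE") is mine, as are all the names. The parser applies the length check that the patched OpenSSL added, so a record whose claimed payload does not fit inside it is refused rather than read past its end.

```c
/* Added example (not from the thread or from OpenSSL): decode the heartbeat
 * response dumped above and measure how much of it the probe never sent. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 140 bytes from the dump above, transcribed verbatim. */
static const uint8_t captured[140] = {
    0x02,0x00,0x79,0x68,0x65,0x61,0x72,0x74,0x62,0x6c,0x65,0x65,0x64,0x2e,0x66,0x69,
    0x6c,0x69,0x70,0x70,0x6f,0x2e,0x69,0x6f,0x59,0x45,0x4c,0x4c,0x4f,0x57,0x20,0x53,
    0x55,0x42,0x4d,0x41,0x52,0x49,0x4e,0x45,0x14,0x69,0xbd,0xd4,0xe8,0x09,0x23,0x8c,
    0x0c,0xd1,0xdd,0x67,0x9d,0x71,0x31,0xbb,0xe4,0xd9,0xf0,0x2c,0x12,0x33,0x2e,0x00,
    0x05,0x00,0x05,0x01,0x00,0x00,0x00,0x00,0x00,0x0a,0x00,0x08,0x00,0x06,0x00,0x17,
    0x00,0x18,0x00,0x19,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x0d,0x00,0x0a,0x00,0x08,
    0x04,0x01,0x04,0x03,0x02,0x01,0x02,0x03,0xff,0x01,0x00,0x01,0x00,0xc0,0x0c,0xc0,
    0x02,0x00,0x05,0x00,0x04,0x00,0x15,0x00,0x12,0x00,0x09,0x00,0x0e,0xf2,0xb8,0x47,
    0xfe,0xa5,0xae,0x72,0x46,0x9b,0x81,0x31,0xef,0x65,0x60,0xb3
};

/* Assumption: the probe's own payload was the 37 bytes readable in the
 * ASCII column of the dump. */
static const char sent_payload[] = "heartbleed.filippo.ioYELLOW SUBMARINE";

struct analysis {
    int      ok;           /* 1 if the record is well-formed */
    unsigned type;         /* 1 = heartbeat_request, 2 = heartbeat_response */
    unsigned payload_len;  /* the 16-bit length field as sent */
    size_t   padding_len;  /* record bytes after the payload (RFC 6520: >= 16) */
    size_t   leaked;       /* payload bytes beyond what the probe sent */
};

/* RFC 6520 layout: type(1) | payload_length(2) | payload | padding(>=16).
 * The bounds check is the one the patched OpenSSL added: a claimed payload
 * that does not fit inside the record (leaving 16 bytes of padding) is
 * rejected instead of being read past the end of the buffer. */
struct analysis analyze(const uint8_t *rec, size_t rec_len)
{
    struct analysis a = {0, 0, 0, 0, 0};
    if (rec_len < 3)
        return a;
    unsigned plen = (unsigned)rec[1] << 8 | rec[2];
    if ((size_t)1 + 2 + plen + 16 > rec_len)   /* the check Heartbleed lacked */
        return a;
    a.ok = 1;
    a.type = rec[0];
    a.payload_len = plen;
    a.padding_len = rec_len - 3 - plen;
    size_t sent_len = sizeof sent_payload - 1;
    /* Only count bytes as leaked when the response really starts with our
     * probe payload; everything after that prefix came from the responder. */
    if (a.type == 2 && plen >= sent_len && memcmp(rec + 3, sent_payload, sent_len) == 0)
        a.leaked = plen - sent_len;
    return a;
}

int main(void)
{
    struct analysis a = analyze(captured, sizeof captured);
    if (!a.ok) {
        puts("malformed heartbeat record");
        return 1;
    }
    printf("type=%u payload_len=%u padding=%zu leaked=%zu bytes\n",
           a.type, a.payload_len, a.padding_len, a.leaked);
    const uint8_t *leak = captured + 3 + (sizeof sent_payload - 1);
    for (size_t i = 0; i < a.leaked; i++)
        printf("%02x%c", leak[i], (i % 16 == 15 || i + 1 == a.leaked) ? '\n' : ' ');
    return 0;
}
```

Run as is, it reports type 2 (heartbeat_response), a claimed payload of 121 bytes, 16 bytes of padding and 84 payload bytes the probe never sent: 1 + 2 + 121 + 16 is exactly the 140 bytes of the dump, and everything from offset 0x28 onward was read out of the responder's memory. Calling analyze() on a truncated copy of the same record makes it refuse the message, which is also what a patched server does with the malicious request: it drops it without answering, which is why the poster expected YELLOW SUBMARINE not to come back.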
Quote: chickenman
That's pretty surprising as one would think these things would get extensively stress tested over all possible conditions.
Except for safety-critical systems that exist to do a very limited set of tasks, most software systems are not tested over all possible conditions... it's just not feasible to do so. OpenSSL is an open source project that no-one pays for, developed by the community at large. This gives many benefits for security (as open source makes it easier for third parties to check, find and publish flaws). On the flip side, it gets used a lot, in many places, so any flaws have wide-ranging repercussions.
Use a password manager. Use two-step verification where offered, especially with the password manager.
This Heartbleed thing is a mess, much bigger than the public has grasped (yet).
Quote: TerribleTom
Yeah, change your passwords. Then consider changing the e-mail that's associated with your financials (bank, CC, etc.) and then changing the password again.
Use a password manager. Use two-step verification where offered, especially with the password manager.
This Heartbleed thing is a mess, much bigger than the public has grasped (yet).
As I'm a little concerned here, what you are suggesting is to open a new email address, change the email address as well as the password, then change the password again after, let's say a day or so?
I know my way around a computer but I am by no means a techno-savant.
Thanks for any info guys
Thanks very much for the test link.
**EDIT** It appears that most important websites involving business/bill-pay have simply DISABLED TLS extension 15 (the heartbeat).
Hope this helps
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
LastPass was compromised, but they use two-way encryption and perfect forward secrecy.
Quote: Tomspur
As I'm a little concerned here, what you are suggesting is to open a new email address, change the email address as well as the password, then change the password again after, let's say a day or so?
I know my way around a computer but I am by no means a techno-savant.
Thanks for any info guys
That's the hyper paranoia talking.
Quote: Mosca
LastPass was compromised, but they use two-way encryption and perfect forward secrecy.
I was just about to post a question asking if anyone on this forum had used LastPass, and whether they would recommend it. I'm looking for an effective, easy-to-use, (free) password manager, and LastPass has received great reviews.
Quote: paigower
ridiculous that this big of a bug was around for over 2 years
This is the part of the story I don't understand. If Heartbleed has been around for 2 years, worrying about it now is a bit like frantically closing the barn door after the horse is long long gone. Yes, the public should change our passwords and yes, the computer engineers should fix the flaw. But if the bad guys have been exploiting this thing for 2 years the damage is already done. If the bad guys just learned about it this week, maybe there's not much to worry about if the big tech firms (and the banks) have thoroughly fixed it.
Quote: TerribleTom
This Heartbleed thing is a mess, much bigger than the public has grasped (yet).
Absolutely - this is going to be felt for quite some time. Also *IMPORTANT* don't change your passwords on services that haven't been patched yet...
If so - you just handed over your new credentials to whoever is out there gathering this info from unsecured boxes.
There was about a week or so between when this was (hopefully first) discovered to when it was first patched.
But really - 2 years of this gaping wide hole... just ugh.
http://www.techvibes.com/blog/heartbleed-bug-explained-video-2014-04-09
However, it being open/undiscovered publicly for two years hardly surprises me. I've seen serious functionality bugs in software hang around for two or three years before anyone comes across them.
Quote: reno
I was just about to post a question asking if anyone on this forum had used LastPass, and whether they would recommend it. I'm looking for an effective, easy-to-use, (free) password manager, and LastPass has received great reviews.
I've been using it for about a year, and it is pretty good. To set the master password, I used 3 license plate numbers from my past (I have some weird thing where I remember license plate numbers) for an 18 character long sequence of letters and numbers.
LastPass will generate a random string of numbers and letters, both capitalized and regular, then store them. When you log back into a site, you can have it autofill, or you can right-click and fill. This is useful if, for example, both you and your SO use the same computer to check email with the same provider; there is a dropdown menu prompting you to choose which login you are using.
Regarding Heartbleed, you can go to your password vault and click on "Tools/Security Check" and it will analyze your saved sites and let you know if any have been compromised, and whether to change your password or wait. It will also check to see if any sites have been compromised in any other way; it let me know that my email address had been caught up in the Adobe debacle from last year. (I'd already known that and changed my password, that was what had prompted my using LastPass in the first place, to avoid using a duplicate password everywhere.)
That is the real benefit, IMO. There are so many places where you buy once or twice, so many forums where you register to ask a question and then never return. Just generate a password and forget about it. If you ever return, LastPass has you covered.
For mobile use, you have to download the LastPass browser, it doesn't work as a browser extension like it does in Firefox. Cost is something like $2/mo. For now, I've been opening LastPass in Chrome or Safari and doing a copy/paste. I might spring for the convenience in Android, though.
Edit: It's $1/mo in Android.
Quote: Mosca
Mashable has made a hitlist of passwords you need to change.
You know you need to grow up when your only vulnerable asset is Minecraft.
Now if you'll excuse me, I've a chest of diamond pickaxes I need to go hide =p
I am a little amazed now that I truly understand it... though I haven't seen the raw API code. But if I'm testing something that says "Enter a string and a number that is the length of the string", trust me, I'm testing for those two things to be different.
But it's easy to second guess. I've missed stuff in testing that on reflection was a clear use case.
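The "string and a number that is the length of the string" in the post above is exactly the heartbeat message: a type byte, a 16-bit payload_length, the payload, then padding. As an added example that is not OpenSSL's code and not from this thread, here is a handler written in the shape of the vulnerable one, with the upstream fix (a single bounds check comparing the claimed length against the bytes that actually arrived) behind a flag so both behaviours can be run against the same probe. Process memory is a constructed 256-byte arena, and the SESSION-COOKIE string, the 8-byte PINGPONG payload and the claimed length of 64 are made up for the demonstration.

```c
/* Added example (not OpenSSL's code): a heartbeat echo in the shape of the
 * vulnerable handler, with the one-line fix gated by a flag. The arena,
 * the secret and the probe are constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static const char SECRET[] = "SESSION-COOKIE=s3cr3t";  /* constructed: sits next to the record */
static const char SENT[]   = "PINGPONG";               /* the 8 bytes the probe really carries */
#define CLAIMED 64                                     /* the length the probe claims */

/* Lay out a fake process buffer: the heartbeat record first, then data the
 * peer must never see. Returns the true record length (27 bytes). */
static size_t build_arena(uint8_t *mem, size_t cap)
{
    memset(mem, 0, cap);
    uint8_t *p = mem;
    *p++ = HB_REQUEST;
    *p++ = CLAIMED >> 8;
    *p++ = CLAIMED & 0xff;
    memcpy(p, SENT, sizeof SENT - 1);  p += sizeof SENT - 1;
    memset(p, 0xaa, HB_PADDING);       p += HB_PADDING;
    size_t rec_len = (size_t)(p - mem);
    memcpy(p, SECRET, sizeof SECRET);  /* unrelated data just past the record */
    return rec_len;
}

/* Echo a heartbeat. With fixed == 0 this does what the vulnerable code did:
 * trust the 16-bit length inside the message and memcpy that many bytes from
 * the request buffer. With fixed == 1 it first checks the claimed length
 * against the bytes that actually arrived, which is the whole upstream fix.
 * Returns the response length, or 0 if the message is dropped. */
size_t handle_heartbeat(const uint8_t *rec, size_t rec_len,
                        uint8_t *resp, size_t resp_cap, int fixed)
{
    if (rec_len < 3)
        return 0;
    const uint8_t *p = rec;
    uint8_t  type    = *p++;
    unsigned payload = (unsigned)p[0] << 8 | p[1];
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    if (fixed && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                      /* the fix: silently discard */
    size_t out_len = 1 + 2 + payload + HB_PADDING;
    if (out_len > resp_cap)
        return 0;                      /* demo-only guard for the response buffer */
    uint8_t *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = payload >> 8;
    *bp++ = payload & 0xff;
    memcpy(bp, p, payload);            /* without the check: reads past the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);         /* OpenSSL fills this with random bytes */
    return out_len;
}

/* Run the probe through the handler; returns the response length (83 or 0). */
size_t probe_len(int fixed)
{
    static uint8_t mem[256], resp[256];
    size_t rec_len = build_arena(mem, sizeof mem);
    return handle_heartbeat(mem, rec_len, resp, sizeof resp, fixed);
}

/* 1 if the secret shows up in the echoed payload, else 0. */
int probe_leaks_secret(int fixed)
{
    static uint8_t mem[256], resp[256];
    size_t rec_len = build_arena(mem, sizeof mem);
    size_t n = handle_heartbeat(mem, rec_len, resp, sizeof resp, fixed);
    size_t want = sizeof SECRET - 1;
    for (size_t i = 3; i + want <= n; i++)
        if (memcmp(resp + i, SECRET, want) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           probe_len(0), probe_leaks_secret(0) ? "yes" : "no");
    printf("fixed:      %zu-byte response, secret leaked: %s\n",
           probe_len(1), probe_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The vulnerable path answers a 27-byte request with an 83-byte response whose payload carries whatever sat next to the record, here the constructed cookie; a real attacker claims up to 65535 bytes, the maximum a 16-bit length can express, and repeats the request. The fixed path returns nothing at all, which matches the earlier observation that a patched server should not echo the probe's YELLOW SUBMARINE back.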
Whose side are they on?
Quote: reno
USA Today is reporting that our government knew about Heartbleed for 2 years, did nothing to fix Heartbleed, didn't tell the public about Heartbleed, didn't tell the tech industry about Heartbleed, and exploited Heartbleed to spy on people. The fact that nefarious hackers probably also exploited Heartbleed for criminal purposes did not concern our government.
Whose side are they on?
Police forces, unless there are reasonable checks and balances, often concern themselves more with detecting large crimes than stopping smaller ones take place in the first place.
Quote: thecesspit
Police forces, unless there are reasonable checks and balances, often concern themselves more with detecting large crimes than stopping smaller ones take place in the first place.
True. And that was the rationale that the ATF used for its sloppy Fast & Furious debacle.
If all that was at stake were a few stolen credit card numbers, maybe the NSA's lack of action could be excused. But the NSA took a reckless gamble that spies from other governments (China, Russia, North Korea, Iran) wouldn't exploit Heartbleed to spy on the United States.
Quote: reno
USA Today is reporting that our government knew about Heartbleed for 2 years, did nothing to fix Heartbleed, didn't tell the public about Heartbleed, didn't tell the tech industry about Heartbleed, and exploited Heartbleed to spy on people. The fact that nefarious hackers probably also exploited Heartbleed for criminal purposes did not concern our government.
Whose side are they on?
Their side... whose side are we on? Now, if we got Heartbleed into the light, what else is lurking in the dark... Flash, HTML5, Java, C-languages, forced open ports?
Quote: reno
USA Today is reporting that our government knew about Heartbleed for 2 years, did nothing to fix Heartbleed, didn't tell the public about Heartbleed, didn't tell the tech industry about Heartbleed, and exploited Heartbleed to spy on people. The fact that nefarious hackers probably also exploited Heartbleed for criminal purposes did not concern our government.
Whose side are they on?
Late yesterday the NSA issued a denial, so it's all good!