The "Heartbleed Bug" --new cyber threat. All you techy types, please weigh in.

Plot Device

It's described in the article below as "probably the worst bug the Internet has ever seen."

http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/


Heartbleed bug: What you need to know

Heartbleed: 'Secure' internet wasn't safe

by Jose Pagliery -- April 9, 2014

Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web -- the one that keeps your email, banking, shopping, passwords and communications private.

What is it?

It's called the Heartbleed bug, and it is essentially an information leak.

It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there's a good chance that site is using the encryption software that was impacted by the Heartbleed bug.

"It's probably the worst bug the Internet has ever seen," said Matthew Prince, CEO of website-protecting service CloudFlare. "If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won't surprise me...."
 

robjvargas

This one's a biggie, although patches are out and being applied very rapidly.

Symantec has a pretty decent rundown of the vulnerability at this link.

You should be hearing from trusted vendors that they've patched this. I am complaining to every one of them I deal with regularly that doesn't announce this.

Here's the briefest explanation I can think of. Web-based encryption is run off a function called SSL, and the most common implementation of it is a program called OpenSSL. OpenSSL uses a "heartbeat" function to keep encrypted sessions from timing out, which would force users to regularly log in otherwise. Part of the communication involves the client side sending a sort of self-portrait saying how large the heartbeat is in bytes/kilobytes. But if the client side is lying, if it's a lot smaller, OpenSSL pulls data from memory to fill up that white space. That data can be random, but it *could* include user logins, passwords, even the data, unencrypted, that passed from *any* clients to the server. The fix is for the vendor running the server to update to the latest version of OpenSSL, or to turn off that heartbeat function completely.

Here's some good advice at the end of the Symantec article:

Advice for consumers:

  • You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
  • Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
  • Monitor your bank and credit card statements to check for any unusual transactions

I'll add one: When in doubt, ASK. Ask everyone who has a secure site and with whom you do business. It's your identity on the line. Treat it like that. Don't beg that your vendors be safe. Demand it.
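To make the "lying about the size" part of Rob's explanation concrete, here is an added toy model of the heartbeat handler (constructed for this thread, not OpenSSL's code): a vulnerable handler that trusts the client's length field beside the patched behaviour that checks it against the record actually received. The record layout (1-byte type, 2-byte length, payload, 16 bytes of padding) follows the TLS heartbeat format; the "server memory" contents are made up.

```python
import struct

PADDING = 16  # TLS heartbeat records end with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat request: type(1) | payload_length(2) | payload | padding.
    claimed_length is whatever the client *says* the payload size is."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING


def handle_vulnerable(process_memory: bytes, record_len: int) -> bytes:
    """Pre-patch behaviour: copies as many bytes as the client claimed,
    starting at the record and running on into whatever follows it in
    memory. record_len (the size actually received) is never consulted."""
    _, claimed = struct.unpack("!BH", process_memory[:3])
    payload = process_memory[3:3 + claimed]  # no bounds check
    return struct.pack("!BH", 2, claimed) + payload + b"\x00" * PADDING


def handle_fixed(process_memory: bytes, record_len: int):
    """Patched behaviour: the claimed payload plus header and padding must
    fit inside the record that was received; otherwise drop it silently."""
    if record_len < 3:
        return None
    _, claimed = struct.unpack("!BH", process_memory[:3])
    if 3 + claimed + PADDING > record_len:
        return None
    payload = process_memory[3:3 + claimed]
    return struct.pack("!BH", 2, claimed) + payload + b"\x00" * PADDING


# Constructed "server memory": the heartbeat record followed by data left
# over from another user's session (the kind of thing the bug could expose).
SECRET = b"Cookie: session=abc123; user=alice"


def demo(claimed_length: int):
    """Send a 4-byte 'ping' with the given claimed length to both handlers."""
    record = build_heartbeat(b"ping", claimed_length)
    memory = record + SECRET
    return handle_vulnerable(memory, len(record)), handle_fixed(memory, len(record))
```

With an honest length of 4 both handlers echo "ping"; with a claimed length of 40 the vulnerable handler's reply carries bytes of the other user's session, while the patched handler returns nothing.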
 

Torgo

My question is:

If we change our passwords on each site now, are those new passwords safe or still vulnerable? Or should we wait until each site applies a patch? (Of course, still monitoring bank statements, etc.)

Don't change your passwords until the sites are patched.
 

raburrell


Maggie Maxwell

Thanks for that mashable link, Raburrell. I got an email from Pinterest as well saying I should change my password and I don't see that listed on the social networking list.
 

robjvargas

Thanks for that mashable link, Raburrell. I got an email from Pinterest as well saying I should change my password and I don't see that listed on the social networking list.

I'd say believe Pinterest if they tell you to change your passwords.

This is a very fluid situation with the major (reputable) vendors all working to patch as rapidly as they can do it. There are quite a few sites trying to track who's patched and who isn't. As mentioned in the Symantec article I linked, wait until the site tells you to change the password, and then change the password.
 

Maggie Maxwell

I'd say believe Pinterest if they tell you to change your passwords.

Oh, I do and did. I was just letting everyone else here know since it's not on there. Sorry, could have been clearer.

Strange thing is, I only got the notification on one of my accounts, not both of them.
 

raburrell

Yeah, the Mashable link is a pretty short list - there are definitely some biggies it's missing.

As an aside, between the number of credit card breaches we've seen this year, things like Target's 'issue' earlier this year, etc., I would really, really like the security world to get its collective head together, like... now.
 

Ambrosia

Ok, so why aren't users being notified that they need to change their passwords? I have a yahoo mail account. I haven't received anything about this from Yahoo. I know it will take them time to send out emails. But they could put it on their homepage. It is not on their homepage, either. I wouldn't have known about it at all if not for this thread.
 

Billtrumpet25

Mojang told us to change our passwords yesterday (which I did)...don't know much more about it.
 

robjvargas

Ok, so why aren't users being notified that they need to change their passwords? I have a yahoo mail account. I haven't received anything about this from Yahoo. I know it will take them time to send out emails. But they could put it on their homepage. It is not on their homepage, either. I wouldn't have known about it at all if not for this thread.

Part of the bug is that it can reveal your information to someone else regardless of your login state. Changing the password before the patches are applied just exposes your new password (potentially).

It's also possible that the site you're thinking of doesn't use OpenSSL. Someone's created a plugin for Google's Chrome browser to detect if you're on a site that's not patched for this.

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

I've seen that plugin rotated among security professionals, so it should be safe.
 

regdog

I got an e-mail from Credit Karma. They recommend password change.
 

Torgo

Hey, just to say:

This is also a golden opportunity for phishing, so when you get emails telling you to change your password, DO CHECK that they're legit. You don't want to follow a link to something that only looks like your online banking site, and hand over all your credentials.
 

nighttimer

Depending on whom you listen to either nothing can be done to protect yourself from the Heartbleed Bug or there is one immediate step you can take.

Install a password manager. Like right now. :e2salute:

The strangest thing about Heartbleed is that changing your password on a particular site only gives you more protection if that site has already applied the Heartbleed patch and resolved its vulnerability. If it hasn’t, changing your password in advance could theoretically put you at greater risk.

Heartbleed is a vulnerability in a server's memory (RAM), not its data storage, so a hacker has access to things that are being called up by the server, not everything that's stored on it. That means that the hacker could ascertain your new password, too.

Lists, which are being frequently updated, can tell you which websites are vulnerable and which have been patched. Once a site is no longer vulnerable, it's time to change your password. You're going to have to do this on a lot of sites, so this is the perfect time to start using a password manager.

A password manager helps you generate random, strong passwords so you don't have to think of them yourself. Then it stores your login information for every site you use, autofilling a password whenever you need one. You don't need to know or remember your passwords, because they're all stored and protected behind one master password that you make extremely strong and unguessable. I use 1Password, and my master password is a fairly long sentence (without spaces) that includes alternate spellings, numbers in place of certain letters, and punctuation.

I’ll admit it. I kind of hate using a password manager. Setting it up is tedious, and it’s a little unsettling to never know any of your passwords. It doesn't matter so much when you're on your personal computer and have 1Password (or your password manager of choice) running, but when you're using someone else's computer, you have to use an app to check your password for any site/service you want to log into.

Password managers aren't about fun, though. They're about proactively protecting yourself from much more annoying, and potentially detrimental, problems down the line if your personal information gets hijacked. And they do offer a lot of useful features like super secure notes and a password generator. Many even incorporate two-factor authentication, and in our leaky digital world, it's reassuring to use a service whose only priority is security.

I use Last Pass after my tech-savvy brother nagged me to install it. It's not hard to get used to having a program that automatically fills in my login and password (like on Absolute Write), but I do have to go back and run an audit for the sites where I got lazy and used my own self-created passwords instead of the tougher ones Last Pass provides.

Ounce of prevention, and all that.
 

Friendly Frog

Ok, so why aren't users being notified that they need to change their passwords? I have a yahoo mail account. I haven't received anything about this from Yahoo. I know it will take them time to send out emails. But they could put it on their homepage. It is not on their homepage, either. I wouldn't have known about it at all if not for this thread.

Same here. None of them have given as much as a peep that I ought to change my password. Not even the ones listed as affected and patched. I am just a tad miffed about that. I know it's still largely theoretical that actual passwords were leaked, but with other security breaches sites have tended to err on the side of caution and asked to change passwords just in case. (And I had just cycled a good deal of my passwords before this news broke, darn it.)
 

Cathy C

My hubby is a techie guy, and found a handy website for checking out other websites where you keep private data. You just enter the website you visit in the box and it'll give you a grade report on its vulnerability. It does have to be an SSL site for it to work. :)
 

robjvargas

Install a password manager. Like right now.

I use Keepass. It has a version that runs entirely on a USB flash drive, if you wish one you can take with you.

But this is wrong:
Heartbleed is a vulnerability in a server's memory (RAM), not its data storage, so a hacker has access to things that are being called up by the server not everything that's stored on it. That means that the hacker could ascertain your new password, too.

The vulnerability is with a software application called OpenSSL, with functions that it runs within RAM. The RAM itself, the physical memory, and the server, is fine. Or, at least, not the malfunction here.

And I still say don't request this information from vendors. Demand it.
 

William Haskins

Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately

The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested.

In what appears to be his first comments to the media since the bug was uncovered, Robin Seggelmann said how the bug made its way into live code could "be explained pretty easily".

...snip...

Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.

"In one of the new features, unfortunately, I missed validating a variable containing a length."

After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Dr Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson.


http://www.smh.com.au/it-pro/securi...-inserted-it-deliberately-20140410-zqta1.html