Heartbleed Bug

[Bobblehead]

Cloudflare has now come out saying that after extensive testing they haven't been able to uncover a servers keys, so it is either super difficult or impossible. That is because, like the comic above showed, the key would need to be included in the 64K of data returned, and that 64K comes from memory buffers, so it would only happen if the key happened to be in the buffer when the fraudulent request was made. So it may not be as bad as initially feared (but tests are ongoing).
http://www.theverge.com/2014/4/11/56...keys-after-all

As for how was the news of the bug initially released, that is a pretty big story on its own.
http://www.theverge.com/2014/4/10/56...-web-in-secret

[Bobblehead]

Cloudflare has said 4 people have successfully extracted the private key, so sites absolutely need to update their keys after patching.

http://arstechnica.com/security/2014...ew-data-shows/

[Inglewood Jack]

well here we are, first confirmed Heartbleed theft that I've seen. I'm actually surprised they caught it.

http://www.theglobeandmail.com/techn...ticle17956353/

Quote:

About 900 social insurance numbers were stolen from the computers of the Canada Revenue Agency, the revenue department has confirmed, following a shutdown of its public online services caused by the Heartbleed Internet bug.

“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA communiqué said. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

tax filings have some of the most confidential information on you that is available, so if this happened to me I'd be pretty freaked. credit cards are one thing, but stuff like SIN and income are a whole new ballgame.

[GoinAllTheWay]

/\/\

Yep, that's pretty freaky stuff right there. I heard they would be sending registered mail to the people they think are affected. No phone calls or email, 100% registered mail.

Bound to be a number of phishing scams pop up over this.

[Rathji]

Quote:

Originally Posted by Inglewood Jack

well here we are, first confirmed Heartbleed theft that I've seen. I'm actually surprised they caught it.

http://www.theglobeandmail.com/techn...ticle17956353/



tax filings have some of the most confidential information on you that is available, so if this happened to me I'd be pretty freaked. credit cards are one thing, but stuff like SIN and income are a whole new ballgame.

So the question is, if you can't figure out if you have been impacted by Heartbleed, how do they know that these SIN were compromised because of Heartbleed?

Sounds a little fishy to me.

[Bobblehead]

Quote:

Originally Posted by Rathji

So the question is, if you can't figure out if you have been impacted by Heartbleed, how do they know that these SIN were compromised because of Heartbleed?

Sounds a little fishy to me.

Actually, there have been methods to retroactively determine if there was an exploit attempted. Not perfect but not impossible either.

http://www.riverbed.com/blogs/Retroa...xpression.html

[ZedMan]

You can't figure it out just from, say, web server logs, but if you were capturing every packet entering/leaving your network, you would be able to identify it. Most IPS/IDS vendors had signatures that could detect heartbleed out within days.

[DownhillGoat]

Quote:

Originally Posted by Inglewood Jack

tax filings have some of the most confidential information on you that is available, so if this happened to me I'd be pretty freaked.

Meh, student loans already gave away my info.

[dissentowner]

Quote:

Originally Posted by photon

It's pretty significant for sure, everyone I know is more in get it patched mode rather than trying to assess if anything was actually compromised.

Not that we use SSL, but CP's software is too old and doesn't have the vulnerability to begin with

Didn't CP get hacked bad way back in the day? I thought I remember something like that...

[photon]

Quote:

Originally Posted by dissentowner

Didn't CP get hacked bad way back in the day? I thought I remember something like that...

Yeah it got hacked one time, someone managed to do some kind of exploit to reset the Admin password. Fortunately they didn't do a huge amount of damage.