04-11-2014, 10:31 AM | #21
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
Cloudflare has now come out saying that after extensive testing they haven't been able to uncover a server's keys, so it is either super difficult or impossible. That is because, like the comic above showed, the key would need to be included in the 64K of data returned, and that 64K comes from memory buffers, so it would only happen if the key happened to be in the buffer when the fraudulent request was made. So it may not be as bad as initially feared (but tests are ongoing).
http://www.theverge.com/2014/4/11/56...keys-after-all
As for how was the news of the bug initially released, that is a pretty big story on its own.
http://www.theverge.com/2014/4/10/56...-web-in-secret
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
04-12-2014, 10:17 PM | #22
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
Cloudflare has said 4 people have successfully extracted the private key, so sites absolutely need to update their keys after patching.
http://arstechnica.com/security/2014...ew-data-shows/
04-14-2014, 01:10 PM | #23
#1 Goaltender
Well, here we are, first confirmed Heartbleed theft that I've seen. I'm actually surprised they caught it.
http://www.theglobeandmail.com/techn...ticle17956353/
Quote:
About 900 social insurance numbers were stolen from the computers of the Canada Revenue Agency, the revenue department has confirmed, following a shutdown of its public online services caused by the Heartbleed Internet bug.
“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA communiqué said. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
Tax filings have some of the most confidential information on you that is available, so if this happened to me I'd be pretty freaked. Credit cards are one thing, but stuff like SIN and income are a whole new ballgame.
04-14-2014, 01:51 PM | #24
Franchise Player
Join Date: Apr 2003
Location: Not sure
/\/\
Yep, that's pretty freaky stuff right there. I heard they would be sending registered mail to the people they think are affected. No phone calls or email, 100% registered mail.
Bound to be a number of phishing scams pop up over this.
04-14-2014, 02:24 PM | #25
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Quote:
Originally Posted by Inglewood Jack
Well, here we are, first confirmed Heartbleed theft that I've seen. I'm actually surprised they caught it.
http://www.theglobeandmail.com/techn...ticle17956353/
Tax filings have some of the most confidential information on you that is available, so if this happened to me I'd be pretty freaked. Credit cards are one thing, but stuff like SIN and income are a whole new ballgame.
So the question is, if you can't figure out if you have been impacted by Heartbleed, how do they know that these SIN were compromised because of Heartbleed?
Sounds a little fishy to me.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
04-14-2014, 02:35 PM | #26
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
Quote:
Originally Posted by Rathji
So the question is, if you can't figure out if you have been impacted by Heartbleed, how do they know that these SIN were compromised because of Heartbleed?
Sounds a little fishy to me.
Actually, there have been methods to retroactively determine if there was an exploit attempted. Not perfect but not impossible either.
http://www.riverbed.com/blogs/Retroa...xpression.html
04-14-2014, 02:36 PM | #27
Scoring Winger
You can't figure it out just from, say, web server logs, but if you were capturing every packet entering/leaving your network, you would be able to identify it. Most IPS/IDS vendors had signatures out within days that could detect Heartbleed.
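The packet-capture detection ZedMan describes works because a Heartbleed probe is visible in the TLS bytes themselves: a heartbeat record whose length field claims far more payload than the record carries. The following is an added example, not code from the thread or from any IDS vendor's signature set; the function names, the Finding record and the sample byte strings are all constructed for this illustration. It parses a reassembled TLS byte stream, applies the same length bound the patched OpenSSL enforces, and flags heartbeat records that violate it.

```python
"""Flag Heartbleed-style TLS heartbeat requests in captured TLS bytes.

Added example, not from the thread or any IDS vendor. It mirrors the check
the OpenSSL fix for CVE-2014-0160 added on the server side: a heartbeat
record (content type 0x18) whose claimed payload_length plus the mandatory
16 bytes of padding exceeds what the record actually carries is malformed
and is what a Heartbleed probe looks like on the wire. Sample byte strings
below are constructed for this example.
"""
import struct
from typing import Iterator, List, NamedTuple, Tuple

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat (RFC 6520)
HB_PADDING = 16           # minimum padding a heartbeat message must carry
RECORD_HEADER = 5         # type(1) + version(2) + length(2)


class Finding(NamedTuple):
    offset: int        # byte offset of the TLS record in the stream
    hb_type: int       # 1 = request, 2 = response, -1 = header missing
    claimed_len: int   # payload_length field as sent by the peer
    available: int     # bytes actually present after the 3-byte heartbeat header
    suspicious: bool   # True when claimed_len + padding cannot fit in the record


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, content_type, body) for each TLS record in a byte stream.

    A record whose declared length runs past the end of the capture is yielded
    with whatever bytes exist and ends the iteration.
    """
    pos = 0
    while pos + RECORD_HEADER <= len(stream):
        ctype, _version, rec_len = struct.unpack("!BHH", stream[pos:pos + RECORD_HEADER])
        body = stream[pos + RECORD_HEADER:pos + RECORD_HEADER + rec_len]
        yield pos, ctype, body
        if len(body) < rec_len:
            break
        pos += RECORD_HEADER + rec_len


def inspect_heartbeats(stream: bytes) -> List[Finding]:
    """Return one Finding per heartbeat record, marking malformed ones."""
    findings: List[Finding] = []
    for offset, ctype, body in iter_tls_records(stream):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(body) < 3:
            # Not even room for type + payload_length: malformed by definition.
            findings.append(Finding(offset, -1, -1, len(body), True))
            continue
        hb_type = body[0]
        claimed_len = struct.unpack("!H", body[1:3])[0]
        available = len(body) - 3
        # Same bound the patched OpenSSL enforces before copying payload bytes.
        suspicious = claimed_len + HB_PADDING > available
        findings.append(Finding(offset, hb_type, claimed_len, available, suspicious))
    return findings


# Constructed sample stream: a 7-byte handshake record (skipped), a well-formed
# heartbeat request with a 1-byte payload and 16 bytes of padding, and a
# heartbeat request that claims 16384 payload bytes while carrying none.
HANDSHAKE_RECORD = b"\x16\x03\x02\x00\x02\x01\x00"
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x14" + b"\x01\x00\x01A" + b"\x00" * HB_PADDING
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
SAMPLE_STREAM = HANDSHAKE_RECORD + BENIGN_HEARTBEAT + MALFORMED_HEARTBEAT


if __name__ == "__main__":
    for f in inspect_heartbeats(SAMPLE_STREAM):
        verdict = "MALFORMED heartbeat (Heartbleed probe?)" if f.suspicious else "ok"
        print(f"offset={f.offset} type={f.hb_type} claimed={f.claimed_len} "
              f"available={f.available}: {verdict}")
```

Two caveats for anyone running this over real captures: it expects a reassembled TCP byte stream, not individual packets, and it can only read heartbeat length fields that are sent in the clear. Heartbeats exchanged after the handshake are encrypted, so a check like this sees the probes sent before the handshake finished, which is where the retroactive signature-based detection ZedMan mentions did its work; the oversized heartbeat responses coming back the other way are the complementary signal.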
04-14-2014, 02:43 PM | #28
Franchise Player
Quote:
Originally Posted by Inglewood Jack
tax filings have some of the most confidential information on you that is available, so if this happened to me I'd be pretty freaked.
Meh, student loans already gave away my info.
04-14-2014, 03:28 PM | #29
Franchise Player
Join Date: Jul 2005
Location: SW Ontario
Quote:
Originally Posted by photon
It's pretty significant for sure, everyone I know is more in get it patched mode rather than trying to assess if anything was actually compromised.
Not that we use SSL, but CP's software is too old and doesn't have the vulnerability to begin with
Didn't CP get hacked bad way back in the day? I thought I remember something like that...
04-14-2014, 05:39 PM | #30
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Quote:
Originally Posted by dissentowner
Didn't CP get hacked bad way back in the day? I thought I remember something like that...
Yeah, it got hacked one time; someone managed to do some kind of exploit to reset the Admin password. Fortunately they didn't do a huge amount of damage.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
All times are GMT -6.