Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

04-09-2014, 01:07 PM #1
Inglewood Jack (#1 Goaltender)
Join Date: Jan 2012
Heartbleed Bug

So apparently this is the thing that has busted the Internet this week.

http://www.theglobeandmail.com/techn...ticle17892756/

The freaky part is nobody seems to be able to put a finger on exactly how much damage might have been already done. I've read everything ranging from "go change all your passwords and lock yourself in your panic room until further notice" to "wait and see until companies have completed evaluating their systems before taking action".

We apparently can't even do online tax returns because CRA shut it down. Is this the biggest bad thing to happen to cyberspace ever?
04-09-2014, 01:18 PM #2
photon (The new goggles also do nothing.)
Join Date: Oct 2001, Location: Calgary

It's pretty significant for sure; everyone I know is more in get-it-patched mode rather than trying to assess if anything was actually compromised.

Not that we use SSL, but CP's software is too old and doesn't have the vulnerability to begin with.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
04-09-2014, 01:37 PM #3
psyang (Powerplay Quarterback)
Join Date: Jan 2010

This is a list of servers that are vulnerable/not vulnerable. Obviously not exhaustive, but going through the list made me a lot less concerned.

For convenience, here are the vulnerable servers listed:

04-09-2014, 01:42 PM #4
Inglewood Jack (#1 Goaltender)
Join Date: Jan 2012

If you can't even trust RedTube, then who in this world can you trust??

CalgaryPuck of course, which is the Gypsy Danger that cannot be brought down by EMP blasts because it's too geriatric. So no SSL here? Not even on the login page?
04-09-2014, 01:49 PM #5
Bobblehead (Franchise Player)
Join Date: Jul 2005, Location: in your blind spot.

Quote:
Originally Posted by psyang
This is a list of servers that are vulnerable/not vulnerable. Obviously not exhaustive, but going through the list made me a lot less concerned.

For convenience, here are the vulnerable servers listed:

Just so people know - that is not a comprehensive list.
That is just taken from a list of websites with the most traffic.

Even then that list is far from correct; it is just the best one to date. For instance "Testing tumblr.com... not vulnerable."

Yet Tumblr sent out a message advising users to change their passwords:
Quote:
Following the discovery of a major bug known as "Heartbleed," Tumblr has sent out a note encouraging users to change the passwords for all of their online accounts immediately.
http://www.latimes.com/business/tech...#axzz2yQ7b7TRp

Not surprising since Yahoo took over Tumblr and all Yahoo sites are affected by this.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
04-09-2014, 02:14 PM #6
photon (The new goggles also do nothing.)
Join Date: Oct 2001, Location: Calgary

Quote:
Originally Posted by Inglewood Jack
CalgaryPuck of course, which is the Gypsy Danger that cannot be brought down by EMP blasts because it's too geriatric. So no SSL here? Not even on the login page?

I'd never even thought about it, but nope: if someone REALLY wants your password they can sniff your packets and get it.
04-09-2014, 02:16 PM #7
photon (The new goggles also do nothing.)
Join Date: Oct 2001, Location: Calgary

A good readable description of it:

http://www.goodmath.org/blog/2014/04...eartbleed-bug/
04-09-2014, 03:07 PM #8
GGG (Franchise Player)
Join Date: Aug 2008, Location: California

That is just a brilliant exploit. So simple and yet compromises the entire SSL.

How long have people been using this exploit? Has it existed undetected for years with a small group using it, or is the publicity it's getting causing more people to know about it who will use it before it gets fixed?
04-09-2014, 03:15 PM #9
Bobblehead (Franchise Player)
Join Date: Jul 2005, Location: in your blind spot.

Quote:
Originally Posted by GGG
That is just a brilliant exploit. So simple and yet compromises the entire SSL.

How long have people been using this exploit? Has it existed undetected for years with a small group using it, or is the publicity it's getting causing more people to know about it who will use it before it gets fixed?

Probably both.

But while the exploit is easy, getting something that you can use isn't easy.
It returns the data that was stored next to the byte that was sent for the heartbeat. Who knows what that data is; it could be anything.
But we all know how fast computers are and how fond of repetition, so they just keep trying until they do get a string that they can use. And that is the private key, which will then allow them to decrypt everything.

One of the biggest bugaboos about this is there is no logging or tracking, so everyone with this vulnerability will need to assume that they are compromised.

Which means they all need to patch, get a new set of keys, and (hopefully) advise the users to change their passwords.
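The mechanism Bobblehead describes above (the server echoes back whatever sat in memory next to the heartbeat payload because the claimed payload length was never compared with the record actually received), shown as an added in-memory simulation that is not code from this thread or from OpenSSL; the `mem` buffer, the `secret` string and the handler names are constructed for illustration, and the real patch's 16-byte padding reservation is omitted.

```c
#include <stdint.h>
#include <string.h>

/* Simulated process memory (constructed): a heartbeat record at offset 0
   followed by unrelated data that happens to sit next to it. */
#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];
static const char secret[] = "SECRET-KEY-MATERIAL";   /* constructed sample */

/* Lay out [type][len_hi][len_lo][payload] and put the "secret" right after.
   claimed_len is the length field as the sender wrote it; the return value
   is the number of bytes the record really contains. Payload must be short. */
static size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                                   /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, plen);
    memcpy(mem + 3 + plen, secret, sizeof secret);
    return 3 + plen;
}

/* Unchecked handler: echoes back as many bytes as the length field claims,
   never comparing it with the record length. The MEM_SIZE guard only keeps
   this simulation inside `mem`; the original code had no such check. */
static int heartbeat_unchecked(size_t record_len, unsigned char *out, size_t cap) {
    size_t claimed = (size_t)((mem[1] << 8) | mem[2]);
    (void)record_len;
    if (claimed > cap || 3 + claimed > MEM_SIZE) return -1;
    memcpy(out, mem + 3, claimed);                /* reads past the payload */
    return (int)claimed;
}

/* Fixed handler: the claimed payload must fit inside the record actually
   received. A malformed heartbeat is silently dropped, as the patch does. */
static int heartbeat_checked(size_t record_len, unsigned char *out, size_t cap) {
    size_t claimed = (size_t)((mem[1] << 8) | mem[2]);
    if (record_len < 3 || claimed > record_len - 3 || claimed > cap) return -1;
    memcpy(out, mem + 3, claimed);
    return (int)claimed;
}

/* Did the echoed bytes include data that was never part of the payload? */
static int response_leaks_secret(const unsigned char *out, int n) {
    size_t m = strlen(secret);
    for (size_t i = 0; n > 0 && i + m <= (size_t)n; i++)
        if (memcmp(out + i, secret, m) == 0) return 1;
    return 0;
}
```

The same record, with the length field claiming 40 bytes for a 2-byte payload, is echoed back with the adjacent data by the unchecked handler and rejected outright by the checked one.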
04-09-2014, 04:01 PM #10
Hugh Jahrmes (Powerplay Quarterback)
Join Date: Nov 2010

Yeah I have 4 passwords I rotate and I feel like I should probably change them all.
__________________
Long time listener, first time caller.
04-09-2014, 04:47 PM #11
photon (The new goggles also do nothing.)
Join Date: Oct 2001, Location: Calgary

Doesn't hurt to do that anyway, and you could take the chance to make a few different tiers of passwords (if you don't want to use distinct passwords for all sites and a password manager).

Make sure your email one is completely unique and very difficult (i.e. long), and enable two factor authentication if possible for it. Other stuff like banking or really important sites should get their own unique password.

Secondary sites where it wouldn't matter as much if it was compromised can get duplicate passwords, so if someone steals your password for that site they don't get your email access as well, only access to another site that isn't important.
04-09-2014, 05:30 PM #12
I-Hate-Hulse (Franchise Player)
Join Date: Jul 2003, Location: Sector 7-G

Banks are being watched by OSFI...

The Office of the Superintendent of Financial Institutions (OSFI) “has been in contact with the institutions regarding the ‘Heartbleed bug’ to ensure that they are managing any exposures,” a spokesperson for the Office said in an emailed statement on Wednesday.

Canada’s largest bank by assets, Toronto-Dominion Bank, has implemented “defenses to protect customers from this potential threat,” spokeswoman Barbara Timmins said. The bank “is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” she said.

Why we don't have greater use of 2 factor authentication by banks for web banking is beyond me.
04-09-2014, 06:04 PM #13
photon (The new goggles also do nothing.)
Join Date: Oct 2001, Location: Calgary

Even if I could choose a longer password! BMO would not take more than six characters last time I changed it!
04-09-2014, 06:53 PM #14
Boblobla (Franchise Player)
Join Date: Apr 2008, Location: Calgary

Quote:
Originally Posted by photon
I'd never even thought about it, but nope: if someone REALLY wants your password they can sniff your packets and get it.
Hot
04-11-2014, 08:54 AM #15
Bobblehead (Franchise Player)
Join Date: Jul 2005, Location: in your blind spot.

XKCD with a comic to explain HeartBleed.
http://xkcd.com/1354/

04-11-2014, 09:08 AM #16
Inglewood Jack (#1 Goaltender)
Join Date: Jan 2012

That's about as succinct an explanation as I've seen. Is it bad that even though all these major sites are patching and now giving the green light for password change, I'm still feeling too lazy to do it right now?

This whole thing just bugs me with how unknown the true impact is. If the bug has been exploited, how will we be able to tell? The idea is that it's so low level that the process of stealing the info isn't even logged. So if my credit card gets compromised (which seems to happen every 18 months or so), was that because of Heartbleed or just regular good old skimming or a database hack?
04-11-2014, 09:23 AM #17
BloodFetish (First Line Centre)
Join Date: Aug 2009, Location: Coquitlam, BC

Here's an online tool that will test a URL for the Heartbleed vulnerability:

http://filippo.io/Heartbleed/

So before logging in to a website and buying those $500 shoes you can test it first.
04-11-2014, 09:28 AM #18
Ashartus (First Line Centre)
Join Date: Mar 2007, Location: Calgary

Quote:
Originally Posted by photon
Even if I could choose a longer password! BMO would not take more than six characters last time I changed it!
I've always found bank password requirements a bit bizarre. My bank won't let me include non-alphanumeric characters. You'd think if there's anything you want to go to extra lengths to have secure it would be your bank password.
04-11-2014, 09:29 AM #19
bubbsy (Franchise Player)
Join Date: Aug 2008

This is a very crazy story, especially considering the broadness of the exposure on the www.

Also curious what the protocols are for finding such a vulnerability and releasing it to the media/world before a fix is in place??
04-11-2014, 09:56 AM #20
photon (The new goggles also do nothing.)
Join Date: Oct 2001, Location: Calgary

Quote:
Originally Posted by Inglewood Jack
This whole thing just bugs me with how unknown the true impact is. If the bug has been exploited, how will we be able to tell? The idea is that it's so low level that the process of stealing the info isn't even logged. So if my credit card gets compromised (which seems to happen every 18 months or so), was that because of Heartbleed or just regular good old skimming or a database hack?

Part of the question would be, I guess, if you knew of this bug, would you use it to just steal someone's password to some random site? Or some random credit card #? Or would you go after much bigger fish?

Given the broadness and the number of possible targets I'm not overly worried about my vulnerability.

Might take a while before we start to hear of real world impacts.