Time to change passwords

lasermink · **Joined:** 31st Mar, 2008 **Posts:** 1883

http://arstechnica.com/security/2014/04 ... sdropping/

Ars wrote:

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

There is obviously a lot more to it than whats posted on there - however the basis is that vulnerable webpages can be made to give out whatever the server happens to have in memory (in small 64kb chunks) - there is a lot of work involved in taking what you get back and working out what it is but since its just the raw memory from the server it *could* be just about anything.

Rotating passwords for sites its a good idea anyway but this is not quite the same as a 'company X has been compromised so reset your passwords if you used them' and the 2/3 rds of 'all websites' claim seems a bit high to me (you need to be running the one specific version with this vulnerability)

Grim... · **Posted:** Wed Apr 09, 2014 9:34

But not yet, of course.

[edit]Huh, Zaphod snuck a reply in.

Grim... · **Posted:** Wed Apr 09, 2014 11:57

Folks that run servers can get all the info they need from this page:
http://www.howtoforge.com/find_out_if_s ... how_to_fix

Grim... · **Posted:** Wed Apr 09, 2014 13:42

This is a good resource to check if your upgrade went through: http://filippo.io/Heartbleed/

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

Grim... wrote:

This is a good resource to check if your upgrade went through: http://filippo.io/Heartbleed/

Its probably the best one out there at the moment a lot of the 'check' sites are just probing to see what version is being reported back from your server and say your at risk if your running an exploitable one and your safe if your not then your at risk however that one does actually attempt the exploit so if it comes up and says that your at risk then it will have managed to perform the exploit on the URL you gave it.

Other things to consider is although this has just been 'announced' the actual bug was in place for almost 2 years so in theory if someone knew about it they could have been gathering data for ages and at least one big site (Yahoo) was 'late' in getting their fix live so if you use them you may want to reset your password on their now (they have the patch in place)

http://grahamcluley.com/2014/04/heartbl ... o-password

Dr Zoidberg · **Joined:** 15th Oct, 2010 **Posts:** 5403

It's a strange day when the security risk isn't with IIS. It's not just traditional web servers with the issue - quite a bit of networking kit is vulnerable too.

Cras · **Joined:** 30th Mar, 2008 **Posts:** 49244

Oh god yeah, point to point application servers too. OpenSSL is everywhere.

Grim... · **Posted:** Wed Apr 09, 2014 14:06

This is also likely to open up a raft of phishing attempts, so check your emails carefully if they suggest you change your password.

Dr Zoidberg · **Joined:** 15th Oct, 2010 **Posts:** 5403

Cras wrote:

Oh god yeah, point to point application servers too. OpenSSL is everywhere.

Aruba Wireless kit is one that we've come across that is vulnerable.
Fortunately Cisco ASAs aren't.

Pod · **Joined:** 30th Mar, 2008 **Posts:** 2568

Just make sure the website you're changing your passwords on, and the email servers you use, are already fixed before getting new passwords, or else it's all for naught.

Also: if you're really scared, avoid logging into them until you know they're fixed.

markg · **Joined:** 30th Mar, 2008 **Posts:** 16639

This exploit has been available for some time hasn't it? And leaves no fingerprints. What a mess.

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

markg wrote:

This exploit has been available for some time hasn't it? And leaves no fingerprints. What a mess.

The bug has been present for almost 2 years - and yes there is no indication / real way of tracking if it was exploited at some point in the past

And totally anti-every other bug the best way to be safe on this was to either not update your server or use a Microsoft OS to run your website (IIS was not affected)

Cras · **Joined:** 30th Mar, 2008 **Posts:** 49244

zaphod79 wrote:

use a Microsoft OS to run your website (IIS was not affected)

A Microsoft Web Server rather than Microsoft OS. Running WAMP you're just as likely to be affected as LAMP.

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

Cras wrote:

zaphod79 wrote:

use a Microsoft OS to run your website (IIS was not affected)

A Microsoft Web Server rather than Microsoft OS. Running WAMP you're just as likely to be affected as LAMP.

Agreed

itsallwater · **Posted:** Thu Apr 10, 2014 11:38

However it might be pointless (so I've read) changing passwords. Because it's also likely they* have the SSL Certificate keys too, using this exploit. Which means the certificate is no longer secure against the website until that website renew their certificates. So even fixing the bug still leaves the people with the keys to decrypt your data, if they can get any of it, and opens everyone up for really clever fishing attacks as you can't tell if the website your logging into is legit or not.

* baddies

At least thats if I understand the issuing of keys/certificates correctly.

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

itsallwater wrote:

However it might be pointless (so I've read) changing passwords. Because it's also likely they* have the SSL Certificate keys too, using this exploit.

No , its *possible* , when you perform the exploit you get a random block of memory - its possible for someone to spend hours / days / weeks hitting a vulnerable server and never getting anything useful and its also possible for someone to hit a vulnerable server once and get passwords / keys / credit card information.

The information collected cannot be targeted in any way you just get a random chunk of data from the machine and thats what you get - if you run it again you get another random chunk

Anyone who is running a server thats affected by this should also bin their SSL certificates and create new ones to be 'safe' and I expect any large companies to do this

Here is one of the (many) emails I have from one company on how they handled it

Quote:

How we fixed the Heartbleed bug

How we fixed the Heartbleed bug

As you opened up Wunderlist today, you would have noticed that you had been logged out. We did this to protect your data against an internet-wide security vulnerability called ‘Heartbleed’. Heartbleed affects the OpenSSL framework which is used by many websites to privately send data to and from an internet server.

For you, this now means you’ll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist.

We want you to know, that we’ve made Wunderlist’s Sync Service completely safe from Heartbleed, and this is how we’ve kept your data safe and sound:

As soon as we were made aware of Heartbleed, we protected your data by preemptively turning off our Sync Service, eliminating any potential security breaches by stopping all communication to our servers.
We deployed the updated OpenSSL libraries.
We then renewed all of our SSL certificates.
We logged out all users to ensure that everyone would create new, secure connections.

Want to know more?
If you have any questions or want to learn more, please take a read of our in-depth article at the Wunderlist Support Center. Also, one of our engineers, Duncan Davidson, has written a personal account of what happened in more technical detail.

Links :

http://support.wunderlist.com/customer/ ... april-2014
https://medium.com/p/804cdf4b48c1

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

New bug discovered - has been around "forever" and may be exploitable -

Cnet: http://www.cnet.com/news/bigger-than-he ... llshocked/
Guardian : http://www.theguardian.com/technology/2 ... heartbleed
CNN : http://money.cnn.com/2014/09/24/technol ... /bash-bug/

The Redhat notice about the bug and the patches available : https://securityblog.redhat.com/2014/09 ... on-attack/

There is not that much info about it yet but if its as widespread as its being suggested then expect problems

Jem · **Posted:** Thu Sep 25, 2014 12:10

Some interesting info on it in the Hacker News thread too >
https://news.ycombinator.com/item?id=8365158

Findus Fop · **Joined:** 14th May, 2009 **Posts:** 4357

Does anyone have any experience of Sticky Password?

There's an offer on the lifetime sub at the moment ($25, bargain fans). Am tempted as I feel like I'm resetting at least a couple of passwords a month these days, as my brain struggles to keep up with all the services I have a selection of passwords for.

Be Excellent To Each Other

Time to change passwords
Just about everywhere

Who is online

Be Excellent To Each Other

Time to change passwords Just about everywhere

Who is online

Time to change passwords
Just about everywhere