Be Excellent To Each Other

And, you know, party on. Dude.

All times are UTC [ DST ]




Reply to topic  [ 20 posts ] 
Author Message
 Post subject: Time to change passwords
PostPosted: Wed Apr 09, 2014 9:24 
User avatar

Joined: 31st Mar, 2008
Posts: 1883
http://arstechnica.com/security/2014/04 ... sdropping/

Ars wrote:
Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 9:27 
8-Bit Champion
User avatar
Two heads are better than one

Joined: 16th Apr, 2008
Posts: 14518
There is obviously a lot more to it than whats posted on there - however the basis is that vulnerable webpages can be made to give out whatever the server happens to have in memory (in small 64kb chunks) - there is a lot of work involved in taking what you get back and working out what it is but since its just the raw memory from the server it *could* be just about anything.

Rotating passwords for sites its a good idea anyway but this is not quite the same as a 'company X has been compromised so reset your passwords if you used them' and the 2/3 rds of 'all websites' claim seems a bit high to me (you need to be running the one specific version with this vulnerability)


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 9:34 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69720
Location: Your Mum
But not yet, of course.

[edit]Huh, Zaphod snuck a reply in.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 11:57 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69720
Location: Your Mum
Folks that run servers can get all the info they need from this page:
http://www.howtoforge.com/find_out_if_s ... how_to_fix

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 13:42 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69720
Location: Your Mum
This is a good resource to check if your upgrade went through: http://filippo.io/Heartbleed/

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 13:54 
8-Bit Champion
User avatar
Two heads are better than one

Joined: 16th Apr, 2008
Posts: 14518
Grim... wrote:
This is a good resource to check if your upgrade went through: http://filippo.io/Heartbleed/


Its probably the best one out there at the moment a lot of the 'check' sites are just probing to see what version is being reported back from your server and say your at risk if your running an exploitable one and your safe if your not then your at risk however that one does actually attempt the exploit so if it comes up and says that your at risk then it will have managed to perform the exploit on the URL you gave it.

Other things to consider is although this has just been 'announced' the actual bug was in place for almost 2 years so in theory if someone knew about it they could have been gathering data for ages and at least one big site (Yahoo) was 'late' in getting their fix live so if you use them you may want to reset your password on their now (they have the patch in place)

http://grahamcluley.com/2014/04/heartbl ... o-password


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 13:59 
User avatar
Decapodian

Joined: 15th Oct, 2010
Posts: 5403
It's a strange day when the security risk isn't with IIS. It's not just traditional web servers with the issue - quite a bit of networking kit is vulnerable too.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 14:06 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Oh god yeah, point to point application servers too. OpenSSL is everywhere.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 14:06 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69720
Location: Your Mum
This is also likely to open up a raft of phishing attempts, so check your emails carefully if they suggest you change your password.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Wed Apr 09, 2014 15:03 
User avatar
Decapodian

Joined: 15th Oct, 2010
Posts: 5403
Cras wrote:
Oh god yeah, point to point application servers too. OpenSSL is everywhere.


Aruba Wireless kit is one that we've come across that is vulnerable.
Fortunately Cisco ASAs aren't.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 10:51 
User avatar
MR EXCELLENT FACE

Joined: 30th Mar, 2008
Posts: 2568
Just make sure the website you're changing your passwords on, and the email servers you use, are already fixed before getting new passwords, or else it's all for naught.

Also: if you're really scared, avoid logging into them until you know they're fixed.

_________________
This man is bound by law to clear the snow away


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 10:53 
User avatar

Joined: 30th Mar, 2008
Posts: 16639
This exploit has been available for some time hasn't it? And leaves no fingerprints. What a mess.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 11:05 
8-Bit Champion
User avatar
Two heads are better than one

Joined: 16th Apr, 2008
Posts: 14518
markg wrote:
This exploit has been available for some time hasn't it? And leaves no fingerprints. What a mess.


The bug has been present for almost 2 years - and yes there is no indication / real way of tracking if it was exploited at some point in the past

And totally anti-every other bug the best way to be safe on this was to either not update your server or use a Microsoft OS to run your website (IIS was not affected)


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 11:11 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
zaphod79 wrote:
use a Microsoft OS to run your website (IIS was not affected)


A Microsoft Web Server rather than Microsoft OS. Running WAMP you're just as likely to be affected as LAMP.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 11:22 
8-Bit Champion
User avatar
Two heads are better than one

Joined: 16th Apr, 2008
Posts: 14518
Cras wrote:
zaphod79 wrote:
use a Microsoft OS to run your website (IIS was not affected)


A Microsoft Web Server rather than Microsoft OS. Running WAMP you're just as likely to be affected as LAMP.


Agreed


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 11:38 
User avatar
Excellently Membered

Joined: 30th Mar, 2008
Posts: 1268
Location: Behind you!
However it might be pointless (so I've read) changing passwords. Because it's also likely they* have the SSL Certificate keys too, using this exploit. Which means the certificate is no longer secure against the website until that website renew their certificates. So even fixing the bug still leaves the people with the keys to decrypt your data, if they can get any of it, and opens everyone up for really clever fishing attacks as you can't tell if the website your logging into is legit or not.

* baddies

At least thats if I understand the issuing of keys/certificates correctly.


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Apr 10, 2014 11:52 
8-Bit Champion
User avatar
Two heads are better than one

Joined: 16th Apr, 2008
Posts: 14518
itsallwater wrote:
However it might be pointless (so I've read) changing passwords. Because it's also likely they* have the SSL Certificate keys too, using this exploit.


No , its *possible* , when you perform the exploit you get a random block of memory - its possible for someone to spend hours / days / weeks hitting a vulnerable server and never getting anything useful and its also possible for someone to hit a vulnerable server once and get passwords / keys / credit card information.

The information collected cannot be targeted in any way you just get a random chunk of data from the machine and thats what you get - if you run it again you get another random chunk

Anyone who is running a server thats affected by this should also bin their SSL certificates and create new ones to be 'safe' and I expect any large companies to do this

Here is one of the (many) emails I have from one company on how they handled it

Quote:
How we fixed the Heartbleed bug

How we fixed the Heartbleed bug

As you opened up Wunderlist today, you would have noticed that you had been logged out. We did this to protect your data against an internet-wide security vulnerability called ‘Heartbleed’. Heartbleed affects the OpenSSL framework which is used by many websites to privately send data to and from an internet server.

For you, this now means you’ll have to simply log back into Wunderlist. We also strongly recommend that you reset your password for Wunderlist.

We want you to know, that we’ve made Wunderlist’s Sync Service completely safe from Heartbleed, and this is how we’ve kept your data safe and sound:

As soon as we were made aware of Heartbleed, we protected your data by preemptively turning off our Sync Service, eliminating any potential security breaches by stopping all communication to our servers.
We deployed the updated OpenSSL libraries.
We then renewed all of our SSL certificates.
We logged out all users to ensure that everyone would create new, secure connections.

Want to know more?
If you have any questions or want to learn more, please take a read of our in-depth article at the Wunderlist Support Center. Also, one of our engineers, Duncan Davidson, has written a personal account of what happened in more technical detail.


Links :

http://support.wunderlist.com/customer/ ... april-2014
https://medium.com/p/804cdf4b48c1


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Sep 25, 2014 10:40 
8-Bit Champion
User avatar
Two heads are better than one

Joined: 16th Apr, 2008
Posts: 14518
New bug discovered - has been around "forever" and may be exploitable -

Cnet: http://www.cnet.com/news/bigger-than-he ... llshocked/
Guardian : http://www.theguardian.com/technology/2 ... heartbleed
CNN : http://money.cnn.com/2014/09/24/technol ... /bash-bug/

The Redhat notice about the bug and the patches available : https://securityblog.redhat.com/2014/09 ... on-attack/

There is not that much info about it yet but if its as widespread as its being suggested then expect problems


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Thu Sep 25, 2014 12:10 
User avatar
sneering elitist

Joined: 25th May, 2014
Posts: 4083
Location: Broseley
Some interesting info on it in the Hacker News thread too >
https://news.ycombinator.com/item?id=8365158

_________________
i make websites


Top
 Profile  
 
 Post subject: Re: Time to change passwords
PostPosted: Mon Jan 11, 2016 15:03 
User avatar
Prince of Fops

Joined: 14th May, 2009
Posts: 4357
Does anyone have any experience of Sticky Password?

There's an offer on the lifetime sub at the moment ($25, bargain fans). Am tempted as I feel like I'm resetting at least a couple of passwords a month these days, as my brain struggles to keep up with all the services I have a selection of passwords for.


Top
 Profile  
 
Display posts from previous:  Sort by  
Reply to topic  [ 20 posts ] 

All times are UTC [ DST ]


Who is online

Users browsing this forum: The Greys and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search within this thread:
You are using the 'Ted' forum. Bill doesn't really exist any more. Bogus!
Want to help out with the hosting / advertising costs? That's very nice of you.
Are you on a mobile phone? Try http://beex.co.uk/m/
RIP, Owen. RIP, MrC. RIP, Dimmers.

Powered by a very Grim... version of phpBB © 2000, 2002, 2005, 2007 phpBB Group.