Old 04-10-2014, 07:04 PM   #21
easysurfer
Here's another take...paraphrased as "we really don't know"

Quote:
So what does it mean for you? Ordinary Web users really have no way of finding out how relatively safe or unsafe the websites they use are, or to know what, if anything, to do at this point. Yes, you can visit this site to see if a website you use is still unpatched now (if so, don't change your password yet). Or this one to see if it was vulnerable during a scan done Tuesday. If it had a problem and was fixed, you should change your password.

But was a website vulnerable at some earlier point, but then quietly fixed? There's no easy way to answer that. Did anyone actually walk through open front doors and take anything? Nobody knows.
What Should You do About Heartbleed? Excellent Question. | MIT Technology Review
Old 04-10-2014, 07:10 PM   #22
audreyh1
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
Old 04-10-2014, 07:18 PM   #23
easysurfer
I guess this Heartbleed bug is a good test to see how well the different levels end up working.

In the back of my mind, I've always wondered if those challenge questions are safer or more dangerous to have.
Old 04-10-2014, 08:40 PM   #24
easysurfer
Quote:
Originally Posted by audreyh1
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
Good idea. I added some alerts to a couple of credit cards.
Old 04-10-2014, 08:54 PM   #25
haha
Quote:
Originally Posted by MRG
It just means the certificate is older than the fix. It means very little.

BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
MRG
Thanks MRG
Old 04-10-2014, 08:54 PM   #26
Alan
Quote:
Originally Posted by audreyh1
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
I also like those options. I even set up double authentication on my Gmail account a couple of years ago. Problem is, when I eventually come to change my cell number I will have to go through those accounts to change the number, if I can remember which accounts have double authentication.
Old 04-11-2014, 12:11 AM   #27
easysurfer
I went ahead and did the test for Heartbleed bug on the majority of the sites that I visit. Looks like the ones I use all are OK for me to change the password. I also changed the challenge questions for my emails to be safe.

One site that seemed still questionable (unless I tested incorrectly) is HSA Bank when I used the LastPass Heartbleed checker.
Old 04-11-2014, 08:12 AM   #28
kcowan
Quote:
Originally Posted by audreyh1
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
Old 04-11-2014, 08:36 AM   #29
Alan
Quote:
Originally Posted by kcowan
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
...but I think the Heartbleed bug may also allow the hacker to access your secret questions and answers as well.

My only financial institution that I am really sure of is my UK bank as I have a physical token that I have to carry around and use to log online with.
Old 04-11-2014, 10:22 AM   #30
MRG
Why would questions/answers be in a web server's memory? This issue applies to web servers when they convert data to SSL for secure communication.
Maybe I'm very confused.
MRG
Old 04-11-2014, 10:34 AM   #31
mpeirce
Quote:
Originally Posted by MRG
Why would questions/answers be in a web server's memory? This issue applies to web servers when they convert data to SSL for secure communication.
Maybe I'm very confused.
MRG
Today's XKCD does a really good job of explaining just what's happening:

xkcd: Heartbleed Explanation

Who knows what detritus is sitting around in the server's buffers.
Old 04-11-2014, 10:53 AM   #32
rbmrtn
Quote:
Originally Posted by kcowan
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
It's not by IP address; the first time you connect it saves a cookie to your browser to remember the PC. If you connect from the same PC using a different browser it will do the security prompt again. You can see this also if you flush/delete cookies: you will have to do the security thing again. Most home users are on DHCP with your ISP, so your WAN IP will change periodically, and being behind a firewall your PC IP is not exposed to the internet.
Old 04-11-2014, 11:02 AM   #33
Alan
Quote:
Originally Posted by mpeirce
Today's XKCD does a really good job of explaining just what's happening:

xkcd: Heartbleed Explanation

Who knows what detritus is sitting around in the server's buffers.
That's a pretty neat cartoon explanation, thanks.

It does seem unlikely that questions and answers would be scooped up, but if I log on and get asked a security question because I'm using a different browser, I will answer that question and immediately have to enter my password so it is possible that one of my questions, answers and my password are held in the server cache.
Old 04-11-2014, 11:42 AM   #34
MRG
Quote:
Originally Posted by Alan
That's a pretty neat cartoon explanation, thanks.

It does seem unlikely that questions and answers would be scooped up, but if I log on and get asked a security question because I'm using a different browser, I will answer that question and immediately have to enter my password so it is possible that one of my questions, answers and my password are held in the server cache.
You got it. Depending on server workload those buffers are very transient. On fully utilized machines the life of the data in the buffer is milliseconds at most. Technically it wouldn't have to wait for the IP send, as the web server now has the encrypted data if a retransmission is needed.

On a separate note I had lunch yesterday with a couple of developers from a large financial organization. The one guy gets pulled into any major S*** storms.
Asked if the network and Internet teams were struggling? No, everything was fixed, day one, no big deal.
MRG
Old 04-11-2014, 12:12 PM   #35
Tadpole
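The buffer over-read that the xkcd cartoon linked above and MRG's reply describe, as an added example that is not code from this thread or from OpenSSL: a toy TLS heartbeat responder in the RFC 6520 record layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). An unchecked responder copies as many bytes as the peer claims, so whatever happens to sit after the short record in server memory is echoed back; the hardened version applies the length check the OpenSSL fix added and discards any record whose claimed payload does not fit. The function names and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the forum thread or from OpenSSL. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 minimum padding */

/* How many bytes beyond the received record an unchecked responder would
 * copy. It trusts the peer's claimed payload length in bytes 1..2 instead
 * of the record length it actually received; 0 means no over-read. */
size_t heartbeat_overread_bytes(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t actual  = rec_len - 3;          /* payload + padding actually present */
    return claimed > actual ? claimed - actual : 0;
}

/* Hardened responder: copy only when the whole claimed payload plus the
 * minimum padding fits inside the record that arrived. Returns the number
 * of payload bytes echoed, or -1 when the record is rejected (the patched
 * code path simply drops such a heartbeat instead of answering it). */
int heartbeat_respond(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check whose absence was Heartbleed: the claimed length
     * must be consistent with the bytes we actually received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    if (1 + 2 + payload_len + HB_PADDING > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);          /* echo only the payload */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* fresh padding, not peer bytes */
    return (int)payload_len;
}

/* Constructed sample records (not captured traffic). */
static unsigned char good_rec[1 + 2 + 5 + HB_PADDING] =
    { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };   /* claims 5, carries 5 */
static unsigned char bad_rec[5] =
    { HB_REQUEST, 0xff, 0xff, 'h', 'i' };                  /* claims 65535, carries 2 */

int main(void)
{
    unsigned char out[64];
    printf("good record: over-read %zu bytes, echoed %d payload bytes\n",
           heartbeat_overread_bytes(good_rec, sizeof good_rec),
           heartbeat_respond(good_rec, sizeof good_rec, out, sizeof out));
    printf("bad record:  over-read %zu bytes, responder returns %d\n",
           heartbeat_overread_bytes(bad_rec, sizeof bad_rec),
           heartbeat_respond(bad_rec, sizeof bad_rec, out, sizeof out));
    return 0;
}
```

The over-read count is what turns a five-byte request into tens of kilobytes of whatever the process last touched, which is why the thread's question of whether a password or challenge answer could be in that memory comes down to timing and server load rather than to anything the client can control.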
Someone mentioned PenFed so I emailed them and asked them to post a status on their main page. Instead they sent a personal response and sent my request for consideration. Anyway, PenFed site is OK. Response below:

We received your request, and it was forwarded to the appropriate party for review and consideration.

HeartBleed is a security flaw discovered by a number of security firms. It's found in OpenSSL, which is used to protect sensitive data such as emails, passwords or credit card data.

PenFed systems do not utilize the technologies or configurations which make them vulnerable to the HeartBleed security flaw and we are confident that our systems have not been improperly accessed due to this vulnerability. PenFed will continue to remain vigilant in protecting our member’s sensitive information.
Old 04-11-2014, 01:25 PM   #36
Janet H
Here's a good article with some updated info about password changes. Note the inclusion of Intuit (TurboTax) on this list.

The Heartbleed Hit List: The Passwords You Need to Change Right Now
Old 04-11-2014, 03:18 PM   #37
haha
Quote:
Originally Posted by Tadpole
Someone mentioned PenFed so I emailed them and asked them to post a status on their main page. Instead they sent a personal response and sent my request for consideration. Anyway, PenFed site is OK. Response below:

We received your request, and it was forwarded to the appropriate party for review and consideration.

HeartBleed is a security flaw discovered by a number of security firms. It's found in OpenSSL, which is used to protect sensitive data such as emails, passwords or credit card data.

PenFed systems do not utilize the technologies or configurations which make them vulnerable to the HeartBleed security flaw and we are confident that our systems have not been improperly accessed due to this vulnerability. PenFed will continue to remain vigilant in protecting our member's sensitive information.
Thanks for this.

Ha
Old 04-11-2014, 07:07 PM   #38
Lsbcal
This finally pushed me into using LastPass. I found it pretty easy to get used to. In changing some passwords, there could be a few sites with quirks.

So my password security is now like:
1) Financial (no changes) -- unique passwords unknown to LastPass
2) Might do some buying or use frequently -- LastPass
3) Minor sites like news -- use my old methodology
Old 04-13-2014, 04:23 PM   #39
meierlde
Note that there are at least two proprietary versions of SSL software: IBM and Microsoft. Solaris does use OpenSSL, however. This may explain why few banks have been caught, being largely IBM shops (since the backends are mainframes and are needed to balance the books). They might be running their web front ends on mainframes under Linux. But it is not surprising that the two big software companies would write their own rather than go for the open version (MS has already said that it did). As lists become more complete it does appear that a large number of big banks have not been caught because they may be running IBM or Microsoft software.
Old 04-14-2014, 07:33 AM   #40
kcowan
CRA Netfile is back up this morning and the filing deadline has been extended by one week.
All times are GMT -6.