Heartbleed bug

Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.

I also like those options. I even set up double authentication on my Gmail account a couple of years ago. Problem is when I eventually come to change my cell number I will have to go through those accounts to change the number, if I can remember which accounts have double authentication :facepalm:
 
I went ahead and did the test for Heartbleed bug on the majority of the sites that I visit. Looks like the ones I use all are OK for me to change the password. I also changed the challenge questions for my emails to be safe.

One site that seemed still questionable (unless I tested incorrectly :() is HSA Bank when I used the LastPass Heartbleed checker.
 
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
 
..but I think the heart bleed bug may also allow the hacker to access your secret questions and answers as well :nonono:

My only financial institution that I am really sure of is my UK bank as I have a physical token that I have to carry around and use to log online with.
 
Why would questions/answers be in a 'web servers' memory? This issue applies to web servers when they convert data to SSL for secure communication.
Maybe I'm very confused.
MRG
 
Today's XKCD does a really good job of explaining just what's happening:

xkcd: Heartbleed Explanation

Who knows what detritus is sitting around in the server's buffers.
 
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.

It's not by IP address; the first time you connect it saves a cookie to your browser to remember the PC. If you connect from the same PC using a different browser it will do the security prompt again. You can see this also if you flush/delete cookies: you will have to do the security thing again. Most home users are on DHCP with your ISP so your WAN IP will change periodically, and being behind a firewall your PC IP is not exposed to the internet.
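The cookie-based device recognition described in the post above, as an added example that is not part of the thread: the server signs a "remembered device" cookie and uses it, not the client's IP address, to decide whether the security-question step-up is needed. The key, cookie layout and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for the example; a real deployment would load it from a secret store.
SERVER_KEY = b"constructed-example-key-not-for-real-use"


def _tag(username: str, device_id: str) -> str:
    """HMAC binding a device id to a user, so a cookie cannot be forged or moved between accounts."""
    return hmac.new(SERVER_KEY, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(username: str) -> str:
    """Mint a 'remember this PC' cookie: random device id plus the server's tag (assumed layout)."""
    device_id = secrets.token_hex(16)
    return f"{username}:{device_id}:{_tag(username, device_id)}"


def device_is_known(username: str, cookie: Optional[str]) -> bool:
    """True only if the cookie was minted by this server for this user and is untampered."""
    if not cookie:
        return False                      # new browser, or cookies were flushed
    parts = cookie.rsplit(":", 2)         # rsplit so a username containing ':' still parses
    if len(parts) != 3:
        return False
    cookie_user, device_id, tag = parts
    if cookie_user != username:
        return False                      # cookie belongs to a different account
    return hmac.compare_digest(_tag(username, device_id), tag)


def login(username: str, cookie: Optional[str]) -> dict:
    """Decide whether the security-question step-up is required.
    Assumes the password check already succeeded (omitted here)."""
    if device_is_known(username, cookie):
        return {"step_up": False, "cookie": cookie}
    # Unknown device: ask the extra question, then hand back a fresh cookie for this browser.
    return {"step_up": True, "cookie": issue_device_cookie(username)}
```

Because the decision depends only on the cookie, a different browser on the same PC (no cookie) or a changed WAN address (cookie still present) behaves exactly as the post describes.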
 
That's a pretty neat cartoon explanation, thanks.

It does seem unlikely that questions and answers would be scooped up, but if I log on and get asked a security question because I'm using a different browser, I will answer that question and immediately have to enter my password, so it is possible that one of my questions, answers and my password are held in the server cache.
 
You got it. Depending on server workload those buffers are very transient. On fully utilized machines the life of the data in the buffer is milliseconds at most. Technically it wouldn't have to wait for the IP send, as the web server now has the encrypted data if a retransmission is needed.

On a separate note I had lunch yesterday with a couple of developers from a large financial organization. The one guy gets pulled into any major S*** storms.
Asked if the network, Internet teams were struggling? No everything was fixed, day one, no big deal.
MRG
 
Someone mentioned PenFed so I emailed them and asked them to post a status on their main page. Instead they sent a personal response and sent my request for consideration. Anyway, PenFed site is OK. Response below:

We received your request, and it was forwarded to the appropriate party for review and consideration.

HeartBleed is a security flaw discovered by a number of security firms. It's found in OpenSSL, which is used to protect sensitive data such as emails, passwords or credit card data.

PenFed systems do not utilize the technologies or configurations which make them vulnerable to the HeartBleed security flaw and we are confident that our systems have not been improperly accessed due to this vulnerability. PenFed will continue to remain vigilant in protecting our members' sensitive information.
 
Thanks for this.

Ha
 
This finally pushed me into using LastPass. I found it pretty easy to get used to. In changing some passwords, there could be a few sites with quirks.

So my password security is now like:
1) Financial (no changes) -- unique passwords unknown to LastPass
2) Might do some buying or use frequently -- LastPass
3) Minor sites like news -- use my old methodology
 
Note that there are two proprietary versions of SSL software at least: IBM and Microsoft. Solaris does use OpenSSL however. This may explain why few banks have been caught, being largely IBM shops (since the backends are mainframes and are needed to balance the books). They might be running their web front ends on mainframes under Linux. But it is not surprising that the two big software companies would write their own rather than go for the open version (MS has already said that it did). As lists become more complete it does appear that a large number of big banks have not been caught because they may be running IBM or Microsoft software.
 
CRA Netfile is back up this morning and the filing deadline has been extended by one week.
 
Not sure where to start this effort but this seems like a good place.

"Security professionals have said for a long while that we should all add more layers to our verification systems. Two-factor security adds something you have. Often it’s a token, such as from SecurID, or it could be a one-off code sent to a mobile phone to prove you have your phone. ATM cards require you to have the card, and know the PIN number." On credit cards, outside of the USA, two-factor security is the norm.

I am suggesting that the people who participate on this forum encourage the websites we use, especially financial ones, to institute 2-factor verification methods. Just drop a quick email and tell them as a customer, you are willing to execute this extra log-in step. Ask your friends to participate via FB, Google+ page, etc.

The technology exists and can be done fairly easily but frankly most of us resist it. So, many companies have worked hard to make their sites as safe as possible. But nowhere as safe as it could be if we as consumers are willing to do more when we log in and force the issue with our providers.

I hope you consider starting this groundswell.
 
... Two-factor security adds something you have. Often it’s a token, such as from SecurID, or it could be a one-off code sent to a mobile phone to prove you have your phone.

...

I hope you consider starting this groundswell.

JMO, but I really don't want to have to refer to a SecureID type device for every financial/retail site I log onto. I believe that reasonable security can be achieved w/o that level, but it certainly is a more secure way to do it, and may be appropriate in many cases.

But financial companies should do the basics. And Vanguard is terrible in this respect. It's been discussed here before, but I think you motivated me to contact them (though I really don't log on there very often). The problems:

1) You enter username on one page, if valid, you proceed to the next page. If invalid, you get a message.

This is very bad. It isn't hard for a robot to find valid usernames. With that info, it can start testing passwords.

2) The max password length is pretty short (forget exactly how many char). But I had to use a shorter PW than what I would normally use with my current 'system'.

This makes #1 even worse.

For me, the real question is just who was affected by this bug? I haven't heard of any actual events. I think they need to take care of basics before going to extremes.

-ERD50
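The username-check weakness in point 1 above, as an added illustration that is not the thread's or Vanguard's code: a login handler whose first step answers differently for unknown usernames, beside one that returns a single uniform response and does the same hashing work whether or not the account exists. User records, passwords and messages are constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed setting for the illustration


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are not reversible if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy record so a lookup for an unknown user costs the same as a real one (no timing tell-tale)
_DUMMY = (_SALT, _hash("placeholder", _SALT))


def leaky_login(username: str, password: str) -> str:
    """Two-page flow as described in point 1: the username check alone reveals valid accounts."""
    if username not in USERS:
        return "Unknown username"         # distinct message: a robot can enumerate usernames
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "Welcome"
    return "Wrong password"               # also distinct from the unknown-user case


def uniform_login(username: str, password: str) -> str:
    """Hardened flow: both fields are checked together and every failure looks identical."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    ok = matched and username in USERS    # the dummy record can never log anyone in
    return "Welcome" if ok else "Invalid username or password"
```

The uniform response removes the enumeration step; a per-account and per-source attempt limit is still needed to make the short password lengths mentioned in point 2 matter less.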
 
I doubt we will see two factor authentication widely used soon. It is too much of a PITA for most of us. I tried it with Gmail for a while but found the hassle too much to take, and I am patient with this stuff.
 
The CRA has announced that 900 SSNs (SINs) have been compromised and the affected parties will be notified by registered letter. This seems to imply that the affected are not active online users.
 
From the point of view of the companies the issue is the cost of losses using the current system versus the cost of upgrading security. Consider how long it has taken to go to chip and pin for credit card losses. If the losses are less than the costs of change then it's just a cost of doing business and you absorb it.
Security measures are evaluated on the risk being mitigated, and if the costs and benefits don't work out then they are not introduced.
 
meierlde - You are right that we are mostly protected, at least our credit cards. I expect if our brokerage accounts are emptied, perhaps someone will provide payback. But the cost to add the second level is really not that much. SS is able to do it.

I recommend using a password generator since it makes my life easier. I am using Keepass. It is copy and paste for user name and password. It works on my computer and tablet. Keeps the URL and the date the password was last updated. I like Keepass because it is offline but many people are happy with online generators.

Like any type of theft, it does not happen often. All theft prevention techniques, from locking house/car, using a bank to store your cash, etc., are inconvenient. In my estimation, two level verification is as easy as using a key to open your front door. And, perhaps, provides even more protection for at least as much assets.
 
2) The max password length is pretty short (forget exactly how many char). But I had to use a shorter PW than what I would normally use with my current 'system'.

Vanguard has increased the password length to 20 characters IIRC. If it isn't 20 it is 16, too lazy to check mine. I think 16 is excellent and 20 even better. Mine is a jumble of all different characters and numbers and I feel safe.

As to 2 factor authentication at Vanguard maybe by 2030! I was after them for at least 3 years (as were many based upon the BH site comments when password threads arise) to increase the length of the password and accept case sensitivity.
 