04-09-2014, 11:36 AM
#1
Thinks s/he gets paid by the post
Join Date: Jul 2006
Location: Denver
Posts: 3,519
Heartbleed bug
A serious flaw was discovered in the OpenSSL software that could expose security credentials, encryption keys and passwords.
'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET
Since OpenSSL is widely used, this is a widespread issue.
LastPass is not affected, but has put up a site to check other websites.
https://lastpass.com/heartbleed/
I've sent a message to Vanguard, but haven't heard anything yet. Please update if you know about the status of the major financial institutions.
04-09-2014, 11:40 AM
#2
Thinks s/he gets paid by the post
Join Date: Jul 2006
Location: Denver
Posts: 3,519
From: finance.yahoo.com
Quote:
Amazon has said that its systems aren't vulnerable to Heartbleed. Google and Yahoo have said that they have remedied the bug on their key services
04-09-2014, 12:39 PM
#4
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by meierlde
|
Right, but this is mainly a server side exposure. Not many financial institutions allow Microsoft IIS exposure to the Internet, they may have IIS, behind the DMZ. The attached also states if you have IIS behind a spayer (common for Internet apps), you may have an exposure.
I used the LastPass site, pointed it at both Vanguard and Fidelity, and both times it said (based on the date of the site's key) there could be an exposure. I'm sure every financial institution is validating their exposure and implementing the fix to OpenSSL.
MRG
04-09-2014, 05:28 PM
#6
Thinks s/he gets paid by the post
Join Date: Jul 2006
Location: Denver
Posts: 3,519
Here's what I got back from Vanguard. No issue there.
Quote:
Vanguard has taken proactive measures to protect client information. We can confirm that the Heartbleed issue does not affect Vanguard's systems or websites. Clients can logon, access their accounts, perform transactions, and make changes 24 hours a day on vanguard.com.
Vanguard uses several methods and technologies to protect client accounts. These include security certificates, multi-step logon authentication, and communication with you when changes are made to your account. We cannot discuss specifics of the measures we take to protect client accounts, mainly to secure those measures that Vanguard uses. Protecting client accounts and personal information is a priority at Vanguard.
One precaution that clients can take is to ensure that you don't use the same password at Vanguard that you use at other websites. This and other steps that clients can take to stay safe online can be found at Vanguard - Security Center.
04-09-2014, 05:42 PM
#7
Thinks s/he gets paid by the post
Join Date: Jun 2004
Location: W Wash
Posts: 1,644
I had a prescheduled time with my Fido Advisor today and asked her about the status of Fidelity's web access. She had just gotten an internal missive advising that Fidelity does not use OpenSSL for their encryption.
I also found Fidelity on a list WaPo posted as not being vulnerable.
Nwsteve.
04-09-2014, 08:54 PM
#8
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,150
I've read various differing suggestions on how to act in the near term. From changing all your passwords immediately, to don't change your passwords now, to stay off the internet for a few days, to wait and see for a while.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
04-09-2014, 09:21 PM
#9
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
Quote:
Originally Posted by easysurfer
I've read various differing suggestions on how to act in the near term. From changing all your passwords immediately, to don't change your passwords now, to stay off the internet for a few days, to wait and see for a while.

The problem is on the server side, so changing your passwords without having them fix the problem on their end doesn't do anything. Just another bump of living on the www. The only real security is to not use it.
Here's a site tester:
Test your server for Heartbleed (CVE-2014-0160)
04-09-2014, 09:51 PM
#10
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
__________________
Retired since summer 1999.
04-09-2014, 11:19 PM
#11
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,150
Quote:
Originally Posted by audreyh1
|
Thanks for the Hit List. Very helpful!
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
04-10-2014, 05:34 AM
#12
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Feb 2006
Location: Washington, DC
Posts: 11,331
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.
__________________
Idleness is fatal only to the mediocre -- Albert Camus
04-10-2014, 07:44 AM
#13
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by donheff
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.

Think it depends. The error was in a library used for SSL encryption. This is mainly used on web servers or other internet-exposed IPs, routers, firewalls...
The concern I read about was being able to get the server's private SSL key. Most security-conscious providers don't allow application data to be stored on Internet-facing devices; it's buried behind a couple of firewalls and another application server.
That said, anything can happen; one application could use it for session data, no telling what's in that.
I messed up and didn't follow the 'stay offline' advice. Looking at my brokerage account last night, there's a few extra thousand dollars there, obviously fraud.
Seriously, I'm not changing passwords unless a provider sends a secure message telling me to.
MRG
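An added illustration of the flaw donheff and MRG are discussing above (example code written for this thread, not code from OpenSSL or from any poster): a simulated TLS heartbeat handler showing the missing length check that the CVE-2014-0160 fix added, beside the hardened version. The memory arena, the 4-byte payload and the session token are constructed values.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* TLS heartbeat messages carry 16 bytes of padding */

/* Simulated heartbeat handler. `rec` points at the message inside a larger
   memory arena; `rec_len` is the length the record layer actually delivered.
   Returns the response length, or -1 when the message is rejected. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap, int hardened)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    /* Peer-supplied 16-bit payload length, taken straight off the wire */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The CVE-2014-0160 fix: refuse any message whose declared payload
       (plus padding) does not fit inside the bytes actually received */
    if (hardened && (size_t)3 + claimed + HB_PADDING > rec_len)
        return -1;
    if ((size_t)3 + claimed > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Unpatched code trusts `claimed`, so this copy runs past the short
       payload and echoes whatever happens to sit next to it in memory */
    memcpy(out + 3, rec + 3, claimed);
    return (int)(3 + claimed);
}

/* Constructed scenario: a 4-byte payload that claims to be 64 bytes long,
   with an unrelated session token 40 bytes further along the same arena.
   Returns 1 if the token shows up in the response, 0 if not, -1 if rejected. */
int leaks_secret(int hardened)
{
    unsigned char arena[256] = {0};
    unsigned char out[256];
    const char *secret = "session=c0nstructed-t0ken";      /* constructed value */
    arena[0] = HB_REQUEST; arena[1] = 0x00; arena[2] = 0x40; /* claims 64 bytes */
    memcpy(arena + 3, "ping", 4);                            /* the real payload */
    memcpy(arena + 40, secret, strlen(secret));              /* neighbouring heap data */
    size_t delivered = 3 + 4 + HB_PADDING;                   /* what the wire carried */
    int n = handle_heartbeat(arena, delivered, out, sizeof out, hardened);
    if (n < 0) return -1;
    for (size_t i = 0; i + strlen(secret) <= (size_t)n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0) return 1;
    return 0;
}
```

The unpatched path returns the token because nothing ties the copy length to the bytes that were received; the hardened path discards the request before any copy happens.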
04-10-2014, 08:08 AM
#14
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2007
Posts: 13,228
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.
It's a pain, for sure, but I have a system for making unique passwords that isn't too hard to remember. I just changed the method a bit to make different unique passwords. If your password is the same on different sites, this is a good opportunity to make them unique. If I were a hacker and I gained access to someone's password on one site, I'd try that same password with the same or slightly different iterations of the userid on many other sites.
04-10-2014, 09:01 AM
#15
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Feb 2006
Location: Washington, DC
Posts: 11,331
Quote:
Originally Posted by RunningBum
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.

I tend to agree on email but other "affected" sites could be just about anything. The online DBs that show sites as clear can't tell you whether they were compromised before the patch was applied.
__________________
Idleness is fatal only to the mediocre -- Albert Camus
04-10-2014, 10:28 AM
#16
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,150
Quote:
Originally Posted by RunningBum
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites...

+1
I'm approaching the changes in a similar fashion. No way do I want to change all my passwords (too many and some seldom used). But the ones on the HIT LIST and stuff like credit card, bank accounts, I'll change for good measure.
I know some credit card sites aren't affected, but changing every so often is suggested good practice anyhow and shouldn't hurt.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
04-10-2014, 03:10 PM
#17
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 1,671
I read somewhere that you also need to change secret questions. Is that true?
04-10-2014, 05:28 PM
#18
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Apr 2003
Location: Hooverville
Posts: 22,983
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have more information?
I sure wish I could find a local bank paying reasonable interest on savings and CDs. By reasonable I only mean not too far from the big mail order banks.
Ha
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
04-10-2014, 05:36 PM
#19
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by haha
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have more information?
I sure wish I could find a local bank paying reasonable interest on savings and CDs. By reasonable I only mean not too far from the big mail order banks.
Ha

It just means the certificate is older than the fix. It means very little.
BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
MRG
04-10-2014, 05:56 PM
#20
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,150
Quote:
Originally Posted by jebmke
I read somewhere that you also need to change secret questions. Is that true?

I haven't read this, but it may very well be true.
I suppose if the hacker clicks on "forgot password" and the site lets the user do a reset right there and not first contact via email, I can see the hacker taking over the ID right there.
Darn, may have to do some changes to secret questions to be safe.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus