Heartbleed bug
Old 04-09-2014, 11:36 AM   #1
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 3,519

A serious flaw was discovered in the OpenSSL software that could expose security credentials, encryption keys and passwords.

'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET

Since OpenSSL is widely used, this is a widespread issue.

Last Pass is not affected, but has put up a site to check other websites.

https://lastpass.com/heartbleed/

I've sent a message to Vanguard, but haven't heard anything yet. Please update if you know about the status of the major financial institutions.
walkinwood is offline   Reply With Quote
Old 04-09-2014, 11:40 AM   #2
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 3,519
From: finance.yahoo.com
Quote:
Amazon has said that its systems aren't vulnerable to Heartbleed. Google and Yahoo have said that they have remedied the bug on their key services
walkinwood is offline   Reply With Quote
Old 04-09-2014, 11:58 AM   #3
Thinks s/he gets paid by the post
 
Join Date: Mar 2010
Location: Kerrville,Tx
Posts: 3,361
Note this statement that no Microsoft technology uses OpenSSL, which is where the bug lies: Is Microsoft NPS affected by an equivalent of the heartbleed bug that affects free radius

If on a Mac, check for updates.
If on Linux, get the update (I had it installed automatically yesterday on openSUSE)
meierlde is offline   Reply With Quote
Old 04-09-2014, 12:39 PM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by meierlde View Post
Note this statement that no Microsoft technology uses OpenSSL, which is where the bug lies: Is Microsoft NPS affected by an equivalent of the heartbleed bug that affects free radius

If on a Mac, check for updates.
If on Linux, get the update (I had it installed automatically yesterday on openSUSE)
Right, but this is mainly a server-side exposure. Not many financial institutions allow Microsoft IIS exposure to the Internet; they may have IIS behind the DMZ. The attached also states if you have IIS behind a spayer (common for Internet apps), you may have an exposure.

I used the LastPass site, pointed it at both Vanguard and Fidelity, and both times it said (based on the date of the site's key) there could be an exposure. I'm sure every financial institution is validating their exposure and implementing the fix to OpenSSL.
MRG
MRG is offline   Reply With Quote
Old 04-09-2014, 12:42 PM   #5
Thinks s/he gets paid by the post
 
Join Date: Jul 2013
Posts: 1,046
Lots of devices are affected including Cisco/Checkpoint etc. We're busy patching things up.

https://isc.sans.edu/forums/diary/He...ications/17929
dvalley is offline   Reply With Quote
Old 04-09-2014, 05:28 PM   #6
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 3,519
Here's what I got back from Vanguard. No issue there
Quote:
Vanguard has taken proactive measures to protect client information. We can confirm that the Heartbleed issue does not affect Vanguard's systems or websites. Clients can log on, access their accounts, perform transactions, and make changes 24 hours a day on vanguard.com.

Vanguard uses several methods and technologies to protect client accounts. These include security certificates, multi-step logon authentication, and communication with you when changes are made to your account. We cannot discuss specifics of the measures we take to protect client accounts, mainly to secure those measures that Vanguard uses. Protecting client accounts and personal information is a priority at Vanguard.

One precaution that clients can take is to ensure that you don't use the same password at Vanguard that you use at other websites. This and other steps that clients can take to stay safe online can be found at Vanguard - Security Center.
walkinwood is offline   Reply With Quote
Old 04-09-2014, 05:42 PM   #7
Thinks s/he gets paid by the post
 
Join Date: Jun 2004
Location: W Wash
Posts: 1,644
I had a prescheduled time with my Fido Advisor today and asked her about the status of Fidelity's web access. She had just gotten an internal missive to advise that Fidelity does not use OpenSSL for their encryption.
I also found Fidelity on a list WaPo posted as not being vulnerable.
Nwsteve.
nwsteve is offline   Reply With Quote
Old 04-09-2014, 08:54 PM   #8
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 13,150
I've read various differing suggestions on how to act in the near term. From changing all your passwords immediately, to don't change your passwords now, to stay off the internet for a few days, to wait and see for a while.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 04-09-2014, 09:21 PM   #9
Thinks s/he gets paid by the post
 
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
Quote:
Originally Posted by easysurfer View Post
I've read various differing suggestions on how to act in the near term. From changing all your passwords immediately, to don't change your passwords now, to stay off the internet for a few days, to wait and see for a while.
The problem is on the server side, so changing your passwords without having them fix the problem on their end doesn't do anything. Just another bump of living on the www. The only real security is to not use it.

Here's a site tester

Test your server for Heartbleed (CVE-2014-0160)
rbmrtn is offline   Reply With Quote
Old 04-09-2014, 09:51 PM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,145
List of major sites and status.
The Heartbleed Hit List: The Passwords You Need to Change Right Now
__________________
Retired since summer 1999.
audreyh1 is offline   Reply With Quote
Old 04-09-2014, 11:19 PM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 13,150
Quote:
Originally Posted by audreyh1 View Post
Thanks for the Hit List. Very helpful!
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 04-10-2014, 05:34 AM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 11,331
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.
__________________
Idleness is fatal only to the mediocre -- Albert Camus
donheff is online now   Reply With Quote
Old 04-10-2014, 07:44 AM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by donheff View Post
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.
Think it depends. The error was in a library used for SSL encryption. This is mainly used on web servers or other internet-exposed IPs, routers, firewalls...
The concern I read about was being able to get the server's private SSL key. Most security-conscious providers don't allow application data to be stored on Internet-facing devices; it's buried behind a couple of firewalls and another application server.
That said, anything can happen; one application could use it for session data, no telling what's in that.

I messed up and didn't follow 'the stay offline advice'. Looking at my brokerage account last night, there's a few extra thousand dollars there, obviously fraud.

Seriously, I'm not changing passwords unless a provider sends a secure message telling me to.
MRG
MRG is offline   Reply With Quote
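The two posts above ask what the bug actually lets a client read and why. As an added example, not code from this thread or from OpenSSL itself: a simplified C validator for the TLS heartbeat message (RFC 6520) that applies the length check the CVE-2014-0160 fix introduced, so a request that declares more payload than the record carries is dropped instead of answered. The function names, constants and sample bytes are mine and assumed for illustration.

```c
/* Added example (not the thread's or OpenSSL's code): RFC 6520 heartbeat
 * validation of the kind the CVE-2014-0160 fix added. A heartbeat message
 * is: type (1 byte), payload_length (2 bytes, big-endian), payload, then
 * at least 16 bytes of padding. The bug was trusting payload_length and
 * copying that many bytes into the reply even when the record carried
 * fewer, so the reply echoed whatever sat after the record in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_MIN_PADDING  16

/* Return the declared payload length if the record is well formed,
 * or -1 if it must be discarded silently (as the patched code does). */
int validate_heartbeat(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)   /* header + padding cannot fit */
        return -1;
    uint8_t type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check the fix added: declared payload plus header and minimum
     * padding must fit inside the bytes that were actually received. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;
    return (int)payload;
}

/* Build a reply, copying only bytes the request really carries.
 * Returns bytes written to out, or -1 if the request is rejected. */
int build_heartbeat_reply(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_len)
{
    int payload = validate_heartbeat(rec, rec_len);
    if (payload < 0 || rec[0] != HB_REQUEST)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (need > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);      /* bounded by the check */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);   /* real code uses random padding */
    return (int)need;
}
```

A well-formed request is echoed back; a request whose declared length exceeds the record is rejected, which is also the condition network IDS signatures for Heartbleed look for.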
Old 04-10-2014, 08:08 AM   #14
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RunningBum's Avatar
 
Join Date: Jun 2007
Posts: 13,228
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.

It's a pain, for sure, but I have a system for making unique passwords that isn't too hard to remember. I just changed the method a bit to make different unique passwords. If your password is the same on different sites, this is a good opportunity to make them unique. If I was a hacker and I gained access to someone's password on one site, I'd try that same password with the same or slightly different iterations of the userid on many other sites.
RunningBum is offline   Reply With Quote
Old 04-10-2014, 09:01 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 11,331
Quote:
Originally Posted by RunningBum View Post
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.
I tend to agree on email but other "affected" sites could be just about anything. The online DBs that show sites as clear can't tell you whether they were compromised before the patch was applied.
__________________
Idleness is fatal only to the mediocre -- Albert Camus
donheff is online now   Reply With Quote
Old 04-10-2014, 10:28 AM   #16
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 13,150
Quote:
Originally Posted by RunningBum View Post
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites...
+1

I'm approaching the changes in a similar fashion. No way do I want to change all my passwords (too many and some seldom used). But the ones on the HIT LIST and stuff like credit card, bank accounts, I'll change for good measure.

I know some credit card sites aren't affected, but changing every so often is suggested good practice anyhow and shouldn't hurt.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 04-10-2014, 03:10 PM   #17
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,671
I read somewhere that you also need to change secret questions. Is that true?
jebmke is online now   Reply With Quote
Old 04-10-2014, 05:28 PM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
haha's Avatar
 
Join Date: Apr 2003
Location: Hooverville
Posts: 22,983
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have more information?

I sure wish I could find a local bank paying reasonable interest on savings and CDs. By reasonable I only mean not too far from the big mail-order banks.

Ha
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
haha is offline   Reply With Quote
Old 04-10-2014, 05:36 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by haha View Post
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have more information?

I sure wish I could find a local bank paying reasonable interest on savings and CDs. By reasonable I only mean not too far from the big mail-order banks.

Ha
It just means the certificate is older than the fix. It means very little.

BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
MRG
MRG is offline   Reply With Quote
Old 04-10-2014, 05:56 PM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 13,150
Quote:
Originally Posted by jebmke View Post
I read somewhere that you also need to change secret questions. Is that true?
I haven't read this, but may very well be true.

I suppose if the hacker clicks on "forgot password" and the site lets the user do a reset right there and not first contact via email, I can see the hacker taking over the ID right there.

Darn... may have to do some changes to secret questions to be safe.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote