Old 04-10-2014, 06:04 PM   #21
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jun 2008
Posts: 13,141
Here's another take...paraphrased as "we really don't know"

Quote:
So what does it mean for you? Ordinary Web users really have no way of finding out how relatively safe or unsafe the websites they use are, or to know what, if anything, to do at this point. Yes, you can visit this site to see if a website you use is still unpatched now (if so, don’t change your password yet). Or this one to see if it was vulnerable during a scan done Tuesday. If it had a problem and was fixed, you should change your password.

But was a website vulnerable at some earlier point, but then quietly fixed? There’s no easy way to answer that. Did anyone actually walk through open front doors and take anything? Nobody knows.
What Should You do About Heartbleed? Excellent Question. | MIT Technology Review
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline
Old 04-10-2014, 06:10 PM   #22
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,138
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
__________________
Retired since summer 1999.
audreyh1 is offline
Old 04-10-2014, 06:18 PM   #23
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jun 2008
Posts: 13,141
I guess this Heartbleed bug is a good test to see how well the different levels end up working.

In the back of my mind, I've always wondered if those challenge questions are safer or more dangerous to have.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline
Old 04-10-2014, 07:40 PM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jun 2008
Posts: 13,141
Quote:
Originally Posted by audreyh1 View Post
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
Good idea. I added some alerts to a couple of credit cards.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline
Old 04-10-2014, 07:54 PM   #25
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Apr 2003
Location: Hooverville
Posts: 22,983
Quote:
Originally Posted by MRG View Post
It just means the certificate is older than the fix. It means very little.

BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
MRG
Thanks MRG
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
haha is offline
Old 04-10-2014, 07:54 PM   #26
Administrator
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,121
Quote:
Originally Posted by audreyh1 View Post
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
I also like those options. I even set up double authentication on my Gmail account a couple of years ago. Problem is, when I eventually come to change my cell number I will have to go through those accounts to change the number, if I can remember which accounts have double authentication.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline
Old 04-10-2014, 11:11 PM   #27
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jun 2008
Posts: 13,141
I went ahead and did the test for Heartbleed bug on the majority of the sites that I visit. Looks like the ones I use all are OK for me to change the password. I also changed the challenge questions for my emails to be safe.

One site that seemed still questionable (unless I tested incorrectly) is HSA Bank when I used the LastPass Heartbleed checker.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline
Old 04-11-2014, 07:12 AM   #28
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jul 2006
Location: Pacific latitude 20/49
Posts: 7,677
Quote:
Originally Posted by audreyh1 View Post
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
__________________
For the fun of it...Keith
kcowan is offline
Old 04-11-2014, 07:36 AM   #29
Administrator
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,121
Quote:
Originally Posted by kcowan View Post
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
...but I think the Heartbleed bug may also allow the hacker to access your secret questions and answers as well.

My only financial institution that I am really sure of is my UK bank as I have a physical token that I have to carry around and use to log online with.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline
Old 04-11-2014, 09:22 AM   #30
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Apr 2013
Posts: 11,078
Why would questions/answers be in a 'web servers' memory? This issue applies to web servers when they convert data to SSL for secure communication.
Maybe I'm very confused.
MRG
MRG is offline
Old 04-11-2014, 09:34 AM   #31
Thinks s/he gets paid by the post
Join Date: Feb 2012
Location: Northern Ohio
Posts: 3,182
Quote:
Originally Posted by MRG View Post
Why would questions/answers be in a 'web servers' memory? This issue applies to web servers when they convert data to SSL for secure communication.
Maybe I'm very confused.
MRG
Today's XKCD does a really good job of explaining just what's happening:

xkcd: Heartbleed Explanation

Who knows what detritus is sitting around in the server's buffers.
mpeirce is offline
Old 04-11-2014, 09:53 AM   #32
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Mississippi
Posts: 1,894
Quote:
Originally Posted by kcowan View Post
For all my financial sites, they ask my secret questions whenever I log in for a different IP address. So I think I am safe because any "would be" hacker is not going to know my IP address.
It's not by IP address. The first time you connect it saves a cookie to your browser to remember the PC. If you connect from the same PC using a different browser it will do the security prompt again. You can see this also if you flush/delete cookies: you will have to do the security thing again. Most home users are on DHCP with your ISP, so your WAN IP will change periodically, and being behind a firewall your PC IP is not exposed to the internet.
rbmrtn is offline
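The "remember this PC" behaviour rbmrtn describes above, as an added Python example (not code from the thread or from any bank's site): the server mints a cookie after a successful login plus a passed challenge, signs it with a server-side key using an HMAC, and on later logins asks the step-up question only when the cookie is missing or fails verification. The key, user name and decision strings are constructed for the demonstration; the IP address plays no part, which is the point.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed server-side secret for this demonstration only; a real deployment
# keeps it in a secrets store and rotates it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(username: str, device_id: str, key: bytes) -> str:
    """HMAC-SHA256 over user and device id, so a cookie edited client-side fails."""
    return hmac.new(key, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Mint the cookie set once the user has passed the challenge from this browser.
    Value is username:random_device_id:tag; only the holder of key can produce the tag."""
    device_id = secrets.token_hex(16)
    return f"{username}:{device_id}:{_tag(username, device_id, key)}"


def device_is_known(cookie: Optional[str], username: str, key: bytes = SERVER_KEY) -> bool:
    """True only if the browser presented an untampered cookie issued for this user.
    A different browser on the same PC, or cleared cookies, yields None and so False."""
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 3:
        return False
    user, device_id, tag = parts
    if user != username:
        return False
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(_tag(username, device_id, key), tag)


def login_decision(username: str, password_ok: bool, cookie: Optional[str],
                   key: bytes = SERVER_KEY) -> str:
    """'deny' on a bad password; 'allow' from a recognised browser; 'step-up'
    (ask the security question / text the phone) from anything else."""
    if not password_ok:
        return "deny"
    return "allow" if device_is_known(cookie, username, key) else "step-up"


if __name__ == "__main__":
    c = issue_device_cookie("alice")
    print(login_decision("alice", True, c))      # recognised browser
    print(login_decision("alice", True, None))   # new browser or cookies cleared
    print(login_decision("alice", False, c))     # wrong password
```

The cookie should also be sent with the Secure and HttpOnly flags so it travels only over TLS and is not readable by page scripts; that is outside this snippet, which only shows why clearing cookies or switching browsers triggers the prompt again.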
Old 04-11-2014, 10:02 AM   #33
Administrator
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,121
Quote:
Originally Posted by mpeirce View Post
Today's XKCD does a really good job of explaining just what's happening:

xkcd: Heartbleed Explanation

Who knows what detritus is sitting around in the server's buffers.
That's a pretty neat cartoon explanation, thanks.

It does seem unlikely that questions and answers would be scooped up, but if I log on and get asked a security question because I'm using a different browser, I will answer that question and immediately have to enter my password so it is possible that one of my questions, answers and my password are held in the server cache.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline
Old 04-11-2014, 10:42 AM   #34
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by Alan View Post
That's a pretty neat cartoon explanation, thanks.

It does seem unlikely that questions and answers would be scooped up, but if I log on and get asked a security question because I'm using a different browser, I will answer that question and immediately have to enter my password so it is possible that one of my questions, answers and my password are held in the server cache.
You got it. Depending on server workload those buffers are very transient. On fully utilized machines the life of the data in the buffer is milliseconds at most. Technically it wouldn't have to wait for the IP send, as the web server now has the encrypted data if a retransmission is needed.

On a separate note, I had lunch yesterday with a couple of developers from a large financial organization. The one guy gets pulled into any major S*** storms.
Asked if the network and Internet teams were struggling? No, everything was fixed, day one, no big deal.
MRG
MRG is offline
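The mechanism behind MRG's question in #30, the XKCD strip in #31 and the "server cache" exchange in #33 and #34, reduced to a runnable model. This is an added Python example, not code from the thread or from OpenSSL: the "memory next to the record" it reads from is a constructed byte string standing in for whatever request the process handled a moment earlier (the transient buffer contents MRG describes). The vulnerable handler trusts the length field inside the heartbeat request and echoes that many bytes; the patched handler applies the bounds check OpenSSL 1.0.1g added, discarding any heartbeat whose claimed length does not fit inside the record that actually arrived.

```python
import struct
from typing import Optional

HB_REQUEST = 1   # heartbeat_request, RFC 6520
HB_RESPONSE = 2  # heartbeat_response
PADDING = 16     # minimum padding a heartbeat must carry

# Constructed stand-in for the process memory that happens to follow the
# heartbeat record: here the remains of a login form handled just before.
STALE_MEMORY = b"POST /login user=alice&password=hunter2&q1=maiden+name&a1=smith"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request: type (1 byte), payload_length (2 bytes),
    payload, padding. An honest client sets claimed_length == len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def handle_unpatched(record: bytes, memory_after_record: bytes) -> bytes:
    """Model of the pre-1.0.1g handler: it believes claimed_length and copies
    that many bytes from the start of the payload, running past the end of the
    record into whatever sits after it (modelled as memory_after_record)."""
    hb_type, claimed_length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return b""
    server_memory = record + memory_after_record
    echoed = server_memory[3:3 + claimed_length]
    return struct.pack("!BH", HB_RESPONSE, claimed_length) + echoed + b"\x00" * PADDING


def handle_patched(record: bytes) -> Optional[bytes]:
    """Model of the fixed handler: the claimed length must fit inside the
    record that was received; otherwise the message is silently discarded,
    which is what RFC 6520 prescribes for malformed heartbeats."""
    if 1 + 2 + PADDING > len(record):
        return None
    hb_type, claimed_length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + claimed_length + PADDING > len(record):
        return None  # would read beyond the record: drop it
    echoed = record[3:3 + claimed_length]
    return struct.pack("!BH", HB_RESPONSE, claimed_length) + echoed + b"\x00" * PADDING


def bytes_beyond_payload(response: bytes, sent_payload: bytes) -> bytes:
    """What the response echoes back beyond the payload the client sent:
    empty from a correct server, neighbouring memory from a vulnerable one."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length][len(sent_payload):]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    oversized = build_heartbeat(b"hello", 64)
    print(bytes_beyond_payload(handle_unpatched(honest, STALE_MEMORY), b"hello"))
    print(bytes_beyond_payload(handle_unpatched(oversized, STALE_MEMORY), b"hello"))
    print(handle_patched(oversized))
```

The model shows why the thread's advice holds: what comes back is whatever the server had in memory near the record at that instant, which may be another user's freshly submitted password or challenge answer, or nothing useful at all; the fix is a single length check that runs on every heartbeat, after which the only remaining question is what was exposed before the patch, which is why passwords get changed once a site is confirmed fixed.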
Old 04-11-2014, 11:12 AM   #35
Thinks s/he gets paid by the post
Join Date: Jul 2004
Posts: 1,431
Someone mentioned PenFed so I emailed them and asked them to post a status on their main page. Instead they sent a personal response and sent my request for consideration. Anyway, PenFed site is OK. Response below:

We received your request, and it was forwarded to the appropriate party for review and consideration.

HeartBleed is a security flaw discovered by a number of security firms. It's found in OpenSSL, which is used to protect sensitive data such as emails, passwords or credit card data.

PenFed systems do not utilize the technologies or configurations which make them vulnerable to the HeartBleed security flaw and we are confident that our systems have not been improperly accessed due to this vulnerability. PenFed will continue to remain vigilant in protecting our members' sensitive information.
Tadpole is offline
Old 04-11-2014, 12:25 PM   #36
Administrator
Join Date: Feb 2007
Location: Pacific NW
Posts: 6,168
Here's a good article with some updated info about password changes. Note the inclusion of Intuit (TurboTax) on this list.

The Heartbleed Hit List: The Passwords You Need to Change Right Now
__________________
E-R.org Custom Google Search | Meddle not in the affairs of dragons, for you are crunchy, and taste good with ketchup.
Janet H is offline
Old 04-11-2014, 02:18 PM   #37
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Apr 2003
Location: Hooverville
Posts: 22,983
Quote:
Originally Posted by Tadpole View Post
Someone mentioned PenFed so I emailed them and asked them to post a status on their main page. Instead they sent a personal response and sent my request for consideration. Anyway, PenFed site is OK. Response below:

We received your request, and it was forwarded to the appropriate party for review and consideration.

HeartBleed is a security flaw discovered by a number of security firms. It's found in OpenSSL, which is used to protect sensitive data such as emails, passwords or credit card data.

PenFed systems do not utilize the technologies or configurations which make them vulnerable to the HeartBleed security flaw and we are confident that our systems have not been improperly accessed due to this vulnerability. PenFed will continue to remain vigilant in protecting our members' sensitive information.
Thanks for this.

Ha
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
haha is offline
Old 04-11-2014, 06:07 PM   #38
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
This finally pushed me into using LastPass. I found it pretty easy to get used to. In changing some passwords, there could be a few sites with quirks.

So my password security is now like:
1) Financial (no changes) -- unique passwords unknown to LastPass
2) Might do some buying or use frequently -- LastPass
3) Minor sites like news -- use my old methodology
Lsbcal is offline
Old 04-13-2014, 03:23 PM   #39
Thinks s/he gets paid by the post
Join Date: Mar 2010
Location: Kerrville,Tx
Posts: 3,361
Note that there are at least two proprietary versions of SSL software: IBM and Microsoft. Solaris does use OpenSSL however. This may explain why few banks have been caught, being largely IBM shops (since the backends are mainframes and are needed to balance the books). They might be running their web front ends on mainframes under Linux. But it is not surprising that the two big software companies would write their own rather than go for the open version (MS has already said that it did). As lists become more complete it does appear that a large number of big banks have not been caught because they may be running IBM or Microsoft software.
meierlde is offline
Old 04-14-2014, 06:33 AM   #40
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jul 2006
Location: Pacific latitude 20/49
Posts: 7,677
CRA Netfile is back up this morning and the filing deadline has been extended by one week.
__________________
For the fun of it...Keith
kcowan is offline