Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Heartbleed bug
Old 04-09-2014, 12:36 PM   #1
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 2,676
Heartbleed bug

A serious flaw was discovered in the OpenSSL software that could expose security credentials, encryption keys and passwords.

'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET

Since OpenSSL is widely used, this is a widespread issue.

Last Pass is not affected, but has put up a site to check other websites.

https://lastpass.com/heartbleed/

I've sent a message to Vanguard, but haven't heard anything yet. Please update if you know about the status of the major financial institutions.
__________________

__________________
walkinwood is online now   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 04-09-2014, 12:40 PM   #2
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 2,676
From: finance.yahoo.com
Quote:
Amazon has said that its systems aren't vulnerable to Heartbleed. Google and Yahoo have said that they have remedied the bug on their key services
__________________

__________________
walkinwood is online now   Reply With Quote
Old 04-09-2014, 12:58 PM   #3
Thinks s/he gets paid by the post
 
Join Date: Mar 2010
Location: Kerrville,Tx
Posts: 2,714
Note this statement that no Microsoft technology uses open SSL which is where the bug lies : Is Microsoft NPS affected by an equivalent of the heartbleed bug that affects free radius

If on a mac check for updates.
If one Linux get the update (I had it installed automatically yesterday on opensuse)
__________________
meierlde is online now   Reply With Quote
Old 04-09-2014, 01:39 PM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,570
Quote:
Originally Posted by meierlde View Post
Note this statement that no Microsoft technology uses open SSL which is where the bug lies : Is Microsoft NPS affected by an equivalent of the heartbleed bug that affects free radius

If on a mac check for updates.
If one Linux get the update (I had it installed automatically yesterday on opensuse)
Right, but this is mainly a server side exposure. Not many financial institutions allow Microsoft IIS exposure to the Internet, they may have IIS, behind the DMZ. The attached also states if you have IIS behind a spayer (common for Internet apps), you may have an exposure.

I used the lastpass site, pointed it at both Vanguard and Fidelity, both times it said (based on date of the sites key) there could be an exposure. I'm sure every financial institution is validating their exposure and implementing the fix to openssl.
MRG
__________________
MRG is offline   Reply With Quote
Old 04-09-2014, 01:42 PM   #5
Full time employment: Posting here.
 
Join Date: Jul 2013
Posts: 567
Lots of devices are affected including Cisco/Checkpoint etc. We're busy patching things up.

https://isc.sans.edu/forums/diary/He...ications/17929
__________________
Target FI age /year: 50/2025
dvalley is offline   Reply With Quote
Old 04-09-2014, 06:28 PM   #6
Thinks s/he gets paid by the post
walkinwood's Avatar
 
Join Date: Jul 2006
Location: Denver
Posts: 2,676
Here's what I got back from Vanguard. No issue there
Quote:
Vanguard has taken proactive measures to protect client information. We can confirm that Heart Bleed issue does not affect Vanguard's systems or websites. Clients can logon, access their accounts, perform transactions, and make changes 24 hours a day on vanguard.com.

Vanguard uses several methods and technologies to protect client accounts. These include security certificates, multi-step logon authentication, and communication with you when changes are made to your account. We cannot discuss specifics of the measures we take to protect client accounts, mainly to secure those measures that Vanguard uses. Protecting client accounts and personal information is a priority at Vanguard.

One precaution that clients can take is to ensure that you don't use the same password at Vanguard that you use at other websites. This and other steps that clients can take to stay safe online can be found at Vanguard - Security Center.
__________________
walkinwood is online now   Reply With Quote
Old 04-09-2014, 06:42 PM   #7
Thinks s/he gets paid by the post
 
Join Date: Jun 2004
Location: E. Wash
Posts: 1,057
I had a preschedule time with my Fido Advisor today and asked her about status Fidelity's web access. She had just gotten a internal missive to advise Fidelity does not use OpenSSL for their encryption.
I also found Fidelity on a list WaPo posted as not being vulnerable
Nwsteve.
__________________
nwsteve is offline   Reply With Quote
Old 04-09-2014, 09:54 PM   #8
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,886
I've read various differing suggestion on how to act in the near term. From changing all your passwords immediately, to don't change your passwords now, to stay off the internet for a few days, to wait and see for awhile.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 04-09-2014, 10:21 PM   #9
Thinks s/he gets paid by the post
 
Join Date: Jul 2012
Location: Mississippi
Posts: 1,878
Quote:
Originally Posted by easysurfer View Post
I've read various differing suggestion on how to act in the near term. From changing all your passwords immediately, to don't change your passwords now, to stay off the internet for a few days, to wait and see for awhile.
The problem is on the server side, so changing your passwords without having them fix the problem on their end doesn't do anything. Just another bump of living on the www. The only real security is to not use it.

Here's a site tester

Test your server for Heartbleed (CVE-2014-0160)
__________________
rbmrtn is offline   Reply With Quote
Old 04-09-2014, 10:51 PM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,465
List of major sites and status.
The Heartbleed Hit List: The Passwords You Need to Change Right Now
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 04-10-2014, 12:19 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,886
Quote:
Originally Posted by audreyh1 View Post
Thanks for the Hit List. Very helpful!
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 04-10-2014, 06:34 AM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,642
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Old 04-10-2014, 08:44 AM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,570
Quote:
Originally Posted by donheff View Post
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.
Think it depends. The error was in a library used for SSL encryption. This is mainly used on web servers or other internet exposed IPs, routers firewalls......
The concern I read about was being able to get the server's private SSL key. Most security conscious providers don't allow for application data to be stored on Internet facing devices, it's burried behind a couple of firewalls and another application server.
That said anything can happen, one application could use it for session data, no telling what's in that.

I messed up didn't follow 'the stay offline advice'. Looking at my brokerage account last night, there's a few extra thousand dollars there, obviously fraud.

Seriously I'm not changing passwords unless a provider sents a secure message telling me to.
MRG
__________________
MRG is offline   Reply With Quote
Old 04-10-2014, 09:08 AM   #14
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RunningBum's Avatar
 
Join Date: Jun 2007
Posts: 5,175
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.

It's a pain, for sure, but I have a system for making unique passwords that isn't too hard to remember. I just changed the method a bit to make different unique passwords. If your password is the same on different sites, this is a good opportunity to make them unique. If I was a hacker and I gained access to someone's password on one site, I'd try that same password with the same or slightly different iterations of the userid on many other sites.
__________________
RunningBum is offline   Reply With Quote
Old 04-10-2014, 10:01 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,642
Quote:
Originally Posted by RunningBum View Post
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.
I tend to agree on email but other "affected" sites could be just about anything. The online DBs that show sites as clear can't tell you whether they were compromised before the patch was applied.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Old 04-10-2014, 11:28 AM   #16
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,886
Quote:
Originally Posted by RunningBum View Post
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites...
+1

I'm approaching the changes in a similar fashion. No way do I want to change all my passwords (too many and some seldom used). But the ones on the HIT LIST and stuff like credit card, bank accounts, I'll change for good measure.

I know some credit card sites aren't affected, but changing every so often is suggested good practice anyhow and shouldn't hurt.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 04-10-2014, 04:10 PM   #17
Full time employment: Posting here.
 
Join Date: Jan 2008
Posts: 882
I read somewhere that you also need to change secret questions. Is that true?
__________________
jebmke is offline   Reply With Quote
Old 04-10-2014, 06:28 PM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
haha's Avatar
 
Join Date: Apr 2003
Location: Hooverville
Posts: 22,384
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have mreo information?

I sure wish I could find a local bank paying reasonable interest on savings and cd-s. By reasonable I only mean not too far from the big mail order banks.

Ha
__________________
"As a general rule, the more dangerous or inappropriate a conversation, the more interesting it is."-Scott Adams
haha is offline   Reply With Quote
Old 04-10-2014, 06:36 PM   #19
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,570
Quote:
Originally Posted by haha View Post
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have mreo information?

I sure wish I could find a local bank paying reasonable interest on savings and cd-s. By reasonable I only mean not too far from the big mail order banks.

Ha
It just means the certificate is older than the fix. It means very little.

BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
MRG
__________________
MRG is offline   Reply With Quote
Old 04-10-2014, 06:56 PM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,886
Quote:
Originally Posted by jebmke View Post
I read somewhere that you also need to change secret questions. Is that true?
I haven't read this, but may very well be true.

I suppose if the hacker clicks on "forgot password" and the site lets the user do a reset right there and not first contact via email, I can see the hacker taking over the ID right there.

Darn..may have to do some changes to secret questions to be safe
__________________

__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
What's with the GOLD bug? charlottebandito Young Dreamers 2 06-21-2005 07:09 PM
Potential Form Bug moguls FIRE and Money 1 11-25-2002 11:36 PM

 

 
All times are GMT -6. The time now is 09:33 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.