Heartbleed bug

walkinwood

A serious flaw was discovered in the OpenSSL software that could expose security credentials, encryption keys and passwords.

'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET

Since OpenSSL is widely used, this is a widespread issue.

Last Pass is not affected, but has put up a site to check other websites.

https://lastpass.com/heartbleed/

I've sent a message to Vanguard, but haven't heard anything yet. Please update if you know about the status of the major financial institutions.
 
Note this statement that no Microsoft technology uses OpenSSL, which is where the bug lies: Is Microsoft NPS affected by an equivalent of the Heartbleed bug that affects FreeRADIUS

If on a Mac, check for updates.
If on Linux, get the update (I had it installed automatically yesterday on openSUSE).

Right, but this is mainly a server-side exposure. Not many financial institutions allow Microsoft IIS exposure to the Internet; they may have IIS behind the DMZ. The attached also states that if you have IIS behind a sprayer (common for Internet apps), you may have an exposure.

I used the LastPass site, pointed it at both Vanguard and Fidelity, and both times it said (based on the date of the site's key) there could be an exposure. I'm sure every financial institution is validating their exposure and implementing the fix to OpenSSL.
MRG
 
Here's what I got back from Vanguard. No issue there
Vanguard has taken proactive measures to protect client information. We can confirm that the Heartbleed issue does not affect Vanguard's systems or websites. Clients can log on, access their accounts, perform transactions, and make changes 24 hours a day on vanguard.com.

Vanguard uses several methods and technologies to protect client accounts. These include security certificates, multi-step logon authentication, and communication with you when changes are made to your account. We cannot discuss specifics of the measures we take to protect client accounts, mainly to secure those measures that Vanguard uses. Protecting client accounts and personal information is a priority at Vanguard.

One precaution that clients can take is to ensure that you don't use the same password at Vanguard that you use at other websites. This and other steps that clients can take to stay safe online can be found at Vanguard - Security Center.
 
I had a prescheduled appointment with my Fido advisor today and asked her about the status of Fidelity's web access. She had just gotten an internal missive advising that Fidelity does not use OpenSSL for their encryption.
I also found Fidelity on a list WaPo posted as not being vulnerable.
Nwsteve
 
I've read various differing suggestions on how to act in the near term, from changing all your passwords immediately, to don't change your passwords now, to stay off the Internet for a few days, to wait and see for a while.
 
> I've read various differing suggestions on how to act in the near term, from changing all your passwords immediately, to don't change your passwords now, to stay off the Internet for a few days, to wait and see for a while.

The problem is on the server side, so changing your passwords without having them fix the problem on their end doesn't do anything. Just another bump of living on the www. The only real security is to not use it.

Here's a site tester

Test your server for Heartbleed (CVE-2014-0160)
 
So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.
 
> So this vulnerability allows an attacker to download current RAM from the server. Does anyone out there know enough about this exploit and what is stored in RAM to judge how likely this is to provide massive exploitable info? My guess is that user data might stay in RAM for a few seconds, possibly more in a low use server. Is the vulnerability exploitable to the extent that attackers could write a script to continually hit the server and download multiple dumps thus getting data over time? Without being noticed by security software on key sites? If yes, maybe a serious issue. If no, much less likely to affect us. I don't relish replacing all of my passwords and wouldn't know when to start.

Think it depends. The error was in a library used for SSL encryption. This is mainly used on web servers or other Internet-exposed IPs, routers, firewalls...
The concern I read about was being able to get the server's private SSL key. Most security-conscious providers don't allow application data to be stored on Internet-facing devices; it's buried behind a couple of firewalls and another application server.
That said anything can happen, one application could use it for session data, no telling what's in that.

I messed up didn't follow 'the stay offline advice'. Looking at my brokerage account last night, there's a few extra thousand dollars there, obviously fraud.:cool:

Seriously, I'm not changing passwords unless a provider sends a secure message telling me to.
MRG
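The question above (how much a heartbeat can pull out of the server, and why one extra check closes it) as an added example written for this thread, not OpenSSL's own code: a toy model of the RFC 6520 heartbeat handler with the missing length check, and the same handler with the check the patch introduced (claimed payload plus header and padding must fit inside the record actually received). The flat `mem` array standing in for process memory, the `conn_t` struct, the offset of the "other live data" and the sample secret `sess=deadbeef` are all constructed assumptions; in the real bug the over-read walks into whatever heap allocations happen to sit after the record buffer.

```c
/*
 * Toy model of the TLS heartbeat handler (RFC 6520) behind CVE-2014-0160.
 * Illustration written for this thread; it is not OpenSSL's source.
 * Constructed assumptions: a flat byte array stands in for process memory,
 * the received record sits at offset 0 and some other live data (a session
 * token) sits a little further on, as it would in a real heap.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                 /* RFC 6520: at least 16 bytes of padding */
#define SECRET_OFF   64                 /* where the "other live data" lives (assumed) */
#define SECRET       "sess=deadbeef"    /* constructed sample secret */

typedef struct {
    uint8_t mem[128];                   /* modelled process memory */
    size_t  rlen;                       /* bytes of the heartbeat record actually received */
} conn_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Wire layout: type(1) | payload_length(2) | payload | padding(16). */

/* Vulnerable handler: believes the sender's payload_length and copies that many
 * bytes out of the receive buffer, past the bytes that actually arrived. */
static size_t heartbeat_vulnerable(const conn_t *c, uint8_t *out, size_t outcap)
{
    const uint8_t *p = c->mem;
    uint16_t payload = rd16(p + 1);                 /* attacker-controlled */
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > outcap)
        return 0;                                   /* bounds the output only */
    out[0] = HB_RESPONSE;
    wr16(out + 1, payload);
    memcpy(out + 3, p + 3, payload);                /* over-read: nothing ties payload to rlen */
    memset(out + 3 + payload, 0, HB_PADDING);
    return need;
}

/* Fixed handler: same code plus the check the patch added. */
static size_t heartbeat_fixed(const conn_t *c, uint8_t *out, size_t outcap)
{
    const uint8_t *p = c->mem;
    if (c->rlen < 1 + 2 + HB_PADDING)
        return 0;                                   /* too short to be a heartbeat */
    uint16_t payload = rd16(p + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > c->rlen)
        return 0;                                   /* silently drop: this is the fix */
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > outcap)
        return 0;
    out[0] = HB_RESPONSE;
    wr16(out + 1, payload);
    memcpy(out + 3, p + 3, payload);                /* now provably within the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return need;
}

/* Place a heartbeat request that claims `claimed` payload bytes but really
 * carries `real` bytes of 'A', and park the sample secret nearby in memory. */
static void make_record(conn_t *c, uint16_t claimed, size_t real)
{
    memset(c, 0, sizeof *c);
    if (real > 40) real = 40;                                   /* keep the real payload clear of the secret */
    if (claimed > sizeof c->mem - 3) claimed = (uint16_t)(sizeof c->mem - 3); /* keep the demo's over-read inside modelled memory */
    c->mem[0] = HB_REQUEST;
    wr16(c->mem + 1, claimed);
    memset(c->mem + 3, 'A', real);
    c->rlen = 1 + 2 + real + HB_PADDING;                        /* what actually came off the wire */
    memcpy(c->mem + SECRET_OFF, SECRET, strlen(SECRET));
}

/* Does the response carry the secret? */
static int response_leaks(const uint8_t *out, size_t n)
{
    size_t sl = strlen(SECRET);
    for (size_t i = 0; i + sl <= n; i++)
        if (memcmp(out + i, SECRET, sl) == 0)
            return 1;
    return 0;
}

/* Run one request through the chosen handler; returns the response length
 * (0 = dropped) and reports whether the secret came back. */
static size_t run_scenario(uint16_t claimed, size_t real, int use_fix, int *leaked)
{
    conn_t c;
    uint8_t out[256] = {0};
    make_record(&c, claimed, real);
    size_t n = use_fix ? heartbeat_fixed(&c, out, sizeof out)
                       : heartbeat_vulnerable(&c, out, sizeof out);
    *leaked = response_leaks(out, n);
    return n;
}

static size_t scenario_len(uint16_t claimed, size_t real, int use_fix)
{ int l; return run_scenario(claimed, real, use_fix, &l); }

static int scenario_leaks(uint16_t claimed, size_t real, int use_fix)
{ int l; run_scenario(claimed, real, use_fix, &l); return l; }

int main(void)
{
    int leaked;
    size_t n = run_scenario(80, 1, 0, &leaked);
    printf("vulnerable: claimed 80, sent 1 -> %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_scenario(80, 1, 1, &leaked);
    printf("fixed:      claimed 80, sent 1 -> %zu-byte response (0 = dropped), leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_scenario(1, 1, 1, &leaked);
    printf("fixed:      honest 1-byte heartbeat -> %zu-byte response\n", n);
    return 0;
}
```

Two things the toy makes concrete for the thread's question: the attacker chooses the claimed length, so a single request pulls out whatever happens to sit after the record (here the sample token), and nothing in the vulnerable path logs or refuses anything, so repeating the request is just sending the same 20 bytes again. The fixed handler drops the malformed record without replying, which is also why a patched server returns nothing to the online testers.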
 
I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.

It's a pain, for sure, but I have a system for making unique passwords that isn't too hard to remember. I just changed the method a bit to make different unique passwords. If your password is the same on different sites, this is a good opportunity to make them unique. If I was a hacker and I gained access to someone's password on one site, I'd try that same password with the same or slightly different iterations of the userid on many other sites.
 
> I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites.
I tend to agree on email but other "affected" sites could be just about anything. The online DBs that show sites as clear can't tell you whether they were compromised before the patch was applied.
 
> I changed my passwords on the affected sites. Seems like cheap insurance in case someone does hack me. Email especially is a good one, since someone can often use that to request a new password from other sites...

+1

I'm approaching the changes in a similar fashion. No way do I want to change all my passwords (too many and some seldom used). But the ones on the HIT LIST and stuff like credit card, bank accounts, I'll change for good measure.

I know some credit card sites aren't affected, but changing every so often is suggested good practice anyhow and shouldn't hurt.
 
I read somewhere that you also need to change secret questions. Is that true?
 
I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have more information?

I sure wish I could find a local bank paying reasonable interest on savings and CDs. By reasonable I only mean not too far from the big mail-order banks.

Ha
 
> I did that LastPass test on Pernfed.org and it said likely vulnerable. Anyone have more information?
>
> I sure wish I could find a local bank paying reasonable interest on savings and CDs. By reasonable I only mean not too far from the big mail-order banks.
>
> Ha

It just means the certificate is older than the fix. It means very little.

BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
MRG
 
> I read somewhere that you also need to change secret questions. Is that true?

I haven't read this, but may very well be true.

I suppose if the hacker clicks on "forgot password" and the site lets the user do a reset right there and not first contact via email, I can see the hacker taking over the ID right there.

Darn..may have to do some changes to secret questions to be safe :facepalm:
 
Here's another take...paraphrased as "we really don't know" :facepalm:

So what does it mean for you? Ordinary Web users really have no way of finding out how relatively safe or unsafe the websites they use are, or to know what, if anything, to do at this point. Yes, you can visit this site to see if a website you use is still unpatched now (if so, don’t change your password yet). Or this one to see if it was vulnerable during a scan done Tuesday. If it had a problem and was fixed, you should change your password.

But was a website vulnerable at some earlier point, but then quietly fixed? There’s no easy way to answer that. Did anyone actually walk through open front doors and take anything? Nobody knows.

What Should You do About Heartbleed? Excellent Question. | MIT Technology Review
 
Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.
 
I guess this Heartbleed bug is a good test to see how well the different levels end up working.

In the back of my mind, I've always wondered if those challenge questions are safer or more dangerous to have.
 
> Many of my sites recognize my computer, and you have to go through additional levels of security from a new computer, plus you get signaled on your cellphone of changes, etc., etc.

Good idea. I added some alerts to a couple of credit cards.
 
> It just means the certificate is older than the fix. It means very little.
>
> BTW - had lunch with a couple of guys that always get pulled into S-storms. Neither had been put on alert.
> MRG
Thanks MRG
 