All times are UTC - 7 hours
Post subject: Heartbleed - internet flaw - FYI
Posted: Fri Apr 11, 2014 10:22 am

Joined: Mon Jul 16, 2007 6:51 pm
Posts: 25353
Location: Witness Protection Program
This is not a virus. It is a flaw in the OpenSSL security system used by most systems on the web.

The fix must be applied to the web server you are contacting. The only people that this will affect on this forum are those who have their own web servers or run web servers for their employer.

The coding keys and certificates located on the servers, which are used to establish a secure connection with the customer (you) are currently open to the hackers. They can use this information to intercept and decrypt any supposedly secure communications with the server.

If you wish to avoid exposure, stop doing any transactions with anyone via the web, until they have been certified as "fixed".
This bug also applies to most routers and switches in use, including Cisco products (Cisco is working on a fix). I have not heard of other manufacturers working on updates (they may be, I just haven't heard).
***********************************
Here's a great breakdown of the important stuff, from the Sans Institute:

"With more mass-media attention to the heartbleed bug, we are getting more questions from "normal users" about the heartbleed bug.

The "Heartbleed" bug is not affecting end users using Windows. It does not affect standard Windows browsers (Internet Explorer, Firefox, Chrome). It may affect some selected third party software, but most likely, you do not need to patch anything. The only widely used consumer platform vulnerable is Android 4.1.1, but there isn't much you can do about it but wait for a patch for your phone.

However, it is possible that a web site you used is or was affected by "Heartbleed". The result may be that the password you are using on the site was captured by someone attacking this site. So you may need to change the password that you used on the site.

How do I know if a site is/was vulnerable?
Your best bet is https://lastpass.com/heartbleed/ . They will show you if a site is vulnerable right now, or may have been vulnerable in the past. There is a chance that the site received a new certificate that still uses the old issue date, which can lead to sites being identified as "not fixed".

Should I change my password?
If you think the site was vulnerable, and is no longer vulnerable, then you should change your password. If in doubt, change your password. Changing your password while the site is still vulnerable probably doesn't hurt, but the new password may leak again, so the change may not help.

Should I avoid sites that are still vulnerable?
Yes

I received an e-mail from a site I use asking me to change my password. Should I do so?
First of all: Don't click on any links in this email. Then go to the website and change your password (even if the e-mail was a fake, it doesn't hurt to change your password as long as you are sure you go to the right site). Use the "lastpass" URL above to check if the site is/was vulnerable.

What else should I do?
Standard "safe computing" practices: use difficult to guess passwords, keep your system up to date, use anti-malware, be cautious with links distributed via e-mail.

And how do I explain the problem that caused all this?
XKCD has a great cartoon explaining it: http://imgs.xkcd.com/comics/heartbleed_explanation.png . The short summary: If an SSL connection is idle, heartbeat messages are used to check if the other side is still listening. For example, the browser sends a message "if you are still alive, reply by sending the 3 letter word 'dog'", and the server replies with "dog". To trigger the bug, the client would send "reply with the 500 letter word 'cow'". Since "cow" only has 3 letters, the server will make up the missing 497 bytes with data from memory, and this data may contain other things the server was working on, like users' passwords or private encryption keys."

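The "reply with the 500 letter word 'cow'" bug from the SANS summary above, as an added worked example in C. This is not code from the original post or from OpenSSL itself: the record layout follows RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding), but the handler names, the 256-byte "arena" standing in for process memory, the secret string placed right after the request and the declared length of 100 instead of the cartoon's 500 are all constructed for the demonstration so the over-read stays inside a buffer we own. The check in `heartbeat_fixed` is the one the OpenSSL 1.0.1g patch added: discard any request whose declared payload plus header and minimum padding is longer than the record actually received.

```c
/* Added example (not OpenSSL's code): models the heartbeat handling behind
 * Heartbleed (CVE-2014-0160). Record layout per RFC 6520:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The request sits at the start of a constructed arena with a fake secret
 * right after it, so the over-read is visible without undefined behaviour. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding required by RFC 6520 */
#define ARENA_SIZE  256         /* constructed "process memory" */

/* Constructed secret standing in for a private key or a user's password. */
static const char SECRET[] = "hunter2-PRIVATE-KEY-MATERIAL";

/* Write a request that declares `claimed_len` payload bytes but really carries
 * `actual_len`, and put the secret just past it. Returns the true record
 * length, which is what the TLS record layer knows. */
static size_t build_record(uint8_t *arena, uint16_t claimed_len,
                           const char *payload, size_t actual_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 1 + 2 + actual_len + HB_PADDING;   /* padding stays zero */
    memcpy(arena + record_len, SECRET, sizeof SECRET);     /* "other things in memory" */
    return record_len;
}

/* Shared echo step: response header, `claimed` payload bytes copied back from
 * the request, zero padding. Returns bytes written, or -1 if `out` is too small. */
static int echo_payload(const uint8_t *arena, uint16_t claimed,
                        uint8_t *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)claimed + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, claimed);     /* over-reads when claimed > real payload */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): the declared length is trusted
 * and the real record length is never consulted. */
static int heartbeat_vulnerable(const uint8_t *arena, size_t record_len,
                                uint8_t *out, size_t out_cap)
{
    (void)record_len;                                        /* the bug */
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    return echo_payload(arena, claimed, out, out_cap);
}

/* Fixed handler (the 1.0.1g check): a request whose declared payload plus
 * header and minimum padding exceeds the record is silently discarded. */
static int heartbeat_fixed(const uint8_t *arena, size_t record_len,
                           uint8_t *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;           /* cannot hold a header */
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > record_len) return 0;   /* discard */
    return echo_payload(arena, claimed, out, out_cap);
}

/* 1 if the secret bytes appear anywhere in the first `resp_len` response bytes. */
static int leaks_secret(const uint8_t *resp, int resp_len)
{
    size_t n = strlen(SECRET);
    for (size_t i = 0; resp_len > 0 && i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Send one request through the chosen handler. Returns bytes echoed and sets
 * *leaked when the secret came back in the response. */
static int run_request(int use_fixed, uint16_t claimed_len,
                       const char *payload, int *leaked)
{
    uint8_t arena[ARENA_SIZE], resp[ARENA_SIZE];
    size_t rec = build_record(arena, claimed_len, payload, strlen(payload));
    int n = use_fixed ? heartbeat_fixed(arena, rec, resp, sizeof resp)
                      : heartbeat_vulnerable(arena, rec, resp, sizeof resp);
    *leaked = leaks_secret(resp, n);
    return n;
}

int main(void)
{
    int leaked, n;
    /* The cartoon's "500 letter word 'cow'", scaled to 100 to fit the arena. */
    n = run_request(0, 100, "cow", &leaked);
    printf("vulnerable: %3d bytes echoed, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_request(1, 100, "cow", &leaked);
    printf("fixed:      %3d bytes echoed, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_request(1, 3, "dog", &leaked);   /* an honest "dog" is still answered */
    printf("honest:     %3d bytes echoed, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall heartbleed_demo.c && ./a.out`. The vulnerable handler answers the 3-byte "cow" with 119 bytes, 97 of which come from beyond the request and include the fake secret; the fixed handler echoes nothing for that request and still answers the honest 22-byte "dog" record. Note that the patch does not shrink the copy to the real payload, it refuses the request outright, which is why a patched server is safe even though the client still controls the length field.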
Post subject: Re: Heartbleed - internet flaw - FYI
Posted: Sat Apr 12, 2014 6:00 am

Joined: Thu Jan 10, 2013 7:02 pm
Posts: 1978
Location: Manchester
Heartbleed has rather thrown a spanner in the works for internet hosting companies. They are now racing to get their web servers patched with the security fix before they become targets for hackers. I've changed a lot of passwords in the last few days, things like Paypal and eBay and online banking are the main ones to worry about.

Makes me glad I do my development work on Microsoft servers which don't use OpenSSL!

Post subject: Re: Heartbleed - internet flaw - FYI
Posted: Sat Apr 12, 2014 3:42 pm

Joined: Tue Jun 29, 2010 1:20 pm
Posts: 9640
Location: Indiana
GilgaFrank wrote:
...Makes me glad I do my development work on Microsoft servers which don't use OpenSSL!


Really? I prefer open systems that many others can help with, rather than secret proprietary software that you have no idea of the whole system. Too much crap in MS stuff these days, and it is not for our security as they would have us believe. :wink:

Post subject: Re: Heartbleed - internet flaw - FYI
Posted: Sat Apr 12, 2014 4:21 pm

Joined: Thu Jan 10, 2013 7:02 pm
Posts: 1978
Location: Manchester
shimmilou wrote:
Really? I prefer open systems that many others can help with, rather than secret proprietary software that you have no idea of the whole system. Too much crap in MS stuff these days, and it is not for our security as they would have us believe. :wink:


It's just what I've fallen into doing, from the old VB6/ASP to C# and VB.NET. Yes it's a proprietary memory hog but I've grown to really like the Visual Studio IDE and I find SQL Server very easy to work with. I guess it's like growing up liking Gibson instead of Fender, whatever gets the job done is the right tool for the job!
