Yes, I think from my quote it is obvious that I understand that. What I was saying, which you seemed to miss, is that this is not your typical example of why it is valuable to have unique passwords for every site. The typical example is someone who uses the same password for every site. Then if only one of those sites is compromised, now a thief potentially has your password to everything. In the case of the OpenSSL bug, since most web servers in the world are compromised anyway, you're getting most of the mess anyway. My only point was that people who were citing this as a good example of why you need unique passwords for every site seemed to actually be misunderstanding the nature of this bug or at least presenting it in a way to others that is misleading. I don't really think this is a classic example of the value of unique passwords (though there would be some value in this case) and saying this obfuscates, rather than clarifies, the nature of the OpenSSL bug.
Mudpuppy wrote:
Let me shed a little clarification on the sentence I italicized in your quote. The point of unique passwords is NOT to save you the work of having to change passwords in the wake of a compromise. The point of unique passwords IS to keep the passwords separate so if 60% of sites you visit are compromised, the information gleaned from those sites can't be used to get into the 40% of sites you visit that are NOT compromised.
cb474 wrote:
So while it's always a good time to review security practices. I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL.
This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.
If you used the same password for Google that you use for Vanguard, you would be in a world of hurt right now. If you use unique passwords everywhere (and 2 factor where available), you'll still have to change passwords on the affected sites, but you won't need to worry about someone using that data to get into your Vanguard account.
heartbleed - widespread internet security problem
Re: heartbleed - widespread internet security problem
2/3rds is not 100%, and a much lower percentage of critical sites like financial institutions are vulnerable to this issue since fewer such sites are running OpenSSL due to regulatory and industry pressures. While it's all fine and dandy to argue back and forth on technical semantics, for the average lay person, if they just take to heart the advice to always use unique passwords, they would be insulated from a great deal of the potential fallout of this bug.
cb474 wrote:
Yes, I think from my quote it is obvious that I understand that. What I was saying, which you seemed to miss, is that this is not your typical example of why it is valuable to have unique passwords for every site. The typical example is someone who uses the same password for every site. Then if only one of those sites is compromised, now a thief potentially has your password to everything. In the case of the OpenSSL bug, since most web servers in the world are compromised anyway, you're getting most of the mess anyway. My only point was that people who were citing this as a good example of why you need unique passwords for every site seemed to actually be misunderstanding the nature of this bug or at least presenting it in a way to others that is misleading. I don't really think this is a classic example of the value of unique passwords (though there would be some value in this case) and saying this obfuscates, rather than clarifies, the nature of the OpenSSL bug.
Mudpuppy wrote:
Let me shed a little clarification on the sentence I italicized in your quote. The point of unique passwords is NOT to save you the work of having to change passwords in the wake of a compromise. The point of unique passwords IS to keep the passwords separate so if 60% of sites you visit are compromised, the information gleaned from those sites can't be used to get into the 40% of sites you visit that are NOT compromised.
cb474 wrote:
So while it's always a good time to review security practices.
I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.
If you used the same password for Google that you use for Vanguard, you would be in a world of hurt right now. If you use unique passwords everywhere (and 2 factor where available), you'll still have to change passwords on the affected sites, but you won't need to worry about someone using that data to get into your Vanguard account.
Most of the sites affected by this bug are not really high-consequence sites (e.g. not really a risk to financial or physical well-being). It's widespread for sure, but not really a chicken little event if someone takes this basic precaution about password reuse to heart. The primary high-consequence sites that were affected by this were webmail services that offer two-factor authentication to mitigate the effects of a password compromise and a handful of financial institutions.
The large annoyance factor in having to change 2/3rds of one's passwords for mostly low-consequence sites does not outweigh the benefit of unique passwords. It's an annoyance to have to change so many passwords, but it's a disaster to have your financial information fall into the wrong hands just because you use the same password for everything from Facebook to Paypal to Vanguard.
As a final note, it really doesn't matter to get the details of the bug to the average lay person. It's interesting to the technically oriented crowd and I'm sure it will be making headlines for weeks and months. But short of never using a computer again, there was absolutely nothing a lay person could have done to prevent this bug from coming into play and absolutely nothing they can do to prevent a similar bug from popping up in the future.
I try not to make people worry too much about things they can't control. The average lay person can't control how the servers they connect to are set up or what software those servers are running. What people can control is how they choose their passwords. It might be a small measure against the tide of a large bug, but it is something within the control of anyone who can interact with a computer.
If this seems blasé, well it is to some extent. Much like the Target breach was just a symptom of a wider undercurrent of credit card theft, this bug is just a splashy reminder of how tenuous "security" really is. There are no absolutes. Prevent what you can. Mitigate damages when you can. But be prepared to accept the reality that something nasty is bound to come along that is going to give you a bad week, and just hope that the bad week is mostly filled with annoyances, instead of emptying bank accounts or other fiscal disasters.
Prevent. Detect. Recover. And don't waste too much time worrying about what you can't control in the process.
Re: heartbleed - widespread internet security problem
I agree, but that wouldn't really have done anything against this particular attack, though.
dmcmahon wrote:
Maybe it's time VG offered two-factor auth? And every other bank/broker site...
-
- Posts: 904
- Joined: Sat Apr 06, 2013 7:11 pm
- Location: Springfield
Re: heartbleed - widespread internet security problem
from Vanguard:
https://personal.vanguard.com/us/insigh ... Channel=AN
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.
Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
Heartbleed Security Flaw
[Thread merged into here, see below. --admin LadyGeek]
I came to the forum last night and again this morning hoping to find conventional wisdom on the topic of the Heartbleed security hole recently found in the internet. I can't find any discussion so I thought I would start the ball off rolling. A recent thread discussed Vanguard's security, which left me satisfied we were in good shape. But this new flaw in software appears to be very significant. Apparently, changing passwords may be useless because the security issue has not been fixed, and it may take years to fix it.
My questions are, should we feel comfortable using our online access to Vanguard and Fidelity? What about credit unions and banks? If this is the real deal, it could take years to make online transactions secure once again. What are your thoughts? Is this an exaggeration, or is it the real deal? What would be the safest practice going forward?
Here are a couple articles that cover the issue:
'Heartbleed Bug' puts Web security at risk
http://www.latimes.com/business/la-fi-w ... z2yUqI1DPR
Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass
http://www.washingtonpost.com/business/ ... ml?hpid=z5
- InvestorNewb
- Posts: 1663
- Joined: Mon Sep 03, 2012 11:27 am
Re: Heartbleed Security Flaw
Another thread was started about it here:
http://www.bogleheads.org/forum/viewtop ... st=2024165
My Portfolio: VTI [US], VXUS [Int'l], VNQ [REIT], VCN [Canada] (largest to smallest)
Re: Heartbleed Security Flaw
What popped up when you put "heartbleed" in the search box? Perhaps the search system isn't working.
teacher wrote:
I can't find any discussion
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Re: Heartbleed Security Flaw
Thanks, InvestorNewb. I didn't look in "Personal Consumer Issues".
Re: Heartbleed Security Flaw
The latest Vanguard news release says they are safe from the bug: https://personal.vanguard.com/us/insigh ... heartbleed
Bob
Re: Heartbleed Security Flaw
The search box is not restricted to just one forum. It is at the top of every thread you read. When I want to find, I search.
teacher wrote:
Thanks, InvestorNewb. I didn't look in "Personal Consumer Issues".
Re: Heartbleed Security Flaw
Thanks for directing me, CyberBob.
My apologies to all for bringing up a topic already discussed.
Re: heartbleed - widespread internet security problem
Funny, that link no longer contains that quotation. It must have been edited. It still says Vanguard is safe from heartbleed, but it does not say why. (It's possible to have the bug somewhere in your systems and still be safe from a security breach.)
Jeff Albertson wrote:
from Vanguard:
https://personal.vanguard.com/us/insigh ... Channel=AN
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.
Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
- ResearchMed
- Posts: 16795
- Joined: Fri Dec 26, 2008 10:25 pm
Re: heartbleed - widespread internet security problem
Vanguard's Website, through that link, now states:
tadamsmar wrote:
Funny, that link no longer contains that quotation. It must have been edited. It still says Vanguard is safe from heartbleed, but it does not say why. (It's possible to have the bug somewhere in your systems and still be safe from a security breach.)
Jeff Albertson wrote:
from Vanguard:
https://personal.vanguard.com/us/insigh ... Channel=AN
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.
Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
"You may have heard about the "Heartbleed" vulnerability discovered in OpenSSL, the encryption standard used by a majority of websites, including Vanguard's, to transmit data securely. Be assured that Vanguard's websites are not and have not been subject to this vulnerability."
If the vulnerability was with OpenSSL, and it WAS used by Vanguard (per their statement), then how is it that Vanguard's website has not been subject to this vulnerability?
Are/were only some versions or implementations of OpenSSL vulnerable?
RM
Re: heartbleed - widespread internet security problem
I get that passwords need to be changed regularly and personal questions in this instance need to be changed, but what about the user name?
Re: Heartbleed Security Flaw
"The search box is not restricted to just one forum. It is at the top of every thread you read. When I want to find, I search."
When I search, the results displayed are ONLY for the board where the search was initiated. What am I doing wrong?
hs
- House Blend
- Posts: 4878
- Joined: Fri May 04, 2007 1:02 pm
Re: heartbleed - widespread internet security problem
Correct. The vulnerable versions of OpenSSL were first released in 2012. But not all users and distributors of the software necessarily try to stay on the bleeding edge. (Pun intended.)
ResearchMed wrote:
Are/were only some versions or implementations of OpenSSL vulnerable?
For example, the OpenSSL version distributed in Red Hat Linux 5 is not and never was vulnerable to heartbleed. Plenty of websites still use this Linux distribution or derivatives based on it (like CentOS 5).
The latest version of Red Hat Linux started distributing a vulnerable version of OpenSSL a few months ago (Dec. 2013 I believe). They pushed out a fixed version on Monday.
Re: Heartbleed Security Flaw
I just searched for heartbleed from the search box that has Google... in it (top right). This forum is 10 (look at the f=10 in the url). The first five results I got from my search were from f=2, f=11, f=2, f=10 (this thread), and f=1.
Where did you search and what did you search for?
Re: Heartbleed Security Flaw
You are using search this forum, which search this forum does for you. That box appears on the index page for a forum.
My quote said from a thread, not from a forum. Don't go anywhere, just look up.
I see where you could have been misled by
It is at the top of every thread you read.
I should have said that the search results are not restricted to just one forum (unless you deliberately restrict them to just one forum).
The search box is not restricted to just one forum
Re: heartbleed - widespread internet security problem
It appears that USAA has implemented a patch. I guess that means that one should change that PW and all related security codes (secret questions, online PIN).
https://communities.usaa.com/t5/USAA-Ne ... 24845029=1
04-09-2014 01:15 PM
USAA is aware of the “Heartbleed” Internet bug affecting many servers. We have already taken measures to help prevent a data breach and implemented a patch earlier this week.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Re: heartbleed - widespread internet security problem
I believe the Federal standard is RedHat 5.8 or so.
House Blend wrote:
Correct. The vulnerable versions of OpenSSL were first released in 2012. But not all users and distributors of the software necessarily try to stay on the bleeding edge. (Pun intended.)
ResearchMed wrote:
Are/were only some versions or implementations of OpenSSL vulnerable?
For example, the OpenSSL version distributed in Red Hat Linux 5 is not and never was vulnerable to heartbleed. Plenty of websites still use this Linux distribution or derivatives based on it (like CentOS 5).
The latest version of Red Hat Linux started distributing a vulnerable version of OpenSSL a few months ago (Dec. 2013 I believe). They pushed out a fixed version on Monday.
The first version of Centos with the bug was 6.5, which was released Feb 26 2014.
Even then you are not necessarily vulnerable to Heartbleed:
1. Heartbleed only affects one option in the TLS protocol suite. If that is not used the site is not vulnerable regardless of what version of OpenSSL is in use.
2. Best programming practices are to not keep plaintext credentials in addressable RAM. Sites that practice this are not vulnerable.
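Point 1 above is the heartbeat extension (RFC 6520), and the bug was the missing check that the length field in a heartbeat request actually fits inside the bytes the server received. The following is an added example written for this thread, not OpenSSL's code and not from any poster: a simplified heartbeat handler that performs that check and rejects a record whose claimed payload length exceeds what arrived. The record layout (1-byte type, 2-byte length, payload, 16 bytes of padding) follows RFC 6520; the request bytes in main are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record layout after RFC 6520 (added example,
 * not OpenSSL's code): 1-byte type, 2-byte big-endian payload_length,
 * payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build the response to a heartbeat request.
 * rec/rec_len: the bytes actually received for this record.
 * out/out_cap: caller-supplied response buffer and its capacity.
 * Returns the response length, or -1 if the record is malformed. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < 3) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check Heartbleed lacked: the sender's claimed payload
     * length must fit inside what was actually received, padding included.
     * Without this, the memcpy below would read past the record into
     * whatever else the process holds in memory and echo it back. */
    if (3 + claimed + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = 3 + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + 3, rec + 3, claimed);            /* echo only received bytes */
    memset(out + 3 + claimed, 0, HB_MIN_PADDING); /* real TLS uses random padding */
    return (int)resp_len;
}

/* Demo helper: encode a request record carrying `payload`, with a caller
 * chosen length field so that a malformed (over-claiming) record can be
 * built to show the rejection path. Returns the record length, 0 if the
 * buffer is too small or the length does not fit in 16 bits. */
size_t make_request(uint8_t *buf, size_t buf_cap,
                    const char *payload, size_t claimed)
{
    size_t real = strlen(payload);
    if (claimed > 0xffff || buf_cap < 3 + real + HB_MIN_PADDING) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 3, payload, real);
    memset(buf + 3 + real, 0, HB_MIN_PADDING);
    return 3 + real + HB_MIN_PADDING;
}

int main(void)
{
    uint8_t req[64], resp[64];

    /* Well-formed record: 4-byte payload, length field says 4. */
    size_t n = make_request(req, sizeof req, "ping", 4);
    printf("honest request: response length %d\n",
           heartbeat_response(req, n, resp, sizeof resp));

    /* Malformed record: 4 real bytes, length field claims 65535. */
    n = make_request(req, sizeof req, "ping", 65535);
    printf("over-claiming request: response length %d (rejected)\n",
           heartbeat_response(req, n, resp, sizeof resp));
    return 0;
}
```

The honest request yields a 23-byte response (3 header bytes, 4 payload bytes, 16 padding bytes); the over-claiming one is refused before any copy takes place, which is exactly the difference between the patched and unpatched handler. Point 2 is a separate layer: even with the check missing, a process that never holds plaintext credentials or private keys in the same address space as the TLS front end has less to leak.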
Re: heartbleed - widespread internet security problem
The Vanguard statement shows some confusion. OpenSSL is not a standard. SSL is a standard. OpenSSL is one implementation of that standard, and there are other implementations that don't have the bug. Most likely, Vanguard has never used OpenSSL but some other vendor's implementation (possibly IBM). And as has already been said, only some versions of OpenSSL had the bug, and even those versions may have been compiled on some sites without enabling the heartbeat feature.
And just to repeat, there are two steps an affected site needs to take: fixing the leak and also regenerating its certificates with a new public/private key pair. Presumably anyone savvy enough to do the first will also perform the second, and the certificate date is publicly visible. If you see that a site has a new certificate date, that's a good signal to change your password.
Last edited by telemark on Thu Apr 10, 2014 12:19 pm, edited 1 time in total.
- House Blend
- Posts: 4878
- Joined: Fri May 04, 2007 1:02 pm
Re: heartbleed - widespread internet security problem
Yes it was 6.5, but the release date was Dec. 1 2013.
Ged wrote:
The first version of Centos with the bug was 6.5, which was released Feb 26 2014.
From the horse's mouth:
Johnny Hughes at centos.org wrote:Since this is the first post about the openssl update, I want to answer a couple questions here:
1. The first susceptible version of openssl in a CentOS release was
openssl-1.0.1e-15.el6, released on December 1, 2013.
2. The version of openssl that you should install to fix the issue is
openssl-1.0.1e-16.el6_5.7, released on April 8, 2014.
3. Versions of CentOS-6.5 openssl that were affected are:
openssl-1.0.1e-15.el6, openssl-1.0.1e-16.el6_5,
openssl-1.0.1e-16.el6_5.1, openssl-1.0.1e-16.el6_5.4.
4. Only CentOS-6.5 was affected. CentOS-6 at versions 6.4 or earlier
was not affected. No versions of CentOS-5 (or any other CentOS) were
affected.
Re: heartbleed - widespread internet security problem
Definitely
dmcmahon wrote:
Maybe it's time VG offered two-factor auth? And every other bank/broker site...
Great recommendation -- if a site shows a new certificate date, definitely change your password.
telemark wrote:
If you see that a site has a new certificate date, that's a good signal to change your password.
However, can't sites update their certificates without it changing the certificate date: Gmail's cert shows - "Not valid before Wednesday, March 12, 2014 at 5:44:52 AM Eastern Daylight Time" . Facebook shows February 7, 2010. Both sites are on the Mashable hit list - http://mashable.com/2014/04/09/heartble ... -affected/
So if a site doesn't show a new certificate date, well you still may need to change your password? But don't change your password until the site has been fixed? But how do you know when a site has been fixed?
Re: heartbleed - widespread internet security problem
Qualys SSL Labs website gives a more detailed report of website security:
Vanguard: grade A-
https://www.ssllabs.com/ssltest/analyze ... nguard.com
-- RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available. Grade reduced to A-.
-- The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.
TIAA-CREF: grade F
https://www.ssllabs.com/ssltest/analyze ... .72.232.36
This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
Penfed: grade C
https://www.ssllabs.com/ssltest/analyze ... penfed.org
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
There is no support for secure renegotiation.
The server does not support Forward Secrecy with the reference browsers
For several I checked, there was no vulnerability to Heartbleed. However, several including TIAA-CREF were vulnerable to man-in-the-middle (MITM) attacks.
We don't know where we are, or where we're going -- but we're making good time.
Re: heartbleed - widespread internet security problem
Good question: I don't know. I thought not, but I might be wrong. A quick Google search doesn't turn anything up.
sunnyday wrote:
However, can't sites update their certificates without it changing the certificate date: Gmail's cert shows - "Not valid before Wednesday, March 12, 2014 at 5:44:52 AM Eastern Daylight Time" . Facebook shows February 7, 2010. Both sites are on the Mashable hit list - http://mashable.com/2014/04/09/heartble ... -affected/
Re: heartbleed - widespread internet security problem
Well, Google has patched most of their services. But as far as I can tell, there is no way of knowing just by looking at the certificate.
telemark wrote:
Good question: I don't know. I thought not, but I might be wrong. A quick Google search doesn't turn anything up.
sunnyday wrote:
However, can't sites update their certificates without it changing the certificate date: Gmail's cert shows - "Not valid before Wednesday, March 12, 2014 at 5:44:52 AM Eastern Daylight Time" . Facebook shows February 7, 2010. Both sites are on the Mashable hit list - http://mashable.com/2014/04/09/heartble ... -affected/
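telemark's "new certificate date" signal and the doubt raised in the last few posts (a reissued certificate does not by itself prove a new key) can be turned into a concrete check. The code below is an added example for this thread, not from any poster, Vanguard, LastPass or Qualys: it parses the certificate's notBefore field (X.509 UTCTime, "YYMMDDHHMMSSZ" with the RFC 5280 two-digit-year rule), compares it with the Heartbleed disclosure date of 7 April 2014, and only treats the site as fixed when the public key it serves has also changed, since a private key leaked before the patch keeps working until it is replaced. The dates and key bytes in main are constructed, and the FNV-1a hash stands in for the SHA-256 key fingerprint a browser or openssl would show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbleed was disclosed on 7 April 2014; a certificate with a notBefore
 * earlier than that cannot be part of a post-disclosure key rotation. */
#define HEARTBLEED_DISCLOSED 20140407

/* Parse an X.509 UTCTime ("YYMMDDHHMMSSZ", RFC 5280 section 4.1.2.5.1)
 * into a yyyymmdd integer. Two-digit years 50-99 mean 19YY, 00-49 mean
 * 20YY. Returns -1 on malformed input. */
int utctime_to_ymd(const char *s)
{
    if (s == NULL || strlen(s) != 13 || s[12] != 'Z') return -1;
    for (int i = 0; i < 12; i++)
        if (s[i] < '0' || s[i] > '9') return -1;
    int yy   = (s[0] - '0') * 10 + (s[1] - '0');
    int year = yy >= 50 ? 1900 + yy : 2000 + yy;
    int mon  = (s[2] - '0') * 10 + (s[3] - '0');
    int day  = (s[4] - '0') * 10 + (s[5] - '0');
    if (mon < 1 || mon > 12 || day < 1 || day > 31) return -1;
    return year * 10000 + mon * 100 + day;
}

/* 64-bit FNV-1a over the DER SubjectPublicKeyInfo bytes. It stands in for
 * the SHA-256 key fingerprint a browser or `openssl x509` displays; only
 * equality between two fingerprints matters for this check. */
uint64_t key_fingerprint(const uint8_t *spki, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= spki[i];
        h *= 1099511628211ULL;
    }
    return h;
}

typedef enum { ACT_NONE, ACT_WAIT, ACT_CHANGE_PASSWORD } action_t;

/* What should a user do about a site?
 *   was_vulnerable:  the site served TLS from a Heartbleed-affected OpenSSL.
 *   old_key/old_len: public key the site served before disclosure.
 *   new_not_before:  UTCTime notBefore of the certificate served now.
 *   new_key/new_len: public key in the certificate served now.
 * A password change only helps once the site presents a certificate dated
 * after disclosure AND a different public key; a fresh date with the old
 * key means a private key leaked earlier would still work against it. */
action_t assess(int was_vulnerable,
                const uint8_t *old_key, size_t old_len,
                const char *new_not_before,
                const uint8_t *new_key, size_t new_len)
{
    if (!was_vulnerable) return ACT_NONE;
    int ymd = utctime_to_ymd(new_not_before);
    if (ymd < 0 || ymd < HEARTBLEED_DISCLOSED) return ACT_WAIT;
    if (key_fingerprint(old_key, old_len) == key_fingerprint(new_key, new_len))
        return ACT_WAIT;
    return ACT_CHANGE_PASSWORD;
}

int main(void)
{
    /* Constructed key material for the demo, not real certificates. */
    const uint8_t key_a[] = { 0x30, 0x59, 0x01, 0x02, 0x03 };
    const uint8_t key_b[] = { 0x30, 0x59, 0x09, 0x08, 0x07 };
    static const char *names[] = { "no action", "wait", "change password" };

    /* Certificate dated 12 March 2014 (before disclosure), same key. */
    printf("pre-disclosure cert: %s\n", names[assess(1, key_a, sizeof key_a,
           "140312094452Z", key_a, sizeof key_a)]);
    /* Reissued 10 April 2014 but with the same key. */
    printf("new date, old key:   %s\n", names[assess(1, key_a, sizeof key_a,
           "140410000000Z", key_a, sizeof key_a)]);
    /* Reissued 10 April 2014 with a new key. */
    printf("new date, new key:   %s\n", names[assess(1, key_a, sizeof key_a,
           "140410000000Z", key_b, sizeof key_b)]);
    return 0;
}
```

The first two cases both come out as "wait", which is the honest answer to the question above: a March date cannot reflect a post-disclosure fix, and a fresh date with an unchanged key tells you nothing about whether the key was rotated. Only the third case, new date plus new key, justifies changing the password.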
Re: heartbleed - widespread internet security problem
Yahoo updated their certificate. Did not find any other update that happened this week.
Re: heartbleed - widespread internet security problem
FYI - I merged another thread into here, which is in the Personal Consumer Issues forum (general website security).
Re: heartbleed - widespread internet security problem
This is a very good tutorial - thanks!
Nummerkins wrote:
Here is a link to a visual explanation for anyone who is interested: http://info.elastica.net/2014/04/openss ... erability/
The worst part is that this attack is so simple -- anyone can understand it.
Re: heartbleed - widespread internet security problem
I read that big operations can have a front end with OpenSSL and pass the encrypted data on to a different server. So the front end can be breached to get some of its internal data, but the data is not the data required to decode the transmissions. This is just one example, not sure it applies to Vanguard.
ResearchMed wrote:
Vanguard's Website, through that link, now states:
tadamsmar wrote:
Funny, that link no longer contains that quotation. It must have been edited. It still says Vanguard is safe from heartbleed, but it does not say why. (It's possible to have the bug somewhere in your systems and still be safe from a security breach.)
Jeff Albertson wrote:
from Vanguard:
https://personal.vanguard.com/us/insigh ... Channel=AN
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.
Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
"You may have heard about the "Heartbleed" vulnerability discovered in OpenSSL, the encryption standard used by a majority of websites, including Vanguard's, to transmit data securely. Be assured that Vanguard's websites are not and have not been subject to this vulnerability."
If the vulnerability was with OpenSSL, and it WAS used by Vanguard (per their statement), then how is it that Vanguard's website has not been subject to this vulnerability?
Are/were only some versions or implementations of OpenSSL vulnerable?
RM
Vanguard website & Heartbleed security flaw
OK - did an overall search -
https://www.google.com/search?sitesearc ... heartbleed
there is a main thread in the Personal Consumer Issues forum area - Go there --->>
http://www.bogleheads.org/forum/viewtop ... st=2023347 [Thread merged into here, see below. --admin LadyGeek]
wonder if Vanguard.com is working on their potential SSL (https://) Heartbleed flaw ?
The SSL software is when the little "lock" appears for those secure and encrypted website exchanges.
Here is a tester website - https://lastpass.com/heartbleed/
https://lastpass.com/heartbleed/?h=vanguard.com
Site: vanguard.com
Server software: LB
Vulnerable: Possibly (might use OpenSSL)
SSL Certificate: Unsafe (created 9 months ago at Jun 26 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password
Last edited by ps56k on Thu Apr 10, 2014 4:01 pm, edited 3 times in total.
Re: Vanguard website & Heartbleed security flaw
There is a thread running now. LadyGeek has merged at least four different threads into the master heartbleed thread. Vanguard is discussed there. You will be merged, sooner or later.
If you want to learn more, read the master thread.
Re: Vanguard website & Heartbleed security flaw
Very Borg-like.
sscritic wrote:
You will be merged, sooner or later.
Maybe the search box should be BIGGER.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Re: Vanguard website & Heartbleed security flaw
I saw a post that Vanguard is safe from heartbleed.
Chaz |
|
“Money is better than poverty, if only for financial reasons." Woody Allen |
|
http://www.bogleheads.org/wiki/index.php/Main_Page
- Info_Hound
- Posts: 421
- Joined: Wed Mar 23, 2011 9:47 am
- Location: Threw a dart in a map and moved
Re: heartbleed - widespread internet security problem
The TSP web site just posted this message:
"TSP Safe from “Heartbleed” Bug — (April 10, 2014) We have reviewed our systems. TSP.gov is not affected by the Heartbleed vulnerability."
Good to know!
However I am not feeling good about Comcast or Excel energy. I pay my bills online at these sites. Both got a grade of 'F' when I used one of the scanners mentioned earlier in this thread. Both have been silent about their situation.
Re: Vanguard website & Heartbleed security flaw
there is a main thread in the Personal Consumer Issues forum area - Go there --->>
http://www.bogleheads.org/forum/viewtop ... st=2023347
Re: heartbleed - widespread internet security problem
Info_Hound wrote: However I am not feeling good about Comcast
Has anyone ever felt good about Comcast?
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Vanguard website & Heartbleed security flaw
jebmke wrote:
sscritic wrote: You will be merged, sooner or later.
Very Borg-like.
Maybe the search box should be BIGGER.
Maybe the "report thread" icon could be BIGGER.
It's nice to point the OP to the right thread, but it's also nice to point the moderators to duplicate threads.
Re: Vanguard website & Heartbleed security flaw
Since a google search box is at the top of every page, I am amazed that people who come here regularly have never seen it and don't know where it is. You can't login or logout without being on a page with the search box (there may be a page, but every time I want to login or logout, I look in the upper right). Right now I see Logout [ sscritic ] in the upper right, less than one inch (on my screen) below the google search box.
Maybe the problem is that it is on every page, which is why people can't see it. If it were in a hidden secret spot that only certain people could get to, it would be used more, just like the secret boglehead sign that people give each other when they meet on airplanes or other public places.
Re: Vanguard website & Heartbleed security flaw
There are 2 search boxes. Having more than one choice tends to confuse people.
"..the cavalry ain't comin' kid, you're on your own..."
Re: Vanguard website & Heartbleed security flaw
peppers wrote: There are 2 search boxes. Having more than one choice tends to confuse people.
And one of them says "Search this topic" which is what I would use if I wanted to search this topic, but I wouldn't use it if I wanted to search for other topics. Also, if you are starting a new thread and go to post, the search this topic box doesn't exist as the topic doesn't exist yet, but the google search box is there. Even now, as I compose this response, I can see the google search box in the upper right, but I cannot see the "Search this topic" box even though I am composing a post about this topic (well, sort of).
P.S. It is true that the "Search this topic" box is bigger than the google search box, so that might be what is throwing people off, but I would think that the words "Search this topic" would be an understandable clue.
Re: Vanguard website & Heartbleed security flaw
You can check here:
https://ssltools.websecurity.symantec.c ... tCheck.jsp
Vanguard.com is not vulnerable.
Re: Vanguard website & Heartbleed security flaw
sscritic wrote: There is a thread running now. LadyGeek has merged at least four different threads into the master heartbleed thread. Vanguard is discussed there. You will be merged, sooner or later.
If you want to learn more, read the master thread.
How about now. If your count is accurate, we're up to five. This thread is in the Personal Consumer Issues forum.
Re: heartbleed - widespread internet security problem
jebmke wrote: It appears that USAA has implemented a patch. I guess that means that one should change that PW and all related security codes (secret questions, online PIN).
https://communities.usaa.com/t5/USAA-Ne ... 24845029=1
04-09-2014 01:15 PM
USAA is aware of the “Heartbleed” Internet bug affecting many servers. We have already taken measures to help prevent a data breach and implemented a patch earlier this week.
I guess last night or this am was "earlier this week." When I posted at 10pm last night I had just run the USAA site through the checking website that is posted in this thread, and it returned an F. I wish USAA would be more forthright.
Re: Vanguard website & Heartbleed security flaw
gordo wrote: You can check here:
https://ssltools.websecurity.symantec.c ... tCheck.jsp
Vanguard.com is not vulnerable.
Just ran this to check a credit union website I use and got the warning that the certificates were installed in the wrong order and should be re-installed. What is this all about, and how in the heck do you "re-install" your certificates for a website even if you wanted to? I never installed them in the first place -- all this stuff takes place behind the magician's curtain.
We don't know where we are, or where we're going -- but we're making good time.
- TimeRunner
- Posts: 1939
- Joined: Sat Dec 29, 2012 8:23 pm
- Location: Beach-side, CA
Re: heartbleed - widespread internet security problem
Saving$ wrote:
jebmke wrote: It appears that USAA has implemented a patch. I guess that means that one should change that PW and all related security codes (secret questions, online PIN).
https://communities.usaa.com/t5/USAA-Ne ... 24845029=1
04-09-2014 01:15 PM
USAA is aware of the “Heartbleed” Internet bug affecting many servers. We have already taken measures to help prevent a data breach and implemented a patch earlier this week.
I guess last night or this am was "earlier this week." When I posted at 10pm last night I had just run the USAA site through the checking website that is posted in this thread, and it returned an F. I wish USAA would be more forthright.
Why not take advantage of the enhanced login options that USAA has been providing for quite awhile - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Re: heartbleed - widespread internet security problem
TimeRunner wrote: Why not take advantage of the enhanced login options that USAA has been providing for quite awhile - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
Personally, I would recommend staying off those broken servers completely until they are actually patched.
Even if your login is not compromised, the plaintext of your financial data will still be in the server's RAM, and potentially retrievable by an attacker.
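madbrain's point above, that an unpatched server can be made to hand back bytes of its own memory, comes down to a single missing bounds check in how the TLS heartbeat message was parsed. As an added illustration that is not code from this thread or from OpenSSL, the Python below parses a heartbeat message in the RFC 6520 layout (type, 16-bit payload_length, payload, at least 16 bytes of padding) and applies the check the fix introduced: the declared payload length must fit inside the bytes that actually arrived, otherwise the message is discarded rather than answered. The function names build_heartbeat, parse_heartbeat and respond are hypothetical, and the sample messages are constructed inline.

```python
"""Bounds-checking a TLS heartbeat message (RFC 6520 layout).

Editorial example, not code from the forum thread or from OpenSSL.
The Heartbleed defect was that the server trusted the payload_length
field in the incoming message and copied that many bytes into its reply
even when the message carried far fewer bytes; the missing bytes came
from whatever else sat in the server's memory. The fixed behaviour is
to verify the declared length against the record that actually arrived
and to drop the message silently when they disagree.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_MIN = 16          # RFC 6520: padding must be at least 16 bytes
HEADER_LEN = 1 + 2        # type (1 byte) + payload_length (2 bytes, big-endian)


def parse_heartbeat(record: bytes) -> bytes:
    """Validate a heartbeat message body and return its payload.

    Raises ValueError when the message is too short, has an unknown type,
    or declares a payload_length that does not fit inside the record
    together with the mandatory padding (the Heartbleed check).
    """
    if len(record) < HEADER_LEN + PADDING_MIN:
        raise ValueError("heartbeat message too short")
    msg_type = record[0]
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {msg_type}")
    (payload_length,) = struct.unpack("!H", record[1:3])
    # The check that was missing: never trust the declared length on its own.
    # Everything the sender claims to have sent must already be in `record`.
    if HEADER_LEN + payload_length + PADDING_MIN > len(record):
        raise ValueError(
            f"declared payload_length {payload_length} exceeds "
            f"record size {len(record)}"
        )
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def build_heartbeat(payload: bytes,
                    declared_length: Optional[int] = None,
                    msg_type: int = HEARTBEAT_REQUEST) -> bytes:
    """Assemble a heartbeat message body.

    `declared_length` lets a test state a length field that disagrees with
    the payload actually attached, which is exactly the malformed input the
    validator above must reject.
    """
    if declared_length is None:
        declared_length = len(payload)
    return (bytes([msg_type])
            + struct.pack("!H", declared_length)
            + payload
            + b"\x00" * PADDING_MIN)


def respond(record: bytes) -> Optional[bytes]:
    """Server side: echo a valid request's payload back as a response.

    Returns None for any message that fails validation; RFC 6520 says such
    messages are discarded, not answered, so nothing from memory leaks.
    """
    try:
        payload = parse_heartbeat(record)
    except ValueError:
        return None
    return build_heartbeat(payload, msg_type=HEARTBEAT_RESPONSE)


if __name__ == "__main__":
    # Constructed sample messages for a quick stand-alone run.
    good = build_heartbeat(b"hello")
    print("well-formed request ->", respond(good))
    oversized = build_heartbeat(b"hello", declared_length=0x4000)
    print("length field larger than record ->", respond(oversized))
```

The only state the responder ever copies is `record[3:3 + payload_length]`, and that slice is taken only after the length has been checked against `len(record)`; a message whose length field promises more than it delivers is dropped before any reply is built.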
- TimeRunner
- Posts: 1939
- Joined: Sat Dec 29, 2012 8:23 pm
- Location: Beach-side, CA
Re: heartbleed - widespread internet security problem
madbrain wrote:
TimeRunner wrote: Why not take advantage of the enhanced login options that USAA has been providing for quite awhile - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
Personally, I would recommend staying off those broken servers completely until they are actually patched.
Even if your login is not compromised, the plaintext of your financial data will still be in the server's RAM, and potentially retrievable by an attacker.
Are you saying USAA's servers are unpatched or compromised? They say they were patched "earlier this week". See: https://communities.usaa.com/t5/USAA-Ne ... ba-p/25876
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Re: heartbleed - widespread internet security problem
TimeRunner wrote:
madbrain wrote:
TimeRunner wrote: Why not take advantage of the enhanced login options that USAA has been providing for quite awhile - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
Personally, I would recommend staying off those broken servers completely until they are actually patched.
Even if your login is not compromised, the plaintext of your financial data will still be in the server's RAM, and potentially retrievable by an attacker.
Are you saying USAA's servers are unpatched or compromised? They say they were patched "earlier this week". See: https://communities.usaa.com/t5/USAA-Ne ... ba-p/25876
Sorry, I didn't realize that.
My statement still applies to any other unpatched servers that may be out there.
- TimeRunner
- Posts: 1939
- Joined: Sat Dec 29, 2012 8:23 pm
- Location: Beach-side, CA
Re: heartbleed - widespread internet security problem
madbrain wrote: Sorry, I didn't realize that.
My statement still applies to any other unpatched servers that may be out there.
Good advice! It's gonna be awhile before all the smaller businesses and organizations (think NGOs, non-profits, etc) work through this.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli