heartbleed - widespread internet security problem

cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: heartbleed - widespread internet security problem

Post by cb474 »

Mudpuppy wrote:
cb474 wrote:So while it's always a good time to review security practices, I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.
Let me shed a little clarification on the sentence I italicized in your quote. The point of unique passwords is NOT to save you the work of having to change passwords in the wake of a compromise. The point of unique passwords IS to keep the passwords separate so if 60% of sites you visit are compromised, the information gleaned from those sites can't be used to get into the 40% of sites you visit that are NOT compromised.

If you used the same password for Google that you use for Vanguard, you would be in a world of hurt right now. If you use unique passwords everywhere (and 2 factor where available), you'll still have to change passwords on the affected sites, but you won't need to worry about someone using that data to get into your Vanguard account.
Yes, I think from my quote it is obvious that I understand that. What I was saying, which you seemed to miss, is that this is not your typical example of why it is valuable to have unique passwords for every site. The typical example is someone who uses the same password for every site. Then if only one of those sites is compromised, now a thief potentially has your password to everything. In the case of the OpenSSL bug, since most web servers in the world are compromised anyway, you're getting most of the mess anyway. My only point was that people who were citing this as a good example of why you need unique passwords for every site seemed to actually be misunderstanding the nature of this bug or at least presenting it in a way to others that is misleading. I don't really think this is a classic example of the value of unique passwords (though there would be some value in this case) and saying this obfuscates, rather than clarifies, the nature of the OpenSSL bug.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: heartbleed - widespread internet security problem

Post by Mudpuppy »

cb474 wrote:
Mudpuppy wrote:
cb474 wrote:So while it's always a good time to review security practices, I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.
Let me shed a little clarification on the sentence I italicized in your quote. The point of unique passwords is NOT to save you the work of having to change passwords in the wake of a compromise. The point of unique passwords IS to keep the passwords separate so if 60% of sites you visit are compromised, the information gleaned from those sites can't be used to get into the 40% of sites you visit that are NOT compromised.

If you used the same password for Google that you use for Vanguard, you would be in a world of hurt right now. If you use unique passwords everywhere (and 2 factor where available), you'll still have to change passwords on the affected sites, but you won't need to worry about someone using that data to get into your Vanguard account.
Yes, I think from my quote it is obvious that I understand that. What I was saying, which you seemed to miss, is that this is not your typical example of why it is valuable to have unique passwords for every site. The typical example is someone who uses the same password for every site. Then if only one of those sites is compromised, now a thief potentially has your password to everything. In the case of the OpenSSL bug, since most web servers in the world are compromised anyway, you're getting most of the mess anyway. My only point was that people who were citing this as a good example of why you need unique passwords for every site seemed to actually be misunderstanding the nature of this bug or at least presenting it in a way to others that is misleading. I don't really think this is a classic example of the value of unique passwords (though there would be some value in this case) and saying this obfuscates, rather than clarifies, the nature of the OpenSSL bug.
2/3rds is not 100%, and a much lower percentage of critical sites like financial institutions are vulnerable to this issue since fewer such sites are running OpenSSL due to regulatory and industry pressures. While it's all fine and dandy to argue back and forth on technical semantics, for the average lay person, if they just take to heart the advice to always use unique passwords, they would be insulated from a great deal of the potential fallout of this bug.

Most of the sites affected by this bug are not really high-consequence sites (e.g. not really a risk to financial or physical well-being). It's widespread for sure, but not really a chicken little event if someone takes this basic precaution about password reuse to heart. The primary high-consequence sites that were affected by this were webmail services that offer two-factor authentication to mitigate the effects of a password compromise and a handful of financial institutions.

The large annoyance factor in having to change 2/3rds of one's passwords for mostly low-consequence sites does not outweigh the benefit of unique passwords. It's an annoyance to have to change so many passwords, but it's a disaster to have your financial information fall into the wrong hands just because you use the same password for everything from Facebook to Paypal to Vanguard.

As a final note, it really doesn't matter to get the details of the bug to the average lay person. It's interesting to the technically oriented crowd and I'm sure it will be making headlines for weeks and months. But short of never using a computer again, there was absolutely nothing a lay person could have done to prevent this bug from coming into play and absolutely nothing they can do to prevent a similar bug from popping up in the future.

I try not to make people worry too much about things they can't control. The average lay person can't control how the servers they connect to are set up or what software those servers are running. What people can control is how they choose their passwords. It might be a small measure against the tide of a large bug, but it is something within the control of anyone who can interact with a computer.

If this seems blasé, well it is to some extent. Much like the Target breach was just a symptom of a wider undercurrent of credit card theft, this bug is just a splashy reminder of how tenuous "security" really is. There are no absolutes. Prevent what you can. Mitigate damages when you can. But be prepared to accept the reality that something nasty is bound to come along that is going to give you a bad week, and just hope that the bad week is mostly filled with annoyances, instead of emptying bank accounts or other fiscal disasters.

Prevent. Detect. Recover. And don't waste too much time worrying about what you can't control in the process.
madbrain
Posts: 6806
Joined: Thu Jun 09, 2011 5:06 pm
Location: San Jose, California

Re: heartbleed - widespread internet security problem

Post by madbrain »

dmcmahon wrote:Maybe it's time VG offered two-factor auth? And every other bank/broker site...
I agree, but that wouldn't really have done anything against this particular attack, though.
Jeff Albertson
Posts: 904
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: heartbleed - widespread internet security problem

Post by Jeff Albertson »

from Vanguard:
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.

Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
https://personal.vanguard.com/us/insigh ... Channel=AN
teacher
Posts: 1165
Joined: Sun Oct 05, 2008 5:45 pm
Location: California

Heartbleed Security Flaw

Post by teacher »

[Thread merged into here, see below. --admin LadyGeek]

I came to the forum last night and again this morning hoping to find conventional wisdom on the topic of the Heartbleed security hole recently found in the internet. I can't find any discussion so I thought I would start the ball off rolling. A recent thread discussed Vanguard's security, which left me satisfied we were in good shape. But this new flaw in software appears to be very significant. Apparently, changing passwords may be useless because the security issue has not been fixed, and it may take years to fix it.

My questions are, should we feel comfortable using our online access to Vanguard and Fidelity? What about credit unions and banks? If this is the real deal, it could take years to make online transactions secure once again. What are your thoughts? Is this an exaggeration, or is it the real deal? What would be the safest practice going forward?
Here are a couple articles that cover the issue:
'Heartbleed Bug' puts Web security at risk
http://www.latimes.com/business/la-fi-w ... z2yUqI1DPR

Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass
http://www.washingtonpost.com/business/ ... ml?hpid=z5
InvestorNewb
Posts: 1663
Joined: Mon Sep 03, 2012 11:27 am

Re: Heartbleed Security Flaw

Post by InvestorNewb »

Another thread was started about it here:
http://www.bogleheads.org/forum/viewtop ... st=2024165
My Portfolio: VTI [US], VXUS [Int'l], VNQ [REIT], VCN [Canada] (largest to smallest)
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Heartbleed Security Flaw

Post by jebmke »

teacher wrote: I can't find any discussion
What popped up when you put "heartbleed" in the search box? Perhaps the search system isn't working.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
teacher
Posts: 1165
Joined: Sun Oct 05, 2008 5:45 pm
Location: California

Re: Heartbleed Security Flaw

Post by teacher »

Thanks, InvestorNewb. I didn't look in "Personal Consumer Issues".
CyberBob
Posts: 3387
Joined: Tue Feb 20, 2007 1:53 pm

Re: Heartbleed Security Flaw

Post by CyberBob »

The latest Vanguard news release says they are safe from the bug: https://personal.vanguard.com/us/insigh ... heartbleed

Bob
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: Heartbleed Security Flaw

Post by sscritic »

teacher wrote:Thanks, InvestorNewb. I didn't look in "Personal Consumer Issues".
The search box is not restricted to just one forum. It is at the top of every thread you read. When I want to find, I search.
teacher
Posts: 1165
Joined: Sun Oct 05, 2008 5:45 pm
Location: California

Re: Heartbleed Security Flaw

Post by teacher »

Thanks for directing me, CyberBob.
My apologies to all for bringing up a topic already discussed.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: heartbleed - widespread internet security problem

Post by tadamsmar »

Jeff Albertson wrote:from Vanguard:
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.

Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
https://personal.vanguard.com/us/insigh ... Channel=AN
Funny, that link no longer contains that quotation. It must have been edited. It still says Vanguard is safe from heartbleed, but it does not say why. (It's possible to have the bug somewhere in your systems and still be safe from a security breach.)
ResearchMed
Posts: 16795
Joined: Fri Dec 26, 2008 10:25 pm

Re: heartbleed - widespread internet security problem

Post by ResearchMed »

tadamsmar wrote:
Jeff Albertson wrote:from Vanguard:
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.

Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
https://personal.vanguard.com/us/insigh ... Channel=AN
Funny, that link no longer contains that quotation. It must have been edited. It still says Vanguard is safe from heartbleed, but it does not say why. (It's possible to have the bug somewhere in your systems and still be safe from a security breach.)
Vanguard's Website, through that link, now states:

"You may have heard about the "Heartbleed" vulnerability discovered in OpenSSL, the encryption standard used by a majority of websites, including Vanguard's, to transmit data securely. Be assured that Vanguard's websites are not and have not been subject to this vulnerability."

If the vulnerability was with OpenSSL, and it WAS used by Vanguard (per their statement), then how is it that Vanguard's website has not been subject to this vulnerability?

Are/were only some versions or implementations of OpenSSL vulnerable?

RM
teacher
Posts: 1165
Joined: Sun Oct 05, 2008 5:45 pm
Location: California

Re: heartbleed - widespread internet security problem

Post by teacher »

I get that passwords need to be changed regularly and personal questions in this instance need to be changed, but what about the user name?
hstang
Posts: 91
Joined: Thu Mar 01, 2007 6:29 pm

Re: Heartbleed Security Flaw

Post by hstang »

"The search box is not restricted to just one forum. It is at the top of every thread you read. When I want to find, I search."

When I search, the results displayed are ONLY for the board where the search was initiated. What am I doing wrong?

hs
House Blend
Posts: 4878
Joined: Fri May 04, 2007 1:02 pm

Re: heartbleed - widespread internet security problem

Post by House Blend »

ResearchMed wrote:Are/were only some versions or implementations of OpenSSL vulnerable?
Correct. The vulnerable versions of OpenSSL were first released in 2012. But not all users and distributors of the software necessarily try to stay on the bleeding edge. (Pun intended.)

For example, the OpenSSL version distributed in Red Hat Linux 5 is not and never was vulnerable to heartbleed. Plenty of websites still use this Linux distribution or derivatives based on it (like CentOS 5).

The latest version of Red Hat Linux started distributing a vulnerable version of OpenSSL a few months ago (Dec. 2013 I believe). They pushed out a fixed version on Monday.
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: Heartbleed Security Flaw

Post by sscritic »

I just searched for heartbleed from the search box that has Google... in it (top right). This forum is 10 (look at the f=10 in the url). The first five results I got from my search were from f=2, f=11, f=2, f=10 (this thread), and f=1.

Where did you search and what did you search for?
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: Heartbleed Security Flaw

Post by sscritic »

You are using search this forum, which search this forum does for you. That box appears on the index page for a forum.

My quote said from a thread, not from a forum. Don't go anywhere, just look up.
It is at the top of every thread you read.
I see where you could have been misled by
The search box is not restricted to just one forum
I should have said that the search results are not restricted to just one forum (unless you deliberately restrict them to just one forum).
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: heartbleed - widespread internet security problem

Post by jebmke »

It appears that USAA has implemented a patch. I guess that means that one should change that PW and all related security codes (secret questions, online PIN).

https://communities.usaa.com/t5/USAA-Ne ... 24845029=1
04-09-2014 01:15 PM

USAA is aware of the “Heartbleed” Internet bug affecting many servers. We have already taken measures to help prevent a data breach and implemented a patch earlier this week.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: heartbleed - widespread internet security problem

Post by Ged »

House Blend wrote:
ResearchMed wrote:Are/were only some versions or implementations of OpenSSL vulnerable?
Correct. The vulnerable versions of OpenSSL were first released in 2012. But not all users and distributors of the software necessarily try to stay on the bleeding edge. (Pun intended.)

For example, the OpenSSL version distributed in Red Hat Linux 5 is not and never was vulnerable to heartbleed. Plenty of websites still use this Linux distribution or derivatives based on it (like CentOS 5).

The latest version of Red Hat Linux started distributing a vulnerable version of OpenSSL a few months ago (Dec. 2013 I believe). They pushed out a fixed version on Monday.
I believe the Federal standard is RedHat 5.8 or so.

The first version of Centos with the bug was 6.5, which was released Feb 26 2014.

Even then you are not necessarily vulnerable to Heartbleed:

1. Heartbleed only affects one option in the TLS protocol suite. If that is not used the site is not vulnerable regardless of what version of OpenSSL is in use.
2. Best programming practices are to not keep plaintext credentials in addressable RAM. Sites that practice this are not vulnerable.
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: heartbleed - widespread internet security problem

Post by telemark »

The Vanguard statement shows some confusion. OpenSSL is not a standard. SSL is a standard. OpenSSL is one implementation of that standard, and there are other implementations that don't have the bug. Most likely, Vanguard has never used OpenSSL but some other vendor's implementation (possibly IBM). And as has already been said, only some versions of OpenSSL had the bug, and even those versions may have been compiled on some sites without enabling the heartbeat feature.

And just to repeat, there are two steps an affected site needs to take: fixing the leak and also regenerating its certificates with a new public/private key pair. Presumably anyone savvy enough to do the first will also perform the second, and the certificate date is publicly visible. If you see that a site has a new certificate date, that's a good signal to change your password.
Last edited by telemark on Thu Apr 10, 2014 12:19 pm, edited 1 time in total.
House Blend
Posts: 4878
Joined: Fri May 04, 2007 1:02 pm

Re: heartbleed - widespread internet security problem

Post by House Blend »

Ged wrote:The first version of Centos with the bug was 6.5, which was released Feb 26 2014.
Yes it was 6.5, but the release date was Dec. 1 2013.

From the horse's mouth:
Johnny Hughes at centos.org wrote:Since this is the first post about the openssl update, I want to answer a couple questions here:

1. The first susceptible version of openssl in a CentOS release was
openssl-1.0.1e-15.el6, released on December 1, 2013.

2. The version of openssl that you should install to fix the issue is
openssl-1.0.1e-16.el6_5.7, released on April 8, 2014.

3. Versions of CentOS-6.5 openssl that were affected are:
openssl-1.0.1e-15.el6, openssl-1.0.1e-16.el6_5,
openssl-1.0.1e-16.el6_5.1, openssl-1.0.1e-16.el6_5.4.

4. Only CentOS-6.5 was affected. CentOS-6 at versions 6.4 or earlier
was not affected. No versions of CentOS-5 (or any other CentOS) were
affected.
sunnyday
Posts: 1679
Joined: Sat Jul 16, 2011 8:48 am

Re: heartbleed - widespread internet security problem

Post by sunnyday »

dmcmahon wrote:Maybe it's time VG offered two-factor auth? And every other bank/broker site...
Definitely

telemark wrote: If you see that a site has a new certificate date, that's a good signal to change your password.
Great recommendation -- if a site shows a new certificate date, definitely change your password.

However, can't sites update their certificates without changing the certificate date? Gmail's cert shows "Not valid before Wednesday, March 12, 2014 at 5:44:52 AM Eastern Daylight Time". Facebook shows February 7, 2010. Both sites are on the Mashable hit list - http://mashable.com/2014/04/09/heartble ... -affected/


So if a site doesn't show a new certificate date, well you still may need to change your password? But don't change your password until the site has been fixed? But how do you know when a site has been fixed? :oops:
Browser
Posts: 4857
Joined: Wed Sep 05, 2012 4:54 pm

Re: heartbleed - widespread internet security problem

Post by Browser »

Qualys SSL Labs website gives a more detailed report of website security:

Vanguard: grade A-
https://www.ssllabs.com/ssltest/analyze ... nguard.com

-- RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available. Grade reduced to A-.
-- The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

TIAA-CREF: grade F
https://www.ssllabs.com/ssltest/analyze ... .72.232.36

This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.

Penfed: grade C
https://www.ssllabs.com/ssltest/analyze ... penfed.org

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

There is no support for secure renegotiation.

The server does not support Forward Secrecy with the reference browsers

For several I checked, there was no vulnerability to Heartbleed. However, several including TIAA-CREF were vulnerable to man-in-the-middle (MITM) attacks.
We don't know where we are, or where we're going -- but we're making good time.
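The findings Browser lists above (RC4 still offered, no forward secrecy, a protocol floor below TLS 1.2, insecure renegotiation) are all settings the server operator controls. What follows is an added example, not code from the thread or from SSL Labs; it uses Go's crypto/tls as an assumed server stack (the sites named above run whatever they run) and puts a configuration with those weaknesses next to its corrected form, with a small audit that reports the first three the way a scanner does. Renegotiation is not represented because a Go server never offers it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Finding is one scanner-style complaint about a server's TLS configuration.
type Finding string

const (
	LowProtocolFloor Finding = "minimum protocol version not pinned to TLS 1.2 or newer"
	UnpinnedSuites   Finding = "cipher suite list not pinned; whatever the library defaults to is offered"
	RC4Offered       Finding = "RC4 cipher suites are offered"
	NoForwardSecrecy Finding = "suites without forward secrecy (static RSA key exchange) are offered"
)

// auditTLSConfig reports the weaknesses a scanner would hold against cfg.
// Only the TLS 1.2-and-below suite list is inspected: Go picks TLS 1.3 suites
// itself and all of them are forward-secret AEADs.
func auditTLSConfig(cfg *tls.Config) []Finding {
	var out []Finding
	if cfg.MinVersion < tls.VersionTLS12 {
		out = append(out, LowProtocolFloor)
	}
	if len(cfg.CipherSuites) == 0 {
		return append(out, UnpinnedSuites)
	}
	rc4, staticRSA := false, false
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id) // e.g. "TLS_RSA_WITH_RC4_128_SHA"
		if strings.Contains(name, "_RC4_") {
			rc4 = true
		}
		// Forward secrecy needs an ephemeral key exchange, which in this
		// library means the ECDHE suites; TLS_RSA_* encrypt the session
		// secret to the certificate's own key.
		if !strings.HasPrefix(name, "TLS_ECDHE_") {
			staticRSA = true
		}
	}
	if rc4 {
		out = append(out, RC4Offered)
	}
	if staticRSA {
		out = append(out, NoForwardSecrecy)
	}
	return out
}

// legacyConfig mirrors the kind of server graded down above: TLS 1.0 floor,
// RC4 still enabled, static-RSA suites mixed in with ECDHE ones.
func legacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// hardenedConfig is the corrected counterpart: TLS 1.2 floor and ECDHE-only
// AEAD suites, so every session key is ephemeral and RC4 is gone.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		},
	}
}

func main() {
	for label, cfg := range map[string]*tls.Config{"legacy": legacyConfig(), "hardened": hardenedConfig()} {
		findings := auditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The forward-secrecy finding is the one that matters most in the Heartbleed context: with a TLS_RSA_* suite the session secret is encrypted to the certificate's RSA key, so anyone who recorded traffic and later obtains that private key can decrypt it, whereas ECDHE sessions stay sealed even after the key leaks. That is also why re-keying, and not just patching, is part of the cleanup telemark describes earlier in the thread.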
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: heartbleed - widespread internet security problem

Post by telemark »

sunnyday wrote: However, can't sites update their certificates without changing the certificate date? Gmail's cert shows "Not valid before Wednesday, March 12, 2014 at 5:44:52 AM Eastern Daylight Time". Facebook shows February 7, 2010. Both sites are on the Mashable hit list - http://mashable.com/2014/04/09/heartble ... -affected/
Good question: I don't know. I thought not, but I might be wrong. A quick Google search doesn't turn anything up.
sunnyday
Posts: 1679
Joined: Sat Jul 16, 2011 8:48 am

Re: heartbleed - widespread internet security problem

Post by sunnyday »

telemark wrote:
sunnyday wrote: However, can't sites update their certificates without changing the certificate date? Gmail's cert shows "Not valid before Wednesday, March 12, 2014 at 5:44:52 AM Eastern Daylight Time". Facebook shows February 7, 2010. Both sites are on the Mashable hit list - http://mashable.com/2014/04/09/heartble ... -affected/
Good question: I don't know. I thought not, but I might be wrong. A quick Google search doesn't turn anything up.
Well, Google has patched most of their services. But as far as I can tell, there is no way of knowing just by looking at the certificate.
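To make the certificate question in the exchange above concrete (telemark's two steps, patch then re-key, and sunnyday's question of whether a re-issued certificate has to show a new date), here is an added example that is not from the thread or from any of the sites named in it. It goes one step beyond the posts: the "not valid before" date is only a hint, while the public key embedded in the certificate (the SubjectPublicKeyInfo, compared by SHA-256 fingerprint) shows definitively whether the site actually re-keyed. The host name, dates and self-signed certificates are constructed test data; in practice the "before" certificate would be one recorded from the site prior to disclosure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed's public disclosure date (7 April 2014); a key in service before it may have been exposed.
var heartbleedDisclosed = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// Verdict is what a client can conclude by comparing the certificate it saw before disclosure with today's.
type Verdict string

const (
	Unchanged       Verdict = "unchanged: same key, same issue date; nothing has been rotated"
	ReissuedSameKey Verdict = "reissued but NOT re-keyed: new date, same public key"
	RekeyedEarly    Verdict = "re-keyed, but the new key was already in service before disclosure"
	Rekeyed         Verdict = "re-keyed after disclosure: the exposed key is gone"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo, i.e. the public key itself.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// assess compares a certificate recorded before disclosure with the current one.
// NotBefore (the browser's "not valid before") is a hint; the key is the evidence.
func assess(before, current *x509.Certificate) Verdict {
	sameKey := spkiFingerprint(before) == spkiFingerprint(current)
	switch {
	case sameKey && current.NotBefore.Equal(before.NotBefore):
		return Unchanged
	case sameKey:
		return ReissuedSameKey
	case current.NotBefore.After(heartbleedDisclosed):
		return Rekeyed
	default:
		return RekeyedEarly
	}
}

// genKey makes a fresh P-256 key pair; a new pair is what "re-keying" means.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSigned issues a throwaway self-signed certificate for host (constructed test data;
// real sites serve CA-issued certificates, but NotBefore and the public key compare the same way).
func selfSigned(host string, key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// scenarios builds four constructed cases for an assumed host and returns the verdict for each.
func scenarios() map[string]Verdict {
	const host = "bank.example" // assumed, not a real site
	oldKey, freshKey := genKey(), genKey()
	before := selfSigned(host, oldKey, day(2013, time.June, 1)) // what the client saw before disclosure
	return map[string]Verdict{
		"unchanged":         assess(before, selfSigned(host, oldKey, day(2013, time.June, 1))),
		"reissued_same_key": assess(before, selfSigned(host, oldKey, day(2014, time.April, 9))),
		"rekeyed_early":     assess(before, selfSigned(host, freshKey, day(2014, time.March, 12))),
		"rekeyed":           assess(before, selfSigned(host, freshKey, day(2014, time.April, 9))),
	}
}

func main() {
	for name, v := range scenarios() {
		fmt.Printf("%-18s %s\n", name, v)
	}
}
```

The "reissued_same_key" case is the one the date heuristic gets wrong: a site can obtain a new certificate for the old key pair, the date moves, and nothing has actually been fixed. Recording the SPKI fingerprint of a site's certificate (many browsers show it in the certificate viewer) and comparing it after the site announces its fix answers the question without guessing.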
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: heartbleed - widespread internet security problem

Post by tadamsmar »

Yahoo updated their certificate. Did not find any other update that happened this week.
LadyGeek
Site Admin
Posts: 95691
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Post by LadyGeek »

FYI - I merged another thread into here, which is in the Personal Consumer Issues forum (general website security).
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
Posts: 95691
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Post by LadyGeek »

Nummerkins wrote:Here is a link to a visual explanation for anyone who is interested: http://info.elastica.net/2014/04/openss ... erability/

The worst part is that this attack is so simple -- anyone can understand it.
This is a very good tutorial - thanks!
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: heartbleed - widespread internet security problem

Post by tadamsmar »

ResearchMed wrote:
tadamsmar wrote:
Jeff Albertson wrote:from Vanguard:
Heartbleed was discovered in OpenSSL, the data encryption standard used by a majority of websites around the world—including vanguard.com—to transmit information securely. It lets attackers steal confidential data without being noticed, including passwords, bank account information, stored files, and Social Security numbers. Since the bug was discovered, many websites have taken steps to address the flaw.

Because Vanguard does not use the version of OpenSSL that is vulnerable to Heartbleed, your account and confidential information can't be captured through it, provided you use a unique password to log on to vanguard.com.
https://personal.vanguard.com/us/insigh ... Channel=AN
Funny, that link no longer contains that quotation. It must have been edited. It still says Vanguard is safe from heartbleed, but it does not say why. (It's possible to have the bug somewhere in your systems and still be safe from a security breach.)
Vanguard's Website, through that link, now states:

"You may have heard about the "Heartbleed" vulnerability discovered in OpenSSL, the encryption standard used by a majority of websites, including Vanguard's, to transmit data securely. Be assured that Vanguard's websites are not and have not been subject to this vulnerability."

If the vulnerability was with OpenSSL, and it WAS used by Vanguard (per their statement), then how is it that Vanguard's website has not been subject to this vulnerability?

Are/were only some versions or implementations of OpenSSL vulnerable?

RM
I read that big operations can have a front end with OpenSSL and pass the encrypted data on to a different server. So the front end can be breached to get some of its internal data, but the data is not the data required to decode the transmissions. This is just one example, not sure it applies to Vanguard.
ps56k
Posts: 980
Joined: Sat Mar 19, 2011 1:28 pm
Location: Chicago area

Vanguard website & Heartbleed security flaw

Post by ps56k »

OK - did an overall search -
https://www.google.com/search?sitesearc ... heartbleed

there is a main thread in the Personal Consumer Issues forum area - Go there --->>
http://www.bogleheads.org/forum/viewtop ... st=2023347 [Thread merged into here, see below. --admin LadyGeek]

wonder if Vanguard.com is working on their potential SSL (https://) Heartbleed flaw?
The SSL software is when the little "lock" appears for those secure and encrypted website exchanges.

Here is a tester website - https://lastpass.com/heartbleed/

https://lastpass.com/heartbleed/?h=vanguard.com

Site: vanguard.com
Server software: LB
Vulnerable: Possibly (might use OpenSSL)
SSL Certificate: Unsafe (created 9 months ago at Jun 26 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password
Last edited by ps56k on Thu Apr 10, 2014 4:01 pm, edited 3 times in total.
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: Vanguard website & Heartbleed security flaw

Post by sscritic »

There is a thread running now. LadyGeek has merged at least four different threads into the master heartbleed thread. Vanguard is discussed there. You will be merged, sooner or later.

If you want to learn more, read the master thread.
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Vanguard website & Heartbleed security flaw

Post by jebmke »

sscritic wrote: You will be merged, sooner or later.
Very Borg-like.

Maybe the search box should be BIGGER.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 1:44 pm

Re: Vanguard website & Heartbleed security flaw

Post by chaz »

I saw a post that Vanguard is safe from heartbleed.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
Info_Hound
Posts: 421
Joined: Wed Mar 23, 2011 9:47 am
Location: Threw a dart in a map and moved

Re: heartbleed - widespread internet security problem

Post by Info_Hound »

The TSP web site just posted this message:

"TSP Safe from “Heartbleed” Bug — (April 10, 2014) We have reviewed our systems. TSP.gov is not affected by the Heartbleed vulnerability."

Good to know!

However, I am not feeling good about Comcast or Xcel Energy. I pay my bills online at these sites. Both got a grade of 'F' when I used one of the scanners mentioned earlier in this thread. Both have been silent about their situation.
ps56k
Posts: 980
Joined: Sat Mar 19, 2011 1:28 pm
Location: Chicago area

Re: Vanguard website & Heartbleed security flaw

Post by ps56k »

there is a main thread in the Personal Consumer Issues forum area - Go there --->>
http://www.bogleheads.org/forum/viewtop ... st=2023347

jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: heartbleed - widespread internet security problem

Post by jebmke »

Info_Hound wrote:However I am not feeling good about Comcast
Has anyone ever felt good about Comcast?
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard website & Heartbleed security flaw

Post by Epsilon Delta »

jebmke wrote:
sscritic wrote: You will be merged, sooner or later.
Very Borg-like.

Maybe the search box should be BIGGER.
Maybe the "report thread" icon could be BIGGER..

It's nice to point the OP to the right thread, but it's also nice to point the moderators to duplicate threads.
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: Vanguard website & Heartbleed security flaw

Post by sscritic »

Since a google search box is at the top of every page, I am amazed that people who come here regularly have never seen it and don't know where it is. You can't login or logout without being on a page with the search box (there may be a page, but every time I want to login or logout, I look in the upper right). Right now I see Logout [ sscritic ] in the upper right, less than one inch (on my screen) below the google search box.

Maybe the problem is that it is on every page, which is why people can't see it. If it were in a hidden secret spot that only certain people could get to, it would be used more, just like the secret boglehead sign that people give each other when they meet on airplanes or other public places.
peppers
Posts: 1650
Joined: Tue Oct 25, 2011 7:05 pm

Re: Vanguard website & Heartbleed security flaw

Post by peppers »

There are 2 search boxes. Having more than one choice tends to confuse people. :)
"..the cavalry ain't comin' kid, you're on your own..."
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: Vanguard website & Heartbleed security flaw

Post by sscritic »

peppers wrote:There are 2 search boxes. Having more than one choice tends to confuse people. :)
And one of them says "Search this topic" which is what I would use if I wanted to search this topic, but I wouldn't use it if I wanted to search for other topics. Also, if you are starting a new thread and go to post, the search this topic box doesn't exist as the topic doesn't exist yet, but the google search box is there. Even now, as I compose this response, I can see the google search box in the upper right, but I cannot see the "Search this topic" box even though I am composing a post about this topic (well, sort of).

P.S. It is true that the "Search this topic" box is bigger than the google search box, so that might be what is throwing people off, but I would think that the words "Search this topic" would be an understandable clue.
gordo
Posts: 185
Joined: Sun May 13, 2007 5:14 pm
Location: CA

Re: Vanguard website & Heartbleed security flaw

Post by gordo »

You can check here:

https://ssltools.websecurity.symantec.c ... tCheck.jsp

Vanguard.com is not vulnerable.
User avatar
LadyGeek
Site Admin
Posts: 95691
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: Vanguard website & Heartbleed security flaw

Post by LadyGeek »

sscritic wrote:There is a thread running now. LadyGeek has merged at least four different threads into the master heartbleed thread. Vanguard is discussed there. You will be merged, sooner or later.

If you want to learn more, read the master thread.
How about now. If your count is accurate, we're up to five. This thread is in the Personal Consumer Issues forum.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Saving$
Posts: 2518
Joined: Sat Nov 05, 2011 8:33 pm

Re: heartbleed - widespread internet security problem

Post by Saving$ »

jebmke wrote:It appears that USAA has implemented a patch. I guess that means that one should change that PW and all related security codes (secret questions, online PIN).

https://communities.usaa.com/t5/USAA-Ne ... 24845029=1
04-09-2014 01:15 PM

USAA is aware of the “Heartbleed” Internet bug affecting many servers. We have already taken measures to help prevent a data breach and implemented a patch earlier this week.
I guess last night or this a.m. was "earlier this week." When I posted at 10pm last night I had just run the USAA site through the checking website that is posted in this thread, and it returned an F. I wish USAA would be more forthright.
Browser
Posts: 4857
Joined: Wed Sep 05, 2012 4:54 pm

Re: Vanguard website & Heartbleed security flaw

Post by Browser »

gordo wrote:You can check here:

https://ssltools.websecurity.symantec.c ... tCheck.jsp

Vanguard.com is not vulnerable.
Just ran this to check a credit union website I use and got the warning that the certificates were installed in the wrong order and should be re-installed. What is this all about, and how in the heck do you "re-install" your certificates for a website even if you wanted to? I never installed them in the first place -- all this stuff takes place behind the magician's curtain.
We don't know where we are, or where we're going -- but we're making good time.
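The warning Browser's scanner produced is about the order of the certificate chain a server sends during the TLS handshake. TLS 1.2 (RFC 5246) requires the server to send its own certificate first, followed by each certificate that issued the one before it; TLS 1.3 relaxed this, and many modern clients reassemble a shuffled chain anyway, but stricter clients can fail to connect. "Re-installing" just means the site operator concatenates the PEM files in the right sequence on the server. The following is an added example, not code from this thread or from any of the sites discussed: it builds a throwaway root/intermediate/leaf PKI with the Go standard library (the names "Example Root CA", "Example Intermediate CA" and "www.example.test" are constructed), then shows how a checker can detect an out-of-order chain while an order-tolerant verifier still accepts it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn. When parent is nil the certificate is
// self-signed (a root). This is a constructed test PKI, not any real site's chain.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainOrderProblems walks a server-sent chain (leaf first) and reports every
// position where the next certificate is not the issuer of the previous one.
// This is the strict TLS 1.2 ordering rule, which is what scanners check.
func ChainOrderProblems(chain []*x509.Certificate) []string {
	var problems []string
	for i := 0; i+1 < len(chain); i++ {
		child, parent := chain[i], chain[i+1]
		if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
			problems = append(problems, fmt.Sprintf("position %d: %q was issued by %q, but the next certificate sent is %q",
				i, child.Subject.CommonName, child.Issuer.CommonName, parent.Subject.CommonName))
			continue
		}
		if err := child.CheckSignatureFrom(parent); err != nil {
			problems = append(problems, fmt.Sprintf("position %d: %q is not signed by %q: %v",
				i, child.Subject.CommonName, parent.Subject.CommonName, err))
		}
	}
	return problems
}

// ChainVerifies asks Go's order-tolerant verifier whether the leaf chains to
// root using whatever else the server sent, regardless of the order it came in.
func ChainVerifies(chain []*x509.Certificate, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// DemoChains builds root -> intermediate -> leaf and compares the leaf-first
// order a server should send against a chain with the root and intermediate swapped.
func DemoChains() (goodProblems, badProblems []string, goodVerifies, badVerifies bool) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	inter, interKey := newCert("Example Intermediate CA", true, root, rootKey)
	leaf, _ := newCert("www.example.test", false, inter, interKey)

	good := []*x509.Certificate{leaf, inter, root}
	bad := []*x509.Certificate{leaf, root, inter} // the "wrong order" a scanner flags
	return ChainOrderProblems(good), ChainOrderProblems(bad),
		ChainVerifies(good, root), ChainVerifies(bad, root)
}

func main() {
	good, bad, gv, bv := DemoChains()
	fmt.Printf("correct order: %d problems, verifies=%v\n", len(good), gv)
	fmt.Printf("wrong order:   %d problems, verifies=%v\n", len(bad), bv)
	for _, p := range bad {
		fmt.Println("  ", p)
	}
}
```

The two results side by side are the point: the swapped chain fails the strict ordering check at two positions, yet Go's verifier, which looks intermediates up by issuer name rather than by position, still builds a valid path. A site that passes in one browser and fails in another is usually in exactly this state, and the fix is on the server side, not the visitor's.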
User avatar
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: heartbleed - widespread internet security problem

Post by TimeRunner »

Saving$ wrote:
jebmke wrote:It appears that USAA has implemented a patch. I guess that means that one should change that PW and all related security codes (secret questions, online PIN).

https://communities.usaa.com/t5/USAA-Ne ... 24845029=1
04-09-2014 01:15 PM

USAA is aware of the “Heartbleed” Internet bug affecting many servers. We have already taken measures to help prevent a data breach and implemented a patch earlier this week.
I guess last night or this a.m. was "earlier this week." When I posted at 10pm last night I had just run the USAA site through the checking website that is posted in this thread, and it returned an F. I wish USAA would be more forthright.
Why not take advantage of the enhanced login options that USAA has been providing for quite a while - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
madbrain
Posts: 6806
Joined: Thu Jun 09, 2011 5:06 pm
Location: San Jose, California

Re: heartbleed - widespread internet security problem

Post by madbrain »

TimeRunner wrote: Why not take advantage of the enhanced login options that USAA has been providing for quite a while - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
Personally, I would recommend staying off those broken servers completely until they are actually patched.
Even if your login is not compromised, the plaintext of your financial data will still be in the server's RAM, and potentially retrievable by an attacker.
User avatar
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: heartbleed - widespread internet security problem

Post by TimeRunner »

madbrain wrote:
TimeRunner wrote: Why not take advantage of the enhanced login options that USAA has been providing for quite a while - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
Personally, I would recommend staying off those broken servers completely until they are actually patched.
Even if your login is not compromised, the plaintext of your financial data will still be in the server's RAM, and potentially retrievable by an attacker.
Are you saying USAA's servers are unpatched or compromised? They say they were patched "earlier this week". See: https://communities.usaa.com/t5/USAA-Ne ... ba-p/25876
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
madbrain
Posts: 6806
Joined: Thu Jun 09, 2011 5:06 pm
Location: San Jose, California

Re: heartbleed - widespread internet security problem

Post by madbrain »

TimeRunner wrote:
madbrain wrote:
TimeRunner wrote: Why not take advantage of the enhanced login options that USAA has been providing for quite a while - cybercode tokens and cybercode texts? I use the token system (similar to Google Authenticator and provided by Symantec), and it works fine. The texts would work well too. See:
https://www.usaa.com/inet/pages/securit ... tect_logon
Personally, I would recommend staying off those broken servers completely until they are actually patched.
Even if your login is not compromised, the plaintext of your financial data will still be in the server's RAM, and potentially retrievable by an attacker.
Are you saying USAA's servers are unpatched or compromised? They say they were patched "earlier this week". See: https://communities.usaa.com/t5/USAA-Ne ... ba-p/25876
Sorry, I didn't realize that.

My statement still applies to any other unpatched servers that may be out there.
User avatar
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: heartbleed - widespread internet security problem

Post by TimeRunner »

madbrain wrote:Sorry, I didn't realize that.

My statement still applies to any other unpatched servers that may be out there.
Good advice! It's gonna be a while before all the smaller businesses and organizations (think NGOs, non-profits, etc.) work through this. :!:
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Post Reply