heartbleed - widespread internet security problem

Topic Author
in_reality
Posts: 4529
Joined: Fri Jul 12, 2013 6:13 am

heartbleed - widespread internet security problem

Post by in_reality »

Apparently many implementations of SSL, which is used to protect secure connections on the internet, have had a bug for a while (two years perhaps), and as a result people are advised to change their passwords. The New York Times article suggested taking a day off and changing all your passwords, but I don't know if that should be taken so literally, especially since the flaw has been there for a while.

Security researchers disclosed the flaw before patches were ready which is not a good thing but such is life.

I don't know if it's recommended to change your passwords before things get fixed, or right after, or both, but anyway, google "heartbleed" and tons of articles should pop up.

https://www.google.com/search?sourceid= ... heartbleed

Update:

Changing your password won't help until the site has fixed the bug, so wait for confirmation from your favorite sites before you go changing passwords. If and when you do get confirmation, audit and update your passwords as usual. If a site is not vulnerable but doesn't issue a statement, change your passwords just in case they were vulnerable in the past. After all, it can't hurt.

http://lifehacker.com/what-the-heartble ... 1560801201
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: heartbleed - widespread internet security problem

Post by TimeRunner »

LastPass has created a Heartbleed checker, so you can check the websites you commonly do business with. https://lastpass.com/heartbleed/

I like LastPass for password management a lot. 8-)
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: heartbleed - widespread internet security problem

Post by Rob5TCP »

I just read a number of news articles referring to this.
This makes a weak password seem like a walk in the park.
The entire system is literally vulnerable, if these reports are accurate.

I have stopped accessing my most secure sites and am relying on automated phone calls (like I did 5-10 years ago) to get my information.

http://www.bbc.co.uk/news/technology-26935905

http://siliconangle.com/blog/2014/04/08 ... -millions/
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: heartbleed - widespread internet security problem

Post by sscritic »

Can I make an https joke now?
vitaflo
Posts: 1905
Joined: Sat Sep 03, 2011 3:02 pm

Re: heartbleed - widespread internet security problem

Post by vitaflo »

Rob5TCP wrote:I just read a number of news articles referring to this.
This makes a weak password seem like a walk in the park.
The entire system is literally vulnerable, if these reports are accurate.

I have stopped accessing my most secure sites and am relying on automated phone calls (like I did 5-10 years ago) to get my information.

http://www.bbc.co.uk/news/technology-26935905

http://siliconangle.com/blog/2014/04/08 ... -millions/
It is literally vulnerable and it doesn't matter how "strong" your password is. People today have been pointing simple scripts at the Yahoo Mail login and grabbing 3000 usernames/passwords in 15 minutes. The same attack can be used on about 70% of the entire internet.

The worst part isn't just usernames/passwords, it's that the attackers can grab the secret "keys" for the site. So even if they patch the SSL exploit, if an attacker got the keys to the site, they can still do all the things they were doing before, perhaps more. To add on to this, this vulnerability has been out there for over 2 years.

This is a massive problem that will have a lot of repercussions, especially because it is so easy to exploit. I'm surprised this isn't getting more attention to be honest.
oaksavannah
Posts: 30
Joined: Sun Nov 25, 2012 6:50 am

website security

Post by oaksavannah »

[Thread merged into here, see below. --admin LadyGeek]

"Experts Find a Door Ajar in an Internet Security Method Thought Safe"

April 8, 2014 NYTimes article:
http://bits.blogs.nytimes.com/2014/04/0 ... pe=nyt_now

Please advise if and how you will be acting on this information. E.g. will you be changing your Vanguard password? Your bank password?
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (computer security).

I also merged a thread into this one (posts titled "website security").
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
ccieemeritus
Posts: 714
Joined: Thu Mar 06, 2014 9:43 pm

Re: heartbleed - widespread internet security problem

Post by ccieemeritus »

<tongue in cheek>
The good news is that because this site does not support https, it is not vulnerable to the heartbleed attack!
</tongue in cheek>

Seriously though, I use keyfobs or one time passwords for my most sensitive bank and brokerage accounts. I believe not logging in during this time mitigates the risk because the attack grabs data from active memory. So my plan is to minimize logging into reusable password accounts for a few days while we get more info.
Last edited by ccieemeritus on Wed Apr 09, 2014 1:09 am, edited 1 time in total.
patriciamgr2
Posts: 861
Joined: Mon Nov 19, 2007 2:06 pm

Re: heartbleed - widespread internet security problem

Post by patriciamgr2 »

The LastPass heartbleed checker indicated that Vanguard.com might be vulnerable. Have any of our tech-savvy Forum members checked with Vanguard on this? If so, I'd be very grateful if you would post what you learn here on the site (e.g. was there any vulnerability; if so, when can we check accounts safely & when should passwords be changed)?

thanks in advance,

Patricia
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: heartbleed - widespread internet security problem

Post by telemark »

patriciamgr2 wrote:The LastPass heartbleed checker indicated that Vanguard.com might be vulnerable. Have any of our tech-savvy Forum members checked with Vanguard on this? If so, I'd be very grateful if you would post what you learn here on the site (e.g. was there any vulnerability; if so, when can we check accounts safely & when should passwords be changed)?

thanks in advance,

Patricia
When I try the LastPass checker I see:

Detected server software of LB
The server software is unknown, might use OpenSSL and could have been vulnerable.

The SSL certificate for vanguard.com valid 9 months ago at Jun 26 00:00:00 2013 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

Apparently it only checks the reported server version and the date for the certificate. There's another checker at http://filippo.io/Heartbleed/ which actually tries the attack, and that one reports:

All good, vanguard.com seems not affected!

My take is that Vanguard is probably ok. If you run the LastPass checker and see that the certificate has been regenerated recently, that would be the time for a new password. Ditto for any other sites.
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: heartbleed - widespread internet security problem

Post by cb474 »

There is yet another heartbleed checker, which I think is much more useful than the first two, here:

http://possible.lv/tools/hb/

The LastPass checker seems unable to really tell if a site is or (especially) was vulnerable in many cases (treating sites with old certificates, but which were never vulnerable, the same as sites with old certificates that were vulnerable). Also, not every server that uses SSL is using OpenSSL to run it, so just because a certificate is old does not necessarily mean anything. A server would have to be using OpenSSL to have the problem. The filippo.io checker tells you a site is great and fine, but fails to indicate that it was vulnerable, which could lead people to think they don't need to change their password; in other words, a site could be great and fine because it was always great and fine or because it was vulnerable but has been fixed.

The possible.lv checker tells you whether a site was using the TLS protocol that was vulnerable to begin with and, if so, whether it has been patched. So for example, it tells you that vanguard.com has the TLS extension disabled that was vulnerable to the bug. This I believe means that Vanguard was never using the protocol that had the problem and has always been fine (though I'm really not sure about this and would love to have someone confirm my understanding). On the other hand, Gmail (which is known--in the news--to have been vulnerable) shows up in the possible.lv checker as having been patched. So you know it was vulnerable and that it has been patched, but that definitely means your password could have been compromised.

People should also keep in mind that for any site that was vulnerable, you need to change not just passwords, but security questions too, since that information could also have been compromised.
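The first thing the possible.lv checker described above establishes is whether a server advertises TLS extension 15 (heartbeat) at all; a server that never enabled the extension has no heartbeat code path to leak from. As an added example, not code from any poster or from any of the checker sites, here is that step on a constructed ServerHello extensions block (the layout and the HeartbeatMode values 1 and 2 follow RFC 6520; the sample bytes are made up for the demonstration, not captured from any real server).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Extension type number assigned to TLS Heartbeat in RFC 6520. */
#define TLS_EXT_HEARTBEAT 15

/* Result codes for heartbeat_mode(). */
enum { HB_MALFORMED = -1, HB_ABSENT = 0, HB_PEER_ALLOWED = 1, HB_PEER_NOT_ALLOWED = 2 };

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a ServerHello extensions block (2-byte total length, then a list of
 * type(2) | length(2) | data entries) and report the advertised HeartbeatMode.
 * Every length field is checked against the bytes actually present, so a
 * truncated or lying length yields HB_MALFORMED instead of an out-of-bounds read. */
int heartbeat_mode(const unsigned char *buf, size_t len) {
    if (len < 2) return HB_MALFORMED;
    size_t total = be16(buf);
    if (total != len - 2) return HB_MALFORMED;       /* outer length must match */
    size_t pos = 2;
    while (pos < len) {
        if (len - pos < 4) return HB_MALFORMED;      /* no room for a type+length header */
        uint16_t type = be16(buf + pos);
        uint16_t elen = be16(buf + pos + 2);
        pos += 4;
        if (elen > len - pos) return HB_MALFORMED;   /* inner length claims bytes not present */
        if (type == TLS_EXT_HEARTBEAT) {
            if (elen != 1) return HB_MALFORMED;      /* HeartbeatMode is exactly one byte */
            unsigned char mode = buf[pos];
            return (mode == HB_PEER_ALLOWED || mode == HB_PEER_NOT_ALLOWED) ? (int)mode : HB_MALFORMED;
        }
        pos += elen;                                  /* skip an extension we do not care about */
    }
    return HB_ABSENT;                                 /* walked the whole list: no heartbeat */
}

/* Constructed sample blocks (not captured from any real server). */
static const unsigned char ext_with_heartbeat[] = {
    0x00, 0x0a,                     /* total extensions length: 10 */
    0xff, 0x01, 0x00, 0x01, 0x00,   /* renegotiation_info, 1 data byte */
    0x00, 0x0f, 0x00, 0x01, 0x01    /* heartbeat, mode 1 = peer_allowed_to_send */
};
static const unsigned char ext_without_heartbeat[] = {
    0x00, 0x05,                     /* total extensions length: 5 */
    0xff, 0x01, 0x00, 0x01, 0x00    /* renegotiation_info only */
};
static const unsigned char ext_lying_length[] = {
    0x00, 0x04,                     /* outer length is consistent... */
    0x00, 0x0f, 0x00, 0x05          /* ...but heartbeat claims 5 data bytes and none follow */
};

static const char *describe(int mode) {
    switch (mode) {
    case HB_PEER_ALLOWED:     return "heartbeat advertised (peer_allowed_to_send)";
    case HB_PEER_NOT_ALLOWED: return "heartbeat advertised (peer_not_allowed_to_send)";
    case HB_ABSENT:           return "heartbeat extension absent";
    default:                  return "malformed extensions block";
    }
}

int main(void) {
    printf("sample 1: %s\n", describe(heartbeat_mode(ext_with_heartbeat, sizeof ext_with_heartbeat)));
    printf("sample 2: %s\n", describe(heartbeat_mode(ext_without_heartbeat, sizeof ext_without_heartbeat)));
    printf("sample 3: %s\n", describe(heartbeat_mode(ext_lying_length, sizeof ext_lying_length)));
    return 0;
}
```

An absent extension is what the checker reports as "TLS extension 15 (heartbeat) seems disabled"; an advertised one only says the code path exists, and whether the library behind it is patched is the checker's separate second step.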
patriciamgr2
Posts: 861
Joined: Mon Nov 19, 2007 2:06 pm

Re: heartbleed - widespread internet security problem

Post by patriciamgr2 »

FWIW, I just checked with a Flagship rep. She said that the Vanguard IT team issued an internal notice late last night saying that the Vanguard site did not have Open Heart & therefore none of our information is affected by Bleeding Heart. Caution: I am not tech-savvy & therefore don't really, truly understand this issue.

I assume they'll eventually post a notice on the website.
Jeff7
Posts: 329
Joined: Sat Nov 24, 2012 1:30 pm

Re: heartbleed - widespread internet security problem

Post by Jeff7 »

darrellr wrote:<tongue in cheek>
The good news is that because this site does not support https, it is not vulnerable to the heartbleed attack!
</tongue in cheek>

Seriously though, I use keyfobs or one time passwords for my most sensitive bank and brokerage accounts. I believe not logging in during this time mitigates the risk because the attack grabs data from active memory. So my plan is to minimize logging into reusable password accounts for a few days while we get more info.
My understanding of this issue is that it doesn't matter much if it's a one-time password, keyfob, etc. This bypasses that, effectively gaining direct read access to virtually anything that resides in the server's RAM. Encryption keys, passwords, password hints, system configuration, cookie data, user IP lists, and of course the data package that you were trying to send securely in the first place.

Each "heartbeat" request can only return a 64 kilobyte chunk of memory data at a time, but that's not a huge limitation. Someone would just need to keep sending those heartbeat requests over and over, and piece together the results. They said that within a few hours of this information being released, there were cracking tools written and available online.
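The mechanism Jeff7 describes comes down to one missing check. As an added example, not code from OpenSSL or from anyone in this thread: the vulnerable handler below echoes back as many bytes as the heartbeat record's own length field claims, so a four-byte payload that claims 200 bytes is answered with 200 bytes of whatever sits after the request in memory; the hardened handler compares the claim with the number of bytes that actually arrived and discards the record otherwise, which is what the fix did. The memory layout and the planted cookie are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout from RFC 6520:
 *   type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Constructed stand-in for server memory: the incoming record is placed at the
 * start, and unrelated per-process data (a session cookie) sits a little past it. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char PAYLOAD[] = "ping";
static const char SECRET[]  = "session-cookie=ABC123";   /* constructed sample value */

/* Lay out a request whose length field says claimed_len, regardless of how many
 * payload bytes were actually sent. Returns the number of bytes that really arrived. */
static size_t setup_arena(uint16_t claimed_len) {
    size_t plen = strlen(PAYLOAD);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, PAYLOAD, plen);
    memcpy(arena + HB_HEADER + plen + HB_PADDING, SECRET, strlen(SECRET));
    return HB_HEADER + plen + HB_PADDING;
}

/* Vulnerable handler: trusts the peer-supplied length and never compares it with
 * record_len, so the copy runs past the request into neighbouring memory.
 * Returns the number of response bytes written. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out, size_t out_cap) {
    (void)record_len;                             /* never consulted: the defect */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;             /* keeps this demo inside its own buffers */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* over-read of the arena */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Hardened handler: the claimed length is bounded by the bytes actually received,
 * and an inconsistent record is silently discarded, as RFC 6520 requires. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out, size_t out_cap) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;         /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > record_len) return 0;
    size_t resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* stays within the record */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Does the reply contain the planted secret anywhere? */
static int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

static size_t run_case(uint16_t claimed_len, int use_fixed, unsigned char *out) {
    size_t record_len = setup_arena(claimed_len);
    return use_fixed ? heartbeat_fixed(arena, record_len, out, ARENA_SIZE)
                     : heartbeat_vulnerable(arena, record_len, out, ARENA_SIZE);
}

/* Length of the reply a handler produces for a request claiming claimed_len bytes. */
int reply_length(uint16_t claimed_len, int use_fixed) {
    unsigned char out[ARENA_SIZE];
    return (int)run_case(claimed_len, use_fixed, out);
}

/* 1 if the reply carried the planted secret, 0 otherwise. */
int leaks_secret(uint16_t claimed_len, int use_fixed) {
    unsigned char out[ARENA_SIZE];
    size_t n = run_case(claimed_len, use_fixed, out);
    return contains_secret(out, n);
}

int main(void) {
    printf("honest 4-byte claim, vulnerable: %d bytes, leak=%d\n", reply_length(4, 0), leaks_secret(4, 0));
    printf("200-byte claim,      vulnerable: %d bytes, leak=%d\n", reply_length(200, 0), leaks_secret(200, 0));
    printf("200-byte claim,      fixed:      %d bytes, leak=%d\n", reply_length(200, 1), leaks_secret(200, 1));
    return 0;
}
```

The fixed handler answers an honest request exactly as before (23 bytes for the four-byte payload) and returns nothing at all for the inconsistent one, so a server running patched code gives an attacker no memory to piece together.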
Blues
Posts: 2501
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: heartbleed - widespread internet security problem

Post by Blues »

Frightening scenarios and I fear that we have only seen / experienced the tip of the iceberg going forward.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: heartbleed - widespread internet security problem

Post by Mudpuppy »

This is yet another reason why one should always use unique passwords for every site and just use a password locker with a strong master password to store them. If you're concerned about storing your social media passwords next to your banking passwords, use two password vaults (or however many you need to feel happy with your separation of sites).

This bug will get a lot of splashy headlines, but any security professional will tell you stuff like this goes on all the time. Even with the best software in the world, you will always have the "wetware" risk, e.g. there are always going to be people involved and people can be tricked out of almost anything. And software is coded by people, so it will not always be the best.

You can't control these variables, but you can plan for it by always using unique passwords. That way, even if one site (or a whole swath of sites) is compromised, your passwords at other sites remain protected.

Side bonuses to using a password locker: passwords can be truly strong and pseudo-random passwords (people tend to have letter/number/pattern biases even if they think they're being random) and you can change the passwords regularly without having to memorize each new site password (just have to memorize your master password and any other 2nd factor authentication you chose for password lockers that support 2-factor authentication).
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: heartbleed - widespread internet security problem

Post by Mudpuppy »

Rob5TCP wrote:I just read a number of news articles referring to this.
This makes a weak password seem like a walk in the park.
The entire system is literally vulnerable, if these reports are accurate.

I have stopped accessing my most secure sites and am relying on automated phone calls (like I did 5-10 years ago) to get my information.

http://www.bbc.co.uk/news/technology-26935905

http://siliconangle.com/blog/2014/04/08 ... -millions/
FWIW, using phone systems isn't going to make your data any more secure. The problem is on the server end. It doesn't matter if it's you accessing the server through a website or a call center phone rep accessing the server through their side. The problem is still at the server. Avoiding websites only works when the problem is the communication between you and the server or the problem is your machine.
BigFoot48
Posts: 3115
Joined: Tue Feb 20, 2007 9:47 am
Location: Arizona

Re: heartbleed - widespread internet security problem

Post by BigFoot48 »

I checked Schwab with the third tool listed above and it reported: "TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected." but I will wait for confirmation from Schwab before rushing to change the password, which I actually changed a week ago.

Advice on what to do from CNET: http://www.cnet.com/news/how-to-protect ... CAD1acfa04
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 18-time loser
nhrdls
Posts: 108
Joined: Tue Aug 20, 2013 5:14 pm

Re: heartbleed - widespread internet security problem

Post by nhrdls »

This site indicates vanguard may not be impacted. http://filippo.io/Heartbleed/#vanguard.com

While caution is advised while visiting any website on internet, my understanding so far is that many of the big providers are not impacted as far as https connection goes. Reference at https://devcentral.f5.com/articles/open ... 0WTP6biBTM

It has to do with how the https connection is terminated on the server side. For big providers it's not practical to have an SSL installation on all servers. That's why they have a load balancer and termination point. This termination point may be vulnerable based on the technology used, but normally your passwords and actual data are handled by the actual server and not by the termination point.

It's smaller providers that we should be worried about a lot. They need to regenerate secret keys and get SSL certificates installed again.

Please be warned, it's not just https traffic, but any service that uses OpenSSL on the server side might be impacted. This is why it's a much bigger problem, as OpenSSL has more than 66% market share. For example, your VPN service also might be impacted, no matter who the vendor of the service is.

Interestingly, this time Microsoft is innocent as their server (IIS) was not impacted.
Mike83
Posts: 161
Joined: Tue Apr 01, 2014 1:37 pm

Heartbleed Web Hack Test on Websites of Interest Here

Post by Mike83 »

[Thread merged into here, see below. --admin LadyGeek]

Today's WSJ has an article about the password vulnerability called Heartbleed and references a tool to test websites for exposure to this liability to expose customer ID and Password when signing in. So I went to SSLLABS.com (server test) and got the following results:

vanguard.com --- Passed GRADE A-
online.citibank.com --- Passed GRADE A-
TIAA-CREF.org --- Failed GRADE F
myvanguardplan.com (the Ascensus small business 401k admin for Vanguard) --- No Secure Protocols Supported (ungraded)
login.fidelity.com --- Passed GRADE A-

WSJ says today is a good day to change your password if you are exposed to a badly protected site (about 25% of sites are affected according to the news). And never use the same ID and Password for multiple sites, as you can see the possible problem for those that use TIAA and then another.

EDIT:
Just checked
paypal.com and two of their sites passed (A-) and one failed (F)
bbt.com has one site graded F and one site with no protocols supported
Last edited by Mike83 on Wed Apr 09, 2014 5:35 pm, edited 2 times in total.
BlueEars
Posts: 3968
Joined: Fri Mar 09, 2007 11:15 pm
Location: West Coast

Re: heartbleed - widespread internet security problem

Post by BlueEars »

This security issue has convinced me to go with a password manager like maybe Lastpass.

Will Lastpass users have to go to each site and rework their password? I would imagine the answer is yes. If yes, is the process easier for them?
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: Heartbleed Web Hack Test on Websites of Interest Here

Post by midareff »

I used two of the Heartbleed test sites today on 27 different sites, some financial, some like eBay and PayPal, etc., and found none failed. Regardless, I spent most of the day changing passwords as a precautionary measure.

http://possible.lv/tools/hb/

http://filippo.io/Heartbleed/
cherijoh
Posts: 6591
Joined: Tue Feb 20, 2007 3:49 pm
Location: Charlotte NC

Re: Heartbleed Web Hack Test on Websites of Interest Here

Post by cherijoh »

Mike83 wrote:Today's WSJ has an article about the password vulnerability called Heartbleed and references a tool to test websites for exposure to this liability to expose customer ID and Password when signing in. So I went to SSLLABS.com (server test) and got the following results:

vanguard.com --- Passed GRADE A-
online.citibank.com --- Passed GRADE A-
TIAA-CREF.org --- Failed GRADE F
myvanguardplan.com (the Ascensus small business 401k admin for Vanguard) --- No Secure Protocols Supported (ungraded)
login.fidelity.com --- Passed GRADE A-

WSJ says today is a good day to change your password if you are exposed to a badly protected site (about 25% of sites are affected according to the news). And never use the same ID and Password for multiple sites, as you can see the possible problem for those that use TIAA and then another.

EDIT:
Just checked paypal.com and two of their sites passed (A-) and one failed (F)
Thanks for posting. I was looking for the URL to check the sites I use.
Blues
Posts: 2501
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: heartbleed - widespread internet security problem

Post by Blues »

BlueEars wrote:This security issue has convinced me to go with a password manager like maybe Lastpass.

Will Lastpass users have to go to each site and rework their password? I would imagine the answer is yes. If yes, is the process easier for them?
LastPass will do a security audit on your passwords and sites via the "Tools" : "Security" menu.

For example, when I ran it a little while ago, it mentioned that one of my email addresses was compromised via an adobe.com issue some months back and recommended that I go to the site and change the old password.

Additionally, regarding Heartbleed, it stated that one of my credit card issuers sites may potentially have been susceptible or have had an issue. It further advised when the certificate was updated (two days ago) and recommended a course of action which was to update / change the password immediately.

(LastPass will also generate a new password according to your needs and parameters.)

According to the audit, no other site was affected by "heartbleed".

I held off using LastPass for years. Now, I'm very pleased to have put it to work for me.
Last edited by Blues on Wed Apr 09, 2014 5:39 pm, edited 1 time in total.
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: heartbleed - widespread internet security problem

Post by telemark »

If you have an email account with Yahoo you should change the password--especially if you've given it as the email address for a password reset from any other sites.
Dutchgirl
Posts: 164
Joined: Mon Mar 05, 2007 4:52 pm
Location: Oakland, California

Internet Security Problem

Post by Dutchgirl »

[Thread merged into here, see below. --admin LadyGeek]

Does anyone know whether Vanguard has dealt with the internet security problem described in the New York Times today? Here is the reference: bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?src=me&ref=general
agent13x
Posts: 91
Joined: Sat Mar 22, 2014 1:35 pm
Location: Iowa

Re: heartbleed - widespread internet security problem

Post by agent13x »

in_reality wrote:
Security researchers disclosed the flaw before patches were ready which is not a good thing but such is life.
Not true. The vulnerability was released to many security companies via responsible disclosure distro lists before being made public. Most operating systems had updates to fix the issue concurrently with public release of this information.

As another user said, the only thing you can do as a user is keep your system up to date and use UNIQUE passwords for each site you visit. You should always change all of your passwords on a regular basis regardless of whether big security vulns like this happen or not.
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Internet Security Problem

Post by Rob5TCP »

I got off with Vanguard internet access about 5:00 tonight and I was told "it does not affect us".
I could not get an answer whether it did in the past. I did change my password and questions about 5 minutes later.
One thing I did ask was when will we have 2 factor authentication and he said that depends on how much demand there is for it.
The more that ask, the more likely it will be offered. I wouldn't care if it were an extra cost option, I would go for it.
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Post by LadyGeek »

We have a lengthy discussion on passwords here: Another reason why you should never reuse passwords... - it's chock full of suggested techniques and other helpful information.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: heartbleed - widespread internet security problem

Post by cb474 »

nhrdls wrote:This site indicates vanguard may not be impacted. http://filippo.io/Heartbleed/
Just to repeat what I said above, the filippo site is not useful and can be very misleading. It returns the same response ("all good, whatever-website-you-entered seems fixed or unaffected") for websites that use OpenSSL, but have been patched, as well as for sites that were never using OpenSSL to begin with. This is very misleading. When you get this response for Vanguard, I think it's because Vanguard is using Windows servers or something other than Linux/Unix. So Vanguard was never vulnerable and this problem does not affect them (i.e. you don't need to change your password, etc.). But when it gives the exact same response for Gmail, it's because Google has patched their servers, but they were vulnerable, and just because it's fine now, doesn't mean that your password, etc., wasn't stolen.

So I recommend against using that checker. It can create a false sense of security vis-a-vis sites that may have been compromised. The LastPass checker also does not give enough information to be useful. If a web server is not using OpenSSL then it doesn't matter how old its certificate is, as far as this bug is concerned. And the LastPass checker doesn't seem to be able to distinguish between sites using OpenSSL and those that aren't. LastPass can create a false sense of concern, where there need be no concern. (I'm surprised a security focused company like this has made available such an essentially useless tool.)

The best checker I've found is the one I link to above. http://possible.lv/tools/hb/ It can tell if the server was using the type of TLS that needs to be patched and whether it has been patched. It is also checking certificates now (making the one bit of useful information from the LastPass checker redundant).

I also called Vanguard today and they also told me, as someone above said, that their system is not subject to the OpenSSL bug. The person I spoke with was not very knowledgeable though and did not transfer me directly to the technical website people. He was unwilling to disclose whether they use Windows servers or what (which I think is really not secret information that a technical person couldn't figure out in a second, going to the Vanguard website). It sounds like Vanguard simply does not and never did use OpenSSL, so it's not an issue. But it was a little hard to tell given the lack of technical knowledge and forthcomingness from the person I spoke with. "We aren't subject to the OpenSSL bug" could mean they patched it and are no longer subject or that they simply never used OpenSSL. But my sense was Vanguard just isn't using OpenSSL.
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: heartbleed - widespread internet security problem

Post by cb474 »

LadyGeek wrote:We have a lengthy discussion on passwords here: Another reason why you should never reuse passwords... - it's chock full of suggested techniques and other helpful information.
It's true as many people have been reiterating here that the best practice is not to use the same password for more than one website. In the case of the OpenSSL bug, however, because it so broadly affects most of the servers in the world, that particular security measure would not have been a great help. People are going to have to change their passwords on most sites that they use.

So while it's always a good time to review security practices, I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts; who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.

Also, people should remember, on sites that did use the compromised version of OpenSSL, you need to change security questions too. And you may want to change email addresses used for password recovery, if that email address is at a site (like Gmail, Yahoo) that was compromised. Or be sure you have secured your email first.
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Post by LadyGeek »

cb474 wrote:I also called Vanguard today and they also told me, as someone above said, that their system is not subject to the OpenSSL bug. The person I spoke with was not very knowledgeable though and did not transfer me directly to the technical website people. He was unwilling to disclose whether they use Windows servers or what (which I think is really not secret information that a technical person couldn't figure out in a second, going to the Vanguard website). It sounds like Vanguard simply does not and never did use OpenSSL, so it's not an issue. But it was a little hard to tell given the lack of technical knowledge and forthcomingness from the person I spoke with. "We aren't subject to the OpenSSL bug" could mean they patched it and are no longer subject or that they simply never used OpenSSL. But my sense was Vanguard just isn't using OpenSSL.
Bear in mind that any company worth its salt (crypto pun intended) will NOT disclose security techniques to the general public. What the person told you is probably what they were instructed to say (read this script...). I would hope that the "real" stuff is being addressed internally.

I agree that changing your email password, especially one used for resetting other accounts (like your bank), should be done.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
DRiP Guy
Posts: 2241
Joined: Tue Feb 20, 2007 3:54 pm

Re: heartbleed - widespread internet security problem

Post by DRiP Guy »

The discussion of 'best practices' for passwords is useful, but people need to remember that on this exploit, it doesn't matter how clever your password was, how you stored it, it was being grabbed out of raw system memory on the server-side (not your PC).

True, changing it often and using different passwords for different sites mitigates your exposure, but it does not eliminate it.

One of the best pieces of information to come from this debacle, in my opinion has yet to be mentioned on the thread, so I'll do so briefly, and leave any further followup to those few technically oriented or with server-side responsibilities, who might be interested. This technique at least prevents retrospective decryption using keys gathered after initial encrypted sessions were captured:
https://www.eff.org/deeplinks/2011/11/l ... rd-secrecy
http://www.perfectforwardsecrecy.com/
Last edited by DRiP Guy on Wed Apr 09, 2014 8:00 pm, edited 2 times in total.
madbrain
Posts: 6809
Joined: Thu Jun 09, 2011 5:06 pm
Location: San Jose, California

Re: heartbleed - widespread internet security problem

Post by madbrain »

agent13x wrote:
in_reality wrote:
Security researchers disclosed the flaw before patches were ready which is not a good thing but such is life.
Not true. The vulnerability was released to many security companies via responsible disclosure distro lists before being made public. Most operating systems had updates to fix the issue concurrently with public release of this information.

As another user said, the only thing you can do as a user is keep your system up to date and use UNIQUE passwords for each site you visit. You should always change all of your passwords on a regular basis regardless of whether big security vulns like this happen or not.
As someone who works primarily on SSL encryption technology for a major corporation, I can tell you that this vulnerability wasn't disclosed to us before it was made public.
Zero-day exploits are never good. On the other hand, the products I work on aren't affected, so this isn't that big of a deal.
cb474
Posts: 905
Joined: Tue Jan 19, 2010 5:32 am

Re: heartbleed - widespread internet security problem

Post by cb474 »

LadyGeek wrote:
cb474 wrote:I also called Vanguard today and they also told me, as someone above said, that their system is not subject to the OpenSSL bug. The person I spoke with was not very knowledgeable though and did not transfer me directly to the technical website people. He was unwilling to disclose whether they use Windows servers or what (which I think is really not secret information that a technical person couldn't figure out in a second, going to the Vanguard website). It sounds like Vanguard simply does not and never did use OpenSSL, so it's not an issue. But it was a little hard to tell given the lack of technical knowledge and forthcomingness from the person I spoke with. "We aren't subject to the OpenSSL bug" could mean they patched it and are no longer subject or that they simply never used OpenSSL. But my sense was Vanguard just isn't using OpenSSL.
Bear in mind that any company worth its salt (crypto pun intended) will NOT disclose security techniques to the general public. What the person told you is probably what they were instructed to say (read this script...). I would hope that the "real" stuff is being addressed internally.
There is a lot of debate about transparency vs. secrecy with respect to software security. I don't think there is actually an obvious answer here. It also really depends on the context.

In this case, what sort of server Vanguard runs (Windows? Linux?), I don't really see the security issue. And that was the only thing I was commenting on. As I said, I assume any halfway sophisticated developer/hacker could tell what kind of server Vanguard is running just by visiting their website (in fact, if I'm understanding it correctly, the heartbleed checker website I link to above reveals this information). So the only people Vanguard is keeping the secret from (in this case a customer) are the people who don't matter. My bank was happy to tell me they use Windows servers and are not subject to the bug. And frankly, the people I spoke with at my bank seemed a lot more technically sophisticated and well informed about this bug than the person I spoke with at Vanguard. In fact, the Vanguard person didn't know what I was talking about and had to check with someone else.

So I think the Vanguard person was being cautious, but in this case the caution was a sign of a lack of understanding of the issue. And it was actually a problem, because it meant that he was unable to clearly explain to me, someone with some technical understanding of the issue, whether or not Vanguard really never was vulnerable or not. As I said, I had the impression Vanguard doesn't use OpenSSL, but it really wasn't clear. I think I should be able to know that and make my own judgement about whether or not I should change my password.
roymeo
Posts: 1278
Joined: Sat Apr 28, 2007 7:19 pm
Location: Oakland, CA

Re: heartbleed - widespread internet security problem

Post by roymeo »

The LastPass Vault Security Check feature just told me I have 11 vulnerable sites out of a couple hundred passwords stored, and 2 have now updated their SSL tickets and are ready for me to change my password. I'm not sure that I believe that this lists everything that may have been using OpenSSL, but it's at least something to keep me from updating too soon, all contained in one dashboard.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo
whaleknives
Posts: 1238
Joined: Sun Jun 24, 2012 7:19 pm

Re: Heartbleed Web Hack Test on Websites of Interest Here

Post by whaleknives »

It could be worse:

"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."
whaleknives
Posts: 1238
Joined: Sun Jun 24, 2012 7:19 pm

Re: heartbleed - widespread internet security problem

Post by whaleknives »

It could be worse.
Last edited by whaleknives on Thu Apr 10, 2014 9:19 pm, edited 1 time in total.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."
susze
Posts: 194
Joined: Sun Jul 27, 2008 2:26 pm

Re: Heartbleed Web Hack Test on Websites of Interest Here

Post by susze »

Doesn't the test only check the current status? So if they were vulnerable before and we logged in, wouldn't we still be exposed if we didn't change our passwords?
Mike83
Posts: 161
Joined: Tue Apr 01, 2014 1:37 pm

Re: Heartbleed Web Hack Test on Websites of Interest Here

Post by Mike83 »

Yes. If the test fails now, it likely failed before now.

Companies that are exposed are, or should be, racing to close the hole. Once they pass the test, you should create new log-on credentials to (help) ensure you have a secured password.
Saving$
Posts: 2518
Joined: Sat Nov 05, 2011 8:33 pm

Re: Heartbleed Web Hack Test on Websites of Interest Here

Post by Saving$ »

Wow! USAA, which is so obsessed with security that they broke their own deposit at home system in the name of security, gets an F.
Small bank I use got a B.
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Post by LadyGeek »

FYI - I merged two more threads into here, which is in the Personal Consumer Issues forum (website security, general discussion).

The individual post title (top left corner) will display the original thread title.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
geoff2
Posts: 30
Joined: Wed Mar 07, 2007 9:30 pm
Location: North Carolina

Re: heartbleed - widespread internet security problem

Post by geoff2 »

An article that contains statements from various companies, including some financial firms, about their vulnerability to Heartbleed is available on Mashable.
LongDistanceRunner
Posts: 137
Joined: Fri Sep 25, 2009 12:00 pm

Re: heartbleed - widespread internet security problem

Post by LongDistanceRunner »

I tested Lastpass.com using their own heartbleed test and it appears that it failed. It also appears to have been possibly compromised by the test of http://possible.lv/ which says it was patched. So if Lastpass could be compromised, would it be advisable to use it?
LDR | | "Work like you don't need the money. | Love like you've never been hurt. | Dance like nobody's watching." - Satchel Paige
roymeo
Posts: 1278
Joined: Sat Apr 28, 2007 7:19 pm
Location: Oakland, CA

Re: heartbleed - widespread internet security problem

Post by roymeo »

LongDistanceRunner wrote:I tested Lastpass.com using their own heartbleed test and it appears that it failed. It also appears to have been possibly compromised by the test of http://possible.lv/ which says it was patched. So if Lastpass could be compromised, would it be advisable to use it?
You'll notice LastPass even lists their own site as someone to check out at the bottom of the page here: https://lastpass.com/heartbleed/

According to the support comments on http://blog.lastpass.com/2014/04/lastpa ... d-bug.html your LastPass vault password isn't transmitted to the site, it is only used locally, even on mobile.

LastPass.com apparently did use OpenSSL, but there doesn't seem to be any way for a regular user to have an account on LastPass.com, so it doesn't appear to be relevant to the LastPass tool.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo
Jfet
Posts: 1081
Joined: Tue Dec 21, 2010 6:20 pm

Re: heartbleed - widespread internet security problem

Post by Jfet »

Something similar to this heartbleed is probably going to be the next black swan event that causes a 50% drop in the market.

Imagine if Vanguard, Fidelity, Etrade, etc. were hacked and thousands of users had malicious trades executed. Total chaos and immediate distrust of the internet. It would be bad.

Hmmm, maybe those gold bugs were not so dumb after all...
roymeo
Posts: 1278
Joined: Sat Apr 28, 2007 7:19 pm
Location: Oakland, CA

Re: heartbleed - widespread internet security problem

Post by roymeo »

Jfet wrote:Something similar to this heartbleed is probably going to be the next black swan event that causes a 50% drop in the market.

Imagine if Vanguard, Fidelity, Etrade, etc. were hacked and thousands of users had malicious trades executed. Total chaos and immediate distrust of the internet. It would be bad.

Hmmm, maybe those gold bugs were not so dumb after all...
Except the asteroid-born gold-eating-bacteria native to Nemesis will get here first.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo
Nummerkins
Posts: 674
Joined: Tue Jun 01, 2010 4:41 pm

Re: heartbleed - widespread internet security problem

Post by Nummerkins »

Here is a link to a visual explanation for anyone who is interested: http://info.elastica.net/2014/04/openss ... erability/

The worst part is that this attack is so simple -- anyone can understand it.
Today's high is tomorrow's low.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: heartbleed - widespread internet security problem

Post by Mudpuppy »

cb474 wrote:So while it's always a good time to review security practices, I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.
Let me shed a little clarification on the sentence I italicized in your quote. The point of unique passwords is NOT to save you the work of having to change passwords in the wake of a compromise. The point of unique passwords IS to keep the passwords separate so if 60% of sites you visit are compromised, the information gleaned from those sites can't be used to get into the 40% of sites you visit that are NOT compromised.

If you used the same password for Google that you use for Vanguard, you would be in a world of hurt right now. If you use unique passwords everywhere (and 2 factor where available), you'll still have to change passwords on the affected sites, but you won't need to worry about someone using that data to get into your Vanguard account.
dmcmahon
Posts: 2855
Joined: Fri Mar 21, 2008 10:29 pm

Re: heartbleed - widespread internet security problem

Post by dmcmahon »

Maybe it's time VG offered two-factor auth? And every other bank/broker site...