heartbleed - widespread internet security problem


Postby in_reality » Tue Apr 08, 2014 6:12 pm

Apparently many implementations of SSL, which is used to protect secure connections on the internet, have had a bug for a while (two years perhaps) and as a result, people are advised to change their passwords. The New York Times article suggested taking a day off and changing all your passwords, but I don't know if that should be taken so literally, especially since the flaw has been there for a while.

Security researchers disclosed the flaw before patches were ready which is not a good thing but such is life.

I don't know if it's recommended to change your passwords before things get fixed, or right after, or both, but anyway, google "heartbleed" and tons of articles should pop up.

https://www.google.com/search?sourceid= ... heartbleed

Update:

Changing your password won't help until the site has fixed the bug, so wait for confirmation from your favorite sites before you go changing passwords. If and when you do get confirmation, audit and update your passwords as usual. If a site is not vulnerable but doesn't issue a statement, change your passwords just in case they were vulnerable in the past. After all, it can't hurt.

http://lifehacker.com/what-the-heartble ... 1560801201
Got here the hard way, but here I thankfully am...

Re: heartbleed - widespread internet security problem

Postby TimeRunner » Tue Apr 08, 2014 7:18 pm

Lastpass has created a Heartbleed checker, so you can check the websites you commonly do business with. https://lastpass.com/heartbleed/

I like Lastpass for password management a lot. 8-)
Ferris: Life moves pretty fast. If you don't stop and look around once in a while, you could miss it. | Hope is not a strategy.

Re: heartbleed - widespread internet security problem

Postby Rob5TCP » Tue Apr 08, 2014 7:19 pm

I just read a number of news articles referring to this.
This makes a weak password seem like a walk in the park.
The entire system is literally vulnerable, if these reports are accurate.

I have stopped accessing my most secure sites and am relying on automated phone calls
(like I did 5-10 years ago) to get my information.

http://www.bbc.co.uk/news/technology-26935905

http://siliconangle.com/blog/2014/04/08 ... -millions/

Re: heartbleed - widespread internet security problem

Postby sscritic » Tue Apr 08, 2014 7:57 pm

Can I make an https joke now?

Re: heartbleed - widespread internet security problem

Postby vitaflo » Tue Apr 08, 2014 9:51 pm

Rob5TCP wrote:I just read a number of news articles referring to this.
This makes a weak password seem like a walk in the park.
The entire system is literally vulnerable, if these reports are accurate.

I have stopped accessing my most secure sites and am relying on automated phone calls
(like I did 5-10 years ago) to get my information.

http://www.bbc.co.uk/news/technology-26935905

http://siliconangle.com/blog/2014/04/08 ... -millions/


It is literally vulnerable and it doesn't matter how "strong" your password is. People today have been pointing simple scripts at the Yahoo Mail login and grabbing 3000 usernames/passwords in 15 minutes. The same attack can be used on about 70% of the entire internet.

The worst part isn't just usernames/passwords, it's that the attackers can grab the secret "keys" for the site. So even if they patch the SSL exploit, if an attacker got the keys to the site, they can still do all the things they were doing before, perhaps more. To add on to this, this vulnerability has been out there for over 2 years.

This is a massive problem that will have a lot of repercussions, especially because it is so easy to exploit. I'm surprised this isn't getting more attention to be honest.

website security

Postby oaksavannah » Tue Apr 08, 2014 10:16 pm

[Thread merged into here, see below. --admin LadyGeek]

"Experts Find a Door Ajar in an Internet Security Method Thought Safe"

April 8, 2014 NYTimes article:
http://bits.blogs.nytimes.com/2014/04/0 ... pe=nyt_now

Please advise if and how you will be acting on this information. E.g. will you be changing your Vanguard password? Your bank password?

Re: website security

Postby vitaflo » Tue Apr 08, 2014 10:23 pm

Being discussed here:

viewtopic.php?f=2&t=136922

Re: heartbleed - widespread internet security problem

Postby LadyGeek » Tue Apr 08, 2014 10:54 pm

This thread is now in the Personal Consumer Issues forum (computer security).

I also merged a thread into this one (posts titled "website security").
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Re: heartbleed - widespread internet security problem

Postby darrellr » Wed Apr 09, 2014 1:57 am

<tongue in cheek>
The good news is that because this site does not support https, it is not vulnerable to the heartbleed attack!
</tongue in cheek>

Seriously though, I use keyfobs or one time passwords for my most sensitive bank and brokerage accounts. I believe not logging in during this time mitigates the risk because the attack grabs data from active memory. So my plan is to minimize logging into reusable password accounts for a few days while we get more info.
Last edited by darrellr on Wed Apr 09, 2014 2:09 am, edited 1 time in total.

Re: heartbleed - widespread internet security problem

Postby patriciamgr2 » Wed Apr 09, 2014 2:00 am

The LastPass heartbleed checker indicated that Vanguard.com might be vulnerable. Have any of our tech-savvy Forum members checked with Vanguard on this? If so, I'd be very grateful if you would post what you learn here on the site (e.g. was there any vulnerability; if so, when can we check accounts safely & when should passwords be changed)?

thanks in advance,

Patricia

Re: heartbleed - widespread internet security problem

Postby telemark » Wed Apr 09, 2014 4:40 am

patriciamgr2 wrote:The LastPass heartbleed checker indicated that Vanguard.com might be vulnerable. Have any of our tech-savvy Forum members checked with Vanguard on this? If so, I'd be very grateful if you would post what you learn here on the site (e.g. was there any vulnerability; if so, when can we check accounts safely & when should passwords be changed)?

thanks in advance,

Patricia


When I try the LastPass checker I see
Detected server software of LB
The server software is unknown, might use OpenSSL and could have been vulnerable.

The SSL certificate for vanguard.com valid 9 months ago at Jun 26 00:00:00 2013 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.


Apparently it only checks the reported server version and the date for the certificate. There's another checker at
http://filippo.io/Heartbleed/ which actually tries the attack, and that one reports

All good, vanguard.com seems not affected!


My take is that Vanguard is probably ok. If you run the LastPass checker and see that the certificate has been regenerated recently, that would be the time for a new password. Ditto for any other sites.

Re: heartbleed - widespread internet security problem

Postby cb474 » Wed Apr 09, 2014 6:24 am

There is yet another heartbleed checker, which I think is much more useful than the first two, here:

http://possible.lv/tools/hb/

The Lastpass checker seems unable to really tell if a site is or (especially) was vulnerable in many cases (treating sites with old certificates, but which were never vulnerable, the same as sites with old certificates that were vulnerable). Also, not every server that uses SSL is using OpenSSL to run it, so just because a certificate is old does not necessarily mean anything. A server would have to be using OpenSSL to have the problem. The filippo.io checker tells you a site is great and fine, but fails to indicate that it was vulnerable, which could lead people to think they don't need to change their password; in other words, a site could be great and fine because it was always great and fine or because it was vulnerable but has been fixed.

The possible.lv checker tells you whether a site was using the TLS protocol that was vulnerable to begin with and, if so, whether it has been patched. So for example, it tells you that vanguard.com has the TLS extension disabled that was vulnerable to the bug. This I believe means that vanguard was never using the protocol that had the problem and has always been fine (though I'm not very sure about this and would love to have someone confirm my understanding). On the other hand, gmail (which is known--in the news--to have been vulnerable) shows up in the possible.lv checker as having been patched. So you know it was vulnerable and that it has been patched, but that definitely means your password could have been compromised.

People should also keep in mind that for any site that was vulnerable, you need to change not just passwords, but security questions too, since that information could also have been compromised.

Re: heartbleed - widespread internet security problem

Postby patriciamgr2 » Wed Apr 09, 2014 10:06 am

FWIW, I just checked with a Flagship rep. She said that the Vanguard IT team issued an internal notice late last night saying that the Vanguard site did not have Open Heart & therefore none of our information is affected by Bleeding Heart. Caution: I am not tech-savvy & therefore don't really, truly understand this issue.

I assume they'll eventually post a notice on the website.

Re: heartbleed - widespread internet security problem

Postby Jeff7 » Wed Apr 09, 2014 10:23 am

darrellr wrote:<tongue in cheek>
The good news is that because this site does not support https, it is not vulnerable to the heartbleed attack!
</tongue in cheek>

Seriously though, I use keyfobs or one time passwords for my most sensitive bank and brokerage accounts. I believe not logging in during this time mitigates the risk because the attack grabs data from active memory. So my plan is to minimize logging into reusable password accounts for a few days while we get more info.
My understanding of this issue is that it doesn't matter much if it's a one-time password, keyfob, etc. This bypasses that, effectively gaining direct read access to virtually anything that resides in the server's RAM. Encryption keys, passwords, password hints, system configuration, cookie data, user IP lists, and of course the data package that you were trying to send securely in the first place.

Each "heartbeat" request can only return a 64 kilobyte chunk of memory data at a time, but that's not a huge limitation. Someone would just need to keep sending those heartbeat requests over and over, and piece together the results. They said that within a few hours of this information being released, there were cracking tools written and available online.
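The mechanism Jeff7 describes, as an added example that is not from this thread and not OpenSSL's code: a simplified heartbeat handler laid out after RFC 6520 (type, two-byte payload length, payload, padding), with the pre-fix logic that trusts the peer's length field beside the fixed logic that compares it with the bytes actually received. The function names, the 64-byte arena standing in for server memory and the embedded secret are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout after RFC 6520: type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PADDING   16

/* Vulnerable handler (the pre-fix logic, simplified): it trusts the
 * payload_length field sent by the peer and never compares it with the
 * number of bytes that actually arrived (rec_len), so memcpy walks off
 * the end of the record into whatever memory happens to follow it.
 * Returns the response length, or -1 if the response would not fit. */
long heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HDR_LEN + payload + HB_PADDING;
    if (resp_len > out_cap)            /* only the output side is bounded */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload);   /* over-read */
    memset(out + HB_HDR_LEN + payload, 0, HB_PADDING);
    return (long)resp_len;
}

/* Fixed handler: the added check discards any request whose claimed
 * payload (plus header and minimum padding) exceeds the bytes received,
 * which is the shape of the check the OpenSSL fix introduced. */
long heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload + HB_PADDING > rec_len)   /* the missing check */
        return -1;                                     /* silently discard */
    size_t resp_len = HB_HDR_LEN + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload);
    memset(out + HB_HDR_LEN + payload, 0, HB_PADDING);
    return (long)resp_len;
}

#define ARENA_LEN  64
#define REC_LEN    (HB_HDR_LEN + 5 + HB_PADDING)   /* 24-byte genuine record */
#define SECRET_OFF REC_LEN

/* Constructed arena standing in for server memory: a genuine 24-byte
 * heartbeat record ("hello" + padding) immediately followed by a
 * constructed secret that a correct handler must never copy out.
 * claimed_len is the payload_length the peer writes into the header. */
size_t build_arena(uint8_t *arena, uint16_t claimed_len)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR_LEN, "hello", 5);
    memcpy(arena + SECRET_OFF, "SECRET=hunter2", 14);   /* constructed value */
    return REC_LEN;
}

int main(void)
{
    uint8_t arena[ARENA_LEN], out[128];
    size_t rec_len = build_arena(arena, 40);   /* claims 40 bytes, sent 5 */
    long n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: %ld-byte response carries '%.14s'\n",
           n, (const char *)(out + SECRET_OFF));
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: returned %ld (request discarded)\n", n);
    return 0;
}
```

The over-read stays inside the constructed arena so the demonstration is deterministic; in a real process the same memcpy reads adjacent heap memory, which is what made the leaked contents unpredictable and the bug invisible in server logs.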

Re: heartbleed - widespread internet security problem

Postby Blues » Wed Apr 09, 2014 11:17 am

Frightening scenarios and I fear that we have only seen / experienced the tip of the iceberg going forward.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

Re: heartbleed - widespread internet security problem

Postby Mudpuppy » Wed Apr 09, 2014 12:05 pm

This is yet another reason why one should always use unique passwords for every site and just use a password locker with a strong master password to store them. If you're concerned about storing your social media passwords next to your banking passwords, use two password vaults (or however many you need to feel happy with your separation of sites).

This bug will get a lot of splashy headlines, but any security professional will tell you stuff like this goes on all the time. Even with the best software in the world, you will always have the "wetware" risk, e.g. there are always going to be people involved and people can be tricked out of almost anything. And software is coded by people, so it will not always be the best.

You can't control these variables, but you can plan for it by always using unique passwords. That way, even if one site (or a whole swath of sites) is compromised, your passwords at other sites remain protected.

Side bonuses to using a password locker: passwords can be truly strong and pseudo-random passwords (people tend to have letter/number/pattern biases even if they think they're being random) and you can change the passwords regularly without having to memorize each new site password (just have to memorize your master password and any other 2nd factor authentication you chose for password lockers that support 2-factor authentication).

Re: heartbleed - widespread internet security problem

Postby Mudpuppy » Wed Apr 09, 2014 12:21 pm

Rob5TCP wrote:I just read a number of news articles referring to this.
This makes a weak password seem like a walk in the park.
The entire system is literally vulnerable, if these reports are accurate.

I have stopped accessing my most secure sites and am relying on automated phone calls
(like I did 5-10 years ago) to get my information.

http://www.bbc.co.uk/news/technology-26935905

http://siliconangle.com/blog/2014/04/08 ... -millions/

FWIW, using phone systems isn't going to make your data any more secure. The problem is on the server end. It doesn't matter if it's you accessing the server through a website or a call center phone rep accessing the server through their side. The problem is still at the server. Avoiding websites only works when the problem is the communication between you and the server or the problem is your machine.

Re: heartbleed - widespread internet security problem

Postby BigFoot48 » Wed Apr 09, 2014 2:07 pm

I checked Schwab with the third tool listed above and it reported: "TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected." but I will wait for confirmation from Schwab before rushing to change the password, which I actually changed a week ago.

Advice on what to do from CNET: http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/?tag=nl.e404&s_cid=e404&ttag=e404&ftag=CAD1acfa04
Retired | Two-time Top-10 Diehard S&P500 Picker; Nine-Time Loser

Re: heartbleed - widespread internet security problem

Postby nhrdls » Wed Apr 09, 2014 2:38 pm

This site indicates vanguard may not be impacted. http://filippo.io/Heartbleed/#vanguard.com

While caution is advised while visiting any website on internet, my understanding so far is that many of the big providers are not impacted as far as https connection goes. Reference at https://devcentral.f5.com/articles/open ... 0WTP6biBTM

It has to do with how the https connection is terminated on the server side. For big providers it's not practical to have an SSL installation on all servers. That's why they have a load balancer and termination point. This termination point may be vulnerable based on the technology used, but normally your passwords and actual data are handled by the actual server and not by the termination point.

It's smaller providers that we should be worried about a lot. They need to regenerate secret keys and get SSL certificates installed again.

Please be warned, it's not just https traffic, but any services that use openssl on the server side might be impacted. This is why it's a much bigger problem, as openssl has more than 66% market share. For example, your VPN service also might be impacted, no matter who the vendor of the service is.

Interestingly, this time Microsoft is innocent as their server (IIS) was not impacted.

Heartbleed Web Hack Test on Websites of Interest Here

Postby Mike83 » Wed Apr 09, 2014 6:12 pm

[Thread merged into here, see below. --admin LadyGeek]

Today's WSJ has an article about the password vulnerability called Heartbleed and references a tool to test websites for exposure to this liability to expose customer ID and Password when signing in. So I went to SSLLABS.com (server test) and got the following results:

vanguard.com ---- Passed GRADE A-
online.citibank.com --- Passed GRADE A-
TIAA-CREF.org --- Failed GRADE F
myvanguardplan.com (the Acensus small business 401k admin for Vanguard) --- No Secure Protocols Supported (ungraded)
login.fidelity.com --- Passed GRADE A-

WSJ says today is a good day to change your password if you are exposed to a badly protected site (about 25% of sites are affected according to the news). And never use the same ID and Password for multiple sites, as you can see the possible problem for those that use TIAA and then another.

EDIT:
Just checked
paypal.com and two of their sites passed (A-) and one failed (F)
bbt.com has one site graded F and one site with no protocols supported
Last edited by Mike83 on Wed Apr 09, 2014 6:35 pm, edited 2 times in total.

Re: heartbleed - widespread internet security problem

Postby BlueEars » Wed Apr 09, 2014 6:20 pm

This security issue has convinced me to go with a password manager like maybe Lastpass.

Will Lastpass users have to go to each site and rework their password? I would imagine the answer is yes. If yes, is the process easier for them?

Re: Heartbleed Web Hack Test on Websites of Interest Here

Postby midareff » Wed Apr 09, 2014 6:24 pm

I used two of the Heartbleed test sites today on 27 different sites, some financial, some like eBay and PayPal, etc., and found none failed. Regardless, I spent most of the day changing passwords as a precautionary measure.

http://possible.lv/tools/hb/

http://filippo.io/Heartbleed/

Re: Heartbleed Web Hack Test on Websites of Interest Here

Postby cherijoh » Wed Apr 09, 2014 6:34 pm

Mike83 wrote:Today's WSJ has an article about the password vulnerability called Heartbleed and references a tool to test websites for exposure to this liability to expose customer ID and Password when signing in. So I went to SSLLABS.com (server test) and got the following results:

vanguard.com ---- Passed GRADE A-
online.citibank.com --- Passed GRADE A-
TIAA-CREF.org --- Failed GRADE F
myvanguardplan.com (the Acensus small business 401k admin for Vanguard) --- No Secure Protocols Supported (ungraded)
login.fidelity.com --- Passed GRADE A-

WSJ says today is a good day to change your password if you are exposed to a badly protected site (about 25% of sites are affected according to the news). And never use the same ID and Password for multiple sites, as you can see the possible problem for those that use TIAA and then another.

EDIT:
Just checked paypal.com and two of their sites passed (A-) and one failed (F)


Thanks for posting. I was looking for the URL to check the sites I use.

Re: heartbleed - widespread internet security problem

Postby Blues » Wed Apr 09, 2014 6:34 pm

BlueEars wrote:This security issue has convinced me to go with a password manager like maybe Lastpass.

Will Lastpass users have to go to each site and rework their password? I would imagine the answer is yes. If yes, is the process easier for them?


LastPass will do a security audit on your passwords and sites via the "Tools" : "Security" menu.

For example, when I ran it a little while ago, it mentioned that one of my email addresses was compromised via an adobe.com issue some months back and recommended that I go to the site and change the old password.

Additionally, regarding Heartbleed, it stated that one of my credit card issuers sites may potentially have been susceptible or have had an issue. It further advised when the certificate was updated (two days ago) and recommended a course of action which was to update / change the password immediately.

(LastPass will also generate a new password according to your needs and parameters.)

According to the audit, no other site was affected by "heartbleed".

I held off using LastPass for years. Now, I'm very pleased to have put it to work for me.
Last edited by Blues on Wed Apr 09, 2014 6:39 pm, edited 1 time in total.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

Re: heartbleed - widespread internet security problem

Postby telemark » Wed Apr 09, 2014 6:38 pm

If you have an email account with Yahoo you should change the password--especially if you've given it as the email address for a password reset from any other sites.

Internet Security Problem

Postby Dutchgirl » Wed Apr 09, 2014 7:16 pm

[Thread merged into here, see below. --admin LadyGeek]

Does anyone know whether Vanguard has dealt with the internet security problem described in the New York Times today? Here is the reference: bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?src=me&ref=general

Re: heartbleed - widespread internet security problem

Postby agent13x » Wed Apr 09, 2014 7:19 pm

in_reality wrote:
Security researchers disclosed the flaw before patches were ready which is not a good thing but such is life.


Not true. The vulnerability was released to many security companies via responsible disclosure distro lists before being made public. Most operating systems had updates to fix the issue concurrently with public release of this information.

As another user said, the only thing you can do as a user is keep your system up to date and use UNIQUE passwords for each site you visit. You should always change all of your passwords on a regular basis regardless of whether big security vulns like this happen or not.

Re: Internet Security Problem

Postby Rob5TCP » Wed Apr 09, 2014 7:35 pm

I got off with Vanguard internet access about 5:00 tonight and I was told "it does not affect us".
I could not get an answer whether it did in the past. I did change my password and questions about 5 minutes later.
One thing I did ask was when will we have 2 factor authentication and he said that depends on how much demand there is for it.
The more that ask, the more likely it will be offered. I wouldn't care if it were an extra cost option, I would go for it.

Re: heartbleed - widespread internet security problem

Postby LadyGeek » Wed Apr 09, 2014 8:18 pm

We have a lengthy discussion on passwords here: Another reason why you should never reuse passwords... - it's chock full of suggested techniques and other helpful information.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Re: heartbleed - widespread internet security problem

Postby cb474 » Wed Apr 09, 2014 8:23 pm

nhrdls wrote:This site indicates vanguard may not be impacted. http://filippo.io/Heartbleed/


Just to repeat what I said above, the filippo site is not useful and can be very misleading. It returns the same response ("all good, whatever-website-you-entered seems fixed or unaffected") for websites that use OpenSSL, but have been patched, as well as for sites that were never using OpenSSL to begin with. This is very misleading. When you get this response for Vanguard, I think it's because Vanguard is using Windows servers or something other than Linux/Unix. So Vanguard was never vulnerable and this problem does not affect them (i.e. you don't need to change your password, etc.). But when it gives the exact same response for Gmail, it's because Google has patched their servers, but they were vulnerable, and just because it's fine now, doesn't mean that your password, etc., wasn't stolen.

So I recommend against using that checker. It can create a false sense of security vis-a-vis sites that may have been compromised. The LastPass checker also does not give enough information to be useful. If a web server is not using OpenSSL then it doesn't matter how old its certificate is, as far as this bug is concerned. And the LastPass checker doesn't seem to be able to distinguish between sites using OpenSSL and those that aren't. LastPass can create a false sense of concern, where there need be no concern. (I'm surprised a security focused company like this has made available such an essentially useless tool.)

The best checker I've found is the one I link to above. http://possible.lv/tools/hb/ It can tell if the server was using the type of TLS that needs to be patched and whether it has been patched. It is also checking certificates now (making the one bit of useful information from the LastPass checker redundant).

I also called Vanguard today and they also told me, as someone above said, that their system is not subject to the OpenSSL bug. The person I spoke with was not very knowledgeable though and did not transfer me directly to the technical website people. He was unwilling to disclose whether they use Windows servers or what (which I think is really not secret information that a technical person couldn't figure out in a second, going to the Vanguard website). It sounds like Vanguard simply does not and never did use OpenSSL, so it's not an issue. But it was a little hard to tell given the lack of technical knowledge and forthcomingness from the person I spoke with. "We aren't subject to the OpenSSL bug" could mean they patched it and are no longer subject or that they simply never used OpenSSL. But my sense was Vanguard just isn't using OpenSSL.

Re: heartbleed - widespread internet security problem

Postby cb474 » Wed Apr 09, 2014 8:32 pm

LadyGeek wrote:We have a lengthy discussion on passwords here: Another reason why you should never reuse passwords... - it's chock full of suggested techniques and other helpful information.

It's true as many people have been reiterating here that the best practice is not to use the same password for more than one website. In the case of the OpenSSL bug, however, because it so broadly affects most of the servers in the world, that particular security measure would not have been a great help. People are going to have to change their passwords on most sites that they use.

So while it's always a good time to review security practices, I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.

Also, people should remember, on sites that did use the compromised version of OpenSSL, you need to change security questions too. And you may want to change email addresses used for password recovery, if that email address is at a site (like Gmail, Yahoo) that was compromised. Or be sure you have secured your email first.

Re: heartbleed - widespread internet security problem

Postby LadyGeek » Wed Apr 09, 2014 8:44 pm

cb474 wrote:I also called Vanguard today and they also told me, as someone above said, that their system is not subject to the OpenSSL bug. The person I spoke with was not very knowledgeable though and did not transfer me directly to the technical website people. He was unwilling to disclose whether they use Windows servers or what (which I think is really not secret information that a technical person couldn't figure out in a second, going to the Vanguard website). It sounds like Vanguard simply does not and never did use OpenSSL, so it's not an issue. But it was a little hard to tell given the lack of technical knowledge and forthcomingness from the person I spoke with. "We aren't subject to the OpenSSL bug" could mean they patched it and are no longer subject or that they simply never used OpenSSL. But my sense was Vanguard just isn't using OpenSSL.

Bear in mind that any company worth its salt (crypto pun intended) will NOT disclose security techniques to the general public. What the person told you is probably what they were instructed to say (read this script...). I would hope think that the "real" stuff is being addressed internally.

I agree that changing your email password, especially one used for resetting other accounts (like your bank), should be done.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Re: heartbleed - widespread internet security problem

Postby DRiP Guy » Wed Apr 09, 2014 8:58 pm

The discussion of 'best practices' for passwords is useful, but people need to remember that on this exploit, it doesn't matter how clever your password was, how you stored it, it was being grabbed out of raw system memory on the server-side (not your PC).

True, changing it often and using different passwords for different sites mitigates your exposure, but it does not eliminate it.

One of the best pieces of information to come from this debacle, in my opinion has yet to be mentioned on the thread, so I'll do so briefly, and leave any further followup to those few technically oriented or with server-side responsibilities, who might be interested. This technique at least prevents retrospective decryption using keys gathered after initial encrypted sessions were captured:
https://www.eff.org/deeplinks/2011/11/l ... rd-secrecy
http://www.perfectforwardsecrecy.com/
Last edited by DRiP Guy on Wed Apr 09, 2014 9:00 pm, edited 2 times in total.

Re: heartbleed - widespread internet security problem

Postby madbrain » Wed Apr 09, 2014 8:58 pm

agent13x wrote:
in_reality wrote:
Security researchers disclosed the flaw before patches were ready which is not a good thing but such is life.


Not true. The vulnerability was released to many security companies via responsible disclosure distro lists before being made public. Most operating systems had updates to fix the issue concurrently with public release of this information.

As another user said, the only thing you can do as a user is keep your system up to date and use UNIQUE passwords for each site you visit. You should always change all of your passwords on a regular basis regardless of whether big security vulns like this happen or not.


As someone who works primarily on SSL encryption technology for a major corporation, I can tell you that this vulnerability wasn't disclosed to us before it was made public.
Zero-day exploits are never good. On the other hand, the products I work on aren't affected, so this isn't that big of a deal.
madbrain
 
Posts: 2263
Joined: 9 Jun 2011
Location: San Jose, California

Re: heartbleed - widespread internet security problem

Postby cb474 » Wed Apr 09, 2014 9:15 pm

LadyGeek wrote:
cb474 wrote:I also called Vanguard today and they also told me, as someone above said, that their system is not subject to the OpenSSL bug. The person I spoke with was not very knowledgeable though and did not transfer me directly to the technical website people. He was unwilling to disclose whether they use Windows servers or what (which I think is really not secret information that a technical person couldn't figure out in a second, going to the Vanguard website). It sounds like Vanguard simply does not and never did use OpenSSL, so it's not an issue. But it was a little hard to tell given the lack of technical knowledge and forthcomingness from the person I spoke with. "We aren't subject to the OpenSSL bug" could mean they patched it and are no longer subject or that they simply never used OpenSSL. But my sense was Vanguard just isn't using OpenSSL.

Bear in mind that any company worth its salt (crypto pun intended) will NOT disclose security techniques to the general public. What the person told you is probably what they were instructed to say (read this script...). I would hope that the "real" stuff is being addressed internally.

There is a lot of debate about transparency vs. secrecy with respect to software security. I don't think there is actually an obvious answer here. It also really depends on the context.

In this case, what sort of server Vanguard runs (Windows? Linux?), I don't really see the security issue. And that was the only thing I was commenting on. As I said, I assume any halfway sophisticated developer/hacker could tell what kind of server Vanguard is running just by visiting their website (in fact, if I'm understanding it correctly, the heartbleed checker website I link to above reveals this information). So the only people Vanguard is keeping the secret from (in this case a customer) are the people who don't matter. My bank was happy to tell me they use Windows servers and are not subject to the bug. And frankly, the people I spoke with at my bank seemed a lot more technically sophisticated and well informed about this bug than the person I spoke with at Vanguard. In fact, the Vanguard person didn't know what I was talking about and had to check with someone else.

So I think the Vanguard person was being cautious, but in this case the caution was a sign of a lack of understanding of the issue. And it was actually a problem, because it meant that he was unable to clearly explain to me, someone with some technical understanding of the issue, whether or not Vanguard really never was vulnerable or not. As I said, I had the impression Vanguard doesn't use OpenSSL, but it really wasn't clear. I think I should be able to know that and make my own judgement about whether or not I should change my password.
cb474
 
Posts: 712
Joined: 19 Jan 2010

Re: heartbleed - widespread internet security problem

Postby roymeo » Wed Apr 09, 2014 9:28 pm

The LastPass Vault Security Check feature just told me I have 11 vulnerable sites out of a couple hundred passwords stored, and 2 have now updated their SSL tickets and are ready for me to change my password. I'm not sure that I believe that this lists everything that may have been using OpenSSL, but it's at least something to keep me from updating too soon, all contained in one dashboard.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo
roymeo
 
Posts: 956
Joined: 28 Apr 2007
Location: SF, CA

Re: Heartbleed Web Hack Test on Websites of Interest Here

Postby whaleknives » Wed Apr 09, 2014 9:34 pm

It could be worse:

"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."
whaleknives
 
Posts: 222
Joined: 24 Jun 2012

Re: heartbleed - widespread internet security problem

Postby whaleknives » Wed Apr 09, 2014 9:36 pm

It could be worse.
Last edited by whaleknives on Thu Apr 10, 2014 10:19 pm, edited 1 time in total.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."
whaleknives
 
Posts: 222
Joined: 24 Jun 2012

Re: Heartbleed Web Hack Test on Websites of Interest Here

Postby susze » Wed Apr 09, 2014 9:45 pm

Doesn't the test only check the current status? So if they were vulnerable before and we logged in, wouldn't we still be exposed if we didn't change our passwords?
susze
 
Posts: 92
Joined: 27 Jul 2008

Re: Heartbleed Web Hack Test on Websites of Interest Here

Postby Mike83 » Wed Apr 09, 2014 9:53 pm

Yes. If the test fails now, it likely failed before now.

Companies that are exposed are, or should be, racing to close the hole. Once they pass the test, you should create new log-on credentials to (help) ensure you have a secured password.
Mike83
 
Posts: 19
Joined: 1 Apr 2014

Re: Heartbleed Web Hack Test on Websites of Interest Here

Postby Saving$ » Wed Apr 09, 2014 10:02 pm

Wow! USAA, which is so obsessed with security that they broke their own deposit at home system in the name of security, gets an F.
Small bank I use got a B.
Saving$
 
Posts: 821
Joined: 5 Nov 2011

Re: heartbleed - widespread internet security problem

Postby LadyGeek » Wed Apr 09, 2014 10:16 pm

FYI - I merged two more threads into here, which is in the Personal Consumer Issues forum (website security, general discussion).

The individual post title (top left corner) will display the original thread title.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 17674
Joined: 20 Dec 2008
Location: Philadelphia

Re: heartbleed - widespread internet security problem

Postby geoff2 » Wed Apr 09, 2014 10:27 pm

An article that contains statements from various companies, including some financial firms, about their vulnerability to Heartbleed is available on Mashable.
geoff2
 
Posts: 18
Joined: 7 Mar 2007
Location: North Carolina

Re: heartbleed - widespread internet security problem

Postby LongDistanceRunner » Wed Apr 09, 2014 10:50 pm

I tested Lastpass.com using their own heartbleed test and it appears that it failed. It also appears to have been possibly compromised by the test of http://possible.lv/ which says it was patched. So if Lastpass could be compromised, would it be advisable to use it?
LDR | | "Work like you don't need the money. | Love like you've never been hurt. | Dance like nobody's watching." - Satchel Paige
LongDistanceRunner
 
Posts: 121
Joined: 25 Sep 2009

Re: heartbleed - widespread internet security problem

Postby roymeo » Wed Apr 09, 2014 11:11 pm

LongDistanceRunner wrote:I tested Lastpass.com using their own heartbleed test and it appears that it failed. It also appears to have been possibly compromised by the test of http://possible.lv/ which says it was patched. So if Lastpass could be compromised, would it be advisable to use it?


You'll notice LastPass even lists their own site as someone to check out at the bottom of the page here: https://lastpass.com/heartbleed/

According to the support comments on http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html your LastPass vault password isn't transmitted to the site, it is only used locally, even on mobile.

LastPass.com apparently did use OpenSSL, but there doesn't seem to be any way for a regular user to have an account on LastPass.com, so it doesn't appear to be relevant to the LastPass tool.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo
roymeo
 
Posts: 956
Joined: 28 Apr 2007
Location: SF, CA

Re: heartbleed - widespread internet security problem

Postby Jfet » Wed Apr 09, 2014 11:22 pm

Something similar to this heartbleed is probably going to be the next black swan event that causes a 50% drop in the market.

Imagine if Vanguard, Fidelity, Etrade, etc. were hacked and thousands of users had malicious trades executed. Total chaos and immediate distrust of the internet. It would be bad.

Hmmm, maybe those gold bugs were not so dumb after all...
Jfet
 
Posts: 1048
Joined: 21 Dec 2010

Re: heartbleed - widespread internet security problem

Postby roymeo » Wed Apr 09, 2014 11:27 pm

Jfet wrote:Something similar to this heartbleed is probably going to be the next black swan event that causes a 50% drop in the market.

Imagine if Vanguard, Fidelity, Etrade, etc. were hacked and thousands of users had malicious trades executed. Total chaos and immediate distrust of the internet. It would be bad.

Hmmm, maybe those gold bugs were not so dumb after all...


Except the asteroid-born gold-eating-bacteria native to Nemesis will get here first.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo
roymeo
 
Posts: 956
Joined: 28 Apr 2007
Location: SF, CA

Re: heartbleed - widespread internet security problem

Postby Nummerkins » Thu Apr 10, 2014 12:06 am

Here is a link to a visual explanation for anyone who is interested: http://info.elastica.net/2014/04/openss ... erability/

The worst part is that this attack is so simple -- anyone can understand it.
Nummerkins
 
Posts: 124
Joined: 1 Jun 2010

Re: heartbleed - widespread internet security problem

Postby Mudpuppy » Thu Apr 10, 2014 12:07 am

cb474 wrote:So while it's always a good time to review security practices, I think people should be clear that this is not your typical password problem, where one site is compromised and then that messes you up on any other site that uses the same password. Again, as news stories have noted, two thirds of the webservers in the world use OpenSSL. This is an enormous and pernicious bug (because it leaves no traces if there is a compromise and because the bug has been present for two years, without being noticed--at least by security experts, who knows what black hat hackers have known about and exploited this and for how long). Unique passwords for every site, in this case, would not save you from having to change most of your passwords anyway.

Let me shed a little clarification on the sentence I italicized in your quote. The point of unique passwords is NOT to save you the work of having to change passwords in the wake of a compromise. The point of unique passwords IS to keep the passwords separate so if 60% of sites you visit are compromised, the information gleaned from those sites can't be used to get into the 40% of sites you visit that are NOT compromised.

If you used the same password for Google that you use for Vanguard, you would be in a world of hurt right now. If you use unique passwords everywhere (and 2 factor where available), you'll still have to change passwords on the affected sites, but you won't need to worry about someone using that data to get into your Vanguard account.
Mudpuppy
 
Posts: 2500
Joined: 27 Aug 2011
Location: Sunny California

Re: heartbleed - widespread internet security problem

Postby dmcmahon » Thu Apr 10, 2014 12:48 am

Maybe it's time VG offered two-factor auth? And every other bank/broker site...
dmcmahon
 
Posts: 1768
Joined: 21 Mar 2008
