Announcement

**Ray Finkle** · 04-10-2014, 05:42 AM

Originally posted by Fedaykin View Post

Just a heads up. Anyone that uses the Internet really needs to be aware of this. You may have seen something pop in in the news about an 'SSL' bug and/or the name "Heartbleed".

This is a catastrophic security bug (on a scale of 1 to 10, it's a 12) that affects EVERYONE. The entire security infrastructure of the internet has been compromised.

You need to immediately change any and ALL passwords on anything that you want to keep secure (banks, etc.). Unfortunately, due to the nature of this bug, that does not necessarily mean you are protected. This bug has invalidated the entire chain of trust for all encrypted data on the internet. It will be months or years before that chain of trust can be properly rebuilt.

What has happened, in a nutshell, is that there is a bug in the software that most webservers use to encrypt traffic between you and the webserver. That bug has made it so that attackers can easily get the encryption keys used (both the temporary ones assigned to you, and the master keys for the web sever), and read your traffic effortlessly.

For more detail, see:

http://heartbleed.com/

the first thing to do is check if your system has been compromised. If it hasn't there is no need to change your password. If it has, it doesn't matter if you change your password…..

**HILife** · 04-10-2014, 05:59 AM

Originally posted by Ray Finkle View Post

the first thing to do is check if your system has been compromised. If it hasn't there is no need to change your password. If it has, it doesn't matter if you change your password…..

Heartbleed doesn't work that way. It leaves little to no trace of exploit, and it's really the servers that you access with passwords, that you need to worry about. Your client computer will probably be untouched since it probably doesn't use OpenSSL, since most home computers are windows or Macs. Also, they probably won't be targeted cause you can get a lot more info from the servers then the clients.

**Fedaykin** · 04-10-2014, 06:06 AM

Originally posted by Ray Finkle View Post

the first thing to do is check if your system has been compromised. If it hasn't there is no need to change your password. If it has, it doesn't matter if you change your password…..

That's not true. This is not a compromise of user systems; it's a compromise of the encryption used while communicating with a web server, and the compromise does not leave any trace whatsoever. No one knows what has or has not been attacked. However, many major online services (such as Amazon, Facebook, Yahoo, Intuit/TurboTax, Dropbox, Google/Gmail, etc. ) have been running vulnerable systems for a while. Unknown numbers of less popular sites are also affected, but it is known that about 66% of all websites were running vulnerable software.

Any attacker going after those systems could have accessed any data that you transmitted, including usernames & passwords. If the systems are still affected, it's meaningless to change your password. However, once the systems are patched and new encryption keys generated, it is meaningful to change your password. Won't protect you from anything that was previously leaked, but will stop future problems related to this bug.

**Ray Finkle** · 04-10-2014, 07:22 AM

Originally posted by Fedaykin View Post

That's not true. This is not a compromise of user systems; it's a compromise of the encryption used while communicating with a web server, and the compromise does not leave any trace whatsoever. No one knows what has or has not been attacked. However, many major online services (such as Amazon, Facebook, Yahoo, Intuit/TurboTax, Dropbox, Google/Gmail, etc. ) have been running vulnerable systems for a while. Unknown numbers of less popular sites are also affected, but it is known that about 66% of all websites were running vulnerable software.

Any attacker going after those systems could have accessed any data that you transmitted, including usernames & passwords. If the systems are still affected, it's meaningless to change your password. However, once the systems are patched and new encryption keys generated, it is meaningful to change your password. Won't protect you from anything that was previously leaked, but will stop future problems related to this bug.

Same thing I was trying to say, you just wrote it a hell of a lot better.

**v2micca** · 04-10-2014, 07:31 AM

This is something that really has to be dealt with more on the infrastructure level instead of the user level. Fortunately, at my company, our external facing assets were running on code so dated it was using an older version of OpenSSL that doesn't possess the vulnerability. Yay for procrastination?

**crush17** · 04-10-2014, 07:49 AM

So, basically changing my passwords was a waste of time?

**BroncosSR** · 04-10-2014, 07:50 AM

Slow down a bit.

It's unlikely that any private keys were vulnerable. There are a few ways memory is allocated in Linux. Using sbrk (which is believe to be the method in this case), it follows the heap goes upward rules and really limits what can be found. If mmap was used to allocate, then you'd be able to find some user documents and info and such.

From one of the discoverers of the bug:

Neel Mehta @neelmehta Heap allocation patterns make private key exposure unlikely for #heartbleed #dontpanic.

**v2micca** · 04-10-2014, 08:02 AM

Originally posted by crush17 View Post

So, basically changing my passwords was a waste of time?

Changing your passwords alone doesn't correct the problem if the website or external resource you are accessing has not addressed the issue. This isn't a virus or a bug that infects your machine, its a vulnerability that exists in current infrastructure.

To indulge a tortured metaphor, its driving into town over a stretch of highway that has gone to crap and tears up your tires. You can replace your tires, but until they fix that stretch of highway, you are going to keep tearing up your tires every time you drive over it.

**Guess Who** · 04-10-2014, 08:27 AM

I use the password denverbroncosruleeverything17 on all my accounts.

**Kaylore** · 04-10-2014, 08:52 AM

This isn't a password issue. And telling everyone to change their passwords right now isn't helpful or even going to make a difference.

**HILife** · 04-10-2014, 08:57 AM

Originally posted by Kaylore View Post

This isn't a password issue. And telling everyone to change their passwords right now isn't helpful or even going to make a difference.

It's a cause and effect thing. OpenSSL vulnerability causes the effect of lost passwords, if successful. Or something like that.

**baja** · 04-10-2014, 08:58 AM

Originally posted by Fedaykin View Post

That's not true. This is not a compromise of user systems; it's a compromise of the encryption used while communicating with a web server, and the compromise does not leave any trace whatsoever. No one knows what has or has not been attacked. However, many major online services (such as Amazon, Facebook, Yahoo, Intuit/TurboTax, Dropbox, Google/Gmail, etc. ) have been running vulnerable systems for a while. Unknown numbers of less popular sites are also affected, but it is known that about 66% of all websites were running vulnerable software.

Any attacker going after those systems could have accessed any data that you transmitted, including usernames & passwords. If the systems are still affected, it's meaningless to change your password. However, once the systems are patched and new encryption keys generated, it is meaningful to change your password. Won't protect you from anything that was previously leaked, but will stop future problems related to this bug.

The really bad news is this has been known for at least two years.

**ScottXray** · 04-10-2014, 08:59 AM

This probably is most important for anyone using Paypal, or on-line purchasing
that might allow you to move funds out of an account, etc. Changing your password on those might be prudent....but if the site for access isn't secured yet, or not updated, the account can still be hit. A bit worrisome.

Hope my banks are secure.

**HILife** · 04-10-2014, 09:02 AM

Originally posted by baja View Post

The really bad news is this has been known for at least two years.

I see an NSA joke somewhere in there.

Announcement

Heartbleed: Your passwords and data HAVE been compromised.

Heartbleed: Your passwords and data HAVE been compromised.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment