House Price Crash Forum

Oliver Sutton

Heartbleed Bug

BBC

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

It follows news that a product used to safeguard data could be compromised to allow eavesdropping.

OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

Yes I'm afraid to connect to my accounts to check, but I guess I'll have to.

UBS have one of those card code thingies so you can't pinch their passwords, but not all my accounts have that.......

This story just happens to come a day after Microsoft stopped security patches to Windows XP - funny that.

Time to upgrade to Linux, then? :huh:

This story just happens to come a day after Microsoft stopped security patches to Windows XP - funny that.

As much as I hate defending MS, this has nothing to do with MS; it's OpenSSL that's affected, and OpenSSL is open-source software that's mostly used on Unix/Linux-based servers.

BBC

Changing my passwords won't help if the websites have not updated SSL, though. If I log in to change them, I will actually expose myself, because this attack is now widely known.

Changing my passwords won't help if the websites have not updated SSL, though. If I log in to change them, I will actually expose myself, because this attack is now widely known.

Good point. How would you know which sites have been patched and which have not? I suppose Google is a given, but others like Natwest may never get round to patching...

As much as I hate defending MS, this has nothing to do with MS; it's OpenSSL that's affected, and OpenSSL is open-source software that's mostly used on Unix/Linux-based servers.

It is Apache web servers and their users who are most at risk.

Unfortunately that means about half of the Internet.

I would not rush to change passwords until you are sure that the site to which you are connecting is not compromised.

http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

http://filippo.io/Heartbleed/

It is Apache web servers and their users who are most at risk.

Not just Apache web servers, but every web server that uses OpenSSL version 1.0 or 1.1 (older versions aren't affected). While Apache is often used together with OpenSSL, there are also many other servers (not just web servers) that use it.

A lot of 'appliances' use OpenSSL, too.

Not just Apache web servers, but every web server that uses OpenSSL version 1.0 or 1.1 (older versions aren't affected). While Apache is often used together with OpenSSL, there are also many other servers (not just web servers) that use it.

A lot of 'appliances' use OpenSSL, too.

Indeed, they do, including some routers and network devices.

http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Apache, along with nginx, just happens to be very popular on the internet, which is where most of the threat is likely to be emanating from.

It is also where the best trawl of data from exploiting the vulnerability is likely to be found.

Anyway, it is serious sh*t whichever way you cut it.

And for once MS are not the villains.

I've been working on this all day and I've been quite shocked by the nature of what's being leaked out. As soon as I ran a test tool against one of the sites on the list below I received a response containing the username and password of some poor soul who presumably happened to be logging in at that moment.

Take a look at this list, compiled yesterday, and the latest update of it here, which identifies the affected sites from the Alexa Top 10000.

If you've logged in to any of the sites on the first list in the last couple of days there's a good chance your username/email and password have been compromised. If you use the same pair anywhere more important you should change it there now, if the latter site is safe already. Conversely, don't take too much assurance from any absence from this list: the bug was known before it was compiled, and it's only from testing the top 10000 sites by Alexa's dubious measure anyway.

My broad advice would be: if you use the same password everywhere and have been active online this week, you should start changing it on any high-target sites like banks and email hosts immediately; otherwise it's probably a good idea to wait a few days until things settle down, maybe ease off the surfing a bit, and then take it as a good opportunity to have a password spring clean.

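An added example, not from the page or from any poster, showing the defect the test tool above was exercising from the defender's side: Heartbleed is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension, where the peer's declared payload length was trusted instead of being compared with the size of the record actually received. The code below parses a TLS record, applies the length consistency check that the patched OpenSSL performs, and runs it over two hand-built sample records (constructed here, not captured traffic), one benign and one malformed.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type for heartbeat messages (RFC 6520)
MIN_PADDING = 16     # RFC 6520: every heartbeat message carries at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment); None if truncated."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        return None
    return ctype, (major, minor), fragment


def heartbeat_is_malformed(record: bytes) -> bool:
    """Return True when a heartbeat record's declared payload length cannot fit in the record.

    This is the bounds check the patched OpenSSL applies before echoing a heartbeat:
    1 (type) + 2 (length field) + payload_length + 16 (min padding) must not exceed the fragment.
    An unpatched server trusted payload_length and copied that many bytes from its own memory.
    """
    parsed = parse_tls_record(record)
    if parsed is None:
        return True                      # truncated record: treat as malformed
    ctype, _version, frag = parsed
    if ctype != TLS_HEARTBEAT:
        return False                     # not a heartbeat, nothing to judge here
    if len(frag) < 3:
        return True                      # no room for the type byte and length field
    payload_len = struct.unpack("!H", frag[1:3])[0]
    return 1 + 2 + payload_len + MIN_PADDING > len(frag)


# Constructed sample records (not captured traffic): TLS 1.1 header with content type 24,
# fragment = type 0x01 (request) + 2-byte declared length + payload "ping" + 16 bytes padding.
BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01" + b"\x00\x04" + b"ping" + b"\x00" * 16
# Same bytes, but the declared length (0xffff) is far larger than the 4-byte payload present.
MALFORMED = b"\x18\x03\x02\x00\x17" + b"\x01" + b"\xff\xff" + b"ping" + b"\x00" * 16


def flag_malformed(records):
    """Return the indexes of records a server or IDS should reject."""
    return [i for i, rec in enumerate(records) if heartbeat_is_malformed(rec)]


if __name__ == "__main__":
    print(flag_malformed([BENIGN, MALFORMED]))   # [1]
```
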
Better log out of HPC then!

Since when does HPC use encryption?

All our HPC usernames and passwords have always been travelling in plain text over the internet, which doesn't really matter as long as nobody is so dumb as to use the same password on more sensitive sites.

I know very little about stuff like this but I really need to get into a hotmail account right now. The password is a gobbledegook of 10 numbers and letters so is it safe to use?

Can't change the password directly after using as it's not my hotmail account.

I know very little about stuff like this but I really need to get into a hotmail account right now. The password is a gobbledegook of 10 numbers and letters so is it safe to use?

Can't change the password directly after using as it's not my hotmail account.

As far as I understand it, you would need to be wary if the account has sensitive information in it, financial etc.? As far as I understand, this problem has been around for a couple of years? Wasn't the Year 2000 bug supposed to be the end of the world as we know it? Every time you buy a Chinese meal over the phone with a credit card you give them enough info to use the card fraudulently, but in all the years of using credit cards I have only been hit with fraud once, and all they bought was a small phone top-up (the bank said this was them testing the waters). If you have 100s of k in the bank it might be time for a phone call to them, but it would be safe to assume that the banks will be on the hook for any losses due to this?

Since when does HPC use encryption?

All our HPC usernames and passwords have always been travelling in plain text over the internet, which doesn't really matter as long as nobody is so dumb as to use the same password on more sensitive sites.

Yeh, not really thought about it before. HPC is one of the few sites I use regularly where I don't use the SSL version. I really can't think why Fubra can't SSL it and fork out for a certificate.

Bugger. This has existed for 2 years? The Telegraph have a walkthrough of affected but advice seems to be to change all passwords. As for the previous 2 years, presumably hackers had free rein? Might harden my luddite views!

Not sure that you can.

There are various web sites that allow you to check this, the first one has been mentioned already earlier in this thread:

http://filippo.io/Heartbleed/

https://lastpass.com/heartbleed/

If it were running a Windows server OS (IIS web server) you could have more confidence.

It is running Apache.

Again, this is not a web server issue but an OpenSSL library issue. While it is true that OpenSSL is commonly used with Apache, there are alternative SSL libraries that get used with Apache, and OpenSSL is used with other web servers, too.

Also IIS might not be affected by this particular issue but using IIS opens a whole other can of worms as IIS has a very chequered history with regards to security.

I haven't read much about it. Though the thought of the black t-shirted nerdy Linux geeks running around with their ponytails flapping about does arouse somewhat. This one is up there with that insecure piece of crap called Oracle Java.

I'll get back to trying to work out which part of the HTML for the page I'm working on has been destroyed by that afterthought of an HTML editor included with MS Visual Studio.
