Ramblings of an old Doc


Really. This is a huge problem. There’s a bug in the encryption software used by large segments of the internet (possibly millions of websites) to protect private data in transit, and it leaks that data (passwords, user names, banking info, etc.) when a server talks to a computer that connects to it. Worse: the data can be stolen without leaving a trace, and impersonations would go undetected. Heartbleed is also thought to affect browser cookies.

So, instead of a wall, there’s a sieve. The bug exists in OpenSSL, the most common software used to secure data, which had been thought invulnerable. It allows criminals to eavesdrop on the connection by reading 64K of the server's memory, potentially obtaining the encryption keys used to secure the connection (the Transport Layer Security – TLS).
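To make the "sieve" concrete, here is an added illustration written for this post (it is not OpenSSL's code and not from the articles linked below). It models the TLS heartbeat message and puts the handler that trusted the peer's declared payload length next to the handler that checks that length against the record actually received, which is the one-line class of check the fix added. The names heartbeat_vulnerable, heartbeat_fixed and build_demo_arena, the "hello" payload and the "SECRET-SESSION-KEY" string are all constructed for the demo; the arena stands in for process memory so that the over-read stays inside a buffer the program owns and it is safe to compile and run.

```c
/* Added illustration for this post; not OpenSSL's code.
 * A minimal model of the TLS heartbeat message (RFC 6520) showing the
 * missing length check behind Heartbleed and the corrected handler.
 * "Server memory" is a flat arena we own, so the over-read stays inside a
 * buffer and the program is safe to run; a constructed secret is placed
 * right after the received record, the way live data sits on a real heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520 requires at least 16 bytes of padding */
#define ARENA_SIZE  256
#define RESP_CAP    512

typedef struct {
    uint8_t mem[ARENA_SIZE];   /* simulated process memory */
    size_t  record_len;        /* bytes actually received for this record */
} arena_t;

/* Message layout: type(1) | payload_length(2, big-endian) | payload | padding */
static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Builds an arena holding one heartbeat request whose header *claims*
 * claimed_len payload bytes but actually carries only "hello", followed by
 * a constructed secret that a correct handler must never send back. */
void build_demo_arena(arena_t *a, uint16_t claimed_len) {
    static const char payload[] = "hello";              /* 5 real payload bytes */
    static const char secret[]  = "SECRET-SESSION-KEY"; /* constructed, 18 bytes */
    size_t n = 0;
    memset(a->mem, 0, sizeof a->mem);
    a->mem[n++] = HB_REQUEST;
    a->mem[n++] = (uint8_t)(claimed_len >> 8);
    a->mem[n++] = (uint8_t)(claimed_len & 0xff);
    memcpy(a->mem + n, payload, 5); n += 5;
    n += HB_PADDING;                                    /* padding (zeros here) */
    a->record_len = n;                                  /* 24 bytes on the wire */
    memcpy(a->mem + n, secret, sizeof secret - 1);      /* adjacent heap data */
}

/* Shared response builder: echoes payload_len bytes starting at payload. */
static size_t build_response(const uint8_t *payload, uint16_t payload_len,
                             uint8_t *resp, size_t resp_cap) {
    size_t total = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (total > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + 3, payload, payload_len);   /* the copy that over-read in OpenSSL */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return total;
}

/* Vulnerable handler (behaviour of OpenSSL 1.0.1 before 1.0.1g): trusts the
 * peer-supplied payload_length and never compares it with record_len, so the
 * echo copies whatever follows the short record in memory. */
size_t heartbeat_vulnerable(const arena_t *a, uint8_t *resp, size_t resp_cap) {
    const uint8_t *p = a->mem;
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(p + 1);
    if (3 + (size_t)payload_len > ARENA_SIZE) return 0;  /* simulation guard only */
    return build_response(p + 3, payload_len, resp, resp_cap);
}

/* Fixed handler: the claimed length plus header and minimum padding must fit
 * inside the record that was actually received; otherwise discard silently. */
size_t heartbeat_fixed(const arena_t *a, uint8_t *resp, size_t resp_cap) {
    const uint8_t *p = a->mem;
    if (a->record_len < 1 + 2 + HB_PADDING) return 0;    /* too short to be valid */
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(p + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > a->record_len) return 0;
    return build_response(p + 3, payload_len, resp, resp_cap);
}

/* Naive substring search over a byte buffer (memmem is not portable). */
int response_contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    arena_t a;
    uint8_t resp[RESP_CAP];
    build_demo_arena(&a, 40);                 /* claims 40 bytes, sends 5 */
    size_t n = heartbeat_vulnerable(&a, resp, sizeof resp);
    printf("vulnerable: %zu bytes, secret leaked: %s\n", n,
           response_contains(resp, n, "SECRET-SESSION-KEY") ? "yes" : "no");
    n = heartbeat_fixed(&a, resp, sizeof resp);
    printf("fixed: %zu bytes (0 = request discarded)\n", n);
    return 0;
}
```

The lesson for anyone reviewing parsing code is in the single comparison in heartbeat_fixed: a length field supplied by the other end is data, not a fact, and has to be checked against how many bytes actually arrived before it drives a copy. A honest request (claimed length equal to the real payload) still gets a normal echo from the fixed handler; only the mismatched one is dropped.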

The good news is that there’s a fix already out there, but in addition to installing the fix, you need to generate new keys, and new digital certificates will be needed.

So…if you own a website which employs logons with usernames and passwords, you should apply the fix to OpenSSL, revoke any compromised keys, generate new ones and get a new digital certificate.

For regular folks on the Internet, c|net has put out a “What you can do to protect yourself” here.

Do not log into accounts from an afflicted site until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.

Some Web sites that appeared to have been affected included Yahoo and OKCupid, though the companies have said their sites are all or partly fixed (see below for details). You can check sites on an individual basis here, though caution is still advised even if the site gives you an "all clear" indication. If you're given a red flag, avoid the site for now.

The natural response might be to want to change passwords immediately, but security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem.

Once you've got confirmation of a security patch, change passwords of sensitive accounts like banks and email first. Even if you've implemented two-factor authentication -- which, in addition to a password asks for another piece of identifying information, like a code that's been texted to you -- changing that password is recommended.

Don't be shy about reaching out to small businesses that have your data to make sure they are secure. While the high-profile companies like Yahoo and Imgur certainly know about the problem, small businesses might not even be aware of it, said TrustWave's Miller. Be proactive about making sure your information is safe.

Keep a close eye on financial statements for the next few days. Because attackers can access a server's memory for credit card information, it wouldn't hurt to be on the lookout for unfamiliar charges on your bank statements.

Tor (of anonymous browsing fame) has even recommended staying off the net for a few days until things settle down. Tests on Google, Facebook and Twitter appear to have good results (the sites appear to be safe).

Yahoo is not fully fixed yet:

"I encourage users to not log in into [Yahoo] and other services that are affected since the credentials could have been leaked if they used the service," said Jaime Blasco, director of AlienVault Labs, a security research firm. "As soon as Yahoo solves the issue, it will be helpful if users change their password just in case."


Update:


Seth Rosenblatt over at c|net has put together a list of the top 100 internet sites and their Heartbleed status.

This list is being updated as he receives answers. If you're interested in keeping your data private, I'd suggest changing your passwords, checking sites you use (not on the top 100 list) with the link in reply 4 (http://filippo.io/Heartbleed/), and reviewing the list here periodically: http://www.cnet.com/news/which-sites-have-patched-the-heartbleed-bug/?ftag=CAD1acfa04&s_cid=e404&tag=nl.e404&ttag=e404

Source:

http://phys.org/news/2014-04-heartbleed-bug-triggers-openssl-advisory.html

http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/


Comments (Page 1)
on Apr 09, 2014

Just saw this posted up on Snopes. Snopes of all places.

Wifey has Yahoo account. This may explain some of her latest issues.

on Apr 09, 2014

Thanks Doc.

on Apr 09, 2014

Welcome Barb!

on Apr 09, 2014

I am already upgrading all my servers. But while the Heartbleed vulnerability only affects OpenSSL versions 1.0.1a-g, there was another advisory published that affects all past versions:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076

For the Heartbleed bug, there is a tool that can verify if a website is affected:

http://filippo.io/Heartbleed/


on Apr 09, 2014

The NSA and GCHQ must be furious that their window into secure communications has been discovered!

on Apr 09, 2014

Kamamura_CZ

I am already upgrading all my servers. But while the Heartbleed vulnerability only affects OpenSSL versions 1.0.1a-g, there was another advisory published that affects all past versions:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076

For the Heartbleed bug, there is a tool that can verify if a website is affected:

http://filippo.io/Heartbleed/


on Apr 09, 2014

I have not been able to find any affected sites in my personal usage habits. 

You should use ssllabs.com instead to check if a website is vulnerable.


on Apr 11, 2014

I would have commented earlier - but was busy patching systems!

on Apr 11, 2014

Update 2:


Bloomberg News has reported that the NSA has been aware of and using the Heartbleed bug for two years to gather "critical intelligence".

This security hole probably affects 2/3 of the net's websites and is probably the biggest security debacle ever. 

Read about it here: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html


Granted, they may well have used it for 'a higher purpose', but all I know is that the people sworn to protect and defend us left us all open to the criminals who learned of this hole and exploited it.

on Apr 11, 2014

The software engineer who introduced the bug was quoted as saying "it was an accident" (http://www.zdnet.com/heartbleeds-engineer-it-was-an-accident-7000028335/)!

on Apr 11, 2014

Good info Doc 


Do not logon to sites unless you are sure they have fixed the problem. Once they have, then change your password

on Apr 12, 2014

<humor>  Are Stardock sites safe?  Where can I find the NSA's list of safe sites?  </humor>  It seems like even the lists of sites that have 'fixed the problem' might have errors.  It's getting riskier and riskier to connect to the web. Backup is great, but what about when the scoundrels develop a way to infect your BIOS so even after a total wipe and copying a backed-up image back to the HD, malware in the BIOS reintroduces itself to your PC?

on Apr 12, 2014

Fuzzy Logic
Do not logon to sites unless you are sure they have fixed the problem. Once they have, then change your password

That's absolutely correct...also, if you've used identical passwords on different sites, change the fixed sites, then the others as they get fixed, and use unique passwords.


The NSA has denied that it knew anything about the bug which was recently discovered by two Google code wizards at Codenomicon.

"The origin of Heartbleed, meanwhile, can be traced back to a developer who mistakenly introduced it on New Year's Eve 2011. Robin Seggelmann, a programmer based in Germany, submitted the code in an update at 11:50 p.m., Dec. 31, 2011, intending to enable Heartbeat in OpenSSL. But he "missed the necessary validation by an oversight," Seggelmann told The Guardian."

http://www.pcmag.com/article2/0,2817,2456473,00.asp

One wonders if he was in his cups when he did it. Who codes on New Year's Eve?

on Apr 12, 2014

NSA denials are worthless.  But I doubt they have known about it for 2 years since it apparently only affects one version and that has not been around for 2 years.
