Heartbleed Bug: Public urged to reset all passwords (for everything)...


airship
9th Apr 2014, 18:19
As reported by the BBC here (http://www.bbc.com/news/technology-26954540): Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking"...

If you've ever suffered any financial loss/es and/or inconvenience, perhaps as a consequence of being connected to websites using OpenSSL, please call us on 1-800-NSA-GCHQ (24/24H).

NB (1). For non-US citizens overseas, please address your enquiry to your nearest USA embassy: NSA, c/o US Embassy... (or if there is no US embassy in your country, try GCHQ / NSA c/o UK High Commission...), copying the enquiry to your local MP, MEP etc.

NB (2). If you're a corporation, please contact the trade dept. / ministry (or equivalent) in the country in which your company is registered.

NB (3). If you're AMEX, VISA, MasterCard, SWIFT etc., please ask your CEO to call President Obama directly. I'm pretty sure the USA would prefer swapping the state of Texas in lieu of going into court...?! :ok:

PS. California, Oklahoma and some other central US states have already been promised to be kept in reserve for eventual pay-outs. :p

And just because "the lady" wanted a way to spy on everyone... :sad: :confused:

bnt
9th Apr 2014, 19:55
As reported by the BBC here (http://www.bbc.com/news/technology-26954540):

...
And just because "the lady" wanted a way to spy on everyone... :sad: :confused:
Did you read the BBC article?
'No rush'

A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.

"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.

"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.

"But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."

This bug could make sites vulnerable to "man in the middle" attacks, allowing encrypted traffic to be decrypted. Such attacks don't just happen without specific steps: you have to get in the "middle" to capture traffic in the first place, which is not a trivial undertaking. That's why there are concerns about Chinese-made routers, for example - since routers are in the "middle". Ditto for the NSA and Cisco.

But the rest of what you wrote is total rubbish e.g. "please call us on 1-800-NSA-GCHQ (24/24H)". Really?

airship
9th Apr 2014, 20:54
bnt wrote: But the rest of what you wrote is total rubbish e.g. "please call us on 1-800-NSA-GCHQ (24/24H)".

Really?!

My only regret is not knowing how to register "1-800-NSA-GCHQ" as a phone number representing lawyers who get paid on the results.

IMHO, most, if not all of the "blame" concerning "software security exploits" etc. could be laid at the door of the NSA / GCHQ / assimilated organisations and complicit commercial operators / companies...?! They should be made to pay today (or somehow prove that "someone else" is to blame)... :rolleyes:

Not only are all the general spying and eavesdropping activities conducted by our secretive organisations such as the NSA and GCHQ etc. probably illegal. They exploit/ed (having done much to ensure "much lower encryption standards" than were available at the time etc. to the general public and corporations in past years), the same frailties as the criminal organisations (read Eastern European / Asian / African) and mafia. Heads should roll... :}

rgbrock1
9th Apr 2014, 20:55
airship:

OpenSSL, which is the protocol exploited, is maintained and packaged by the open source community. Thus, there is no one person to level the blame at.

airship
9th Apr 2014, 21:14
rgbrock1, one begs to differ (when has one ever not done so when confronted by one of your poorly-researched replies?)...

The original source code etc. may well have been "free and open". But do you really believe that any major commercial enterprise such as Microsoft etc. would have incorporated any such code without claiming a "proprietary interest" in the (modified) code...?!

PS. How much is the NSA / Microsoft willing to pay you for your support?! :p

mixture
9th Apr 2014, 21:27
Thus, there is no one person to level the blame at.

Well, technically there is....

The idiot who committed that extremely incompetent few lines of code in the first place.

How somebody can write code that performs no bounds checking is beyond me. It's a schoolboy error.

And yes, everybody should reset passwords just to be on the safe side.

Gertrude the Wombat
9th Apr 2014, 23:21
How somebody can write code that performs no bounds checking is beyond me.
In an open source project? Easy, just check it in.

Maybe someone else will look at it and spot the error, or maybe they won't.

Sometimes you get what you pay for.

rh200
10th Apr 2014, 01:30
How somebody can write code that performs no bounds checking is beyond me. It's a schoolboy error.

Easily and more common than you really want to know. Had a researcher the other day show me some shonky apple source code.

Ogre
10th Apr 2014, 04:05
The commercial software world tends to skip the trivial little step of testing new code, allegedly; it shoves it out the door and gets the customer to beta test it for free. Hence the almost continuous round of updates and patches....

Or so I was reliably informed....

mixture
10th Apr 2014, 06:47
Maybe someone else will look at it and spot the error, or maybe they won't.

Indeed. There was a nice quote from someone at the Irish CERT yesterday that essentially said just that... (unfortunately I didn't bookmark it and can't find it now).

It went along the lines of ..... The proponents of open source frequently cite the nonsense claim that it has inherent security because the code is open and anybody can check it..... however if nobody checks it or nobody knows how to check it then it's as good as useless.

Had a researcher the other day show me some shonky apple source code.

Oh goodie..... I wondered how long it would take the Apple bashers to turn up on this thread ! :ugh:

(a) Was it actual Apple code or was it open source libraries within Apple, given that much of Apple's code is open source based on BSD?

(b) For every one Apple bug, I can show you half a million Microsoft bugs and probably a dozen lousy Linux bugs.

(c) I doubt your Apple bug was anywhere near as critical as this OpenSSL one.

Nobody is perfect, but Apple have always had a focus on security and write better code than most.

Or so I was reliably informed....

Reliably informed by whom? Your pet monkey?

Never heard so much nonsense in all my life.

Maybe the cheap stuff with a low R&D budget might be pushed out the door sooner..... but the larger the commercial projects, the more care goes into it. Sure you still get bugs from Microsoft, but given the volume and complexity of code, the number of bugs is pretty tiny in proportion.

Bugs can obviously happen to anyone, but the commercial people employ security analysts and QA teams to try to fight it ..... in the open source world, priority is given to bashing out code and very few projects do much in the way of serious QA and code reviews (e.g. OpenBSD and one or two others are renowned for being proactive.... but the other projects are very much reactive).

awblain
10th Apr 2014, 07:08
Why call 1-800-NSA-GCHQ?

If you're paranoid enough to do so, then surely you already believe that they know whatever it is that you'd be going to tell them when you got through. :)

acbus1
10th Apr 2014, 07:58
changing your password is very easy
Password in the singular.

I must be missing something.

Advice elsewhere is that you have different passwords for different sites. Which means recording them in a reference book. How else do you 'remember' them? 'Changing your password' means not only changing every one of your many passwords, but also changing every entry in your password reference book.

acbus1
10th Apr 2014, 08:01
please call us on 1-800-NSA-GCHQ (24/24H)
...or simply send a private email to a friend and include the words 'obama' and 'assassinate'.

ExXB
10th Apr 2014, 08:12
PPRuNe is not SSL and is behind a password to keep out the great unwashed masses, not to keep my money safe.

So why would I need to change my PPRuNe password?

It's somewhat ironic, but my password manager doesn't have a routine to change all of my passwords, i.e.:

1. Take you to the login page
2. Pause while you find the "change my password" button
3. Enter your old password in the appropriate box
4. Offer to generate a new password, or let you choose one
5. Log out, close the window and go to the next password
6. Repeat as necessary
7. Provide a report/list of any site where the change failed

Please? Thank you

bnt
10th Apr 2014, 08:45
Have a look here (http://www.hoax-slayer.com/heartbleed-warnings-change-all-passwords.shtml) for a more detailed description. The bug presented the potential for passwords and other encrypted data to be compromised, given specific conditions and some effort, but it's not correct to tell people that's already happened on a large scale. "Change your passwords" is too generic as advice and (as already pointed out) may be pointless (if there's no SSL, such as here). Or you'd want to do it again later once a specific site is patched.

For example, my bank website uses "2-factor" authentication - the two factors being "something I have" and "something I know". It asks me for parts of a code, not the whole code. What's the fix? If the NSA has my banking transactions, then the horse has bolted. I expect the bank will patch their web servers (assuming they were vulnerable), update their SSL keys, and issue new codes to customers.

I might be panicking if I knew my banking passwords were compromised and out there, but a potential breach is not an actual breach. I might be angry if I thought any government agency was behind that, but (as the old saying goes): never attribute to malice that which is adequately explained by stupidity.

UniFoxOs
10th Apr 2014, 09:21
Sometimes you get what you pay for.

True, but there are likely to be just as many bugs in stuff you do pay for. Plenty of MS security holes have been due to lack of bounds checks.

rh200
10th Apr 2014, 09:23
Take a Valium, mixture :p

Oh goodie..... I wondered how long it would take the Apple bashers to turn up on this thread

It wasn't meant to be Apple bashing, just an example. Are you saying Apple doesn't make mistakes? :E


Can't remember what bit it was in; I would have to go back and find out what it was. But it was good for a laugh. I have nothing but respect for software engineers who have to code up Microsoft, Linux and Apple.

Though I love to stick the boot into Microsoft and take the piss out of Apple. :p

mixture
10th Apr 2014, 09:52
The bug presented the potential for passwords and other encrypted data to be compromised, given specific conditions and some effort, but it's not correct to tell people that's already happened on a large scale

From what I've read, if you've got the conditions (i.e. the right version of the software and no L4 firewall in front).... the effort is minimal.

It really is important not to underestimate the criticality of this bug .... it really is very, very nasty !

mixture
10th Apr 2014, 09:56
For example, my bank website uses "2-factor" authentication - the two factors being "something I have" and "something I know". It asks me for parts of a code, not the whole code. What's the fix?

Yes, you may very well login to your bank with 2FA .... but with this exploit the attacker could see what you're looking at.

It also opens you up to MITM replay attacks if the attackers have managed to get hold of the private key through this exploit.

belfrybat
10th Apr 2014, 12:46
According to this (http://www.garage4hackers.com/entry.php?b=2551), it works by getting the server to return random memory blocks of up to 64k. The attacker has no control over what is returned, and most of it will be garbage but with persistence, filtering and luck some useful data may be found.
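As an added example (not code from this thread, from OpenSSL, or from the article linked above), here is a simplified model in C of the heartbeat handling belfrybat describes, and of the missing bounds check mixture complained about earlier. The record layout follows RFC 6520 (type, two-byte payload_length, payload, at least 16 bytes of padding). The `arena`, the "secret" string placed behind the record, and all function names are constructed for illustration; keeping the neighbouring data inside one array is what lets the over-read be observed without the program crashing. The vulnerable handler trusts the declared length, while the fixed one discards any request whose declared payload does not fit in the record that actually arrived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3
#define HB_PADDING   16
#define ARENA_SIZE   512

/* Constructed stand-in for the process heap: the received record sits at the
 * front, and unrelated data (a made-up secret) is placed directly behind it,
 * as a neighbouring allocation would be. Every read below stays inside this
 * array, so the over-read is observable without undefined behaviour. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "Cookie: session=0123456789abcdef; user=alice";

/* Place a heartbeat request in the arena. 'declared' is the attacker-chosen
 * payload_length field; 'real_len' is how many payload bytes were actually
 * sent. Returns the length of the record that really arrived. */
size_t build_request(const unsigned char *payload, size_t real_len, uint16_t declared)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared >> 8);
    arena[2] = (unsigned char)(declared & 0xff);
    memcpy(arena + HB_HDR, payload, real_len);
    size_t rec_len = HB_HDR + real_len + HB_PADDING;  /* padding left as zeros */
    memcpy(arena + rec_len, secret, sizeof secret);   /* neighbouring allocation */
    return rec_len;
}

/* Shared response construction: echo 'n' bytes starting at the payload. */
static int write_response(const unsigned char *rec, uint16_t n,
                          unsigned char *out, size_t out_cap)
{
    size_t total = (size_t)HB_HDR + n + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);     /* copies n bytes, whether they were sent or not */
    memset(out + HB_HDR + n, 0, HB_PADDING);
    return (int)total;
}

/* Vulnerable shape of the handler: the declared length is trusted and the
 * size of the record that actually arrived is never consulted. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                              /* never checked: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec, declared, out, out_cap);
}

/* Fixed shape: a request whose header + declared payload + minimum padding
 * exceeds the received record length is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return -1;   /* too short to carry anything */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + declared + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    return write_response(rec, declared, out, out_cap);
}

/* Crude "filter" over a response: does it contain the neighbouring secret? */
int response_leaks_secret(const unsigned char *out, int out_len)
{
    size_t n = strlen(secret);
    if (out_len < 0) return 0;
    for (size_t i = HB_HDR; i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    /* Attacker sends a 4-byte payload but declares 200 bytes. */
    size_t rec_len = build_request((const unsigned char *)"ping", 4, 200);
    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: %d-byte response, leaks secret: %s\n",
           n, response_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: %s\n", n < 0 ? "request discarded" : "responded");
    return 0;
}
```

The attacker in this model controls only the two-byte length field, so a single response returns whatever happens to sit in the next few hundred bytes after the record; the "persistence" belfrybat mentions is simply repeating the request while the neighbouring memory changes, and the filtering step is the pattern match in `response_leaks_secret`. The fix is one comparison against the length that was actually received, which is the check the vulnerable version never makes.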

rgbrock1
10th Apr 2014, 13:13
acbus1 wrote:

..or simply send a private email to a friend and include the words 'obama' and 'assassinate'.

Seen any black helicopters hovering outside your home recently? :}

mixture
10th Apr 2014, 13:56
The attacker has no control over what is returned, and most of it will be garbage but with persistence, filtering and luck some useful data may be found.

In other words..... it's easy to crack.

Both persistence and filtering can be scripted and scaled up to deliver results quicker.

You also have to understand that this isn't entirely a server-side vulnerability, there are client-side vulnerabilities too. Don't underestimate how important it is for you to change passwords and patch-up everything in sight.

MagnusP
10th Apr 2014, 15:13
I haven't yet seen a spoof posting on Prune with gratuitous insults and obscenities

You didn't follow the NORK thread before it was canned, then? :p

Lightning Mate
10th Apr 2014, 16:33
I do not use online anything except this thread.


If I need anything from my bank I simply walk into my local branch.


Doing anything else is simply STUPID.

belfrybat
11th Apr 2014, 11:16
Explained in simple terms:

http://imgs.xkcd.com/comics/heartbleed_explanation.png

Democritus
11th Apr 2014, 14:03
Interestingly the Coventry Building Society emailed this morning and in reference to the Heartbleed Bug they said that their systems are secure and in a large blue typeface advised "You do not need to do anything".

One other non-financial supplier has advised they are secure and not affected but nothing from RBS, Nationwide or Virgin Money.......

airship
11th Apr 2014, 21:19
Interestingly the Economist Newspaper website has this to say today (http://www.economist.com/help/heartbleed). Did you see the "Security Update / Announcement" pop-up? Apparently the Economist are taking the Heartbleed bug seriously. But then, they don't have a topless model on page 3... :confused:

pigboat
11th Apr 2014, 21:37
Interestingly the Coventry Building Society emailed this morning and in reference to the Heartbleed Bug they said that their systems are secure and in a large blue typeface advised "You do not need to do anything".
I had the same message from Royal Bank.

Flash2001
11th Apr 2014, 21:56
Latest gen is that the NSA has known about it for at least 2 years and has exploited it to inform themselves about some bad guys. (Heard on radio)

After an excellent landing etc...

pigboat
12th Apr 2014, 03:24
Latest gen is that the NSA has known about it for at least 2 years and has exploited it to inform themselves about some bad guys.

Yes indeed.

NSA exploited Heartbleed bug for two years to gather intelligence, sources say.
(http://business.financialpost.com/2014/04/11/nsa-exploited-heartbleed-bug-for-two-years-to-gather-intelligence-sources-say/?__lsa=d499-84c1)

mixture
12th Apr 2014, 07:31
Democritus,

You should not take the "You do not need to do anything" statement issued by your bank as generic advice. It was to do with their opinion of their systems.

:cool:

cattletruck
12th Apr 2014, 15:05
NSA knew about it for two years?

So why didn't they check in a fix, unless the author of the problem code received a donation from...

...and what's this about privately written code not happy to receive a little NSA "funding"?

airship
12th Apr 2014, 15:25
The US Department of Homeland Security has apparently advised the public (http://www.bbc.com/news/technology-26985818) to change passwords for sites affected by the flaw once they had confirmed they were secure.

airship
21st May 2014, 21:13
According to this BBC report (http://www.bbc.com/news/technology-27503290), eBay have today advised all their customers to change their passwords: Online marketplace eBay is forcing users to change their passwords after a cyber-attack compromised its systems...

...However, it said that changing the passwords was "best practice and will help enhance security for eBay users"...

...The California-based company has 128 million active users and accounted for $212bn (126bn) worth of commerce on its various marketplaces and other services in 2013.

No one (the BBC or eBay) is saying this has anything to do with the "Heartbleed bug".

And maybe that's right. Or maybe not. The promises of "general security" of the customer data stored on their systems by even such major if not also "key" and "well-known" names and companies leave a lot to be desired IMHO.

Maybe, if one cared to, by adding together each online companies' admissions one after another (they're officially required to publicly announce such events) over a period of 2-5 years, putting these altogether, might just mean that "all of their customer data" was somehow compromised during this period.

Perhaps that's why the FBI are considering engaging IT hackers who regularly consume cannabis, according to the BBC (http://www.bbc.com/news/technology-27499595). Presumably all the IT experts previously engaged by US corporations already smoked a bit of pot now and then. Hey, the FBI's pot smokers are gonna "smoke out" all dem dastardly pot smokers, presumably working in China or Russia (forgetting all those who work for corporate USA, eBay or whatever for a moment)?! With or without the "bring home NZ marijuana cats"...?! :}