
Heartbleed Bug: Public urged to reset all passwords (for everything)...


Old 9th Apr 2014, 17:19
  #1 (permalink)  
Uneasy Pleistocene Leftover
Thread Starter
 
Join Date: Feb 2003
Location: Gone, but not forgotten apparently?! All forums marked "Private"...
Posts: 316
Heartbleed Bug: Public urged to reset all passwords (for everything)...

As reported by the BBC here:
Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking"...
If you've ever suffered any financial loss/es and/or inconvenience, perhaps as a consequence of being connected to websites using OpenSSL, please call us on 1-800-NSA-GCHQ (24/24H).

NB (1). For non-US citizens overseas, please address your enquiry to your nearest USA embassy: NSA, c/o US Embassy... (or if there is no US embassy in your country, try GCHQ / NSA c/o UK High Commission...), copying the enquiry to your local MP, MEP etc.

NB (2). If you're a corporation, please contact the trade dept. / ministry (or equivalent) in the country in which your company is registered.

NB (3). If you're AMEX, VISA, MasterCard, SWIFT etc., please ask your CEO to call President Obama directly. I'm pretty sure the USA would prefer swapping the state of Texas in lieu of going into court...?!

PS. California, Oklahoma and some other central US states have already been promised to be kept in reserve for eventual pay-outs.

And just because "the lady" wanted a way to spy on everyone...
airship is offline  
Old 9th Apr 2014, 18:55
  #2 (permalink)  
bnt
 
Join Date: Feb 2007
Location: Dublin, Ireland. (No, I just live here.)
Posts: 712
Originally Posted by airship
As reported by the BBC here:

...
And just because "the lady" wanted a way to spy on everyone...
Did you read the BBC article?
'No rush'

A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.

"I think there is a low to medium risk that any given password has been compromised," said Dr Steven Murdoch.

"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.

"But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."
This bug could make sites vulnerable to "man in the middle" attacks, allowing encrypted traffic to be decrypted. Such attacks don't just happen without specific steps: you have to get in the "middle" to capture traffic in the first place, which is not a trivial undertaking. That's why there are concerns about Chinese-made routers, for example - since routers are in the "middle". Ditto for the NSA and Cisco.

But the rest of what you wrote is total rubbish e.g. "please call us on 1-800-NSA-GCHQ (24/24H)". Really?
bnt is offline  
Old 9th Apr 2014, 19:54
  #3 (permalink)  
Uneasy Pleistocene Leftover
Thread Starter
 
Join Date: Feb 2003
Location: Gone, but not forgotten apparently?! All forums marked "Private"...
Posts: 316
bnt wrote:
But the rest of what you wrote is total rubbish e.g. "please call us on 1-800-NSA-GCHQ (24/24H)".
Really?!

My only regret is not knowing how to register "1-800-NSA-GCHQ" as a phone number representing lawyers who get paid on the results.

IMHO, most, if not all of the "blame" concerning "software security exploits" etc. could be laid at the door of the NSA / GCHQ / assimilated organisations and complicit commercial operators / companies...?! They should be made to pay today (or somehow prove that "someone else" is to blame)...

Not only are all the general spying and eaves-dropping activities conducted by our secretive organisations such as the NSA and GCHQ etc. probably illegal. They exploit/ed (having done much to ensure "much lower encryption standards" than were available at the time etc. to the general public and corporations in past years), the same frailties as the criminal organisations (read Eastern European / Asian / African) and mafia. Heads should roll...
airship is offline  
Old 9th Apr 2014, 19:55
  #4 (permalink)  
 
Join Date: Aug 2000
Location: Patterson, NY
Age: 61
Posts: 436
airship:

OpenSSL, which is the protocol exploited, is maintained and packaged by the open source community. Thus, there is no one person to level the blame at.
rgbrock1 is offline  
Old 9th Apr 2014, 20:14
  #5 (permalink)  
Uneasy Pleistocene Leftover
Thread Starter
 
Join Date: Feb 2003
Location: Gone, but not forgotten apparently?! All forums marked "Private"...
Posts: 316
rgbrock1, one begs to differ (when has one ever not done so when confronted by one of your poorly-researched replies?)...

The original source code etc. may well have been "free and open". But do you really believe that any major commercial enterprise such as Microsoft etc. would have incorporated any such code without claiming a "proprietary interest" in the (modified) code...?!

PS. How much is the NSA / Microsoft willing to pay you for your support?!
airship is offline  
Old 9th Apr 2014, 20:27
  #6 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,674
Thus, there is no one person to level the blame at.
Well, technically there is....

The idiot who committed that extremely incompetent few lines of code in the first place.

How somebody can write code that performs no bounds checking is beyond me. It's a schoolboy error.

And yes, everybody should reset passwords just to be on the safe side.
mixture is offline  
Old 9th Apr 2014, 22:21
  #7 (permalink)  
 
Join Date: Nov 2000
Location: Cambridge, England, EU
Posts: 3,383
How somebody can write code that performs no bounds checking is beyond me.
In an open source project? Easy, just check it in.

Maybe someone else will look at it and spot the error, or maybe they won't.

Sometimes you get what you pay for.
Gertrude the Wombat is offline  
Old 10th Apr 2014, 00:30
  #8 (permalink)  
 
Join Date: Mar 2009
Location: Perth Western Australia
Age: 52
Posts: 809
How somebody can write code that performs no bounds checking is beyond me. It's a schoolboy error.
Easily and more common than you really want to know. Had a researcher the other day show me some shonky apple source code.
rh200 is offline  
Old 10th Apr 2014, 03:05
  #9 (permalink)  
 
Join Date: Nov 2007
Location: The Fletcher Memorial Home
Age: 53
Posts: 300
The commercial software world tends to skip the trivial little step of testing new code, allegedly; it shoves it out the door and gets the customer to beta test it for free. Hence the almost continuous round of updates and patches....

Or so I was reliably informed....
Ogre is offline  
Old 10th Apr 2014, 05:47
  #10 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,674
Maybe someone else will look at it and spot the error, or maybe they won't.
Indeed. There was a nice quote from someone at the Irish CERT yesterday that essentially said just that... (unfortunately I didn't bookmark it and can't find it now).

It went along the lines of ..... The proponents of open source frequently cite the nonsense claim that it has inherent security because the code is open and anybody can check it..... however, if nobody checks it or nobody knows how to check it, then it's as good as useless.

Had a researcher the other day show me some shonky apple source code.
Oh goodie..... I wondered how long it would take the Apple bashers to turn up on this thread!

(a) Was it actual Apple code or was it open source libraries within Apple given that much of Apple's code is open source based on BSD.

(b) For every one Apple bug, I can show you half a million Microsoft bugs and probably a dozen lousy Linux bugs.

(c) I doubt your Apple bug was anywhere near as critical as this OpenSSL one.

Nobody is perfect, but Apple have always had a focus on security and write better code than most.

Or so I was reliably informed....
Reliably informed by whom? Your pet monkey?

Never heard so much nonsense in all my life.

Maybe the cheap stuff with a low R&D budget might be pushed out the door sooner..... but the larger the commercial projects, the more care goes into it. Sure you still get bugs from Microsoft, but given the volume and complexity of code, the number of bugs is pretty tiny in proportion.

Bugs can obviously happen to anyone, but the commercial people employ security analysts and QA teams to try to fight it ..... in the open source world, priority is given to bashing out code and very few projects do much in the way of serious QA and code reviews (e.g. OpenBSD and one or two others are renowned for being proactive.... but the other projects are very much reactive).
mixture is offline  
Old 10th Apr 2014, 06:08
  #11 (permalink)  
 
Join Date: Dec 2007
Location: Pasadena
Posts: 633
Why call 1-800-NSA-GCHQ?

If you're paranoid enough to do so, then surely you already believe that they know whatever it is that you'd be going to tell them when you got through.
awblain is offline  
Old 10th Apr 2014, 06:58
  #12 (permalink)  
 
Join Date: Aug 2002
Location: England.
Posts: 439
changing your password is very easy
Password in the singular.

I must be missing something.

Advice elsewhere is that you have different passwords for different sites. Which means recording them in a reference book. How else do you 'remember' them? 'Changing your password' means not only changing every one of your many passwords, but also changing every entry in your password reference book.
acbus1 is offline  
Old 10th Apr 2014, 07:01
  #13 (permalink)  
 
Join Date: Aug 2002
Location: England.
Posts: 439
please call us on 1-800-NSA-GCHQ (24/24H)
...or simply send a private email to a friend and include the words 'obama' and 'assassinate'.
acbus1 is offline  
Old 10th Apr 2014, 07:12
  #14 (permalink)  
 
Join Date: May 2009
Location: Confoederatio Helvetica
Age: 63
Posts: 2,847
PPRuNe is not SSL and is behind a password to keep out the great unwashed masses, not to keep my money safe.

So why would I need to change my PPRuNe password?

It's somewhat ironic but my Password manager doesn't have a routine to change all of my passwords. I.e.
  1. Take you to the login page
  2. Pause while you find the change my password button
  3. Enter your old password in the appropriate box
  4. Offer to generate a new password, or let you choose one
  5. Log out, close window and go to the next password
  6. Repeat as necessary
  7. Provide report/list of any site where change failed

Please? Thank you
ExXB is offline  
Old 10th Apr 2014, 07:45
  #15 (permalink)  
bnt
 
Join Date: Feb 2007
Location: Dublin, Ireland. (No, I just live here.)
Posts: 712
Have a look here for a more detailed description. The bug presented the potential for passwords and other encrypted data to be compromised, given specific conditions and some effort, but it's not correct to tell people that's already happened on a large scale. "Change your passwords" is too generic as advice and (as already pointed out) may be pointless (if there's no SSL, such as here). Or you'd want to do it again later once a specific particular site is patched.

For example, my bank website uses "2-factor" authentication - the two factors being "something I have" and "something I know". It asks me for parts of a code, not the whole code. What's the fix? If the NSA has my banking transactions, then the horse has bolted. I expect the bank will patch their web servers (assuming they were vulnerable), update their SSL keys, and issue new codes to customers.

I might be panicking if I knew my banking passwords were compromised and out there, but a potential breach is not an actual breach. I might be angry if I thought any government agency was behind that, but (as the old saying goes): never attribute to malice that which is adequately explained by stupidity.
bnt is offline  
Old 10th Apr 2014, 08:21
  #16 (permalink)  
Paid...Persona Grata
 
Join Date: Aug 2004
Location: Between BHX and EMA
Age: 73
Posts: 235
Sometimes you get what you pay for.
True, but there are likely to be just as many bugs in stuff you do pay for. Plenty of MS security holes have been due to lack of bounds checks.
UniFoxOs is offline  
Old 10th Apr 2014, 08:23
  #17 (permalink)  
 
Join Date: Mar 2009
Location: Perth Western Australia
Age: 52
Posts: 809
Take a Valium mixture

Oh goodie..... I wondered how long it would take the Apple bashers to turn up on this thread
It wasn't meant to be Apple bashing, just an example. Are you saying Apple doesn't make mistakes?


Can't remember what bit it was in, I would have to go back and find out what it was. But was good for a laugh. I have nothing but respect for software engineers who have to code up microsoft, linux and apple.

Though I loved to stick the boot into microsoft and take the piss out of apple.
rh200 is offline  
Old 10th Apr 2014, 08:52
  #18 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,674
The bug presented the potential for passwords and other encrypted data to be compromised, given specific conditions and some effort, but it's not correct to tell people that's already happened on a large scale
From what I've read, if you've got the conditions (i.e. the right version of the software and no L4 firewall in front).... the effort is minimal.

It really is important not to underestimate the criticality of this bug .... it really is very, very nasty!
mixture is offline  
Old 10th Apr 2014, 08:56
  #19 (permalink)  
 
Join Date: Aug 2002
Location: Earth
Posts: 3,674
For example, my bank website uses "2-factor" authentication - the two factors being "something I have" and "something I know". It asks me for parts of a code, not the whole code. What's the fix?
Yes, you may very well login to your bank with 2FA .... but with this exploit the attacker could see what you're looking at.

It also opens you up to MITM replay attacks if the attackers have managed to get hold of the private key through this exploit.
mixture is offline  
Old 10th Apr 2014, 11:46
  #20 (permalink)  
 
Join Date: Aug 2007
Location: Brazil
Posts: 67
According to this, it works by getting the server to return random memory blocks of up to 64k. The attacker has no control over what is returned, and most of it will be garbage but with persistence, filtering and luck some useful data may be found.
belfrybat is offline  
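The two points the thread circles around, the missing bounds check (post #6) and the server echoing back up to 64k of memory it never received (post #20), come down to one comparison. The following is an added illustration written for this thread, not OpenSSL's code or the BBC's: a constructed, simplified heartbeat-style record (type byte, 2-byte declared payload length, payload, 16 bytes of padding), an unchecked function that merely reports how many bytes it would echo if it trusted the declared length, and a checked one that refuses any record whose declared length does not fit in the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed, simplified heartbeat-style record (added illustration, not
 * OpenSSL's code): type (1 byte), declared payload length (2 bytes,
 * big-endian), payload, then 16 bytes of padding. */
#define HB_PADDING 16
/* Unchecked behaviour: trust the declared length. Returns how many bytes would
 * be echoed back; nothing is read here, but the number can exceed rec_len by ~64 KiB. */
static size_t declared_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}
/* Checked behaviour: header + declared payload + padding must fit inside the
 * bytes actually received, otherwise the record is silently dropped. */
static long safe_heartbeat_echo(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;          /* too short */
    size_t payload = declared_payload_len(rec, rec_len);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* the missing check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (long)payload;
}
/* Builds a record carrying the 2-byte payload "hi" but declaring declared_len. */
static size_t build_record(uint8_t *buf, uint16_t declared_len) {
    buf[0] = 1;                              /* heartbeat request */
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + 3, "hi", 2);
    memset(buf + 5, 0, HB_PADDING);
    return 1 + 2 + 2 + HB_PADDING;           /* 21 bytes actually on the wire */
}
/* Malformed record: 21 bytes sent, 65535 bytes claimed. */
size_t malformed_declared(void) {
    uint8_t rec[64];
    size_t n = build_record(rec, 0xFFFF);
    return declared_payload_len(rec, n);                            /* 65535 */
}
long malformed_checked(void) {
    uint8_t rec[64], out[64];
    size_t n = build_record(rec, 0xFFFF);
    return safe_heartbeat_echo(rec, n, out, sizeof out);            /* -1 */
}
/* Well-formed record: declares exactly the 2 bytes it carries. */
long wellformed_checked(void) {
    uint8_t rec[64], out[64];
    size_t n = build_record(rec, 2);
    return safe_heartbeat_echo(rec, n, out, sizeof out);            /* 2 */
}
```

The gap between 65535 and 21 in the malformed case is the memory an unchecked echo would have read past the end of the record; the single length comparison in safe_heartbeat_echo is what the fix added.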
