Heartbleed: Serious OpenSSL zero day vulnerability revealed

Heartbleed flaw affects mobile apps, too

http://www.computerworld.com/s/article/9247632/Heartbleed_flaw_affects_mobile_apps_too

 

Was only a matter of time, not surprised here anymore

" Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, "

http://www.bloomberg.com/news/2014-...e-used-heartbleed-bug-exposing-consumers.html

 

Schneier on Security: More on Heartbleed

 

LastPass Heartbleed checker:
Site: www.wilderssecurity.com
Server software: Apache/2
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Now Safe (created 3 days ago at Apr 8 22:42:02 2014 GMT)
Assessment:Change your password on this site if your last password change was more than 3 days ago
https://lastpass.com/heartbleed/?h=www.wilderssecurity.com
-------------------

 

Do we need to change our checking accounts?

I have never used online banking.

I have paid by check over the phone. I have been paying my auto insurance with GEICO. It is my understanding that GEICO has been vulnerable to the Heartbleed attack. Do I need to change my checking account number?? What if I just sent in a check by mail?

I do not know yet if my bank has been vulnerable. Even though I do not use on-line banking if they were vulnerable would a heartbleed attack allow them somehow to get info. that might allow them to get into my bank's internal system and obtain my personal info and checking account number by some means facilitated by a heartbleed attack on an online banking customer at my bank , or is only info actually sent over the net been subject to prying eyes?

What about the systems used to clear checks between banks?? Have they been vulnerable?

 

Does this mean that practically speaking that this has all been much ado about nothing (or very little) ?

 

Heartbleed certificate revocation tsunami yet to arrive | Netcraft

 

In the same calming reality tone:

"
Heartbleed and passwords: don’t panic

Was/is Heartbleed used for stealing large numbers of passwords?

I doubt it, though this is impossible to rule out and the security community is still searching for and analyzing evidence of Heartbleed exploits in the wild. Heartbleed isn’t targeted, so large-scale password collection would have required a large amount of Heartbleed traffic to login servers. This would possibly have tripped intrusion-detection systems and it almost surely would have left evidence that will be found in logs sooner rather than later. Every day which passes without this evidence strengthens the likelihood that Heartbleed was never exploited at scale to steal passwords.

Furthermore, to an attacker with a zero-day exploit as powerful as Heartbleed the risk of burning it to collect mundane passwords doesn’t seem worth the benefit. It’s much more likely that Heartbleed would have been used to go after server keys, or possibly in targeted attacks after observing a specific high-value user log in somewhere. It’s possible some passwords were stolen as a byproduct of more targeted attacks, but I doubt that was on a large scale.

So is Heartbleed actually a big deal?

For the security community, absolutely yes. Fixing the problem everywhere is a major engineering challenge that will take years. There will definitely be negative real-world impact and that’s a major black eye for security engineers everywhere. For most ordinary users though, the impact is probably negligible.

If it isn’t such a big deal to me, why have I heard so much about it?

Like most security vulnerabilities, the impact of Heartbleed, particularly with regards to passwords, is likely overstated due to a number of biases:

We prefer to be safe rather than sorry. Prospect theory suggests that we are biased towards loss aversion and avoiding potentially large negative outcomes.It’s easy to enumerate potential negative costs of a security vulnerability and much harder to tabulate the cost of asking millions of people to change behavior (change passwords) let alone the cost of panicking them.

Claiming the sky is falling lets us feel our job as security engineers is important, whereas admitting that even a very bad technical flaw may not impact the outside world much has the opposite effect.

There are always a few cases of individual grandstanding and attention-seeking and this encourages dire predictions.

Users want to do something in response and changing passwords is one of the few things they can do. Security engineers and reporters want to tell them something they can do besides “rely on a bunch of overworked sysadmins to patch this up with duct tape.”

https://freedom-to-tinker.com/blog/jbonneau/heartbleed-and-passwords-dont-panic-2/
(Sorry for the huge text - don't know why this happens sometimes)

~ Edited Text Size - JRViejo ~

 

Been checking out the links provided by our members regarding the websites that are vulnerable and have either applied the fix or are still in the process of doing so. These links have helped ... Tnx to those members. I was not comfortable with running the program that interrogates specific URLs. Seems a bit dodgy to me.

Regarding Public Awareness/communications: Some banks and some governments are issuing statements to the media, mostly indicating their current status, which is the decent thing to do IMO. A few government sites have completely shutdown access for the time being. There are a lot of private company sites that offer online services to the public and have issued no public statement or placed any type of information or alert on their home page. Customer relations seems to have dropped the ball on this one. Guess they think the public will call if they want to know ... help line gurus!!!

 

I have received one request, so far. I have a couple of accounts with Fastmail, that cost me nothing many years ago, and which have limited storage. They are handy and great to use.

They gave comprehensive instructions, in how to go about changing my passwords.



P.S. Don't change your choice, once you have made it, between Full Image and Thumbmail, otherwise you will get in all sorts of bother. It happened to me, just now.

 

Thanks, Tarnak.
I have received zero so far. And I have lots of accounts that require logins.... forums, online shopping, work-related, etc, etc.
Not so much as a peep from any of them regarding this.

 

You're Welcome.

 

From link in post #107: How certificate revocation (doesn’t) work in practice.

 

Behind the Scenes: The Crazy 72 Hours Leading Up to the Heartbleed Discovery

 

Trying to protect yourself from Heartbleed could land you in jail

 

I've received two and both were phishing.

 

Even if a site has fixed the HeartBleed bug, it's still potentially compromised. Unless and until it's been nuked from orbit and rebuilt, adversaries could still have access and be harvesting information.

 

Anyone running the Chrome plugin Chromebleed ? (tnx MrBrian, re post #115)
Seems a lot less dodgy than the other programs suggested.

Edit: Especially would like to know if anyone has opened a website and got an alert from this plugin that the site is vulnerable. Also if anyone has received an email to change their password ...to see if it comes up without a warning.

 

Tor Browser Updated with "Heartbleed" Fix

http://news.softpedia.com/news/Tor-Browser-Updated-with-quot-Heartbleed-quot-Fix-437340.shtml


(Why does my text get so big and bold--how do I fix this?)

 

You can select the text you want to edit and uncheck BOLD at top and set font size to 4.

hqsec

 

"Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge."

http://www.engadget.com/2014/04/11/heartbleed-openssl-cloudflare-challenge/

https://www.cloudflarechallenge.com/heartbleed

 

Thanks

 

Select text, then click "Remove Formatting" button (on far right). Or use PureText (free software).

 

The Results of the CloudFlare Challenge

 

Here's a member who has installed the Chromebleed extension.