arfink Posted April 10, 2014
This is a PSA for members of the forum who have not heard this news yet: Roughly 2/3rds of the Internet has been affected by a nasty bug in OpenSSL called the Heartbleed bug. This bug has been undetected for the last 2 years, and effectively allows attackers to steal top-level SSL encryption keys. In plain English, this means that for the past two years, anybody who somehow knew about this bug would be able to read all encrypted and supposedly secure data which you transmitted or received over the internet in the last 2 years using OpenSSL. Most modern operating systems including Windows, OS X, and Linux use OpenSSL, as well as nearly 66% of all web services. It is at this time completely unknown who might have been compromised or what information has been stolen, because the Heartbleed bug leaves absolutely no trace. Information suggests that this bug was not widely known until this week, when security researchers patched OpenSSL to remove the bug. However, most administrators are lax or slow about updating their software, and since the announcement was made many attacks using the bug have been made on administrators and certificate authorities who were slow to update. If you see a website which indicates that its certificate has been revoked, this means that it has likely been attacked by the Heartbleed bug. As soon as you are able to sign back into these services you must change your password. Also, be sure to change your passwords on all other major social media, business, banking, or personal sites as soon as possible. Any passwords used during the last 2 years should be assumed to be compromised.
arfink (Author) Posted April 10, 2014
Note: since changing your password will only do good if you do it after the bug has been patched, please use this tool to determine if the website in question has had its implementation of OpenSSL updated: http://filippo.io/Heartbleed/
Yahoo users in particular should be aware that for a period of nearly 24 hours, Yahoo was unprotected. They have not notified users of this comparatively prolonged exposure or advised users to change passwords. If you use Yahoo, do it immediately.
PhuturePriest Posted April 10, 2014
> If you use Yahoo, do it immediately.
you were likely an adult when the internet was made. Fixed.
arfink (Author) Posted April 10, 2014
Oh, and before people ask, Phatmass doesn't use OpenSSL, you're fine here.
blazeingstar Posted April 10, 2014 (edited)
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
From my CS fiancee's opinion, changing passwords does nothing at this point....it will be immediately useless again.
> The bug allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing — attackers don't know what usable data will be in the haul — but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form.
> What do I do?
> Do you Yahoo? Do you use your Yahoo password on other sites? That password was possibly compromised by the security bug, and you'll have to change it once the bug is fixed. But because each system administrator has to manually fix the problem, which takes time, there's really nothing you can do until the compromised sites are up and running with an updated version of OpenSSL, and a new security certificate in place — a "reset" of the encryption used to protect current and archived information on the server going forward. Yahoo is working on a fix, but isn't there yet with all of its properties. Each site affected will have to do the same. Until then, stay away from those sites. It could take days, or longer, for vulnerable sites to recover from the bug.
Edited April 10, 2014 by blazeingstar
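The quoted article describes the symptom (up to 64k of server memory per request) but not the missing check behind it. As an added illustration, not code from the thread or from OpenSSL, here is a small Python parser for the TLS heartbeat message format (RFC 6520: type, 16-bit payload_length, payload, at least 16 bytes of padding) with the bounds check the patched OpenSSL added; the sample messages are constructed, not captured traffic.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat(record: bytes) -> Tuple[int, int, bytes]:
    """Parse a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    Raises ValueError when the claimed payload_length does not fit inside the
    record. That is the check the Heartbleed fix added: a handler that trusts
    payload_length copies that many bytes starting at the payload and so reads
    past the real record into whatever else sits in process memory.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short to be a heartbeat message")
    msg_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % msg_type)
    # The fix: header + claimed payload + minimum padding must fit the record.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError("payload_length %d exceeds %d-byte record, discarding"
                         % (payload_length, len(record)))
    payload = record[3:3 + payload_length]
    return msg_type, payload_length, payload


def build_heartbeat_response(request: bytes) -> Optional[bytes]:
    """Echo the payload of a well-formed request; silently drop anything else
    (RFC 6520: a malformed heartbeat message must be discarded)."""
    try:
        msg_type, length, payload = parse_heartbeat(request)
    except ValueError:
        return None
    if msg_type != HEARTBEAT_REQUEST:
        return None
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", length)
            + payload + b"\x00" * MIN_PADDING)


# Constructed test vectors (not real traffic).
GOOD_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5)
                + b"hello" + b"\x00" * MIN_PADDING)
# Same 5-byte payload, but the header claims 65535 bytes: the malformed case.
OVERSIZED_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF)
                     + b"hello" + b"\x00" * MIN_PADDING)
```

With the check in place the oversized request yields no response at all, which is also why a patched server cannot be probed the same way afterwards.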
blazeingstar Posted April 10, 2014
> Fixed.
Ummmm....you were likely alive when the internet was made. But not an adult. I got my first email address when I was 10 or 11? But I wasn't born with one like kids nowadays.
PhuturePriest Posted April 10, 2014
> Ummmm....you were likely alive when the internet was made. But not an adult. I got my first email address when I was 10 or 11? But I wasn't born with one like kids nowadays.
I don't remember what year it was made, but I was born in 1996. Regardless, that's why I specified "adult" in my post.
arfink (Author) Posted April 10, 2014
> https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
> From my CS fiancee's opinion, changing passwords does nothing at this point....it will be immediately useless again.
Like I said. If your service provider isn't patched it does nothing.
Selah Posted April 10, 2014
> I don't remember what year it was made, but I was born in 1996. Regardless, that's why I specified "adult" in my post.
Dude! I've played Zookeeper on Windows systems older than you xD (played it against my will, damn stupid game).
arfink (Author) Posted April 10, 2014
> I don't remember what year it was made, but I was born in 1996. Regardless, that's why I specified "adult" in my post.
My keyboard is older than you. :P
PhuturePriest Posted April 10, 2014
> My keyboard is older than you. :P
Dinosaur.
arfink (Author) Posted April 10, 2014
I dunno, I got it new in box just this week.
blazeingstar Posted April 10, 2014
> I don't remember what year it was made, but I was born in 1996. Regardless, that's why I specified "adult" in my post.
o.0 in what world is an 11 year old an adult?
blazeingstar Posted April 10, 2014
> Like I said. If your service provider isn't patched it does nothing.
So your advice to change passwords immediately is bad advice. It won't do anything if you have Yahoo.
arfink (Author) Posted April 10, 2014
> So your advice to change passwords immediately is bad advice. It won't do anything if you have Yahoo.
> Note: since changing your password will only do good if you do it after the bug has been patched, please use this tool to determine if the website in question has had its implementation of OpenSSL updated:
Ugg read things. Ugg notice this.