Heartbleed Bug: Public Urged To Reset All Passwords

HardOCP News

I guess now is as good a time as any to reset all your passwords. Thanks to everyone that sent this one in.

Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code. They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
 
Changing now is a waste of time until the websites all upgrade their software. Ought to wait a week or so, and limit any activity until then.
 
Don't change anything until SSL certs are replaced. We patched here?
 
I have just under 100 passwords that I'll need to go through. Then I have to do the same thing for my parents... Curse being the tech guy. :(

At least I'm using password managers, so it makes it relatively easy to figure out what actually needs to be changed. I feel bad for the guy out there that's panicking, trying to think of all of the things needed to be done.
 
That's a lot of PWs....


Realistically though, the only passwords you are wise to change ASAP are the ones which might have information that could hurt you financially or lead to identity theft (email, shopping services you frequent and services that might have access to your bank account). Who gives a shit about random forum accounts when the bad guys/bots can make new ones and post their spam. No money to be made really.
 
Apparently you can use this to test if the site you frequent is vulnerable to Heartbleed. For example Paypal is not, which is a relief. But if the password happens to be something you use elsewhere that happens to be vulnerable, you know what to do.
https://www.ssllabs.com/ssltest/index.html
 
Thank god for legacy software on Enterprise Red Hat; all my servers were safe. This only affected OpenSSL 1.0.1a-f and not 1.0.0/fips.
 
Have we built our hardware and software in an unsustainable fashion? I look at a major bug like this in conjunction with banking security protocols being breached non-stop (Neiman Marcus, Target, Global Payments, Experian, Lexis Nexis, the list goes on and on...) and just don't know how long it can continue.
 
> Have we built our hardware and software in an unsustainable fashion? I look at a major bug like this in conjunction with banking security protocols being breached non-stop (Neiman Marcus, Target, Global Payments, Experian, Lexis Nexis, the list goes on and on...) and just don't know how long it can continue.

Banks are fine. Any losses will be covered by their clients, and if they crash completely, they get bailed out by the government (I mean the taxpayers).
 
> Have we built our hardware and software in an unsustainable fashion? I look at a major bug like this in conjunction with banking security protocols being breached non-stop (Neiman Marcus, Target, Global Payments, Experian, Lexis Nexis, the list goes on and on...) and just don't know how long it can continue.

No. No security is perfect in any medium. It will continue like this as the convenience of open electronic exchange is worth far more to the economy than going back to shuttling everything around via batch over hard lines.

Also, I'd really rather not go back to manual swipe credit card imprint machines or holding a ton of cash. Stealing manual swipe info/sheets is easier than stealing electronic CC data and holding a lot of cash is dangerous for businesses and consumers.
 
Think of it this way: how many issues this large has OpenSSL had before? I know they have had some...

What worries me more is that this took 2 years to catch... I think whoever is doing QA over at OpenSSL needs to be fired.

PolarSSL anyone?
 
> Think of it this way: how many issues this large has OpenSSL had before? I know they have had some...
>
> What worries me more is that this took 2 years to catch... I think whoever is doing QA over at OpenSSL needs to be fired.
>
> PolarSSL anyone?

OpenSSL is open source so I'm not sure you can fire contributors if they're not part of some foundation.

I have direct professional experience doing security audits for applications and code security audits within the last 5 years. Code audits are not easy. Security testing a framework essentially requires devs with security experience, not QA professionals, and things are going to get missed. There just aren't that many people available to do this work.

I do not have the skillset to audit the low-level areas of cryptographic frameworks, but I can still occasionally monkey around and find problems very rarely. Designing these things and catching vulnerabilities are very different skills, and normal QA won't catch stuff like this very easily.

Some of these issues are VERY difficult to observe even under typical input fuzzing and looking for patterns. I don't think 2 years is some sign of major failure. We have no idea if it was even being exploited prior to that. It's possible that it was unknown prior to it being acknowledged by Cloudflare or whoever spilled the beans.

http://en.wikipedia.org/wiki/Padding_oracle_attack is another that came out and was pretty nasty and difficult to solve. The people trying to break things have more resources and time than the people trying to secure stuff. Sometimes it's some company like Cloudflare that finds it and has to discuss it before anyone has time to patch. That's basically a total dick move.
 
> OpenSSL is open source so I'm not sure you can fire contributors if they're not part of some foundation.
>
> I have direct professional experience doing security audits for applications and code security audits within the last 5 years. Code audits are not easy. Security testing a framework essentially requires devs with security experience, not QA professionals, and things are going to get missed. There just aren't that many people available to do this work.
>
> I do not have the skillset to audit the low-level areas of cryptographic frameworks, but I can still occasionally monkey around and find problems very rarely. Designing these things and catching vulnerabilities are very different skills, and normal QA won't catch stuff like this very easily.
>
> Some of these issues are VERY difficult to observe even under typical input fuzzing and looking for patterns. I don't think 2 years is some sign of major failure. We have no idea if it was even being exploited prior to that. It's possible that it was unknown prior to it being acknowledged by Cloudflare or whoever spilled the beans.
>
> http://en.wikipedia.org/wiki/Padding_oracle_attack is another that came out and was pretty nasty and difficult to solve. The people trying to break things have more resources and time than the people trying to secure stuff. Sometimes it's some company like Cloudflare that finds it and has to discuss it before anyone has time to patch. That's basically a total dick move.

The code error that broke OpenSSL had nothing to do with the low-level cryptography math. It was a memcpy of data that originated outside the program without verifying its claimed length matched its actual length. Seriously junior shit.
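Added example (not from the post or from OpenSSL) showing the check the post describes: a simplified heartbeat record handler that refuses to echo a peer-supplied payload length larger than what actually arrived. The record layout, the names hb_respond/demo and the zero padding are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record: type(1) | payload_len(2, big-endian) | payload | padding(16).
 * This is a constructed model for illustration, not OpenSSL's record format or code. */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_HEADER        3
#define HB_PADDING       16

/* Build a response that echoes the request payload into out.
 * Returns bytes written, or -1 if the record must be dropped.
 * The comparison against rec_len is the check the vulnerable code lacked: it
 * trusted payload_len from the wire and copied that many bytes regardless of
 * how many had actually been received. */
int hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_TYPE_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled claim */

    /* Claimed length must fit inside the bytes actually received. */
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;

    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_TYPE_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* bounded by the check above */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);   /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed samples: a well-formed 4-byte "ping" and a record claiming 65535 bytes
 * while carrying the same 4. Returns 1 when the handler accepts the first and drops the second. */
int demo(void)
{
    uint8_t good[HB_HEADER + 4 + HB_PADDING] = { HB_TYPE_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[HB_HEADER + 4 + HB_PADDING]  = { HB_TYPE_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' };
    uint8_t out[256];
    int g = hb_respond(good, sizeof good, out, sizeof out);
    int b = hb_respond(bad, sizeof bad, out, sizeof out);
    printf("well-formed: %d bytes written, over-claimed: %d\n", g, b);
    return g == HB_HEADER + 4 + HB_PADDING && b == -1;
}
```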
 
^^ that.

The bad guys have as many resources as the good guys; the problem is the good guys don't think in a negative "how can I exploit this" mentality, which to me is scary...

"You want to catch a criminal, think like a criminal" comes to mind.

If I am building a system to secure something, I am sure as heck going to try and get past its security to see how I can exploit it before someone else does.
 
> Changing now is a waste of time until the websites all upgrade their software

That was my thought as well.

More food for thought: the Heartbleed bug allows scraping of what is in system memory, so if you haven't used the site in a while your stuff has long been flushed and replaced or already captured. Going there now only increases your risks until the systems are patched. Stay away from your sites that use OpenSSL, including HTTPS connections. Flush your browser of all those cookies and check them for the vulnerability before trying to log into your accounts and change your passwords.
 
> Have we built our hardware and software in an unsustainable fashion? I look at a major bug like this in conjunction with banking security protocols being breached non-stop (Neiman Marcus, Target, Global Payments, Experian, Lexis Nexis, the list goes on and on...) and just don't know how long it can continue.

Everything is a measure of gain vs. risk (or loss). It's like an extension of the insurance game: an increase in the rate of deaths to heart attack never killed the life insurance biz, they just raise the premiums and play with the fine print.
 
The caveat being that changing said passwords without the exploit being addressed serves no purpose other than providing another opportunity to hackers to obtain updated passwords.

Article sensationalism/fear-mongering ftw... not.
 