Heartbleed bug


taxlady
There is a serious security vulnerability that has the possibility of affecting most banking and shopping sites. It's called the heartbleed bug. Here's a link to what CNET has to say: 'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET

I would suggest that everyone postpone online shopping and banking for at least a day or two. My bank assures me that they aren't vulnerable because they care about security and use SSL. Not convincing - the bug is in SSL. :wacko:

I wish PayPal, and banking sites would post something about this on their landing page. Revenue Canada did. They have temporarily closed netfile, efile, etc., etc.
 
Changing your passwords AFTER a fix has been put in place is a better idea.

Unfortunately, the media has once again created an atmosphere of mass hysteria, all the while being completely ignorant of how technology actually works. Changing passwords before an OpenSSL vulnerability (not bug) has been plugged is a little like telling everyone in a burgled apartment building to change their access codes before the locksmith has updated the locks.

So what's one to do? The best advice I've read is to wait until a specific website notifies you it's updated its SSL software and THEN change your password. Some may even offer automatic password resets. In the meantime, don't pass any information to it that you wouldn't feel comfortable with others potentially gaining access to (e.g. credit cards, SSN, etc.)

Note that many of the largest companies, such as Yahoo, Google, Amazon, Facebook, and several major banks, already have fixes in place.

Another article offering some good advice: http://www.tomsguide.com/us/heartbleed-bug-to-do-list,news-18588.html

One more thing. You may see increased instances of "phishing" in the coming days, where hackers will send you an email that attempts to lure you to lookalike websites to collect personal information. Please be vigilant and don't fall for these ploys.
 
I read to change your passwords now and change them again when the fix is in place. That makes sense to me.
 
...Bruce Schneier, who has been writing about computer security for more than fifteen years...
No offense, TL, but Bruce Schneier is also a writer who has an interest in talking to the media and selling books.

I've been a computer programmer since 1978 and have worked in the past as both a network and database administrator. I'm currently employed as a database developer for the largest real estate network in the US. Part of my job has included securing networks and preventing prying eyes from getting access to data.

I'm not trying to downplay the seriousness of this exploit, but I am saying that much of the advice passed on by the media and anonymous "experts" when these things happen is dead wrong. Some of the solutions I've seen over the last couple of days (example: Don't go to work today. Instead, stay home and change all your passwords) are just plain silly and naive.

Furthermore, this vulnerability didn't just pop up last week. It's been around for two years. If you are a regular user of the internet, chances are some of your data may have already been compromised during this period. A better strategy than some of the knee-jerk solutions offered is to stay on top of things by changing your passwords every few months. I have several that I rotate through on different sites. And on sites that I visit often and that store important personally identifiable information, such as credit cards, banking information, home addresses, etc., I may change my password every few weeks.
 
"...Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole..." This is well known among those interested in security and I knew it before I read it in that New Yorker article.

I agree that some of the advice is mostly "Panic!"

Of course it's a good idea to change passwords regularly, but most people don't. It's also a really good idea not to use the same password on more than one "important" site. E.g., though Discuss Cooking is important to me, it isn't a big deal if someone got the password, so mine is the same as on lots of similar sites, but it isn't the same as any of the sites where security is important, like banking, PayPal, Amazon, etc., etc.

I've been talking to Stirling about this and he is concerned too. He has been a programmer since 1983 or 1984. He is very interested in security and cryptography and keeps up on it. I'm not sure what all he has done in security, but he did work on the software for a system of secure distributed backup for companies. He worked with/for his friend who was the designer of the software and the founder of the company that was making it.
 
Luckily my Credit Union doesn't use that version of SSL. My other credit union, which I don't keep much money in, doesn't have anything on their website.
 
Stirling says that, yes, this is how the heartbleed bug works. This sort of implies that the last changes are the ones most likely to be grabbed by someone exploiting the bug. That implies that, yes, it's best to wait until the patch is applied to change passwords. But, since the bug has been around for two years, it may have been exploited and according to this link, it looks like it has. https://www.eff.org/deeplinks/2014/...gence-agencies-using-heartbleed-november-2013

heartbleed_explanation.png
 