Heartbleed Bug

Apologies if this is already being discussed, but I didn't see it on the first page of GD.

Anyway, so cutting a long story short, hackers pretty much have EVERYTHING.

http://heartbleed.com/

Any credit cards we've ever used, any p/w for any forum, e-commerce sites, fleabay, Amazon, PayPal..... well, to round it up, the entire internet which relied on SSL has been compromised.

Is it even worth changing all your passwords? I mean, they're probably already working on a new hack that won't be discovered for another couple of yrs..

I've just had all my credit cards replaced after using them in Target (USA) over Xmas, which was hacked over that period.

Does it worry you?
 
Whilst it could happen to me, there are much bigger fish to fry than me, so not overly worried :p

I do find the general ease with which the net is abused (security-wise) a concern when almost everything is becoming online. The potential to destroy a lot (relatively) easily is something that seems to be ignored, which I find surprising.
 
A little, but what can you do :S

My brother's just had a very stressful day, as he does IT support and they've had to isolate, update and pull auth keys, etc. from every device and system and update them with new keys, reset passwords, etc. on 1000s of devices.
 
Bit of a scaremongering post isn't it? Your statement is not true in the slightest. Only a specific version (yes, it is widely used and it is a big issue but they don't have "everything") of OpenSSL has the vulnerability and all the big players have already patched.

The problem does come from forums and websites etc that never bother patching or keeping up with security updates but those sorts of sites probably have many other vulnerabilities anyway.

I would check in to your important sites and see if there are any alerts to them having patched and what steps to take to ensure you are safe. You don't use the same password on all sites anyway, do you? :)
 
Bit of a scaremongering post isn't it? Your statement is not true in the slightest. Only a specific version (yes, it is widely used and it is a big issue but they don't have "everything") of OpenSSL has the vulnerability and all the big players have already patched.

The problem does come from forums and websites etc that never bother patching or keeping up with security updates but those sorts of sites probably have many other vulnerabilities anyway.

I would check in to your important sites and see if there are any alerts to them having patched and what steps to take to ensure you are safe. You don't use the same password on all sites anyway, do you? :)

People who haven't bothered to update are actually those who are likely to be still unaffected by this bug - it's only a relatively recent (as far as versions of OpenSSL go) version of OpenSSL (March 2012) that's affected by it, and it has only been patched out in the very latest version, released after the bug was found.
 
Crazy bad bug; "the biggest security flaw since SQL injection" isn't far off the truth.

It's been around for two years too.


Reset all your passwords, and be careful about which sites you visit from now on. Now it's so well known, any still-vulnerable sites WILL be exploited.
 
Bit of a scaremongering post isn't it? Your statement is not true in the slightest. Only a specific version (yes, it is widely used and it is a big issue but they don't have "everything") of OpenSSL has the vulnerability and all the big players have already patched.

The problem does come from forums and websites etc that never bother patching or keeping up with security updates but those sorts of sites probably have many other vulnerabilities anyway.

I would check in to your important sites and see if there are any alerts to them having patched and what steps to take to ensure you are safe. You don't use the same password on all sites anyway, do you? :)

Two thirds of all websites.

http://online.wsj.com/news/articles/SB10001424052702304819004579489813056799076
 
People who haven't bothered to update are actually those who are likely to be still unaffected by this bug - it's only a relatively recent (as far as versions of OpenSSL go) version of OpenSSL (March 2012) that's affected by it, and it has only been patched out in the very latest version, released after the bug was found.

The code containing the bug was released in 2012 and was only just discovered yesterday (today?), so it has been around for quite some time, just undiscovered/dormant.
 
Is there any evidence of anyone actually exploiting this bug?

That's part of the problem: you can't trace past exploits. It leaves no trace.

We now know what the exploit traffic looks like, so you can set up firewall rules to detect it for future exploits though.
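The detection idea in the post above, as an added worked example (this is not code from the thread, from OpenSSL or from any firewall vendor): a Heartbleed probe is a TLS heartbeat record (content type 24) whose declared payload_length is larger than the bytes actually present in the record, which is exactly the condition the OpenSSL 1.0.1g fix rejects (1 + 2 + payload_length + 16 > record length). The script below parses TLS record headers out of a byte stream and flags any heartbeat request that fails that check. The sample capture, the TLS 1.1 version bytes and the `build_heartbeat` helper are constructed for the example and are not taken from a real pcap.

```python
"""Flag Heartbleed-style TLS heartbeat requests in a captured TLS byte stream.

Added example, not code from the original thread or from OpenSSL. The
rejection condition (1 + 2 + payload_length + 16 > record length) mirrors
the check added in the OpenSSL 1.0.1g fix for CVE-2014-0160; everything
else (sample records, helper names) is constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_CONTENT_HEARTBEAT = 24   # RFC 6520 heartbeat content type
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding


@dataclass
class Finding:
    offset: int        # byte offset of the TLS record in the stream
    hb_type: int       # 1 = request, 2 = response, -1 = too short to tell
    declared_len: int  # payload_length claimed in the heartbeat header
    available: int     # bytes actually present after the 3-byte heartbeat header
    verdict: str       # "benign", "heartbleed-probe" or "malformed"


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, content_type, version, fragment) for each complete TLS record.

    Stops at the first truncated record rather than guessing at its contents.
    """
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) < length:
            break  # truncated capture: do not report a partial record
        yield off, ctype, version, fragment
        off += 5 + length


def classify_heartbeat(fragment: bytes) -> Tuple[int, int, int, str]:
    """Apply the 1.0.1g-style bounds check to one heartbeat record fragment."""
    if len(fragment) < 3:
        return -1, 0, len(fragment), "malformed"
    hb_type = fragment[0]
    declared = struct.unpack("!H", fragment[1:3])[0]
    available = len(fragment) - 3
    if hb_type == HB_REQUEST and declared > available:
        # A vulnerable server would memcpy `declared` bytes from a buffer that
        # only holds `available`: the over-read that leaks heap memory.
        return hb_type, declared, available, "heartbleed-probe"
    if 1 + 2 + declared + HB_MIN_PADDING > len(fragment):
        # Fits, but violates the RFC 6520 padding requirement; patched OpenSSL drops it.
        return hb_type, declared, available, "malformed"
    return hb_type, declared, available, "benign"


def scan(stream: bytes) -> List[Finding]:
    """Return one Finding per heartbeat record; other content types are skipped."""
    findings: List[Finding] = []
    for off, ctype, _version, fragment in iter_tls_records(stream):
        if ctype != TLS_CONTENT_HEARTBEAT:
            continue
        hb_type, declared, available, verdict = classify_heartbeat(fragment)
        findings.append(Finding(off, hb_type, declared, available, verdict))
    return findings


def build_heartbeat(hb_type: int, payload: bytes, declared_len: int = None,
                    padding: bytes = b"\x00" * HB_MIN_PADDING) -> bytes:
    """Construct a TLS 1.1 heartbeat record (test helper, not protocol code)."""
    declared = len(payload) if declared_len is None else declared_len
    body = bytes([hb_type]) + struct.pack("!H", declared) + payload + padding
    return bytes([TLS_CONTENT_HEARTBEAT]) + b"\x03\x02" + struct.pack("!H", len(body)) + body


# Constructed sample capture: a well-formed heartbeat, an application-data
# record, then the classic probe that claims 0x4000 payload bytes but sends none.
BENIGN = build_heartbeat(HB_REQUEST, b"hello")
APP_DATA = b"\x17\x03\x02\x00\x04abcd"
PROBE = build_heartbeat(HB_REQUEST, b"", declared_len=0x4000, padding=b"")
SAMPLE_CAPTURE = BENIGN + APP_DATA + PROBE

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURE):
        print(f"offset={f.offset:<4} type={f.hb_type} declared={f.declared_len:<6} "
              f"available={f.available:<4} {f.verdict}")
```

Run against a real capture, feed it the reassembled TCP payload of the client-to-server direction; a rule that alerts only on `heartbleed-probe` will not fire on ordinary keep-alive heartbeats, which is the false-positive problem a naive "any heartbeat record" rule has.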
 
None of my devices at work (Sophos email gateway, Netscalers, Checkpoint devices, web servers) were affected, luckily, but having checked all of those manufacturers' responses, they all released patches for it within hours. It is up to individuals to now be reactive and get patching if necessary.

Don't forget, any large hosting company which hosts any number of thousands to hundreds of thousands of websites will patch automatically and very very quickly so the reach of the exploit will be whittled down substantially within days.
 
How does changing my password help if the hackers can get my new password using the same method, until 'everyone' implements the fix to the encryption? Or has the fix / patch generally been implemented now?
 
How does changing my password help if the hackers can get my new password using the same method, until 'everyone' implements the fix to the encryption? Or has the fix / patch generally been implemented now?

It doesn't. The website on which you change your password needs to be patched first or else your password could be retrievable again.
 