Internet users told to change ALL passwords in wake of ‘catastrophic’ Heartbleed security bug

  • Posted by a hidden member.

    Apr 09, 2014 11:37 PM GMT
    Yikes - given that this affects an estimated TWO THIRDS of the Internet's Webservers - including the most trafficked sites out there including Yahoo, OKCupid, Flickr, steamcommunity, slate.com, imgur, duckduckgo, 500px:

    http://blogs.wsj.com/five-things/2014/04/09/5-questions-about-heartbleed/?mod=e2fb

    If a service you use was affected by Heartbleed, wait until the company makes the update before changing your password. Not sure if the service is affected? Type in the address in this tool set up by Qualys, a cybersecurity company.

    https://www.ssllabs.com/ssltest/
    https://lastpass.com/heartbleed/

    https://www.schneier.com/blog/archives/2014/04/heartbleed.html

    Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

    "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

    Half a million sites are vulnerable, including my own. Test your vulnerability here.

    The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

    At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.


    List of some of the servers affected (including some that weren't like Google, Facebook):
    https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
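    The memory over-read Schneier describes above came from the TLS heartbeat handler trusting the 16-bit length field in the request and copying that many bytes into the reply, whether or not the request actually contained them. The hardened handler below is an added example written for this thread, not code from OpenSSL or from any poster; the message layout follows RFC 6520, and the two sample requests are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, payload bytes, then at least 16 bytes of padding.
 * The unpatched handler copied payload_length bytes into the reply
 * without checking the request held them, so a short request claiming
 * a large length echoed up to 64 KiB of adjacent server memory. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_REPLY (1 + 2 + 65535 + HB_PADDING)

/* Returns the reply length written to out, or 0 if the request is rejected. */
size_t hb_handle(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The bounds check the unpatched code lacked: claimed payload plus
     * mandatory padding must fit inside the bytes actually received. */
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;

    size_t reply_len = 1 + 2 + payload_len + HB_PADDING;
    if (reply_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code: random padding */
    return reply_len;
}

/* Constructed sample: 5-byte payload "hello" plus 16 padding bytes. */
const uint8_t hb_good[24] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Same 24 bytes on the wire, but the length field claims 65535 bytes. */
const uint8_t hb_bad[24]  = {HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};

int main(void)
{
    uint8_t out[HB_MAX_REPLY];
    printf("well-formed request -> reply of %zu bytes\n",
           hb_handle(hb_good, sizeof hb_good, out, sizeof out));
    printf("over-long length field -> reply of %zu bytes (rejected)\n",
           hb_handle(hb_bad, sizeof hb_bad, out, sizeof out));
    return 0;
}
```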
  • Posted by a hidden member.

    Apr 09, 2014 11:46 PM GMT
    Internet users told to change ALL passwords in wake of ‘catastrophic’ Heartbleed security bug
    http://dailycaller.com/2014/04/09/internet-users-told-to-change-all-passwords-in-wake-of-catastrophic-heartbleed-security-bug/
  • Posted by a hidden member.

    Apr 10, 2014 1:33 AM GMT
    Just to repeat...

    DO NOT CHANGE YOUR PASSWORD UNTIL YOU ARE TOLD TO DO SO

    If you change your password before they patch the vulnerability, then you increase your chances of getting your login swiped.
  • Posted by a hidden member.

    Apr 10, 2014 5:10 AM GMT
    xrichx said:
    Just to repeat...

    DO NOT CHANGE YOUR PASSWORD UNTIL YOU ARE TOLD TO DO SO

    If you change your password before they patch the vulnerability, then you increase your chances of getting your login swiped.


    Definitely... though it's probably a good idea to start changing passwords on the sites that are not considered vulnerable (e.g. google, facebook) if you use similar passwords.
  • Posted by a hidden member.

    Apr 10, 2014 5:48 AM GMT
    Many Devices Will Never Be Patched to Fix Heartbleed Bug
    Home automation systems and networking equipment vulnerable to a major encryption flaw are unlikely to be fixed.

    http://www.technologyreview.com/news/526451/many-devices-will-never-be-patched-to-fix-heartbleed-bug/
  • Posted by a hidden member.

    Apr 10, 2014 6:07 AM GMT
    On Tumblr it said "Now would be a good time to change your PW" today, but I disregarded it. I guess they weren't playin.
  • Posted by a hidden member.

    Apr 10, 2014 6:11 AM GMT
    https://lastpass.com/heartbleed/
  • Posted by a hidden member.

    Apr 10, 2014 6:13 AM GMT
    Also, RJ isn't affected by this bug because this site doesn't even use SSL on the login page, or anywhere.
  • Posted by a hidden member.

    Apr 10, 2014 6:19 AM GMT
    xrichx said:
    Also, RJ isn't affected by this bug because this site doesn't even use SSL on the login page, or anywhere.


    Aha! indeed.
  • Posted by a hidden member.

    Apr 10, 2014 1:51 PM GMT
    CNN has a link dedicated to this.

    http://www.cnn.com/2014/04/08/tech/web/heartbleed-openssl/index.html?iref=allsearch

    There is also a link, from CNN, to check your browser (near the bottom of the site) and more info on Heartbleed.

    http://heartbleed.com
  • Posted by a hidden member.

    Apr 10, 2014 4:28 PM GMT
    woodsmen said:
    Wikipedia has a test for you to run to test whether the web site that you transact with uses Heartbleed. But to repeat what xrichx said: DO NOT CHANGE ANY PASSWORD until the particular web site tells you that they have fixed the security breach.


    Er again, no, you should change passwords of any site that isn't affected first - that is if you use the same password for multiple sites.

    You can check if your site is vulnerable here:
    https://www.ssllabs.com/ssltest/
    https://lastpass.com/heartbleed/

    BUT if a site is currently vulnerable, don't change your password until after they've fixed the issue.
  • MNGUY

    Posts: 82

    Apr 10, 2014 4:37 PM GMT
    So which sites are safe to change the password on right now?
    okcupid? facebook? tumblr? hotmail? yahoo?

    Are PayPal and eBay safe?
  • Posted by a hidden member.

    Apr 10, 2014 5:08 PM GMT
    Neon said:
    So which sites are safe to change the password on right now?
    okcupid? facebook? tumblr? hotmail? yahoo?

    Are PayPal and eBay safe?


    Huh... Facebook and Google are saying they were vulnerable after all ugh.

    http://www.telegraph.co.uk/technology/internet-security/10756807/Heartbleed-bug-which-passwords-should-you-change.html

    Facebook. Change now.
    LinkedIn. Unaffected (but change if you use the same password as another vulnerable site)
    Tumblr. Change now.
    Google. Change now.
    Yahoo!. Only partially corrected, wait (or if you are just on their "main properties" like mail you can change now)
    Aol. Unaffected (but change if you use the same password as another vulnerable site)
    Hotmail/Outlook. Unaffected (but change if you use the same password as another vulnerable site)
    Amazon. Amazon.com unaffected (but change if you use the same password as another vulnerable site).
    Ebay. Odd - says "unknown".
    PayPal. Unaffected (but change if you use the same password as another vulnerable site)
    Dropbox. Change now.
    OKCupid. Change now.
    Match. Unaffected (but change if you use the same password as another vulnerable site)
    Instagram. Change now.
    Twitter. Unaffected (but change if you use the same password as another vulnerable site)
    Expedia. Unaffected (but change if you use the same password as another vulnerable site)
    REI. Unaffected (but change if you use the same password as another vulnerable site)
  • Posted by a hidden member.

    Apr 10, 2014 6:23 PM GMT
    Can we just all live in a big mansion somewhere, I've changed mine so many times the process is not exciting me much :/
  • Posted by a hidden member.

    Apr 10, 2014 10:06 PM GMT
    This doesn't trouble me as much for some reason... I figure most people would be bored. I'd be worried about other uses...

    -------------

    Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

    https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
  • Posted by a hidden member.

    Apr 14, 2014 2:34 AM GMT
    Y2K 2.0?

    Ehhh
  • Posted by a hidden member.

    Apr 14, 2014 2:03 PM GMT
    Mentioned this before; it's a good time to get a password manager that sits in the cloud.

    - good place to park notes
    - each site you visit can easily have a unique password
    - it backs up your passwords and/or prints them out
    - in theory it has improved encryption
    - if it is cloud based, all your OS X & DOS-based devices can share