Heartbleed bug

TravelGal
04-09-14, 12:19 PM
To panic or not to panic, that is the question.

In 24 hours it's gone from a mention to "don't do online banking" to "change every one of your passwords."

What say ye?

stroker
04-09-14, 01:43 PM
I don't know what you're referring to....?

Insomniac
04-09-14, 01:46 PM
Don't panic. There's nothing you can do and it likely doesn't affect you on your "side". They are correct to state that in terms of the web, if they used the affected technologies (OpenSSL), they could (emphasis on could) have had data that was thought to be encrypted stolen. If they are having it stolen, changing your password before they fix it is pointless.

Vulnerability Alert: http://www.us-cert.gov/ncas/alerts/TA14-098A
Vulnerability Note: http://www.kb.cert.org/vuls/id/720951
Companies Who Reported Running and Fixing the Affected Library: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4

The list of companies does not mean data was stolen (it's possible no one will really know if data was stolen until they find the data out in the wild), just that they had the potential to be affected and have closed the vulnerability.

TravelGal
04-09-14, 01:52 PM
Thanks, Insomniac. That's what I thought in the first place, but then the Henny Pennys started taking over and got me spooked.

Stroker, a vulnerability was discovered and is now being described as a black hole into which all your data will disappear into the hands of the hackers. Insomniac put it into perspective.

nrc
04-09-14, 02:41 PM
I ran a test against our banking and investment sites and found none of them vulnerable. Whether they were and have fixed it already is hard to say. But so far I haven't seen reports of any widespread attacks with this in the wild. They'll be starting soon but most trustworthy sites should have things fixed pretty quickly.

I'm not sure where they got the 77% of the Internet number that I've seen bandied about. Most of our systems at work were actually too old to be impacted by this relatively new bug.

WickerBill
04-10-14, 06:01 AM
To add to what nrc says, this vulnerability was discovered a year ago. That means:

1. If it were to be widely exploited, it would have been (or has been) happening for months.
2. If your provider hasn't upgraded or installed a new system in the last 12 months, they're likely using an older version of OpenSSL which doesn't have the issue. I believe the 77% number is how many apps use the OpenSSL stack, not how many use the specific buggy version of OpenSSL. Surprise: scare tactic news.


Having said that - this is a massive, critical vulnerability and is truly a black eye for open source anything.

TKGAngel
04-10-14, 08:10 AM
Mashable has a list this morning of the most popular/biggest sites & services and what they say (or aren't saying) about changing your password for their vehicles.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

TravelGal
04-10-14, 11:35 AM
> Mashable has a list this morning of the most popular/biggest sites & services and what they say (or aren't saying) about changing your password for their vehicles.
>
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Good list! Off to change my Dropbox password. I change my Facebook password every 2 weeks or so anyway.

It strikes me how vulnerable Yahoo always is. As an aside, could this be related to the fact that at least 25% of my friends who use Yahoo email had their accounts hacked in the last month? Or is that just the normal cycle of life with Yahoo?

TedN
04-10-14, 02:05 PM
Here in Canada, the Canada Revenue Agency (CRA) has cut off public access to a number of electronic services on its website due to concerns over the Heartbleed Bug. It will likely take until the weekend to restore service at its website. Electronic filing of Income Tax returns is affected.

Ted

Insomniac
04-10-14, 02:05 PM
> Good list! Off to change my Dropbox password. I change my Facebook password every 2 weeks or so anyway.
>
> It strikes me how vulnerable Yahoo always is. As an aside, could this be related to the fact that at least 25% of my friends who use Yahoo email had their accounts hacked in the last month? Or is that just the normal cycle of life with Yahoo?

I'd want to know more about the complexity of the passwords. There are definitely bots running brute force attacks constantly.

cameraman
04-10-14, 02:49 PM
> I'd want to know more about the complexity of the passwords. There are definitely bots running brute force attacks constantly.

How does that work? The majority of systems I log into lock up after about 5 failed attempts:confused:

nrc
04-10-14, 09:35 PM
> To add to what nrc says, this vulnerability was discovered a year ago.

Huh? All indications are that this was just discovered. Yes, the bug has existed for some time but there's no evidence that it has been known or exploited prior to the discovery and release of a fix.


> Having said that - this is a massive, critical vulnerability and is truly a black eye for open source anything.

Yeah, it's a black eye. But the fact that it's open source has nothing to do with the bug. It does mean that those who discovered it were able to supply a fix which was immediately available to everyone upon announcement of the bug.

WickerBill
04-11-14, 05:22 AM
Yeah, I definitely misunderstood the discovery date for the introduction date yesterday. Scratch that part.

Black eyes can occur purely from negative press, and like it or not, that's happening. Heck, the Wall Street Journal is questioning the validity of open source software due to this, as insane as that is. Search for "Heartbleed open source" and the top results are all hand-wringing.

Napoleon
04-11-14, 10:19 AM
> Heck, the Wall Street Journal is questioning the validity of open source software due to this, as insane as that is.

By WSJ, do you mean the WSJ news pages or the WSJ editorial pages? The editorial pages live in an alternate "reality" (i.e. in a fantasyland). When I used to get it, I would get a real giggle out of how, 1 page away from a news story, the editorial page would be pretending that facts established in one of their own stories just were not so.

SteveH
04-11-14, 03:30 PM
NSA Said to Have Used Heartbleed Bug, Exposing Consumers (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html)


> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Nice......

and by nice I mean, nice job NSA. Do whatever is necessary to protect us. :coughcough:

SteveH
04-11-14, 04:58 PM
Heartbleed bug affects gadgets everywhere (http://money.cnn.com/2014/04/11/technology/security/heartbleed-gear/index.html?hpt=hp_t2)

Gnam
04-11-14, 05:15 PM
It's like a reverse Independence Day, where the aliens infect all our computer systems with a virus.

http://s22.postimg.org/t2lldkelt/history_channel_hd_aliens_thumb.jpg

nrc
04-11-14, 08:56 PM
> Yeah, I definitely misunderstood the discovery date for the introduction date yesterday. Scratch that part.
>
> Black eyes can occur purely from negative press, and like it or not, that's happening. Heck, the Wall Street Journal is questioning the validity of open source software due to this, as insane as that is. Search for "Heartbleed open source" and the top results are all hand-wringing.

This bug is particularly egregious because it's open to direct attack. That doesn't change the fact that there's no real evidence to support the notion that open source is less secure overall than closed source. Some CIOs may be swayed by pundit gum flapping but I don't expect much impact overall.

BTW, I find the simultaneous discovery of this by both Google and Codenomicon to be a bit hard to swallow. Three years and then it's independently discovered by two groups at the same time? I'm guessing that one group either heard it through the grapevine or saw traces of the vulnerability testing in their logs.

nrc
04-11-14, 09:00 PM
> NSA Said to Have Used Heartbleed Bug, Exposing Consumers (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html)
>
> Nice......
>
> and by nice I mean, nice job NSA. Do whatever is necessary to protect us. :coughcough:

The NSA has flatly denied this.

http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew

While I'm not particularly inclined to trust the NSA, the original story kind of begs belief. Failing to disclose this bug would risk the security of thousands of sites, including more than a few of the government's own.

nissan gtp
04-12-14, 09:35 AM
Evidently just a programming error

and the "what it is" from http://xkcd.com/1354/

Insomniac
04-14-14, 11:05 AM
> How does that work? The majority of systems I log into lock up after about 5 failed attempts :confused:

Maybe a lot of your sites, but I'm not sure how prevalent that is. I honestly don't know about Facebook, Twitter, Hotmail, GMail, etc. but I don't recall being locked out of those for any period of time for a bad password.