Post #1, April 8th, 2014, 08:18 PM, by MoodyBlues (Thread Author)
Subject: IMPORTANT: Heartbleed bug and password vulnerability

(Posting this here rather than Computers so people who don't normally visit C&IT will see it.)

There's a very serious bug out there that can compromise the privacy/security of your Internet passwords. It's a problem in OpenSSL, and while a fix has been issued, you can't assume at this point that every site you visit [that uses OpenSSL] has applied the fix, nor can you assume that your password info wasn't compromised before the bug was discovered.

Here's an article about it in the LA Times, and here's a site dedicated to the issue.

Here's a list on GitHub showing popular sites and their vulnerability status. (Thanks to Clementine_3 for providing this link.)

Here's a link where you can check a specific server for vulnerabilities. (Thanks to girolez for providing this link.)

This list from Mashable lets you know which passwords you should change right now. (Thanks to kman9637 for providing this link.)

Here's an Android app that lets you check to see if any of your installed apps are vulnerable. (Thanks to El Presidente for posting this link.)

This site was set up to allow checking your browser's ability to detect invalid certificates. (Thanks to MoebusNet for posting this link.)

From the LA Times article:
Quote:
The Heartbleed bug makes it possible for hackers to retrieve code from websites and other online services that would give them access to other information, including user data and passwords. The bug affects services that use the widely popular OpenSSL security library.

OpenSSL is the technology that secures websites that use HTTPS encryption to keep data protected. Users might recognize this from the URL of many of the websites that they use on a regular basis.
(Last edited by MoodyBlues; April 18th, 2014 at 03:39 PM.)
Post #2, April 8th, 2014, 09:38 PM, by out of ideas

Tor info: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
Post #3, April 9th, 2014, 06:25 AM, by SiempreTuna

Thanks, Moody and Out of Ideas.

I saw a story about that this morning... just not entirely sure what to do with the information.
Post #4, April 9th, 2014, 06:37 AM, by pastafarian

A lot of passwords may have been compromised, so this may be a good time to change your site passwords. This is particularly true if you recycle passwords between sites. Consider using a password manager like LastPass too. On that subject, and because I use LastPass, they have a tool for users that will check all passwords and tell you if any are vulnerable to Heartbleed. I wouldn't be surprised if other password managers are doing similar.
Post #5, April 9th, 2014, 06:47 AM, by salar521

It is very necessary to keep your system secure.
Post #6, April 9th, 2014, 12:20 PM, by MoodyBlues (Thread Author)

Quote (Originally Posted by SiempreTuna):
I saw a story about that this morning... just not entirely sure what to do with the information.

Start changing your passwords.

There are a number of ways to approach this, such as actually finding out which sites use OpenSSL and then changing passwords accordingly, OR just plunge in and start changing your passwords. Start with the sites you visit most or rely on most, and work your way down.
Post #7, April 9th, 2014, 12:29 PM, by Clementine_3

BGR did a quick little write-up, but what I found most helpful was the link to GitHub; they listed some of the bigger vulnerable sites.
Post #8, April 9th, 2014, 12:47 PM, by MoodyBlues (Thread Author)

Quote (Originally Posted by Clementine_3):
BGR did a quick little write-up, but what I found most helpful was the link to GitHub; they listed some of the bigger vulnerable sites.

Thanks, Clementine! That GitHub list is great. Everyone should take a look at it.
Post #9, April 9th, 2014, 01:10 PM, by girolez

Hi

Here is a link to a site that can check if a particular site (i.e. the ones you use) is susceptible:

Test your server for Heartbleed (CVE-2014-0160)

It's what GitHub used to make the list.

Roger
Post #10, April 9th, 2014, 07:30 PM, by saptech

Quote (Originally Posted by girolez):
Hi

Here is a link to a site that can check if a particular site (i.e. the ones you use) is susceptible:

Test your server for Heartbleed (CVE-2014-0160)

It's what GitHub used to make the list.

Roger

Using the above link, when I put in androidforums.com, it comes back with this info.

Quote:
Uh-oh, something went wrong: tls: oversized record received with length 20291

tls: oversized record received with length 20291 (and sometimes EOF) means that the service uses STARTLS and I still need to implement it. Use the command line tool meanwhile, with -starttls=ftp/imap/....

So are we okay with this?
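The message quoted in the post above is the checker failing to get a TLS reply at all, which makes the result inconclusive rather than a pass. The following is an added example (editor's code, not the checker's and not from the thread): it parses the five-byte TLS record header the way Go's crypto/tls does, which is where that "oversized record" wording comes from, and shows that a plaintext reply beginning with `<!DOCTYPE` yields exactly the length 20291 seen in the thread. The sample replies are constructed; the link between that length and a `<!DOCTYPE` reply is arithmetic on the header bytes, not a claim about what androidforums.com actually served.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// maxCiphertext is the largest record body Go's crypto/tls accepts: 16384
// bytes of plaintext plus 2048 bytes of expansion. A header claiming more
// produces the "oversized record received with length N" error in the thread.
const maxCiphertext = 16384 + 2048

// TLS record content types (RFC 5246).
var recordTypes = map[byte]string{
	20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data",
}

// Verdict describes what the first five bytes of a server reply look like.
type Verdict struct {
	Kind    string // "tls", "oversized", "unexpected" or "short"
	Type    byte
	Version uint16
	Length  int
	Note    string
}

// printable reports whether every byte is printable ASCII, the fingerprint of
// a plaintext banner (HTML, SMTP, IMAP, ...) rather than a TLS record.
func printable(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// ClassifyReply parses a record header [type(1) | version(2) | length(2)] the
// way a TLS client does and explains why a Heartbleed checker would give up.
// Any Kind other than "tls" means the test never ran: inconclusive, not a pass.
func ClassifyReply(b []byte) Verdict {
	if len(b) < 5 {
		return Verdict{Kind: "short", Note: "fewer than five bytes: no record header to parse"}
	}
	v := Verdict{
		Type:    b[0],
		Version: binary.BigEndian.Uint16(b[1:3]),
		Length:  int(binary.BigEndian.Uint16(b[3:5])),
	}
	if v.Length > maxCiphertext {
		v.Kind = "oversized"
		v.Note = fmt.Sprintf("oversized record received with length %d", v.Length)
		if printable(b[:5]) {
			v.Note += fmt.Sprintf("; header bytes %q are text, so the peer answered in plaintext "+
				"(no TLS on this port, or a service that needs STARTTLS first)", b[:5])
		}
		return v
	}
	name, known := recordTypes[v.Type]
	if !known || v.Version>>8 != 3 {
		v.Kind = "unexpected"
		v.Note = fmt.Sprintf("type 0x%02x / version 0x%04x is not a TLS record header", v.Type, v.Version)
		return v
	}
	v.Kind = "tls"
	v.Note = fmt.Sprintf("%s record, version 0x%04x, %d bytes: the checker can proceed", name, v.Version, v.Length)
	return v
}

func main() {
	// Constructed replies: a ServerHello record header, and an HTML page sent in the clear.
	for _, reply := range [][]byte{
		{0x16, 0x03, 0x03, 0x00, 0x31, 0x02},
		[]byte("<!DOCTYPE html><html>..."),
	} {
		v := ClassifyReply(reply)
		fmt.Printf("%-10s %s\n", v.Kind, v.Note)
	}
}
```

The bytes 'O' and 'C' at offsets 3 and 4 of `<!DOCTYPE` are 0x4F43, which is 20291 in decimal; a server answering a ClientHello with an HTML page therefore produces exactly the error in the thread, and the only safe reading is that the site's TLS status was not tested.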
Post #11, April 10th, 2014, 06:47 AM, by SiempreTuna

The vulnerability also affects clients, potentially including phones and tablets.

The Google site states:

Quote:
Android
All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners)
Basically, if you're running 4.1.1 it may be worth contacting your phone manufacturer, otherwise your phone / tablet should be OK - though obviously, the servers you connect to may not.

Having read a bit more on this, it occurs to me that BEFORE you change your password on an affected site, you might want to ensure they've fixed the bug. If not, you'd potentially be exposing your new and old passwords to a watcher who didn't have the old one.

Hopefully, a Google search will find notifications from websites regarding their fix status - a collation of vendor notifications can be found here.

Apparently there are tools that claim to identify which sites are at risk - I think by looking at the webserver they're running. Not sure if this can tell you when the sites have been patched.
(Last edited by SiempreTuna; April 10th, 2014 at 10:49 AM.)
Post #12, April 10th, 2014, 02:12 PM, by MoodyBlues (Thread Author)

Quote (Originally Posted by SiempreTuna):
The vulnerability also affects clients, potentially including phones and tablets.

The Google site states:

Basically, if you're running 4.1.1 it may be worth contacting your phone manufacturer, otherwise your phone / tablet should be OK - though obviously, the servers you connect to may not.
Now I can claim to have been prescient! I wanted to avoid the Heartbleed thing, and THAT'S why I never got around to upgrading any of my Android devices above 4.0.4.

Quote:
Having read a bit more on this, it occurs to me that BEFORE you change your password on an affected site, you might want to ensure they've fixed the bug. If not, you'd potentially be exposing your new and old passwords to a watcher who didn't have the old one.
This is a very good point. The problem I'm seeing is that people contacting sites end up with CSRs who don't even know what they're talking about. Think about the usual outcome of a random call to some place like Bank of America; you call their 800 number and get a menu of choices; none of those choices will take you to an IT-smart, up-to-the-minute informed tech person.
Post #13, April 10th, 2014, 07:43 PM, by kman9637

Y'all might want to check this infographic by Mashable too; it shows what's been compromised, if they patched it, and if you should change your passwords.
(Last edited by kman9637; April 10th, 2014 at 07:45 PM. Reason: Link issue)
Post #14, April 11th, 2014, 05:50 AM, by DonB

Also keep in mind, it is fine to change your passwords, but if the sites visited have not issued a patch, then you are still at risk, until they patch their sites.
Post #15, April 11th, 2014, 06:17 PM, by El Presidente

https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner

That will let you know if any of the apps on your phone/tab are vulnerable.
Post #16, April 15th, 2014, 10:31 PM, by MoebusNet
Subject: Heartbleed & browsers

I've checked my Rezound for the default browser, Chrome & Dolphin. None of them check or can be set (to my knowledge) to check for an expired security certificate on a website that could be affected by the Heartbleed bug.

Only Firefox (so far) seems to check for an expired or invalid security certificate on websites.

Prove it to yourself:

https://revoked.grc.com/

This web site was intentionally designed to have an invalid security certificate and should refuse to load (you'll get an error message).

If it successfully loads, you'll see a message telling you that your browser isn't checking for invalid security certificates.

I confirmed this behavior on my Hisense Sero 7 Pro also.
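The revocation test described in the post above matters after Heartbleed because a server whose private key may have leaked gets a new certificate and the old one is revoked; a client that validates the chain but never consults revocation data keeps trusting the old one. The added example below (editor's code in Go, not from the thread or from any browser) shows the difference: it builds a constructed CA, a certificate for the hypothetical host revoked.example, and a CRL revoking it, then shows that ordinary chain validation passes and only the extra CRL lookup catches the revocation. All keys and names are generated in the block; nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed test CA, a leaf certificate it issued and a
// DER-encoded CRL in which that CA revokes the leaf.
type PKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  []byte
}

// must unwraps (value, error) pairs while building the fixture; a failure here is a fixture bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI mints a throwaway CA, issues a server certificate for the
// hypothetical host revoked.example and publishes a CRL listing its serial
// number, as a CA would after a Heartbleed key leak.
func BuildPKI() *PKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Re-parse the DER so the CA carries the generated SubjectKeyId the CRL needs.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "revoked.example"},
		DNSNames:     []string{"revoked.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}
	return &PKI{CA: ca, Leaf: leaf, CRL: must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))}
}

// CheckLeaf does what the Android browsers in the thread skip: after the
// ordinary chain and hostname check, which a revoked but otherwise valid
// certificate passes, it verifies the CA-signed CRL and looks the leaf's
// serial number up in it. Go's x509 Verify does not consult CRLs on its own.
func CheckLeaf(p *PKI, host string) (chainOK, revoked bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	if _, err = p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false, false, err
	}
	rl, err := x509.ParseRevocationList(p.CRL)
	if err != nil {
		return true, false, err
	}
	if err = rl.CheckSignatureFrom(p.CA); err != nil {
		return true, false, err
	}
	if time.Now().After(rl.NextUpdate) {
		return true, false, fmt.Errorf("CRL is stale: revocation status unknown, do not assume good")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
			return true, true, nil
		}
	}
	return true, false, nil
}

func main() {
	chainOK, revoked, err := CheckLeaf(BuildPKI(), "revoked.example")
	fmt.Println("chain valid:", chainOK, "revoked:", revoked, "err:", err)
}
```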
Post #17, April 16th, 2014, 01:50 AM, by John Bean

Interesting. Chrome on desktop does of course refuse to connect but Chrome on Android ignores the revoked certificate and just gets on with it.

Black mark to the Android team on that one :-(
Post #18, April 16th, 2014, 04:44 AM, by zuben el genub

Pale Moon checks also. It uses most of Firefox's tools.
Post #19, April 16th, 2014, 05:17 AM, by mikedt

Quote (Originally Posted by John Bean):
Interesting. Chrome on desktop does of course refuse to connect but Chrome on Android ignores the revoked certificate and just gets on with it.

Black mark to the Android team on that one :-(
Dolphin ignores the revoked cert as well and shows the GRC page. FAIL.

Opera is ok though and refuses to connect. PASS.
Post #20, April 17th, 2014, 02:03 PM, by SolApathy

This is going to take a minute to fix...

Over 50 million Android devices still vulnerable

Myths debunked...

The revelation this week shocked the world. And new reports coming out about Heartbleed only seem to inspire more worries, not less. The unfortunate result is a lot of misinformation going around.

Care to join me in a little debunking session? Here are some of the doozies I heard this week, and why they’re not true.

Myth #1: Heartbleed Is A Virus

This OpenSSL bug is not a virus. It's a flaw, a simple coding error in the open-source encryption protocol used by many websites and other servers.

When it works as it should, OpenSSL helps ensure networked communication is protected from eavesdropping. (One clue that a website may be using it is when there’s a “HTTPS” in the Web address, with the extra “s”—although other forms of security do the same thing.)

So it’s a bug, a security hole that was accidentally left open, allowing others to surveil a communication or login event, as well as pull confidential data or other records out.

Myth #2: The Bug Only Affects Websites

Potential security breaches for servers and routers are massive issues, as they allow for the greatest amount of data to leak. And so, websites, online services and network servers tend to get the lion’s share of press. But they’re not the only potential targets.

The clients that communicate with those servers—i.e. your phones, laptops and other devices used to jump online or connect to other networks—are at risk too due to what’s increasingly being called “reverse Heartbleed.” What that means is that the data stored in your device’s memory could be up for grabs.

“Typically on the client, the memory is allocated just to that process that’s running. So you don’t necessarily get access to all the processes,” David Chartier, CEO of Codenomicon—the Finnish security firm that co-discovered Heartbleed—told ReadWrite. “[But] you can still leak contents of emails, documents and logins.”

The idea of unauthorized account and systems setting access can be particularly disconcerting for smart home users. I reached out to startups like SmartThings and Revolv, as well as Zonoff—the company powering Staples Connect’s smart home system—and iControl, which supplies the technology for services like Time Warner Cable, ADT, Comcast, Cox, Rogers and others.

SmartThings and Revolv have both patched the bug by updating their software to the latest version of OpenSSL. iControl reported back to me, saying that it doesn’t use OpenSSL. At press time, Zonoff wasn’t available for comment.

(Update: Zonoff also uses OpenSSL, but the company confirmed to ReadWrite that it has updated affected servers with the most recent software, thereby patching the vulnerability.)

Myth #3: Hackers Can Use It To Remote Control Your Phones

By all indications so far, a hacker can’t tunnel in directly using Heartbleed and take over control of your smartphone. Again, what’s at stake is the data stored in its memory, at least for those devices that haven't been patched with the latest version of OpenSSL.

Even if it was possible, iPhones and most Androids are immune to Heartbleed, with one big exception—Android 4.1.1. Google, however, says patches will go out to cover this version of its mobile operating system. Overall, the fact that iOS and Android are largely unaffected must come as a relief, particularly given recent iOS security concerns on other fronts.

Of course, the apps these phones run might be another story. BlackBerry acknowledged that BBM for iOS and Android, for example, is vulnerable to Heartbleed. Attackers still wouldn't be able to get into the device memory itself using it, but they might be able to listen in on insecure chats in progress. (Update: Blackberry says it is readying a BBM update to address Heartbleed.)

Myth #4: Windows XP Users Are Screwed Because Microsoft Abandoned Them

Completely false. Sure, the timing is bad. Microsoft said it won't be supporting Windows XP just as Heartbleed panic set out across the land. But the tech company does not use OpenSSL.

That’s great news for the loads of PCs out there that still use the 14-year-old Windows operating system—which, at press time, made up more than a quarter of all running desktops. Because if it affected them, they'd be stranded with Heartbleed with no hope of a security update.

People running XP, indeed all Windows users, get the company’s own encryption component called Secure Channel (aka SChannel), and it's not susceptible to this particular bug. However, it’s worth noting that XP users won’t get any further software support or updates for SChannel either.

The exceptions are Windows Azure users running Linux in Microsoft's cloud service. These distributions rely on OpenSSL, so Microsoft urges these users to contact the distribution providers for the updated software. As for Mac OS X, Apple has officially declared it is not vulnerable to Heartbleed.

Myth #5: All Of Our Banks Are Open For Heartbleeding

The security flaw is serious, but it can't pry open the virtual vaults at our top banks. In fact, American Banker, a news site for bank technologies, reports that no major banks are susceptible.

These companies have all announced that they don’t use OpenSSL, so they aren’t at risk:

Bank of America
Capital One Financial
JPMorgan Chase
Citigroup
TD Bank
U.S. Bancorp
Wells Fargo
PNC Financial Services Group

Of course, there are many more banks and credit unions out there, which is why the Federal Financial Institutions Examination Council (FFIEC) urged "financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability."

Furthermore, CNET’s check of high-trafficked websites shows that PayPal is not vulnerable to Heartbleed either. Neither are these major retailers, where people may store debit or credit card information:

Amazon.com
eBay
Groupon
Target
TripAdvisor
Walmart
(Looks like Target learned a thing or two from its major security breach late last year.)

So no, the Heartbleed glitch doesn't throw open the doors of these banks and major stores, at least not directly. However, just because these sites and accounts aren’t subject to these hacks, it doesn’t mean that data is entirely safe. (See below.)

Myth #6: My ____ Site/Service Wasn’t At Risk Or Issued A Patch! I’m Safe Now.

Not quite. Heartbleed is insidious because it leaves no trace. That means there’s no way to tell if your information was stolen previously from a site or service that has now fixed it.

As for places that weren’t vulnerable to begin with, your accounts there may still be at risk, if that login information was stored or sent somewhere that was breached.

Here’s what it boils down to: You’ll want to change passwords everywhere, except on affected sites or services that haven’t patched the hole yet. But be sure to do it once they’ve updated their software. You'll also want to check your credit, account statements and online activity to make sure no unauthorized entries appear.

Myth #7 (Or is it....Muahahaha): NSA Has Been Using Heartbleed To Spy On Us

Citing unnamed sources, Bloomberg accused the National Security Agency of knowing about Heartbleed and keeping it quiet. But that's not all. The agency wasn’t simply aware of the bug, says the report—it allegedly exploited the flaw for two years, using it to spy on Americans.

In light of the PRISM revelations, it’s all too easy to believe. Even before Bloomberg's accusation, suspicions were high that the NSA was involved, with plenty of tweets flooding Twitter questioning the agency's knowledge. It was as if a chorus of "Of course the NSA's involved" rang throughout the Web.

But the NSA flatly denies it. The agency said it didn't use the security hole—in fact, it claimed to be completely ignorant of the bug's existence prior to the announcement going out.

There's no way to know if the NSA is being honest with its denial; the agency's credibility isn't exactly at an all-time high. But there’s no hard proof that it has actually exploited Heartbleed for surveillance. So, for now anyway, it's going in the "myth" pile.

It's difficult to imagine any federal authority or agency not being aware of such a serious security weakness that affects so many. But it's not totally impossible. Just ask the Canada Revenue Agency. That government branch, which also used OpenSSL, had to shut down parts of its website temporarily because it was found to be vulnerable to Heartbleed as well. This just weeks before the Canadian tax deadline, to boot.
(Last edited by SolApathy; April 17th, 2014 at 02:06 PM.)
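The article quoted above calls Heartbleed "a simple coding error"; the added example below (editor's code in Go, not OpenSSL's and not from the thread) models that error and the bounds check that fixed it. The heartbeat handler trusted the payload length field inside the message instead of the number of bytes that actually arrived, so it copied stale memory into its reply; the "stale" bytes, the buffer layout and the requests here are constructed stand-ins, and the real code is C in OpenSSL's t1_lib.c.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hbRequest  = 1
	hbResponse = 2
	hbPadding  = 16 // RFC 6520: at least 16 bytes of padding follow the payload
)

// stale stands in for data that earlier connections left behind in the reused
// OpenSSL buffer (constructed sample; on real servers it could be cookies,
// passwords or key material, which is what made the bug serious).
var stale = []byte("Cookie: session=CONSTRUCTED-SECRET-1234\r\n")

// layout places a received heartbeat record at the start of a buffer that
// still holds stale bytes after it, the memory picture the bug relied on.
func layout(record []byte) []byte {
	buf := make([]byte, len(record)+len(stale)+1024)
	copy(buf, record)
	copy(buf[len(record):], stale)
	return buf
}

// buildResponse echoes n payload bytes starting at src as a heartbeat
// response [type(1) | payload_length(2) | payload].
func buildResponse(src []byte, n int) []byte {
	resp := make([]byte, 3, 3+n)
	resp[0] = hbResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(n))
	return append(resp, src[:n]...)
}

// vulnerableHandler mirrors the pre-1.0.1g logic: it trusts the sender's
// payload_length field and copies that many bytes, running past the end of
// the record into whatever sits after it.
func vulnerableHandler(record []byte) []byte {
	buf := layout(record)
	declared := int(binary.BigEndian.Uint16(buf[1:3]))
	if 3+declared > len(buf) {
		declared = len(buf) - 3 // Go would panic on a real overrun; C just kept reading
	}
	return buildResponse(buf[3:], declared)
}

// fixedHandler adds the check from the OpenSSL 1.0.1g fix: header, declared
// payload and minimum padding must all fit inside the bytes actually
// received, otherwise the record is silently discarded.
func fixedHandler(record []byte) ([]byte, error) {
	if len(record) < 1+2+hbPadding {
		return nil, errors.New("heartbeat: record too short")
	}
	declared := int(binary.BigEndian.Uint16(record[1:3]))
	if 1+2+declared+hbPadding > len(record) {
		return nil, errors.New("heartbeat: declared payload length exceeds record; discarded")
	}
	return buildResponse(record[3:], declared), nil
}

// heartbeat builds a request whose payload_length field says `claim` bytes
// while carrying only the given payload plus padding (constructed input; a
// well-formed request has claim == len(payload)).
func heartbeat(payload []byte, claim uint16) []byte {
	r := []byte{hbRequest, 0, 0}
	binary.BigEndian.PutUint16(r[1:3], claim)
	r = append(r, payload...)
	return append(r, make([]byte, hbPadding)...)
}

func main() {
	bad := heartbeat([]byte("hi"), 200)
	fmt.Printf("vulnerable handler echoes: %q\n", vulnerableHandler(bad)[3:])
	_, err := fixedHandler(bad)
	fmt.Println("fixed handler:", err)
}
```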
Post #21, April 17th, 2014, 03:12 PM, by MoodyBlues (Thread Author)

Regarding "Myth #2: The Bug Only Affects Websites"--when I ran the Android app El Presidente posted, it showed, among other things, that Candy Crush Saga uses OpenSSL.
Post #22, April 17th, 2014, 04:52 PM, by SolApathy

Quote (Originally Posted by MoodyBlues):
Regarding "Myth #2: The Bug Only Affects Websites"--when I ran the Android app El Presidente posted, it showed, among other things, that Candy Crush Saga uses OpenSSL.
Yah, it's because the games access web pages on the back-end of the app, not the game itself. The problem is some of these games are coded very badly, especially when it comes to selling content. It's actually pretty scary. I avoid any in-app purchases for that reason... not to mention most in-app purchases are a joke, IMO.
(Last edited by SolApathy; April 17th, 2014 at 05:02 PM.)
Post #23, April 17th, 2014, 09:43 PM, by drakey

I would change all passwords just to be sure.
Post #24, April 18th, 2014, 07:45 AM, by Clementine_3

Quote (Originally Posted by drakey):
I would change all passwords just to be sure.
No sense changing them until you are sure that the related site has been patched or was never affected to begin with.
Post #25, April 18th, 2014, 02:42 PM, by MoodyBlues (Thread Author)

Quote (Originally Posted by MoebusNet):
I've checked my Rezound for the default browser, Chrome & Dolphin. None of them check or can be set (to my knowledge) to check for an expired security certificate on a website that could be affected by the Heartbleed bug.

Only Firefox (so far) seems to check for an expired or invalid security certificate on websites.

Prove it to yourself:

https://revoked.grc.com/

This web site was intentionally designed to have an invalid security certificate and should refuse to load (you'll get an error message).

If it successfully loads, you'll see a message telling you that your browser isn't checking for invalid security certificates.

I confirmed this behavior on my Hisense Sero 7 Pro also.
Thanks for posting this info; I'm adding it to the Heartbleed bug thread.
Post #26, April 18th, 2014, 02:52 PM, by DonB

Quote (Originally Posted by MoebusNet):
I've checked my Rezound for the default browser, Chrome & Dolphin. None of them check or can be set (to my knowledge) to check for an expired security certificate on a website that could be affected by the Heartbleed bug.

Only Firefox (so far) seems to check for an expired or invalid security certificate on websites.

Prove it to yourself:

https://revoked.grc.com/

This web site was intentionally designed to have an invalid security certificate and should refuse to load (you'll get an error message).

If it successfully loads, you'll see a message telling you that your browser isn't checking for invalid security certificates.

I confirmed this behavior on my Hisense Sero 7 Pro also.
Merged your thread here since there is already discussion about it here.
Post #27, April 19th, 2014, 01:05 PM, by Joelgp83

XKCD has an illustration of how the bug works, if anyone's curious.
Post #28, April 21st, 2014, 10:53 PM, by JHell
Subject: Heart bleed?!!

Should we be worried? I just did some research about it and Google seems to be handling it. I was just wondering what everybody's opinion on it is.
Post #29, April 21st, 2014, 11:00 PM, by El Presidente

Quote (Originally Posted by JHell):
Should we be worried? I just did some research about it and Google seems to be handling it. I was just wondering what everybody's opinion on it is.

Merged this in with our existing Heartbleed thread in the Lounge.
Post #30, April 22nd, 2014, 11:09 PM, by MoodyBlues (Thread Author)

Quote (Originally Posted by JHell):
Should we be worried? I just did some research about it and Google seems to be handling it. I was just wondering what everybody's opinion on it is.

Hopefully, everyone is taking it very seriously! And following the links that I've added to the OP.

Tags: bug, certificate, heartbleed, passwords, privacy breach, security