IMPORTANT: Heartbleed bug and password vulnerability

  1. MoodyBlues

    MoodyBlues - Crazy peacock person -

    (Posting this here rather than Computers so people who don't normally visit C&IT will see it.)

    There's a very serious bug out there that can compromise the privacy/security of your Internet passwords. It's a problem in OpenSSL, and while a fix has been issued, you can't assume at this point that every site you visit [that uses OpenSSL] has applied the fix, nor can you assume that your password info wasn't compromised before the bug was discovered.

    Here's an article about it in the LA Times, and here's a site dedicated to the issue.

    Here's a list on GitHub showing popular sites and their vulnerability status. (Thanks to Clementine_3 for providing this link.)

    Here's a link where you can check a specific server for vulnerabilities. (Thanks to girolez for providing this link.)

    This list from Mashable lets you know which passwords you should change right now. (Thanks to kman9637 for providing this link.)

    Here's an Android app that lets you check to see if any of your installed apps are vulnerable. (Thanks to El Presidente for posting this link.)

    This site was set up to allow checking your browser's ability to detect invalid certificates. (Thanks to MoebusNet for posting this link.)

    From the LA Times article:

  2. out of ideas

    out of ideas Well-Known Member

  3. SiempreTuna

    SiempreTuna Well-Known Member

    Thanks, Moody and Out of Ideas

    I saw a story about that this morning ... just not entirely sure what to do with the information :confused:
  4. pastafarian

    pastafarian Pâtes avec votre foie Moderator

    A lot of passwords may have been compromised, so this may be a good time to change your site passwords. This is particularly true if you recycle passwords between sites. Consider using a password manager like LastPass too. On that subject, and because I use LastPass, they have a tool for users that will check all passwords and tell you if any are vulnerable to Heartbleed. I wouldn't be surprised if other password managers are doing similar.
  5. MoodyBlues

    MoodyBlues - Crazy peacock person -

    Start changing your passwords. :)

    There are a number of ways to approach this, such as actually finding out which sites use OpenSSL and then changing passwords accordingly, OR just plunge in and start changing your passwords. Start with the sites you visit most or rely on most, and work your way down.
  6. Clementine_3

    Clementine_3 Well-Known Member

    BGR did a quick little write-up but what I found most helpful was the link to GitHub, they listed some of the bigger vulnerable sites.
  7. MoodyBlues

    MoodyBlues - Crazy peacock person -

    Thanks, Clementine! That GitHub list is great. Everyone should take a look at it.
  8. girolez

    girolez Often Off Piste Guide

  9. saptech

    saptech Well-Known Member

    Using the above link, when I put in, it comes back with this info.

    So are we okay with this?
  10. SiempreTuna

    SiempreTuna Well-Known Member

    The vulnerability also affects clients, potentially including phones and tablets.

    The Google site states:

    Basically, if you're running 4.1.1 it may be worth contacting your phone manufacturer, otherwise your phone / tablet should be OK - though obviously, the servers you connect to may not.

    Having read a bit more on this, it occurs to me that BEFORE you change your password on an affected site, you might want to ensure they've fixed the bug. If not, you'd potentially be exposing your new and old passwords to a watcher who didn't have the old one :eek:

    Hopefully, a google search will find notifications from websites regarding their fix status - a collation of vendor notifications can be found here.

    Apparently there are tools that claim to identify which sites are at risk - I think by looking at the webserver they're running. Not sure if this can tell you when the sites have been patched.
  11. MoodyBlues

    MoodyBlues - Crazy peacock person -

    Now I can claim to have been prescient! I wanted to avoid the Heartbleed thing, and THAT'S why I never got around to upgrading any of my Android devices above 4.0.4. :D :laugh: :rofl:

    This is a very good point. The problem I'm seeing is that people contacting sites end up with CSRs who don't even know what they're talking about. Think about the usual outcome of a random call to some place like Bank of America; you call their 800 number and get a menu of choices; none of those choices will take you to an IT-smart, up-to-the-minute informed tech person.
  12. kman9637

    kman9637 Well-Known Member

    Y'all might want to check this infographic by Mashable too; it shows what's been compromised, whether they patched it, and whether you should change your passwords.
  13. DonB

    DonB ♡ Spidey Sense !! ♡ ™ Moderator

    Also keep in mind, it is fine to change your passwords, but if the sites visited have not issued a patch, then you are still at risk, until they patch their sites. ;)
  14. El Presidente

    El Presidente Beware The Milky Pirate! Moderator

  15. MoebusNet

    MoebusNet Active Member

    I've checked my Rezound for the default browser, Chrome & Dolphin. None of them check or can be set (to my knowledge) to check for an expired security certificate on a website that could be affected by the Heartbleed bug.

    Only Firefox (so far) seems to check for an expired or invalid security certificate on websites.

    Prove it to yourself:

    This web site was intentionally designed to have an invalid security certificate and should refuse to load (you'll get an error message).

    If it successfully loads, you'll see a message telling you that your browser isn't checking for invalid security certificates.

    I confirmed this behavior on my Hisense Sero 7 Pro also.

  16. John Bean

    John Bean Happy Wanderer

    Interesting. Chrome on desktop does of course refuse to connect but Chrome on Android ignores the revoked certificate and just gets on with it.

    Black mark to the Android team on that one :-(
  17. zuben el genub

    zuben el genub Well-Known Member

    Pale Moon checks also. It uses most of FX tools.
  18. mikedt

    mikedt 你好 Guide

    Dolphin ignores the revoked cert as well and shows the GRC page. FAIL.

    Opera is ok though and refuses to connect. PASS.
  19. SolApathy

    SolApathy Just another robot Guide

    This is going to take a minute to fix...

    Over 50 million android devices still vulnerable

    Myths debunked...

    The revelation this week shocked the world. And new reports coming out about Heartbleed only seem to inspire more worries, not less. The unfortunate result is a lot of misinformation going around.

    Care to join me in a little debunking session? Here are some of the doozies I heard this week, and why they’re not true.

    Myth #1: Heartbleed Is A Virus

    This OpenSSL bug is not a virus. It's a flaw, a simple coding error in the open-source encryption protocol used by many websites and other servers.

    When it works as it should, OpenSSL helps ensure networked communication is protected from eavesdropping. (One clue that a website may be using it is when there’s a “HTTPS” in the Web address, with the extra “s”—although other forms of security do the same thing.)

    So it’s a bug, a security hole that was accidentally left open, allowing others to surveil a communication or login event, as well as pull confidential data or other records out.

    Myth #2: The Bug Only Affects Websites

    Potential security breaches for servers and routers are massive issues, as they allow for the greatest amount of data to leak. And so, websites, online services and network servers tend to get the lion’s share of press. But they’re not the only potential targets.

    The clients that communicate with those servers—i.e. your phones, laptops and other devices used to jump online or connect to other networks—are at risk too due to what’s increasingly being called “reverse Heartbleed.” What that means is that the data stored in your device’s memory could be up for grabs.

    “Typically on the client, the memory is allocated just to that process that’s running. So you don’t necessarily get access to all the processes,” David Chartier, CEO of Codenomicon—the Finnish security firm that co-discovered Heartbleed—told ReadWrite. “[But] you can still leak contents of emails, documents and logins.”

    The idea of unauthorized account and systems setting access can be particularly disconcerting for smart home users. I reached out to startups like SmartThings and Revolv, as well as Zonoff—the company powering Staples Connect’s smart home system—and iControl, which supplies the technology for services like Time Warner Cable, ADT, Comcast, Cox, Rogers and others.

    SmartThings and Revolv have both patched the bug by updating their software to the latest version of OpenSSL. iControl reported back to me, saying that it doesn’t use OpenSSL. At press time, Zonoff wasn’t available for comment.

    (Update: Zonoff also uses OpenSSL, but the company confirmed to ReadWrite that it has updated affected servers with the most recent software, thereby patching the vulnerability.)

    Myth #3: Hackers Can Use It To Remote Control Your Phones

    By all indications so far, a hacker can’t tunnel in directly using Heartbleed and take over control of your smartphone. Again, what’s at stake is the data stored in its memory, at least for those devices that haven't been patched with the latest version of OpenSSL.

    Even if it were possible, iPhones and most Androids are immune to Heartbleed, with one big exception: Android 4.1.1. Google, however, says patches will go out to cover this version of its mobile operating system. Overall, the fact that iOS and Android are largely unaffected must come as a relief, particularly given recent iOS security concerns on other fronts.

    Of course, the apps these phones run might be another story. BlackBerry acknowledged that BBM for iOS and Android, for example, is vulnerable to Heartbleed. Attackers still wouldn't be able to get into the device memory itself using it, but they might be able to listen in on insecure chats in progress. (Update: Blackberry says it is readying a BBM update to address Heartbleed.)

    Myth #4: Windows XP Users Are Screwed Because Microsoft Abandoned Them

    Completely false. Sure, the timing is bad. Microsoft said it won't be supporting Windows XP just as Heartbleed panic set out across the land. But the tech company does not use OpenSSL.

    That’s great news for the loads of PCs out there that still use the 14-year-old Windows operating system—which, at press time, made up more than a quarter of all running desktops. Because if it affected them, they'd be stranded with Heartbleed with no hope of a security update.

    People running XP, indeed all Windows users, get the company’s own encryption component called Secure Channel (aka SChannel), and it's not susceptible to this particular bug. However, it’s worth noting that XP users won’t get any further software support or updates for SChannel either.

    The exceptions are Windows Azure users running Linux in Microsoft's cloud service. These distributions rely on OpenSSL, so Microsoft urges these users to contact the distribution providers for the updated software. As for Mac OS X, Apple has officially declared it is not vulnerable to Heartbleed.

    Myth #5: All Of Our Banks Are Open For Heartbleeding

    The security flaw is serious, but it can't pry open the virtual vaults at our top banks. In fact, American Banker, a news site for bank technologies, reports that no major banks are susceptible.

    These companies have all announced that they don’t use OpenSSL, so they aren’t at risk:

    Bank of America
    Capital One Financial
    JPMorgan Chase
    TD Bank
    U.S. Bancorp
    Wells Fargo
    PNC Financial Services Group

    Of course, there are many more banks and credit unions out there, which is why the Federal Financial Institutions Examination Council (FFIEC) urged "financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability."

    Furthermore, CNET’s check of high-trafficked websites shows that PayPal is not vulnerable to Heartbleed either. Neither are these major retailers, where people may store debit or credit card information:
    (Looks like Target learned a thing or two from its major security breach late last year.)

    So no, the Heartbleed glitch doesn't throw open the doors of these banks and major stores, at least not directly. However, just because these sites and accounts aren’t subject to these hacks, it doesn’t mean that data is entirely safe. (See below.)

    Myth #6: My ____ Site/Service Wasn’t At Risk Or Issued A Patch! I’m Safe Now.

    Not quite. Heartbleed is insidious because it leaves no trace. That means there’s no way to tell if your information was stolen previously from a site or service that has now fixed it.

    As for places that weren’t vulnerable to begin with, your accounts there may still be at risk, if that login information was stored or sent somewhere that was breached.

    Here’s what it boils down to: You’ll want to change passwords everywhere, except on affected sites or services that haven’t patched the hole yet. But be sure to do it once they’ve updated their software. You'll also want to check your credit, account statements and online activity to make sure no unauthorized entries appear.

    Myth #7 (Or is it....Muahahaha): NSA Has Been Using Heartbleed To Spy On Us

    Citing unnamed sources, Bloomberg accused the National Security Agency of knowing about Heartbleed and keeping it quiet. But that's not all. The agency wasn’t simply aware of the bug, says the report—it allegedly exploited the flaw for two years, using it to spy on Americans.

    In light of the PRISM revelations, it’s all too easy to believe. Even before Bloomberg's accusation, suspicions were high that the NSA was involved, with plenty of tweets flooding Twitter questioning the agency's knowledge. It was as if a chorus of "Of course the NSA's involved" rang throughout the Web.

    But the NSA flatly denies it. The agency said it didn't use the security hole—in fact, it claimed to be completely ignorant of the bug's existence prior to the announcement going out.

    There's no way to know if the NSA is being honest with its denial; the agency's credibility isn't exactly at an all-time high. But there’s no hard proof that it has actually exploited Heartbleed for surveillance. So, for now anyway, it's going in the "myth" pile.

    It's difficult to imagine any federal authority or agency not being aware of such a serious security weakness that affects so many. But it's not totally impossible. Just ask the Canada Revenue Agency. That government branch, which also used OpenSSL, had to shut down parts of its website temporarily because it was found to be vulnerable to Heartbleed as well. This just weeks before the Canadian tax deadline, to boot.
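
    Myth #1 above calls Heartbleed "a simple coding error", and several posts in this thread (pastafarian, SiempreTuna, DonB) say to confirm a server is patched before changing a password there. What follows is an added example written for this thread; it is not OpenSSL's source and not part of the quoted article. It models the TLS heartbeat handler in C with and without the one-line fix, runs the same over-long request against both, and includes the client-side test that the "check a specific server" tools linked at the top perform: a response carrying more payload than the client sent. The record layout follows RFC 6520; the simulated `heap` array, the `secret` string placed next to the record, the function names and the `out_cap` guard (which exists only to keep the demo itself memory-safe) are assumptions for the demonstration.

```c
/* Added example for this thread (not OpenSSL source): a model of TLS
 * heartbeat handling before and after the Heartbleed fix, plus the
 * client-side test a scanner uses. Record layout follows RFC 6520;
 * the `heap` array, the `secret` string and the function names are
 * assumptions made for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding per RFC 6520 */

/* Simulated process memory: the received heartbeat record is placed at
 * the front, and data belonging to other connections sits right after it. */
static uint8_t heap[65536 + 64];
static const char secret[] = "session cookie=abc123; password=hunter2";

/* Build a heartbeat request that claims `claimed` payload bytes but
 * actually carries only `actual`. Returns the real record length. */
size_t build_request(uint8_t *rec, uint16_t claimed, size_t actual)
{
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memset(rec + 3, 'A', actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Server side. `rec_len` is the length of the record that really arrived.
 * Returns the response length written to `out`, or -1 if rejected.
 * With patched == 0 this behaves like OpenSSL 1.0.1 through 1.0.1f:
 * the claimed length is trusted and memcpy runs off the end of the record. */
int process_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int patched)
{
    if (patched && rec_len < 1 + 2 + HB_PADDING)
        return -1;                          /* fix, part 1: header must fit */

    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST)
        return -1;

    if (patched && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                          /* fix, part 2: claimed length must fit */

    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                          /* demo-only guard, not in OpenSSL */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);            /* unpatched: reads beyond the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Client/scanner side: if the response carries more payload than we sent,
 * the peer copied memory it had no business sending. This is the test the
 * online "check a specific server" tools perform. */
int response_leaks(const uint8_t *resp, int resp_len, size_t sent_actual)
{
    if (resp_len < 3 || resp[0] != HB_RESPONSE)
        return 0;
    uint16_t payload = (uint16_t)((resp[1] << 8) | resp[2]);
    return payload > sent_actual && resp_len >= 3 + payload;
}

/* One full exchange. Returns 1 if the secret next to the record came back. */
int leaked_secret(int patched, uint16_t claimed, size_t actual)
{
    static uint8_t out[65536 + 64];
    memset(heap, 0, sizeof heap);
    size_t rec_len = build_request(heap, claimed, actual);
    memcpy(heap + rec_len, secret, sizeof secret);   /* unrelated data nearby */

    int n = process_heartbeat(heap, rec_len, out, sizeof out, patched);
    if (n < 0 || !response_leaks(out, n, actual))
        return 0;
    size_t slen = strlen(secret);
    for (int i = 3; i + (int)slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("unpatched, claimed 16384 sent 4: leak=%d\n", leaked_secret(0, 16384, 4));
    printf("patched,   claimed 16384 sent 4: leak=%d\n", leaked_secret(1, 16384, 4));
    printf("patched,   honest request:       leak=%d\n", leaked_secret(1, 4, 4));
    return 0;
}
```

    Two things this makes concrete for the advice in the thread. First, a heartbeat can be sent by either side of a TLS connection, so the same trusted-length copy is why clients (the "reverse Heartbleed" in Myth #2) are exposed when they talk to a malicious server. Second, the scanner check only tells you whether the server is patched right now; as Myth #6 says, nothing in the exchange records whether memory was read before the fix, which is why a password change on a patched site is still the right move.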
  20. MoodyBlues

    MoodyBlues - Crazy peacock person -

    Regarding "Myth #2: The Bug Only Affects Websites"--when I ran the Android app El Presidente posted, it showed, among other things, that Candy Crush Saga uses OpenSSL.
  21. SolApathy

    SolApathy Just another robot Guide

    Yah, it's because the games access web pages on the back-end of the app, not the game itself. The problem is some of these games are coded very badly, especially when it comes to selling content. It's actually pretty scary. I avoid any in-app purchases for that reason...not to mention most in-app purchases are a joke imo
  22. drakey

    drakey New Member

    I would change all passwords just to be sure.
  23. Clementine_3

    Clementine_3 Well-Known Member

    No sense changing them until you are sure that the related site has been patched or was never affected to begin with ;)
  24. MoodyBlues

    MoodyBlues - Crazy peacock person -

    Thanks for posting this info; I'm adding it to the Heartbleed bug thread.
  25. DonB

    DonB ♡ Spidey Sense !! ♡ ™ Moderator

    Merged your thread here since there is already discussion about it here ;)