Heartbleed Vulnerability
Topic author - Moderator
- Posts in topic: 2
- Posts: 6458
- Joined: Fri Oct 20, 2006 4:50 pm
- Location: Outskirts of Houston
Upfront, let me note that this does not affect the Forum, so no worries there.
However, if you haven't seen the news about this during the past day or two, I wanted to bring it to your attention because it has the potential to impact a lot of the websites you may use. The snapshot: Heartbleed (officially CVE-2014-0160) is a recently-discovered security vulnerability in OpenSSL encryption, which is used by millions of websites to protect sensitive data like passwords or credit card information. SSL encryption is the most common way to pass those sensitive data from your computer to a website; you'll typically see "https" in your browser's address bar instead of "http" when SSL is enabled. OpenSSL is one of the most-frequently employed SSL encryption methodologies.
Essentially, this vulnerability can allow anyone to monitor webserver transactions as if the information was not encrypted, and capture things like passwords, email and physical addresses, bank account information, and credit card data.
You will likely want to change all your passwords at any sites with which you exchange any financial information. However, you may also need to change those passwords more than once. Major commercial sites like Amazon have already patched the issue, so changing your password there right now would be effective. But sites that don't have such large, dedicated IT security staff--for example, smaller retailers and regional banks--may not have yet applied the fix. So until they rectify the problem on their servers, changing your password would be ineffective; the new password is still exposed.
Below are some links so you can get up to speed on Heartbleed. First, though, my strongest piece of personal advice is never to use the same password on multiple sites. It's a pain; I know. But this new security flaw clearly illustrates the reason: if you use the same password for your Bank of America account as you do for "ABC Aftermarket Gun Grips," this SSL security vulnerability could yield your password from the small retailer and potentially be used to exploit your personal bank account, even though BofA has patched their systems to protect against the flaw. Also, as much as everyone hates it, use strong passwords...passwords as strong as the servers will allow. If the website permits special characters like #!~*^ and the like, use them. Never, ever, use a simple password that can be easily discovered using brute-force algorithms.
Join the NRA or upgrade your membership today. Support the Texas Firearms Coalition and subscribe to the Podcast.
I’ve contacted my State Rep, Gary Elkins, about co-sponsoring HB560. Have you contacted your Rep?
NRA Benefactor Life Member
- Senior Member
- Posts in topic: 1
- Posts: 5488
- Joined: Wed Aug 25, 2010 9:13 am
- Location: Klein, TX (Houston NW suburb)
Re: Heartbleed Vulnerability
Skiprr wrote:
> First, though, my strongest piece of personal advice is never to use the same password on multiple sites. It's a pain; I know. But this new security flaw clearly illustrates the reason: if you use the same password for your Bank of America account as you do for "ABC Aftermarket Gun Grips," this SSL security vulnerability could yield your password from the small retailer and potentially be used to exploit your personal bank account, even though BofA has patched their systems to protect against the flaw. Also, as much as everyone hates it, use strong passwords...passwords as strong as the servers will allow. If the website permits special characters like #!~*^ and the like, use them. Never, ever, use a simple password that can be easily discovered using brute-force algorithms.
Following this train of thought, I also use a secure password management system called "LastPass".
Basically, I have one long password using upper case, lower case, numerals and special characters to open my LastPass. That decrypts my password storage "vault" that stores all the user names and passwords for all the different online systems I use. LastPass can be used to generate strong passwords for these sites as I set the password (or change it) on these various sites, using rules I define for length and complexity. Using your BofA example, my various banking passwords are 20 random characters utilizing upper case, lower case, numerals and special characters. When I go to a bank, LastPass enters my credentials for me. There is no way I can remember those kinds of passwords, and I am not going to scribble them down on a piece of paper or keep them in a text file on my desktop.
Thanks for the Heartbleed information. LastPass will make going to all my websites and changing all my passwords very simple.
If people are going to go change their password everywhere, this is also a good time to move to a secure password solution like LastPass. I chose LastPass because PCMag had it as a recent "Editors Choice" and CNet also was very positive. There are other solutions out there as well, but I wasn't going to get into analysis/paralysis.
-Just call me Bob . . . Texas Firearms Coalition, NRA Life member, TSRA Life member, and OFCC Patron member
This froggie ain't boiling! Shall not be infringed! Μολών Λαβέ
Re: Heartbleed Vulnerability
Jumping Frog wrote:
> LastPass will make going to all my websites and changing all my passwords very simple.
I get heartburn about the "Create an account with your email address and a strong master password - the last password you have to remember" aspect, i.e., what if somehow your LastPass master password is compromised. Then all of your passwords become available at one time.
I use KeePass myself, which requires that I log on to each and every secure website manually. It too has a "master password" that I have to remember and protect, but by contrast my KeePass database is only on my local computers. I'm a little paranoid about trusting everything to a single company/website.
But I will read up on it more and see what the reviews have to say. EDIT: I just read the PCMag account and it's pretty compelling, though in my naturally paranoid state I'm not sure that, even if my Master Password is not known to the Company, it's also therefore not known to the NSA :shock:
Lots of cool features including sharing with spouse. I will have to check next about any iOS compatibility for our cellphones.
Thanks for mentioning this JF. I did already this morning check every one of my banking websites for the Heartbleed problem and they're all clean-or-fixed.
- Senior Member
- Posts in topic: 1
- Posts: 6134
- Joined: Wed Jan 12, 2005 1:31 pm
- Location: Allen, TX
Re: Heartbleed Vulnerability
My wife is forever forgetting her passwords - she hasn't been on Facebook in months - so I might see about one of those for her.
Real gun control, carrying 24/7/365
- Site Admin
- Posts in topic: 1
- Posts: 17787
- Joined: Wed Dec 22, 2004 9:31 pm
- Location: Friendswood, TX
- Senior Member
- Posts in topic: 1
- Posts: 533
- Joined: Mon Nov 02, 2009 4:08 pm
- Location: Carrollton
Re: Heartbleed Vulnerability
The Heartbleed vulnerability has only been known for a short time.
If you have not logged in to a site in the past 30 days or so your password couldn't have been put at risk by this flaw.
Proactively changing passwords at this juncture MAY put you at more risk than doing nothing.
The fixes JUST came out in the last few days. Not every system has been updated and fixed yet.
Many datacenters literally have thousands or tens of thousands of servers to patch. That will take a while.
Logging into a site that you rarely use to change your password could expose the old and new passwords, if the site hasn't yet implemented the fix.
If it were me I would wait a few more days.
But do what makes you comfortable.
I have a customer that logs in to all his accounts every day to make sure his stuff is still there. Even on Sat and Sunday when NO transactions happen, he still logs in every day. If you are one of those people, then by all means change your password. But I would change it again in about 2 weeks.
Edit to add quote: http://www.zdnet.com/google-aws-rackspa ... TRE17cfd61
"Yahoo, for example, has advised all Tumblr customers to reset passwords to everything, however security experts have warned it may be best to wait for providers to confirm they've fixed the flaw.
"If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed," Sophos' Asia Pacific head of technology Paul Ducklin said.
"And it's fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up.""
- Senior Member
- Posts in topic: 3
- Posts: 1383
- Joined: Mon May 27, 2013 5:54 pm
- Location: McLennan County
Re: Heartbleed Vulnerability
Here's what I do, taken from a security article recommendation.
I created a complex "prefix" of a mixture of alphanumeric characters, and memorized this. It is not written down anywhere. I use this prefix with a similarly complex "suffix" which is unique to each site where I need a password. All of these suffixes are written down with the login information for that site. All of my passwords wind up being 12-16 characters, and I never have the browser or anything "save" them.
USMC, Retired
Treating one variety of person as better or worse than others by accident of birth is morally indefensible.
Re: Heartbleed Vulnerability
Here is a link to a site that will test your secure site to see if it is Heartbleed secure:
https://www.ssllabs.com/ssltest/
So, if you want to see if your Discover card sign-in site is secure, type in discovercard.com (it is secure).
You are not giving out any data or passwords to ssllabs.
Re: Heartbleed Vulnerability
oohrah wrote:
> Here's what I do, taken from a security article recommendation.
> I created a complex "prefix" of a mixture of alphanumeric characters, and memorized this. It is not written down anywhere. I use this prefix with a similarly complex "suffix" which is unique to each site where I need a password. All of these suffixes are written down with the login information for that site. All of my passwords wind up being 12-16 characters, and I never have the browser or anything "save" them.
According to what I read that is not a protection for this Heartbleed thing. They download your password from the site that you are going to.
- Senior Member
- Posts in topic: 3
- Posts: 1383
- Joined: Mon May 27, 2013 5:54 pm
- Location: McLennan County
Re: Heartbleed Vulnerability
rotor wrote:
> oohrah wrote:
> > Here's what I do, taken from a security article recommendation.
> > I created a complex "prefix" of a mixture of alphanumeric characters, and memorized this. It is not written down anywhere. I use this prefix with a similarly complex "suffix" which is unique to each site where I need a password. All of these suffixes are written down with the login information for that site. All of my passwords wind up being 12-16 characters, and I never have the browser or anything "save" them.
> According to what I read that is not a protection for this Heartbleed thing. They download your password from the site that you are going to.
True, but all they get is that one password. It is not good anywhere else. People are vulnerable because they use the same email/pw on multiple sites because it is a pain to memorize a bunch of passwords.
USMC, Retired
Treating one variety of person as better or worse than others by accident of birth is morally indefensible.
- Deactivated until real name is provided
- Posts in topic: 1
- Posts: 496
- Joined: Sat Nov 03, 2012 12:09 pm
Re: Heartbleed Vulnerability
rotor wrote:
> According to what I read that is not a protection for this Heartbleed thing. They download your password from the site that you are going to.
It sounds like they use a bug to get around the encryption in the site traffic. If that's right, the bug is serious and makes current connections vulnerable, and maybe recent cache too, but doesn't allow criminals to download a password you used last year. At least that's what it sounds like to me, but I would like to hear from someone who works in IT security.
Equo ne credite, Teucri. Quidquid id est, timeo Danaos et dona ferentes
Re: Heartbleed Vulnerability
I used the ssllabs program to check every site that I go to that keeps any of my financial info. The only site that was not protected was a hospital, and the CEO says they will be patched next week. From what I understand, this bug doesn't care what your password is. If your bank internet connection is not secure, then a hacker can get in and transfer your funds out. Doesn't matter what your password is. If the site is not secure now and they patch things, then change your password after the patch. But if the site is not secure now, anything on the site can be hacked, not just your account. I am not IT, but having had my identity stolen recently on a credit card I can tell you that it happens. None of this is because your password is bad. They apparently can bypass your password.
Topic author - Moderator
- Posts in topic: 2
- Posts: 6458
- Joined: Fri Oct 20, 2006 4:50 pm
- Location: Outskirts of Houston
Re: Heartbleed Vulnerability
92f-fan wrote:
> The Heartbleed vulnerability has only been known for a short time.
> If you have not logged in to a site in the past 30 days or so your password couldn't have been put at risk by this flaw.
Actually, that's not completely correct. The Heartbleed vulnerability was discovered and made public only a few days ago, but the flaw in OpenSSL has existed for quite some time.
There is no evidence that the flaw was previously exploited; but there is no evidence it wasn't, either.
After being among the thousands who've had debit card exposure the past months, I'm more than a little cautious.
92f-fan wrote:
> "If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed," Sophos' Asia Pacific head of technology Paul Ducklin said.
> "And it's fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up."
Yep. I wholly agree.
What is amazing to me right now is that I'm not receiving Heartbleed notifications from any of my financial institutions. That includes Fidelity, Vanguard, Zions Bank, my mortgage holder, and my credit union.
Is anyone getting info about Heartbleed from their financial accounts?
Join the NRA or upgrade your membership today. Support the Texas Firearms Coalition and subscribe to the Podcast.
I’ve contacted my State Rep, Gary Elkins, about co-sponsoring HB560. Have you contacted your Rep?
NRA Benefactor Life Member
- Senior Member
- Posts in topic: 3
- Posts: 1383
- Joined: Mon May 27, 2013 5:54 pm
- Location: McLennan County
Re: Heartbleed Vulnerability
Skiprr wrote:
> Is anyone getting info about Heartbleed from their financial accounts?
USAA reports on their website that they have protected accounts against this.
USMC, Retired
Treating one variety of person as better or worse than others by accident of birth is morally indefensible.
Re: Heartbleed Vulnerability
Probably nothing to worry about but if you haven't filed your income tax return yet, either because you owe money or are a devout procrastinator, this might be a good year to spend four bits to mail a hard copy instead.
From taxgirl at Forbes:
"The software developer, Last Pass, has created an app at that can check sites for vulnerability...
Here’s what it has to say about www.irs.gov:
A server header was not reported, you should assume this site could be vulnerable.