Heartbleed

mwonow

Member
SoSH Member
Sep 4, 2005
7,124
Other folks here are probably already aware of Heartbleed, but I just learned of it today, and thought I'd pass it on. Essentially, it's a server-side problem with OpenSSL which can enable hackers to access names, passwords and other info. Here's a description: http://heartbleed.com/
Much more frighteningly, here's a list of vulnerable sites, which includes five that I'm likely to use within the course of any year: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
 
If you're a server admin, you probably want to make sure that you're using a safe version of OpenSSL. If you are simply a user (like me), you don't have a ton of options, outside of changing passwords on those sites, and on any other sites where you might be using a password common to the sites listed as vulnerable...
 

MakMan44

stole corsi's dream
SoSH Member
Aug 22, 2009
19,363
Just heard about this tonight. Thanks for the list, good to know what to avoid. 
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
This thread might have made sense eight hours ago, but every site worth caring about on this list has already been patched.

It's a pain in the ass, and people should go change their passwords once a site has been confirmed to be not dead, but few enough people will that it'll all just recede.
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
A site declared not vulnerable according to that list might have been vulnerable moments before the list was created.
 
To be safe, assume any information you stored on any site using https was never secure.
 
Yes, it sucks.
 

uncannymanny

Member
SoSH Member
Jan 12, 2007
9,097
Yeah this is real scary stuff. How in the world is stackexchange vulnerable? Of every site on this list, you'd think they'd be one of the first to patch.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
HriniakPosterChild said:
To be safe, assume any information you stored on any site using https was never secure.
Yup.

Nobody will though. Because that's hard. :buddy:
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
uncannymanny said:
Yeah this is real scary stuff. How in the world is stackexchange vulnerable? Of every site on this list, you'd think they'd be one of the first to patch.
Because...they didn't know, their HAProxy boxes didn't have distro patches, and they don't really have sensitive data? (OpenID keys are whatever, you just nuke them and force a re-auth.) We have boxes we haven't patched, because they're still running our old SSL cert (to be invalidated tomorrow) due to some technical issues with updating them off of 10.04. They're not meaningfully sensitive, they run SSL for auth rather than encryption and the opportunity cost of maybe munging some statistical-noise data is much lower than trying to manage machines with home-rolled OpenSSL.

Oh, and your browser probably doesn't pay attention to CRLs, so it's not like it saves you from MitM. Your phone browser also probably uses OpenSSL and can be hit with heartbleed, too. So this is still a thing.
 

MakMan44

stole corsi's dream
SoSH Member
Aug 22, 2009
19,363
So Blacken, how does it work if you use something like Twitter or FaceBook to sign in on one of those sites? Change that as well?
 

uncannymanny

Member
SoSH Member
Jan 12, 2007
9,097
Blacken said:
Because...they didn't know, their HAProxy boxes didn't have distro patches, and they don't really have sensitive data? (OpenID keys are whatever, you just nuke them and force a re-auth.) We have boxes we haven't patched, because they're still running our old SSL cert (to be invalidated tomorrow) due to some technical issues with updating them off of 10.04. They're not meaningfully sensitive, they run SSL for auth rather than encryption and the opportunity cost of maybe munging some statistical-noise data is much lower than trying to manage machines with home-rolled OpenSSL.

Oh, and your browser probably doesn't pay attention to CRLs, so it's not like it saves you from MitM. Your phone browser also probably uses OpenSSL and can be hit with heartbleed, too. So this is still a thing.
Well emails and passwords that are certainly used by their users for other sites and services would qualify as sensitive, no? But, it was more of a surprise that a developer site with a portal called serverexchange wouldn't be patched in general regardless.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
MakMan44 said:
So Blacken, how does it work if you use something like Twitter or FaceBook to sign in on one of those sites? Change that as well?
They should have invalidated you. If they didn't, you should.

uncannymanny said:
Well emails and passwords that are certainly used by their users for other sites and services would qualify as sensitive, no?
SE doesn't use fat cookies and 95% of its audience uses OAuth (or OpenID, whichever one they're using for data).

But it was more of a surprise that a developer site with a portal called serverexchange wouldn't be patched in general regardless.
There was no patch until midday yesterday. There was a workaround that came with a nontrivial likelihood of hosing your shit because you'd be recompiling with different flags and OpenSSL doesn't even have a working test suite.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
HriniakPosterChild said:
Harder than waking up one day and having your Vanguard balance be $0.00?
 
Just call me "nobody," I guess.
I changed all mine too, nobody.
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
uncannymanny said:
Well emails and passwords that are certainly used by their users for other sites and services would qualify as sensitive, no? But, it was more of a surprise that a developer site with a portal called serverexchange wouldn't be patched in general regardless.
 
If you use the same password on multiple sites, you aren't part of the solution, you're part of the problem. But you should have known that six months ago after Adobe left 150m passwords out for the taking.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
uncannymanny said:
While true, it's unfortunately an unrealistic expectation and definitely not one that sites should make about their users.
It's 2014. Password vaults are free and easy to use. At this point I'm pretty sure we have officially reached "fix your behavior or fuck off" levels of ease-of-not-passwording.
 

uncannymanny

Member
SoSH Member
Jan 12, 2007
9,097
How many "normal" people would even be aware of that though? I'm pretty sure my parents don't read Mashable or whatever. We just haven't reached the point where enough people understand security on the internet.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
I see nontechnical people (and I don't mean nontechnical employees of tech companies) using LastPass or 1Password all the time.

But even if not, I'm past the point of sympathy. Learn or lose. The only people they hurt are themselves.
 

uncannymanny

Member
SoSH Member
Jan 12, 2007
9,097
Blacken said:
I see nontechnical people (and I don't mean nontechnical employees of tech companies) using LastPass or 1Password all the time.

But even if not, I'm past the point of sympathy. Learn or lose. The only people they hurt are themselves.
I agree with you up to the point where it becomes a company's security policy.

That said I bet many of those people are still storing "password123" in their LastPass.
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
uncannymanny said:
How many "normal" people would even be aware of that though? I'm pretty sure my parents don't read Mashable or whatever. We just haven't reached the point where enough people understand security on the internet.
 
Oh, my father in law was using "golf" for his hotmail password just last year.
 
And then all his friends got an emergency email from him. Seems he was stranded in England, the victim of a horrific robbery, and needed them to wire him some money so he could come home...
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,998
Alexandria, VA
HriniakPosterChild said:
What is on the list seems to be giving you a false sense of security.
 
They were using OpenSSL yesterday. They were vulnerable yesterday. IOW, change your damn Vanguard password!!!
The safest thing to assume is that all sites are compromised, but the fact that they were using OpenSSL yesterday doesn't mean squat--I know of many sites that are still on Ubuntu 10.x, a long-term service release--they're using OpenSSL, but not a recent enough version to be vulnerable to this problem.
 
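The first post tells server admins to make sure they are on a safe version of OpenSSL, and SumnerH's point above is that merely "using OpenSSL" says nothing: older branches (the 0.9.8 builds shipped on Ubuntu 10.x) never had the bug. The script below is an added example written for this thread, not code from any poster or from the OpenSSL project. It parses the banner printed by `openssl version` and classifies it against the upstream affected range (1.0.1 through 1.0.1f plus the 1.0.2 beta series; 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, are not affected). The sample banners are constructed for illustration; the helper that shells out to the local `openssl` binary is the only part that touches the host.

```python
import re
import subprocess

# Upstream affected releases: 1.0.1 (no letter) through 1.0.1f, and the 1.0.2
# beta series. 1.0.1g fixed the bug; 0.9.8 and 1.0.0 never had it.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e').

    Returns None when the banner does not look like OpenSSL output.
    """
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_status(banner):
    """Classify an 'openssl version' banner.

    Returns:
      'affected'     - version string lies in the upstream affected range
      'not_affected' - branch or patch letter outside that range
      'unknown'      - banner could not be parsed
    A distro build may have backported the fix without bumping the version
    string, so 'affected' means "confirm via the package changelog", not
    "definitely vulnerable".
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, fix, letter = v
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 with no letter, and 1.0.1a..1.0.1f, are affected; 1.0.1g+ are fixed.
        return "affected" if letter == "" or letter <= "f" else "not_affected"
    if (major, minor, fix) == (1, 0, 2) and "beta" in banner.lower():
        # The 1.0.2 pre-releases carried the bug as well.
        return "affected"
    return "not_affected"


def local_openssl_banner():
    """Run `openssl version` on this host; returns the banner, or None if absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, shown alongside the live host check.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 0.9.8k 25 Mar 2009",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(f"{sample:35} -> {heartbleed_status(sample)}")
    banner = local_openssl_banner()
    print("this host:", banner or "openssl not found",
          "->", heartbleed_status(banner) if banner else "unknown")
```

Treat the result as a screen, not a verdict: Debian and Ubuntu shipped the fix as a backport that keeps the old `1.0.1e` string, so a host showing `affected` should be checked against its package changelog (`apt-get changelog openssl`, or `rpm -q --changelog openssl` on RPM systems) before anyone rebuilds OpenSSL by hand, which is exactly the "home-rolled OpenSSL" maintenance burden Blacken describes. Any linked-in copies of the library (appliances such as the F5 mentioned later in the thread, or statically linked daemons) are not covered by the system `openssl` binary at all.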

Spelunker

Member
SoSH Member
Jul 17, 2005
11,943
Yeah it was great to see that we're on an old enough version of our F5 that we're not exposed. So, yay for people being lazy?
 

Orange Julia

kittens kitttens kittens kittens
Lifetime Member
SoSH Member
Dec 13, 2006
13,828
NatsTown!
So, we should all change all our passwords everywhere--is that the best solution? Not being snarky, truly trying to understand what the solution is because there's a lot of noise out there. Thanks!
 

Hextall

New Member
Mar 5, 2010
189
I use LastPass, and if you do a security check (tools--> security check) they'll list the sites I have in LastPass affected by Heartbleed and what to do (many of them say "Wait" while the sites update their SSL certificates).
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,998
Alexandria, VA
Orange Julia said:
So, we should all change all our passwords everywhere--is that the best solution? Not being snarky, truly trying to understand what the solution is because there's a lot of noise out there. Thanks!
In an ideal world:

Change passwords everywhere, make sure they're all different so that if one site gets hacked they can't use your password to access another site.
 

uncannymanny

Member
SoSH Member
Jan 12, 2007
9,097
Trlicek's Whip said:
 
I do this with LastPass and am happy with it. 
Curious to hear any info on ease of use. What if I forget my keys one day? How do I use it on a public machine?
 

Trlicek's Whip

Member
SoSH Member
Feb 8, 2009
5,607
New York City
It's fairly easy to use; it'd have to be because I'm fairly clueless with technical stuff past the basics. 
 
In my case my work computer is enabled with YubiKey for a 2-step authorization (password + one-time password generated by the YubiKey when activated and in a USB port). I type in a password, then press the button on the YubiKey to generate the OTP for that specific login. It's tiny and virtually indestructible and waterproof; smaller than a club card key on your keychain. 
 
When I log in there is the option underneath that states "if you lose your YubiKey, click here to disable YubiKey Authentication," which sends you an email link to disable it temporarily. Presumably when I log in the next day there's nothing permanently locked out unless/until I request another key. 
 
The YubiKey-LastPass bundle also allows for 5 different key authorizations. 
 
On public browsers you can log into LastPass from their website directly and access your "vault" of stored sites/passwords. I do that so I don't need my key. FF and Chrome also have LastPass extensions that let you access passwords, auto-logins, etc. There are also smartphone versions of it (the Android one is fine). 
 
LastPass FAQ with YubiKey-specific FAQs here: https://lastpass.com/support.php?cmd=getproductfaq&product=other_yubikey
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
SumnerH said:
In an ideal world:

Change passwords everywhere, make sure they're all different so that if one site gets hacked they can't use your password to access another site.
 
In the real world: start with the sites where you have the most to lose (banks, credit cards, PayPal) and save for the last those where the stakes are lowest (Open Table, SoSH).