Change your passwords - Heartbleed hack widespread

T-hug (OP)


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Source 1
Source 2
 

Taleweaver
I've heard this on the radio this morning. Ironically, the public exposure is more harmful than the actual error (though admitted, it is a grave one). This bug is found by the security maintenance; there have been no known attacks as of yet. But of course, with information spreading like wildfire, it'll only be a matter of time before exploits will be written (assuming the security maintenance was the first to have discovered the hack possible exploit, and not some malicious guy or firm).

Unfortunately, news kind of skims over the fact and goes directly into panic mode. From what I read, the bug comes down to there being a possible way to get 64k of random memory data from the server. That data may contain garbage, it may contain useful information. As such, it'll take some time to send sufficient requests, puzzle the pieces together and make something useful of it.

The main threat is in how widespread OpenSSL is. It's pretty much a standard, and it's pretty likely you have heard of affected companies. Just check this list for the major ones.
The idea of changing your passwords...it's not bad advice, but the real work needs to be done on the other side. Your company, web host or whatever really needs to update their stuff NOW (or rather: two or three days ago, when it was first made public).


Oh, and: obligatory Test your server here link.
 
Patxinco
From what I can understand, the bug allows one to get limited information on the data being sent to the affected site, no?
If it's like this, the worst thing you could do is change your password, because you're sending the actual and the new password at the same time, and the best thing could be not entering the sites that still have not patched the bug.
When the bug is patched, then it's time to change passwords, but now it's just making them easier.

Correct me if I'm wrong, thanks ^^
 
Tomy Sakazaki

Patxinco said:
From what I can understand, the bug allows one to get limited information on the data being sent to the affected site, no?
If it's like this, the worst thing you could do is change your password, because you're sending the actual and the new password at the same time, and the best thing could be not entering the sites that still have not patched the bug.
When the bug is patched, then it's time to change passwords, but now it's just making them easier.

Correct me if I'm wrong, thanks ^^

Problem is that the encryption keys are always loaded in the RAM of the servers that handle the login process on sites, so when you find it (it's not a matter of if, because crackers can make tools to auto search it) you can essentially turn encrypted user data into easily accessible and ready to read data.

Major problem is that changing the passwords won't matter if you do it without checking each site.
And there are cases - with major sites/portals/forums that actually use various servers to balance bandwidth and service usage - where those simple checking tools won't give accurate status on the system security, because the server and port used to access the end user contents may be different from those that handle the login system.
But essentially the thing is: create various strong passwords, use some of them only on bigger sites that are known for trying to patch those problems ASAP (let's say Google, Microsoft, Yahoo and bigger branded shopping sites), some passwords for "medium" sites (that are big business but you don't know if they patch security flaws, like news portals, AOL-like sites - in Brazil I can say Terra, UOL, iG and similar) and some for small sites or those with unknown status at security matters, like small forums and content sharing sites.
And this is a tip to use all the time, not only when a major flaw is found and then shared to the public.
 
Taleweaver
Why are people saying this is a hack? It's an exploit.
:shy: You're right. I was a bit too fast in typing that.
To be completely correct, it's a possible exploit. The code in itself isn't making an error and in a way, security isn't even compromised...it's just that a single line of code accidentally returns "garbage" data to the requester rather than clean zeroes (the assumed data is normally directly overwritten...but just because it should be overwritten doesn't mean that it actually happens).
 

Bladexdsl
Yeah, seen this on the news too. Once again they make it out to be the most serious, dangerous thing on the planet when it really isn't. Anyway, I'm sure my ISP and web server have already started fixing the problem... if there ever was one, so I'm not worried :P
 

Taleweaver
Ugh...just saw the headlines of today's newspaper. I don't often say this, but THE NEWS IS WRONG!

From 'De Morgen' (today's edition)

Computervirus heartbleed belaagt u
'Grootste internetlek ooit' onderschept al twee jaar uw gegevens
Sites als google, facebook, yahoo en amazon werden door lek getroffen

Translated...
Computer virus heartbleed ensnares you
'Largest internet leak ever' intercepts your data for two years
Sites like google, facebook, yahoo and amazon were hit by the leak.


Uhm...yeah. No. Blatant fearmongering. It's not a virus, it's not certain any data was intercepted to begin with and "hit by" the leak isn't the same as "affected" (and no, that's not a translation issue). The error is as if a back door to your assumed safe castle was open. They make it look like that back door was used and EVERYTHING from inside was stolen, robbed, taken away and looted at the same time.
The article itself is clearly written with only minimal influence of someone who knows anything of IT.
 

Clydefrosch
Yeah, you know what will happen in the next few weeks? Millions of people will end up not being able to get into their accounts because they hastily, and in panic, changed passwords and don't remember what they switched to.
 
Celice
My only interested concern is that various U.S. banks have their online site come up as vulnerable on the server test. Which then leads me to think of the fact that these banking websites also constantly try to get their users to pay bills via this service, or to purchase whatever, or things of that sort. There is also the possibility to get more personal information out of these websites. Verification for such information is generally the same password used to login.

So I can see how in some examples, someone might be able to get into John's online banking account via this heartbleed thing, and then setup some auto pay for bills that are not John, or to make several purchases that are not John's. And part of me thinks that if this were done, that it would be done using John's credentials, and so the bank in question would shun responsibility.
 
