Discussion in 'User Submitted News' started by T-hug, Apr 10, 2014.
I've heard this on the radio this morning. Ironically, the public exposure is more harmful than the actual error (though admitted, it is a grave one). This bug is found by the security maintenance; there have been no known attacks as of yet. But of course, with information spreading like wildfire, it'll only be a matter of time before exploits will be written (assuming the security maintenance was the first to have discovered the hack possible exploit, and not some malicious guy or firm).
Unfortunately, news kind of skims over the fact and goes directly into panic mode. From what I read, the bug comes down to there being a possible way to get 64k of random memory data from the server. That data may contain garbage, it may contain useful information. As such, it'll take some time to send sufficient requests, puzzle the pieces together and make something useful out of it.
The main threat is in how widespread OpenSSL is. It's pretty much a standard, and it's pretty likely you have heard of affected companies. Just check this list for the major ones.
The idea of changing your passwords...it's not bad advice, but the real work needs to be done on the other side. Your company, web host or whatever really needs to update their stuff NOW (or rather: two or three days ago, when it was first made public).
Oh, and: obligatory Test your server here link.
Why are people saying this is a hack? It's an exploit.
From what I can understand, the bug allows getting limited information on the data being sent to the affected site, no?
If it's like this, the worst thing you could do is change your password, because you're sending the actual and the new password at the same time, and the best thing could be not entering the sites that still have not patched the bug.
When the bug is patched, then it's time to change passwords, but right now it's just making them easier.
Correct me if I'm wrong, thanks ^^
Problem is that the encryption keys are always loaded in the RAM of the servers that handle the login process on sites, so when you find it (it's not a matter of if, because crackers can make tools to auto search it) you can essentially turn encrypted user data into easily accessible and ready to read data.
Major problem is, that changing the passwords won't matter if you do it without checking each site.
And there are cases - with major sites/portals/forums that actually use various servers to balance bandwidth and service usage - that those simple checking tools won't give accurate status on the system security, because the server and port used to access the end user contents may be different from those that handle the login system.
But essentially the thing is, create various strong passwords, use some of them only on bigger sites that are known for trying to patch those problems ASAP (let's say Google, Microsoft, Yahoo and bigger branded shopping sites), some passwords for "medium" sites (that are big business but you don't know if they patch security flaws, like news portals, AOL-like sites - in Brazil I can say Terra, UOL, iG and similar) and some for small sites or those with unknown status at security matters, like small forums and content sharing sites.
And this is a tip to use all the time, not only when a major flaw is found and then shared to public.
You're right. I was a bit too fast in typing that.
To be completely correct, it's a possible exploit. The code in itself isn't making an error and in a way, security isn't even compromised...it's just that a single line of code accidentally returns "garbage" data to the requester rather than clean zeroes (the assumed data is normally directly overwritten...but just because it should be overwritten doesn't mean that it actually happens).
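The "64k of memory" and the "single line of code" described in the posts above, as an added example that is not from this thread or from OpenSSL itself: a simplified C model of a TLS heartbeat handler with the vulnerable version beside the fixed one. The record layout (type, 2-byte big-endian payload length, payload), the "PING" payload, the adjacent secret and all function names are constructed for this demonstration; the simulation keeps the over-read inside a 64-byte array, which real code does not.

```c
#include <stdint.h>
#include <string.h>

/* Simulated process memory (constructed for this example): the received
 * heartbeat record sits first, immediately followed by unrelated data that
 * must never leave the server. Returns the record length actually received.
 * Keep claimed_len <= 60 so the simulated over-read stays inside the array. */
static size_t make_memory(uint16_t claimed_len, unsigned char *mem, size_t size) {
    const char secret[] = "SECRET_SESSION_TOKEN=abc123";
    memset(mem, 0, size);
    mem[0] = 1;                                   /* heartbeat_request */
    mem[1] = (unsigned char)(claimed_len >> 8);   /* payload length, big-endian */
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "PING", 4);                   /* the real 4-byte payload */
    memcpy(mem + 7, secret, sizeof secret);       /* adjacent memory */
    return 7;                                     /* 1 type + 2 length + 4 payload */
}

/* Vulnerable handler: echoes as many bytes as the peer *claims* it sent,
 * never checking that against the bytes actually received. */
static size_t reply_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                /* never consulted: the bug */
    memcpy(out, rec + 3, claimed);                /* reads past the record */
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the record that was
 * received; otherwise the record is discarded and nothing is sent back. */
static size_t reply_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t claimed;
    if (rec_len < 3) return 0;
    claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed > rec_len - 3) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Reply bytes the chosen handler would send for a record whose header claims
 * claimed_len payload bytes; the reply itself is left in g_reply. */
unsigned char g_reply[64];
size_t heartbeat_reply(uint16_t claimed_len, int use_fix) {
    unsigned char mem[64];
    size_t rec_len = make_memory(claimed_len, mem, sizeof mem);
    memset(g_reply, 0, sizeof g_reply);
    return use_fix ? reply_fixed(mem, rec_len, g_reply)
                   : reply_vulnerable(mem, rec_len, g_reply);
}
```

With an honest header (claimed length 4) both handlers echo "PING"; with a header claiming 20 bytes the fixed handler drops the record, while the vulnerable one returns "PING" followed by 16 bytes of the neighbouring secret.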
Can we merge the threads, we had this posted on Tuesday.
...or maybe not, the responses in the other thread are not that helpful lol
Yeah, seen this on the news too. Once again they make it out to be the most serious, dangerous thing on the planet when it really isn't. Anyway, I'm sure my ISP and web server have already started fixing the problem... if there ever was one, so I'm not worried.
There's no point in updating passwords until the website has closed off the exploit. Until the website updates their servers with this patch there's no point updating your passwords.
Ugh...just saw the headlines of today's newspaper. I don't often say this, but THE NEWS IS WRONG!
From 'De Morgen' (today's edition)
Computervirus heartbleed belaagt u
'Grootste internetlek ooit' onderschept al twee jaar uw gegevens
Sites als google, facebook, yahoo en amazon werden door lek getroffen
Computer virus heartbleed ensnares you
'Largest internet leak ever' intercepts your data for two years
Sites like google, facebook, yahoo and amazon were hit by the leak.
Uhm...yeah. No. Blatant fearmongering. It's not a virus, it's not certain any data was intercepted to begin with and "hit by" the leak isn't the same as "affected" (and no, that's not a translation issue). The error is as if a back door to your assumed safe castle was open. They make it look like that back door was used and EVERYTHING from inside was stolen, robbed, taken away and looted at the same time.
The article itself is clearly written with only minimal influence of someone who knows anything of IT.
If this has been a problem since New Year's Eve 2011, why is it such a big deal now, when everyone is patching it?
Because people know about it now. It has gone unnoticed for ages.
too late pal this thread has more replies
Yeah, you know what will happen in the next few weeks? Millions of people will end up not being able to get into their accounts because they hastily, and in panic, changed passwords and don't remember what they switched to.
No bueno about the SSL things.
I remember that Google wasn't affected but Yahoo is.
My only interested concern is that various U.S. banks have their online site come up as vulnerable on the server test. Which then leads me to think of the fact that these banking websites also constantly try to get their users to pay bills via this service, or to purchase whatever, or things of that sort. There is also the possibility to get more personal information out of these websites. Verification for such information is generally the same password used to login.
So I can see how in some examples, someone might be able to get into John's online banking account via this heartbleed thing, and then setup some auto pay for bills that are not John, or to make several purchases that are not John's. And part of me thinks that if this were done, that it would be done using John's credentials, and so the bank in question would shun responsibility.
It probably deserves mentioning that this bug "just" allows the interception of data. So banks using a token system with changing numbers every X seconds are still reasonably safe.
Sorry...both google and yahoo were affected.
Apparently it also affects the client side. Android 4.1.1 is confirmed to be affected.
I don't know if there's anything linked between this and my recent PSN hack, some fecks had £60 out of my wallet somehow. But PSN seemed to know about it.