Change your passwords - Heartbleed hack widespread

Discussion in 'User Submitted News' started by T-hug, Apr 10, 2014.

  1. T-hug
    OP

    T-hug Always like this.

    Chief Editor
    9,099
    4,270
    Oct 24, 2002
    England

    Source 1
    Source 2
     


  2. Taleweaver

    Taleweaver Storywriter

    Member
    5,567
    1,619
    Dec 23, 2009
    Belgium
    Belgium
    I heard this on the radio this morning. Ironically, the public exposure is more harmful than the actual error (though admittedly, it is a grave one). This bug was found by security maintenance; there have been no known attacks as of yet. But of course, with information spreading like wildfire, it'll only be a matter of time before exploits are written (assuming the security maintenance was the first to have discovered the possible exploit, and not some malicious guy or firm).

    Unfortunately, the news kind of skims over the facts and goes directly into panic mode. From what I read, the bug comes down to there being a possible way to get 64k of random memory data from the server. That data may contain garbage, it may contain useful information. As such, it'll take some time to send sufficient requests, puzzle the pieces together and make something useful out of it.

    The main threat is in how widespread openSSL is. It's pretty much a standard, and it's pretty likely you have heard of affected companies. Just check this list for the major ones.
    The idea of changing your passwords...it's not bad advice, but the real work needs to be done on the other side. Your company, web host or whatever really needs to update their stuff NOW (or rather: two or three days ago, when it was first made public).


    Oh, and: obligatory Test your server here link.
     
    Satangel likes this.
  3. CompassNorth

    CompassNorth Denko (´・ω・`)

    Member
    501
    171
    Oct 18, 2011
    United States
    Seattle, WA
    Why are people saying this is a hack? It's an exploit.
     
    filfat likes this.
  4. Patxinco

    Patxinco Riding a Shooting Star

    Member
    662
    265
    Apr 18, 2011
    From what I can understand, the bug allows one to get limited information on the data being sent to the affected site, no?
    If it's like this, the worst thing you could do is change your password, because you're sending the current and the new password at the same time, and the best thing could be not entering the sites that still have not patched the bug.
    When the bug is patched, then it's time to change passwords, but right now it's just making them easier to get.

    Correct me if i'm wrong, thanks ^^
     
    tbgtbg likes this.
  5. Tomy Sakazaki

    Tomy Sakazaki GBAtemp Advanced Fan

    Member
    766
    207
    Oct 23, 2006
    Brazil
    Problem is that the encryption keys are always loaded in the RAM of the servers that handle the login process on sites, so when you find them (it's not a matter of if, because crackers can make tools to auto-search for them) you can essentially turn encrypted user data into easily accessible and ready-to-read data.

    Major problem is, changing the passwords won't matter if you do it without checking each site.
    And there are cases - with major sites/portals/forums that actually use various servers to balance bandwidth and service usage - where those simple checking tools won't give an accurate status on the system's security, because the server and port used to access the end user content may be different from those that handle the login system.
    But essentially the thing is: create various strong passwords, use some of them only on bigger sites that are known for trying to patch such problems ASAP (let's say Google, Microsoft, Yahoo and bigger branded shopping sites), some passwords for "medium" sites (that are big businesses but you don't know if they patch security flaws, like news portals, AOL-like sites - in Brazil I can say Terra, UOL, iG and similar) and some for small sites or those with unknown status on security matters, like small forums and content sharing sites.
    And this is a tip to use all the time, not only when a major flaw is found and then shared to public.
     
    tbgtbg likes this.
  6. Taleweaver

    Taleweaver Storywriter

    Member
    5,567
    1,619
    Dec 23, 2009
    Belgium
    Belgium
    :shy: You're right. I was a bit too fast in typing that.
    To be completely correct, it's a possible exploit. The code in itself isn't making an error and in a way, security isn't even compromised...it's just that a single line of code accidentally returns "garbage" data to the requester rather than clean zeroes (the assumed data is normally directly overwritten...but just because it should be overwritten doesn't mean that it actually happens).
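    Taleweaver's two descriptions above (post 2: up to 64k of memory per request; this post: a single line that returns adjacent memory instead of what it should) are close to what happened in OpenSSL's heartbeat handler. The program below is an added example, not code from this thread and not OpenSSL's own source: it models the shape of the bug and of its fix in plain C. The memory arena, the fake "secret" `kAdjacentSecret` sitting next to the received record, and all function names (`build_arena`, `heartbeat_vulnerable`, `heartbeat_fixed`, `response_len`, `leaks_secret`) are constructed for this illustration and stand in for whatever really lay next to the record in a server's heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1      /* RFC 6520 message types and minimum padding */
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed arena, not real heap: the received record occupies the first
 * record_len bytes; what follows stands in for whatever else sat next to it. */
#define ARENA_LEN 80
static const char kAdjacentSecret[] = "session_cookie=abc123;";  /* constructed */

typedef struct {
    unsigned char bytes[ARENA_LEN];
    size_t record_len;      /* bytes actually received on the wire */
} arena_t;

/* A request whose payload_length field claims `claimed` bytes while only
 * `actual` payload bytes were really sent. */
static arena_t build_arena(uint16_t claimed, size_t actual)
{
    arena_t a;
    if (actual > 16) actual = 16;   /* keep record + secret inside the arena */
    memset(a.bytes, 0, sizeof a.bytes);
    a.bytes[0] = HB_REQUEST;
    a.bytes[1] = (unsigned char)(claimed >> 8);
    a.bytes[2] = (unsigned char)(claimed & 0xff);
    memset(a.bytes + 3, 'A', actual);            /* genuine payload */
    a.record_len = 3 + actual + HB_PADDING;      /* zero padding follows */
    memcpy(a.bytes + a.record_len, kAdjacentSecret, sizeof kAdjacentSecret);
    return a;
}

/* Shape of the pre-fix handler: payload_length comes from the attacker and
 * is never compared with record_len. Only the output buffer is protected. */
static int heartbeat_vulnerable(const arena_t *a, unsigned char *resp, size_t cap)
{
    const unsigned char *p = a->bytes;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > cap) return -1;
    /* Demo-only guard so this program never reads outside the arena;
     * the real code had nothing like it, which is the bug. */
    if ((size_t)3 + payload > ARENA_LEN) return -1;
    resp[0] = HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);   /* over-reads when payload > actual */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Shape of the fix: discard the request unless type, length field, claimed
 * payload and padding all fit inside the record that was actually received. */
static int heartbeat_fixed(const arena_t *a, unsigned char *resp, size_t cap)
{
    const unsigned char *p = a->bytes;
    if (a->record_len < 1 + 2 + HB_PADDING) return -1;   /* too short to parse */
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > a->record_len) return -1; /* the fix */
    if (p[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

static unsigned char g_resp[256];   /* response buffer shared by the helpers */

/* Response length from either handler; negative means the request was dropped. */
static int response_len(int use_fixed, uint16_t claimed, size_t actual)
{
    arena_t a = build_arena(claimed, actual);
    return use_fixed ? heartbeat_fixed(&a, g_resp, sizeof g_resp)
                     : heartbeat_vulnerable(&a, g_resp, sizeof g_resp);
}

/* 1 if the bytes handed back to the client contain the adjacent secret. */
static int leaks_secret(int use_fixed, uint16_t claimed, size_t actual)
{
    int n = response_len(use_fixed, claimed, actual);
    size_t slen = strlen(kAdjacentSecret);
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(g_resp + i, kAdjacentSecret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Attacker sends 2 real payload bytes but claims 40. */
    printf("vulnerable: %d-byte response, secret leaked: %d\n",
           response_len(0, 40, 2), leaks_secret(0, 40, 2));
    printf("fixed: %d (negative = request discarded)\n", response_len(1, 40, 2));
    return 0;
}
```

    Build with `cc -std=c11 -Wall heartbeat_demo.c`. The vulnerable handler happily echoes 40 bytes back for a 2-byte payload, and the extra 38 bytes are whatever sat after the record, here the constructed cookie string. The payload_length field is two bytes, so one request can pull at most 65535 bytes; that is the "64k" figure, and nothing stops the client repeating the request. Note that the fix does not zero-fill anything: a request whose claimed length does not fit in the received record is simply discarded, so only bytes the client actually sent can ever be echoed.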
     
  7. BORTZ

    BORTZ "Another stunning Van Gogh"

    Supervisor
    11,590
    14,222
    Dec 2, 2007
    United States
    Pittsburgh
    EZ-Megaman likes this.
  8. Bladexdsl

    Bladexdsl ZOMG my posts...it's over 9000!!!

    Member
    16,113
    3,786
    Nov 17, 2008
    Australia
    Queensland
    Yeah, seen this on the news too. Once again they make it out to be the most serious, dangerous thing on the planet when it really isn't. Anyway, I'm sure my ISP and web server have already started fixing the problem...if there ever was one, so I'm not worried :P
     
  9. Gh0sti

    Gh0sti iOS Guru

    Member
    1,326
    49
    Aug 19, 2009
    United States
    Inside you, all around you
    There's no point in updating passwords until the website has closed off the exploit. Until the website updates their servers with this patch, there's no point updating your passwords.
     
  10. Taleweaver

    Taleweaver Storywriter

    Member
    5,567
    1,619
    Dec 23, 2009
    Belgium
    Belgium
    Ugh...just saw the headlines of today's newspaper. I don't often say this, but THE NEWS IS WRONG!

    From 'De Morgen' (today's edition)

    Computervirus heartbleed belaagt u
    'Grootste internetlek ooit' onderschept al twee jaar uw gegevens
    Sites als google, facebook, yahoo en amazon werden door lek getroffen

    Translated...
    Computer virus heartbleed ensnares you
    'Largest internet leak ever' intercepts your data for two years
    Sites like google, facebook, yahoo and amazon were hit by the leak.


    Uhm...yeah. No. Blatant fearmongering. It's not a virus, it's not certain any data was intercepted to begin with and "hit by" the leak isn't the same as "affected" (and no, that's not a translation issue). The error is as if a back door to your assumed safe castle was open. They make it look like that back door was used and EVERYTHING from inside was stolen, robbed, taken away and looted at the same time.
    The article itself is clearly written with only minimal influence of someone who knows anything of IT.
     
  11. FireGrey

    FireGrey Undercover Admin

    Member
    3,920
    909
    Apr 13, 2010
    If this has been a problem since New Year's Eve 2011, why is it such a big deal now, when everyone is patching it?
     
  12. Arras

    Arras GBAtemp Guru

    Member
    5,858
    2,673
    Sep 14, 2010
    Netherlands
    Because people know about it now. It has gone unnoticed for ages.
     
  13. Tom Bombadildo

    Tom Bombadildo Honk!

    Contributor
    GBAtemp Patron
    10,553
    10,485
    Jul 11, 2009
    United States
    I forgot
  14. Bladexdsl

    Bladexdsl ZOMG my posts...it's over 9000!!!

    Member
    16,113
    3,786
    Nov 17, 2008
    Australia
    Queensland
  15. Clydefrosch

    Clydefrosch GBAtemp Psycho!

    Member
    4,114
    1,167
    Jan 2, 2009
    Gambia, The
    Yeah, you know what will happen in the next few weeks? Millions of people will end up not being able to get into their accounts because they hastily, and in panic, changed passwords and don't remember what they switched to.
     
    Sterling likes this.
  16. joelv6

    joelv6 Neku

    Member
    121
    17
    Jan 24, 2013
    United States
    CA
    No bueno about the SSL thing.

    I remember that Google wasn't affected but Yahoo is.
     
  17. Celice

    Celice GBAtemp Advanced Maniac

    Member
    1,916
    354
    Jan 1, 2008
    United States
    My only interested concern is that various U.S. banks have their online site come up as vulnerable on the server test. Which then leads me to think of the fact that these banking websites also constantly try to get their users to pay bills via this service, or to purchase whatever, or things of that sort. There is also the possibility to get more personal information out of these websites. Verification for such information is generally the same password used to login.

    So I can see how, in some examples, someone might be able to get into John's online banking account via this Heartbleed thing, and then set up some auto-pay for bills that are not John's, or make several purchases that are not John's. And part of me thinks that if this were done, it would be done using John's credentials, and so the bank in question would shun responsibility.
     
  18. Taleweaver

    Taleweaver Storywriter

    Member
    5,567
    1,619
    Dec 23, 2009
    Belgium
    Belgium
    It probably deserves mentioning that this bug "just" allows the interception of data. So banks using a token system with changing numbers every X seconds are still reasonably safe.

    Sorry...both google and yahoo were affected. :(
     
  19. Ashtonx

    Ashtonx n0l1f3

    Member
    511
    137
    Oct 31, 2013
    Poland
    Apparently it also affects the client side. Android 4.1.1 is confirmed to be affected.
     
  20. pwsincd

    pwsincd Garage Flower

    Member
    3,319
    1,711
    Dec 4, 2011
    Manchester UK
    I don't know if there's anything linked between this and my recent PSN hack; some fecks had £60 out of my wallet somehow, but PSN seemed to know about it.