Heartbleed bug - Passwords You Need to Change Right Now — Parallax Forums


Ron CzapalaRon Czapala Posts: 2,418
edited 2014-04-14 00:56 in General Discussion
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/
The Heartbleed security flaw that exposes a vulnerability in encryption has reportedly extended its reach beyond Web services.

The Wall Street Journal reports some network products created by Cisco and Juniper contain the flaw. The vulnerability affects products such as routers and firewalls.

In an update published Thursday, Cisco says multiple products incorporate OpenSSL, a variation of the Secure Sockets Layer (SSL) protocol used to encrypt sensitive data.

A spokesperson for Juniper tells the Journal updating equipment to patch up the security hole could take some time.

Heartbleed is a flaw that would allow anyone to read the memory of servers running OpenSSL, which leaves information such as usernames, passwords and credit card data exposed.

Comments

  • Ron CzapalaRon Czapala Posts: 2,418
    edited 2014-04-11 12:16
  • CuriousOneCuriousOne Posts: 931
    edited 2014-04-11 12:20
    I really miss the "sweet" days of CodeRed/Nimda/CIH.95 and so on :)
  • Heater.Heater. Posts: 21,230
    edited 2014-04-11 12:47
    Meh, I haven't changed my password for 15 years. Never got hacked. Why are you putting your CC number out there anyway?

    Hey, CodeRed was great. When some machine hit my Apache server at home because of it I could fetch the details from the Apache logs and then get access to the poor sap's computer.

    Whilst we are here, people might like this presentation from Mikko Hypponen about the history of computer exploits and where we are going. http://www.youtube.com/watch?v=s2g9lgYrYJM
  • RDL2004RDL2004 Posts: 2,554
    edited 2014-04-11 12:55
    Awesome, of all the sites listed at that mashable.com link I only use three and none of them were affected.
  • Ron CzapalaRon Czapala Posts: 2,418
    edited 2014-04-11 13:04
    http://en.wikipedia.org/wiki/Heartbleed
    By reading an arbitrary block of the web server's memory, attackers might receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's private master key,[15][17] which would enable attackers to decrypt current or stored traffic via passive man-in-the-middle attack (if perfect forward secrecy is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The attacker cannot control which data is returned, as the server responds with a random chunk of its own memory.

    The bug might also reveal unencrypted parts of users' requests and responses, including any form post data in users' requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.[19]

    At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to an attack.[20]

    The Electronic Frontier Foundation,[21] Ars Technica,[22] and Bruce Schneier[23] all deemed the Heartbleed bug "catastrophic."

    Forbes cybersecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."[24]
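The quoted text says what the bug exposes but not why. As an added example (not code from this thread and not OpenSSL's own source), the C program below models a TLS heartbeat handler twice: once trusting the attacker-supplied payload length, as OpenSSL did before 1.0.1g, and once with the bounds check the fix introduced. The `heap` array, the "ping" request and the secret string placed after it are all constructed for the demo, and the over-read is deliberately confined to that array so the program runs without undefined behaviour; the real bug read whatever happened to follow the record in the process heap, which is why the attacker could not choose what came back.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding (at least 16 bytes). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16
#define HEAP_SIZE   256
#define OUT_SIZE    (HB_HEADER + 65535 + HB_PADDING)

/* Stand-in for the server's heap: the received record sits at the front and
 * whatever else the process was holding follows it. Both the record and the
 * "secret" are constructed for this example. */
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "session=abc123; password=hunter2";

/* Write a request whose length field claims `claimed` payload bytes while
 * only `real` bytes were actually sent. Returns the true record length. */
static size_t build_request(const char *payload, size_t real, uint16_t claimed) {
    size_t rec_len = HB_HEADER + real + HB_PADDING;
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    memcpy(heap + HB_HEADER, payload, real);
    memcpy(heap + rec_len, secret, sizeof secret);   /* adjacent heap data */
    return rec_len;
}

/* Echo `payload` bytes back; both handlers below build their reply this way. */
static void build_response(const unsigned char *rec, uint16_t payload,
                           unsigned char *out, size_t *out_len) {
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* over-reads if payload lies */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    *out_len = HB_HEADER + payload + HB_PADDING;
}

/* Pre-fix behaviour: the attacker-supplied length is trusted and never
 * compared with how many bytes actually arrived (rec_len is ignored). */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    build_response(rec, payload, out, out_len);
    return 0;
}

/* Fixed behaviour, the shape of the check added in OpenSSL 1.0.1g: discard
 * any record too short to hold the claimed payload plus minimum padding. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return -1;
    build_response(rec, payload, out, out_len);
    return 0;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to a 4-byte "ping" that claims 64 bytes
 * carries the secret that happened to sit after the record in memory. */
int vulnerable_leaks_secret(void) {
    static unsigned char out[OUT_SIZE];
    size_t out_len, rec_len = build_request("ping", 4, 64);
    heartbeat_vulnerable(heap, rec_len, out, &out_len);
    return contains(out, out_len, "password=hunter2");
}

/* 1 if the fixed handler drops that malformed request but still answers an
 * honest one (claimed length 4) with a reply no longer than the record. */
int fixed_drops_malformed(void) {
    static unsigned char out[OUT_SIZE];
    size_t out_len, rec_len = build_request("ping", 4, 64);
    if (heartbeat_fixed(heap, rec_len, out, &out_len) != -1) return 0;
    rec_len = build_request("ping", 4, 4);
    if (heartbeat_fixed(heap, rec_len, out, &out_len) != 0) return 0;
    return out_len == rec_len && !contains(out, out_len, "hunter2");
}

int main(void) {
    printf("vulnerable handler leaks the secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops the malformed request: %d\n", fixed_drops_malformed());
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes actually received; everything else, including the echo of up to 64 KB per request, is what the protocol legitimately allows.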
  • xanaduxanadu Posts: 3,347
    edited 2014-04-11 13:50
    Let's not forget a very popular open source VPN - https://community.openvpn.net/openvpn/wiki/heartbleed
  • Heater.Heater. Posts: 21,230
    edited 2014-04-11 14:05
    Well, if you want to be worried read this description of OpenSSL. https://www.peereboom.us/assl/assl/html/openssl.html

    Of course you can also look at the source code yourself. http://www.openssl.org/source/

    Then ask yourself "Why am I putting my CC number on the net?"
  • LoopyBytelooseLoopyByteloose Posts: 12,537
    edited 2014-04-13 10:58
    Yeah, it seems the NSA has hacked OpenSSL for ages... just one of the reasons that Mr.Snowden resides in Russia these days.

    The NSA actually had the gall to provide a random number generator that was in no way random. I am beginning to suspect that the whole idea that computers cannot generate perfect random numbers was a myth created by the NSA to snoop the world. Can the Propeller generate truly random numbers via the jitter in counters or something?

    All my financial sites that I visit have already said that they are aware of Heartbleed and defended against it.

    Other than that, putting your credit card into any purchase on the web seems to always be a bit of a risk. Know who you buy from or know how your credit card provider will act if you have a problem. Mine is pretty good about me popping up in odd South-east Asian countries and buying a Starbucks latte or wanting to use an ATM, and then suddenly saying that I found something that I didn't buy.

    Try testing your major credit card services in Thailand. The results will reveal how secure you really are. Then try the Philippines. Adventure is the name of the game. A bar in Hong Kong is a challenge too.
  • Heater.Heater. Posts: 21,230
    edited 2014-04-13 11:56
    Loopy,
    I am beginning to suspect that the whole idea that computers cannot generate perfect random numbers was a myth created by the NSA to snoop the world. Can the Propeller generate truly random numbers via the jitter in counters or something?
    Be serious. Computers are conceptually Turing Machines. Turing Machines cannot generate random numbers.

    Never mind the fact that you cannot even define "perfect random numbers" so how would you know when you have generated them?

    Yes, the Prop can make random numbers from its PLLs. The PLLs are not a computer in any normally accepted meaning of the word.

    My boss travels a lot. Having been stung by money disappearing from the account after various visits to odd parts of the world he always gets a new credit card before each trip. With a limit set on it. We should treat the net the same way.
  • LoopyBytelooseLoopyByteloose Posts: 12,537
    edited 2014-04-13 12:30
    Computers may 'conceptually' be Turing Machines. But in reality they are what they are. So a PLL can generate a random number for encryption.

    The NSA provided something referred to as an 'elliptical random number generator'. Seems to me an ellipse is just going to come around on itself like a circle. A bit of legerdemain by the spooks that love to snoop.

    Yep, credit cards in tourist venues are just fair game. In fact, they really are fair game just about everywhere.. so I have just one.

    Most of my passwords are to junk services, so I tie them all to one email account and when I forget them, I just request another. My financial stuff is all very tightly under wraps. I won't even install my home computer to be recognized as a safe computer with them.. nothing is safe if someone breaks in and walks away with the computer.

    BTW, Turing machines seem to have infinite memory. There is no infinity on a real computer. The numbers are limited by bits and then rollover. Does infinity rollover?
  • Heater.Heater. Posts: 21,230
    edited 2014-04-13 13:05
    Loopy,

    OK. Let's put this another way. An algorithm, aka program, cannot be written for a Turing machine that will generate random numbers. Of course an algorithm can take as input some physical measurement which happens to be random and give you that as a result. That's hardly the same thing now, is it?

    I know nothing about "elliptic random numbers", I'm pretty sure the math behind it is far removed from what you and I think of as a normal ellipse. Of course you are right, all pseudo random number generator algorithms come back on themselves.

    Does Infinity rollover?

    My Turing Machine simulator here says no:
    > (1.0 / 0.0)
    Infinity
    >  (1.0 / 0.0) + 1
    Infinity
    > 
    

    Isn't JavaScript great! Mind you it got the result in finite time so I'm a bit suspicious.

    My other Turing machine simulator said "don't even try it":
    >>> (1.0 / 0.0) + 1
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    ZeroDivisionError: float division by zero
    
    Python is pretty crappy that way.
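Heater's point that a pseudo random number generator has to "come back on itself" follows from its state being finite. As an added example, not code from this thread or from any project it mentions, the C program below uses a deliberately tiny 16-bit linear congruential generator to make the consequence measurable: Floyd's cycle-finding reports the period the sequence falls into, and a brute-force search shows the other side of a small state, that a few observed outputs give away the seed. The parameters (a=77, c=1 for a full-period generator; a=3, c=0 for a weak one) and the seed 12345 are chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* A 16-bit linear congruential generator, x' = (a*x + c) mod 2^16. Its whole
 * state is one 16-bit value, so it can visit at most 65536 states before it
 * must return to one it has already produced. Parameters are illustrative. */
typedef struct { uint32_t a, c; } lcg_t;

static uint16_t lcg_step(lcg_t g, uint16_t x) {
    return (uint16_t)((g.a * x + g.c) & 0xffffu);
}

/* Fill `out` with the first n outputs after `seed`. */
void lcg_outputs(lcg_t g, uint16_t seed, uint16_t *out, size_t n) {
    uint16_t x = seed;
    for (size_t i = 0; i < n; i++) { x = lcg_step(g, x); out[i] = x; }
}

/* Floyd's tortoise-and-hare: length of the cycle the sequence from `seed`
 * settles into. The point where the two pointers meet lies on the cycle, so
 * one more lap from there measures it. */
uint32_t lcg_period(lcg_t g, uint16_t seed) {
    uint16_t tortoise = lcg_step(g, seed);
    uint16_t hare = lcg_step(g, tortoise);
    while (tortoise != hare) {
        tortoise = lcg_step(g, tortoise);
        hare = lcg_step(g, lcg_step(g, hare));
    }
    uint32_t period = 1;
    hare = lcg_step(g, tortoise);
    while (tortoise != hare) { hare = lcg_step(g, hare); period++; }
    return period;
}

/* The flip side of a small state: given a few observed outputs, an attacker
 * simply tries every seed. Returns the seed, or -1 if none reproduces them. */
int32_t lcg_recover_seed(lcg_t g, const uint16_t *observed, size_t n) {
    for (uint32_t s = 0; s < 65536u; s++) {
        uint16_t x = (uint16_t)s;
        size_t i;
        for (i = 0; i < n; i++) {
            x = lcg_step(g, x);
            if (x != observed[i]) break;
        }
        if (i == n) return (int32_t)s;
    }
    return -1;
}

/* Observe three outputs of the full-period generator seeded with 12345 and
 * recover the seed from them. Returns the recovered seed. */
int32_t lcg_recover_demo(void) {
    lcg_t full = { 77, 1 };
    uint16_t seen[3];
    lcg_outputs(full, 12345, seen, 3);
    return lcg_recover_seed(full, seen, 3);
}

int main(void) {
    lcg_t full = { 77, 1 };   /* a-1 divisible by 4, c odd: full period 65536 */
    lcg_t weak = { 3, 0 };    /* multiplicative only: much shorter cycles */
    printf("period of x' = 77x + 1 from seed 12345: %u\n", lcg_period(full, 12345));
    printf("period of x' = 3x from seed 1: %u\n", lcg_period(weak, 1));
    printf("seed recovered from three outputs: %d\n", lcg_recover_demo());
    return 0;
}
```

The full-period generator cycles through all 65536 states from any seed, which is the best a 16-bit deterministic generator can do; the multiplicative one from seed 1 repeats after 16384 steps and from seed 0 never leaves 0. Real generators have far larger states, but the same argument bounds their period, and a generator seeded from a small or guessable value is recoverable in exactly the way `lcg_recover_seed` shows; that is why the entropy has to come from a physical source such as the PLL jitter mentioned above.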
  • LoopyBytelooseLoopyByteloose Posts: 12,537
    edited 2014-04-14 00:46
    Well, your Turing machine simulator is not a true Turing machine... so we may never know.... (irony intended)

    You are mixing conceptual idealism with actual reality to suit yourself. There is no such thing physically as a true Turing machine.

    In today's news, it seems that 10% of the Android phones and pads have version 4.1.1 out there... Heartbleed can hack these.

    I suspect the worst thing that one can do is to aggregate all your passwords into one database. All the major OSes seem to offer this with encryption as a means to help out those of us who have too many to actually recall easily. The result is that hackers find no one, but many if they succeed.
  • Heater.Heater. Posts: 21,230
    edited 2014-04-14 00:56
    Well, I did say "Turing Machine simulator" and I did offer the output of two of them, thus demonstrating how not completely Turing they are.

    I also mentioned that the JavaScript version managed to add 1 to infinity in a finite amount of time, which seems unlikely to be possible for a real Turing machine.

    No mixing of conceptual idealism and reality here.