Heartbleed bug


Post by Phigure » Thu Apr 10, 2014 10:33 pm

sd5 wrote:seriously
wouldn't a smart bug track attempted password changes?

btw, thought this thread was about the ebola outbreak
(which could be way more serious)
well any decently operated site will have been patched by now so they wouldn't be able to see changed passwords

the real threat is more along the lines of what ronzlo mentioned, the fact that the private keys to SSL certificates (the cryptographic proof that ensures you're communicating with a certain website/service) have essentially been lying out in the open to anyone who knew about this exploit. because of how this bug works, it's impossible to know if they've been compromised, which means that literally every website running OpenSSL needs to have their old certificates revoked and reissued. if they aren't revoked, anyone with the certificates can do a man-in-the-middle attack and listen in and even modify the data being transferred

even if they aren't revoked, if someone has been saving this encrypted traffic (let's say, the NSA), they can use the private keys to decrypt all this past traffic


pretty much the biggest security bug in the last decade, if not ever
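The bug Phigure describes comes down to one missing length check. Below is an added Python sketch (not code from this thread or from OpenSSL) of a heartbeat handler that validates the declared payload length against the record actually received, as the patched 1.0.1g release does, plus a helper a defender can use to flag requests whose declared length exceeds the record; the message layout (type byte, 16-bit length, payload, at least 16 bytes of padding) follows RFC 6520, and all inputs are constructed.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_MIN = 16          # RFC 6520: at least 16 bytes of random padding
HDR_LEN = 1 + 2           # type byte + 16-bit big-endian payload_length


def build_heartbeat(payload: bytes, msg_type: int = HB_REQUEST,
                    declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat message. declared_len lets a test forge the
    length field without supplying that many payload bytes (constructed input)."""
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", msg_type, length) + payload + bytes(PADDING_MIN)


def declared_overread(record: bytes) -> int:
    """Detection metric: how many bytes beyond the received record the
    unpatched 1.0.1 code would have copied, because it trusted payload_length
    and echoed that many bytes from memory. Anything above 0 is worth logging."""
    if len(record) < HDR_LEN:
        return 0
    declared = struct.unpack("!H", record[1:3])[0]
    available = len(record) - HDR_LEN
    return max(0, declared - available)


def handle_heartbeat(record: bytes) -> Optional[bytes]:
    """Patched behaviour: check the declared length against the record length
    before touching the payload; malformed requests are silently discarded."""
    if len(record) < HDR_LEN + PADDING_MIN:
        return None                       # too short to be a valid message
    msg_type, declared = struct.unpack("!BH", record[:HDR_LEN])
    if msg_type != HB_REQUEST:
        return None
    if HDR_LEN + declared + PADDING_MIN > len(record):
        return None                       # the check the original code lacked
    payload = record[HDR_LEN:HDR_LEN + declared]
    return build_heartbeat(payload, HB_RESPONSE)


if __name__ == "__main__":
    good = build_heartbeat(b"ping")
    bad = build_heartbeat(b"x", declared_len=0x4000)   # claims 16 KiB, sends 1 byte
    print("good ->", handle_heartbeat(good))
    print("bad  ->", handle_heartbeat(bad), "overread:", declared_overread(bad))
```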


Post by mks » Thu Apr 10, 2014 11:05 pm

Hypefiend wrote:what i do is i just add an extra number so: password, password1, password2, etc hacker would never guess to add that extra #
You're joking right?

The single best thing that you can do is to make your passwords longer. The longer the password is, the harder it is to crack. For instance, something as simple as password3 could be cracked in seconds using rainbow tables and dictionary attacks.

The next best thing after password length is password complexity. Use a combination of upper and lower case letters, numbers and symbols. Do not use words from the dictionary. Try to think of passphrases for your passwords to help you to remember them.


Post by _ronzlo_ » Fri Apr 11, 2014 12:12 am

motherboard wrote:
Encryption Is Our Best Bet for a Secure Web, and Now It's Bleeding

Encryption is rightly touted as the best way to stay secure and private online. In a world where the NSA has developed powerful tools of attack that jeopardize digital privacy to the fullest extent imaginable (and then some), encryption is essential for scrambling messages to prevent—or at least deter—prying eyes from snooping.

During a talk at the planet’s mecca for cool brands and cool bands, SXSW, Edward Snowden reiterated that “encryption does work,” adding: “We need to not think of encryption as an arcane, dark art, but as basic protection for the digital world.”

That’s not to say that encryption is a surefire win, because there are a multitude of ways that even encrypted communications can be compromised. In fact, Snowden called for stronger encryption in that very same SXSW keynote. So while the goal is to make encryption as easy to use as possible, keeping up with best practices that make encryption effective in a changing cyber-landscape currently requires a fairly nerdy level of attention. Especially in light of recent events.

For example, the computer security community was shaken up last year when revelations of NSA backdoors into popular encryption standards began to make headlines. A company called RSA, that had long been an industry-standard for encryption services, was paid $10 million dollars to essentially break their own software—in a clandestine way that only the NSA would be privy to. And, as Reuters reported last month, that backdoor is bigger than anyone had previously imagined.

But beyond clandestine government backdoors, there are bugs within encryption protocols—just like any other type of software. Enter the Heartbleed bug, which has made a large swath of the internet vulnerable in a big way, by eroding the reliability of a widely-used encryption standard called OpenSSL. This bug has apparently existed within the platform for two years.

Now, if you’re not up on encryption standards and their respective popularity, Meghan Neal wrote an excellent primer on the Heartbleed bug for our sister site Motherboard, where she puts the size of this technical clusterfuck into perspective: “A recent survey from the internet security firm Netcraft showed that 66 percent of websites run on the open source web servers Apache and Nginx, which use OpenSSL by default.”

To learn more about Heartbleed’s impact on the internet, I reached out to Christopher Parsons, a postdoctoral fellow at the Citizen Lab, which is an “interdisciplinary laboratory” at the University of Toronto that primarily studies and investigates “Information and Communication Technologies (ICTs), human rights, and global security.”

In an email, Chris told me: “Heartbleed is a significant vulnerability because a vast number of services rely on OpenSSL to secure client-server communications. In effect, the vulnerability would let someone query a server and extract highly sensitive information (e.g. password/logins, private decryption keys, and other sensitive information stored in a server's memory) without it being evident to the administrator of the server. The result is that Heartbleed gives third-parties a way to access highly sensitive information without administrators' or service-users' knowledge or awareness.”

This, of course, is a major problem. Security aficionados have run mass sweeps of websites to determine just how vulnerable the internet has become as a result of Heartbleed, and some of your favourite online haunts may well be affected; this includes RedTube, Yahoo, OkCupid, Imgur, and Flickr. But not Facebook, Amazon, YouTube, or Wikipedia. So if you plan on paying for a premium subscription at either RedTube or OkCupid this week, perhaps you should hold off until these sites get their shit together; but feel free to order a bunch of books and stock up your farm in Farmville, with purple cows and orchid fields, or whatever it is that people buy in that game.

Imaginary Farmville accessories aside, if you’re a Canadian who felt like doing your taxes online this year, well, Heartbleed has other plans for you. Yesterday the Canadian Revenue Association announced that it would be shutting down all of their public, secure sites until they can figure out what to do with their new friend: the gaping security hole. Right in the middle of the tax season, too. Good going, Heartbleed!

Chris Parsons nearly predicted the CRA’s vulnerability just before they decided to shut down their tax websites, while some of his colleagues and followers criticized the Canadian Cyber Incident Response Centre (CCIRC) for not alerting the public sooner, when it was already obvious the CRA was using a vulnerable version of SSL. Chris discussed the potential ramifications of the CRA’s Heartbleed vulnerability with me:

“A significant amount of highly sensitive tax-related personal information is passed through CRA's online service gateways. A third-party could have, potentially, accessed logins and passwords of Canadians or the private keys of CRA's services. The former set of information would let that party log into CRA and impersonate the person in question. The latter set of data could let the third-party decrypt previously captured client-server information and, as a result, decode not just passwords and logins but also the tax data that individuals provided to CRA.”

It’s not clear if anyone was able to exploit the CRA’s systems before they could shut down entirely, but so far there have been no reports of taxpayer information being jeopardized or stolen. According to the CRA, this problem will be fixed “over the weekend,” and has graciously vowed to not penalize taxpayers for this interruption. As for how they can patch the hole in their system, it’s a simple process that comes with some fine print pertaining to user security. In Chris’s words:

“In most cases it should be relatively straightforward: update to the most recent version of OpenSSL, revoke old certificates, and regenerate new public keys with newly issued certificates. However, this doesn't resolve the problem of someone using the previously captured private keys to decrypt traffic they have previously intercepted, nor does it solve the problem of a third-party having captured users' logins and passwords. It also doesn't fix the problem of a third-party capturing other sensitive information that may have been temporarily placed in the server's memory.”

Since this bug has been kicking around in OpenSSL for two years, there is an enormous amount of confidential data that has been “encrypted,” yet vulnerable, and sent through the internet’s many tubes. If a malicious party has been privy to Heartbleed for any amount of time, then there’s nothing anyone can do, retroactively, about any nefarious data collection or interception that may have taken place. So if the NSA, for example, has an archive of traffic and data that was encrypted with OpenSSL spanning the past two years—stored in one of their data centres—then it’s now open season for all of that presumed-to-be-protected information (assuming they didn’t already know about Heartbleed).

But that’s the big, scary, the U.S. government is watching you angle. For the average user, you should maybe worry about hackers busting into your OkCupid or Imgur account and matching that password with your Facebook or Gmail. If you’re a one-password type of person, then this is a real concern. Chris suggests that “users would be advised to change their logins across sites; first they should change logins/passwords on *non-affected* sites that share credentials with affected sites. Next, once vulnerable sites and services are patched, they should change their passwords on those vulnerable sites.”

As you can probably tell by now, a bug as big as Heartbleed causes a ripple effect of broken trust online. The bug has dented the integrity of OpenSSL, and when you consider that alongside news stories about NSA backdoors in RSA encryption, which are still stinging cryptography enthusiasts the world over, it’s evident that even some of our most complex and robust encryption standards are vulnerable to massive exploits... and the consequences of that are a bit unnerving.

Ultimately, shake-ups like this tend to make tech companies wisen up a bit. After all, even though Yahoo was vulnerable to Heartbleed when the bug was announced, they claim to have already patched everything up, and are making moves to have their free webmail service completely encrypted. Granted, it’s hard to trust a company that let Heartbleed fuck their whole game up—but at least they’re trying to combat the seismic forces of government surveillance and pervasive encryption bugs with large-scale encryption.

In a world where massive, code-cracking spy agencies appear to have a “catch ‘em all” approach to digital data collection—expecting any sort of privacy online is a fool’s game. But with massive encryption bugs like Heartbleed in the mix, it can be tempting to return to an analog world of handwritten notes and in-person visits—if you’re at all concerned about the security of your information.

That said, even though privacy online may be a total illusion, and keeping your credit card number away from hackers and scam artists can seem like a roulette game, many of the web’s major players avoided the Heartbleed effect. And, it’s not as if Heartbleed broke the internet; it just exposed it even further as being a flawed, unsafe place to store information much of the time, and it makes me wonder, personally, when we’ll discover the next bleeding heart-shaped hole—smack dab in the middle of the internet.

It probably won’t be long.
:confused: :L: :A:



Post by RKM » Fri Apr 11, 2014 12:15 am

what i don't get is why they would want to hack my imgur account


Post by Phigure » Fri Apr 11, 2014 12:20 am

RKM wrote:what i don't get is why they would want to hack my imgur account
because they can take your username/password pair from imgur, and the average internet user reuses them across different sites, so they have a statistically good chance of getting access to accounts on other sites that are more valuable


Post by RKM » Fri Apr 11, 2014 12:21 am

par thought they were after my points


Post by _ronzlo_ » Fri Apr 11, 2014 12:22 am

RKM wrote:what i don't get is why they would want to hack my imgur account
bare tits in dere innit. :6:



Post by hifi » Fri Apr 11, 2014 5:31 am

Phigure wrote:except that it's not a dude sitting at a computer screen typing in your password, anyone competent enough to be doing this sort of attack is going to have code that'll try permutations of your password (capitalize certain letters, add numbers to the end, etc)
i know lol i just wanted to make a lame joke


Post by Phigure » Fri Apr 11, 2014 5:38 am

damn well there's enough people who genuinely think so :lol:


Post by rickyarbino » Fri Apr 11, 2014 6:19 am

mks wrote:
Hypefiend wrote:what i do is i just add an extra number so: password, password1, password2, etc hacker would never guess to add that extra #
You're joking right?

The single best thing that you can do is to make your passwords longer. The longer the password is, the harder it is to crack. For instance, something as simple as password3 could be cracked in seconds using rainbow tables and dictionary attacks.

The next best thing after password length is password complexity. Use a combination of upper and lower case letters, numbers and symbols. Do not use words from the dictionary. Try to think of passphrases for your passwords to help you to remember them.
Nah,
password1, password12, password123 etc


Post by ehbes » Fri Apr 11, 2014 7:44 am

I'm gonna take my chances that of the billions of people to choose from they don't pick me


Post by AxeD » Fri Apr 11, 2014 9:45 am

ehbrums1 wrote:I'm gonna take my chances that of the billions of people to choose from they don't pick me
yoleaux much


Post by mks » Fri Apr 11, 2014 10:43 am

jesslem wrote:
mks wrote:
Hypefiend wrote:what i do is i just add an extra number so: password, password1, password2, etc hacker would never guess to add that extra #
You're joking right?

The single best thing that you can do is to make your passwords longer. The longer the password is, the harder it is to crack. For instance, something as simple as password3 could be cracked in seconds using rainbow tables and dictionary attacks.

The next best thing after password length is password complexity. Use a combination of upper and lower case letters, numbers and symbols. Do not use words from the dictionary. Try to think of passphrases for your passwords to help you to remember them.
Nah,
password1, password12, password123 etc
People seriously do this.
SplashData, which makes password management applications, has released its 2013 list of the 25 worst passwords based on files containing millions of stolen passwords posted online in the last year. “123456” now tops “password,” which normally leads the round-up.

Here’s the full list:

123456
password
12345678
qwerty
abc123
123456789
111111
1234567
iloveyou
adobe123
123123
admin
1234567890
letmein
photoshop
1234
monkey
shadow
sunshine
12345
password1
princess
azerty
trustno1
000000

“123456” and “123456789” were a couple of the most popular passwords believed to belong to Adobe users, according to a list published by security consulting firm Stricture Consulting Group in Nov. 2013 after Adobe confirmed a customer data breach a month earlier. That would also explain why “adobe123” is at number 10 and “photoshop” is at number 15 on SplashData’s 2013 list.
http://newsfeed.time.com/2014/01/20/the ... s-of-2013/
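mks's point, that tacking a digit onto a common word adds nothing, is what a server-side blocklist check has to account for. Here is an added Python example (not code from this thread or from SplashData) that strips trailing digits and symbols before comparing a candidate against the 25-entry list quoted above, so "password123" and "Password1!" are both caught as "password"; the 12-character minimum is an assumed policy value, not something stated in the thread.

```python
import re
from typing import List

# The 25 entries of SplashData's 2013 list, as quoted in the post above.
WORST_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}
MIN_LEN = 12   # assumed policy value, not from the thread

# Trailing digits and the usual "make it complex" symbols.
_SUFFIX = re.compile(r"[\d!@#$%^&*.?_-]+$")


def root_of(pw: str) -> str:
    """Undo the 'add a number on the end' habit: lowercase the password and
    drop any trailing digits/symbols, so 'Password123!' compares as 'password'."""
    lowered = pw.lower()
    stripped = _SUFFIX.sub("", lowered)
    return stripped or lowered     # all-digit passwords keep their full form


def check_password(pw: str) -> List[str]:
    """Return the reasons a password should be rejected; [] means accepted."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    root = root_of(pw)
    if root in WORST_2013:
        reasons.append(f"'{root}' is on the common-password list")
    if pw.isdigit():
        reasons.append("digits only")
    return reasons


if __name__ == "__main__":
    for candidate in ("password123", "Password1!", "qwerty2014", "000000",
                      "purple cows and orchid fields"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```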


Post by rickyarbino » Fri Apr 11, 2014 9:37 pm

That's why they're great.
They're like the lo-fi of passwords.


Post by _ronzlo_ » Fri Apr 11, 2014 10:23 pm




Post by Phigure » Sat Apr 12, 2014 1:45 am

http://www.bloomberg.com/news/2014-04-1 ... umers.html
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
OpenSSL 1.0.1 introduced the bug which has been in use since March 2012... which means the pricks basically knew about it as soon as it happened


Post by _ronzlo_ » Sat Apr 12, 2014 9:17 pm

:evil:

