Manx Forums, Live Chat, Blogs & Classifieds for the Isle of Man
Truth Seeker

The Heartbleed Hit List: The Passwords You Need to Change Right Now

The Heartbleed Bug affects web sites that use OpenSSL software to encrypt internet data on their servers. Just to confuse us, SSL is now called TLS, but how can we protect ourselves if passwords have been hacked? The chances of this are small, but mashable.com have made a list of affected sites, and have a helpful video explaining this bug. BTW Manx Forums does not seem to use Secure Logins on its site, so if you see a post from Thomas Jefferson telling us to trust government because it's doing a great job, it's probably fake.

The Heartbleed Hit List: The Passwords You Need to Change Right Now. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


I should add, if you get an email telling you to change your passwords, DON'T click on the embedded link; it may be a phishing email scam. Just go to the web site as you normally do.


LastPass is dead useful for this. It told me which to change and when to change them (i.e. whether to bother yet based on age of certs).

Also checks known lists of leaks for your usernames/email addresses and will alert them.


Lots of the media were saying to change passwords immediately.

Most tech / security people say wait until the affected site has fixed the hole.


It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....


It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....

And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?

It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....

And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?

Slim am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

Heartbleed vulnerable websites on the Alexa top 10000 https://gist.github.com/dberkholz/10169691

Edited by Truth Seeker

It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....

And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?

Slim am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

Heartbleed vulnerable websites on the Alexa top 10000 https://gist.github.com/dberkholz/10169691

Slim, I login every time funnily enough! lol

Correct, although the passwords are partially encrypted with a php algorithm usually, so they still need decrypting.

Thanks

Tony


Slim am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

That's correct, if there's no certificate, the login is plain text.


Affected sites are being advised to revoke existing SSL certificates and issue new ones, since existing certificates can potentially be decrypted from previously logged traffic, i.e. even after the fix.

But many users do not have their OS / browsers set up to check for revoked certificates anyhow.

Slim am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

That's correct, if there's no certificate, the login is plain text.

Ok thanks for the clarification, not much point in changing the Manx Forums password then.


Ok thanks for the clarification, not much point in changing the Manx Forums password then.

If its web server was vulnerable to Heartbleed there would still be a need. Sniffing HTTP isn't trivial; you still need to be able to sniff the connection somehow, whereas Heartbleed allows anyone to get 64k out of the server, which might contain your passwords or sessions.

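Added example, not part of any post in this thread and not OpenSSL's own code: the "64k out of the server" comes from a heartbeat message whose 2-byte length field is trusted without being compared to the data actually received, and this sketch shows the check a patched server applies before echoing anything back. The message layout follows RFC 6520; the function names and sample messages are constructed for illustration.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3      # type (1 byte) + payload_length (2 bytes, big-endian)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload


def parse_heartbeat(message: bytes):
    """Return (type, payload), or None if the message must be silently discarded."""
    if len(message) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, claimed_len = struct.unpack("!BH", message[:HEADER_LEN])
    # The bounds check: the declared payload length (up to 65535, the "64k")
    # must fit inside what was actually received. Without this comparison the
    # reply is built from whatever memory lies beyond the real payload.
    if HEADER_LEN + claimed_len + MIN_PADDING > len(message):
        return None
    return hb_type, message[HEADER_LEN:HEADER_LEN + claimed_len]


def build_response(message: bytes):
    """Echo the payload of a well-formed request; return None for anything else."""
    parsed = parse_heartbeat(message)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    payload = parsed[1]
    header = struct.pack("!BH", HB_RESPONSE, len(payload))
    return header + payload + os.urandom(MIN_PADDING)


# Constructed samples: one honest request, one whose length field overstates
# the 4 bytes of payload that were really sent.
HONEST = struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(MIN_PADDING)
OVERSTATED = struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"ping" + bytes(MIN_PADDING)

if __name__ == "__main__":
    print("honest request echoed:", build_response(HONEST) is not None)
    print("overstated request discarded:", build_response(OVERSTATED) is None)
```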

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed. The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."

http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html
