Truth Seeker, posted April 11, 2014:

The Heartbleed Bug affects web sites that use OpenSSL software to encrypt internet data on their servers. Just to confuse us, SSL is now called TLS, but how can we protect ourselves if passwords have been hacked? The chances of this are small, but mashable.com have made a list of affected sites, and have a helpful video explaining this bug.

BTW Manx Forums does not seem to use Secure Logins on its site, so if you see a post from Thomas Jefferson telling us to trust government because it's doing a great job, it's probably fake.

The Heartbleed Hit List: The Passwords You Need to Change Right Now.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Truth Seeker, posted April 11, 2014:

I should add, if you get an email telling you to change your passwords, DON'T click on the embedded link; it may be a phishing email scam. Just go to the web site as you normally do.

AcousticallyChallenged, posted April 11, 2014:

LastPass is dead useful for this. It told me which to change and when to change them (i.e. whether to bother yet based on age of certs). Also checks known lists of leaks for your usernames/email addresses and will alert them.

The Old Git, posted April 12, 2014:

Lots of the media were saying to change passwords immediately. Most tech / security people say wait until the affected site has fixed the hole.

devil, posted April 12, 2014:

It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....

Slim, posted April 12, 2014:

> It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....

And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?

Truth Seeker, posted April 12, 2014:

>> It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....
>
> And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?

Slim, am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

Heartbleed vulnerable websites on the Alexa top 10000
https://gist.github.com/dberkholz/10169691

devil, posted April 12, 2014:

>>> It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....
>>
>> And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?
>
> Slim, am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.
>
> Heartbleed vulnerable websites on the Alexa top 10000
> https://gist.github.com/dberkholz/10169691

Slim, I log in every time funnily enough! lol

Correct, although the passwords are partially encrypted with a php algorithm usually, so they still need decrypting.

Thanks
Tony

Slim, posted April 12, 2014:

> Slim, am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

That's correct, if there's no certificate, the login is plain text.

pongo, posted April 12, 2014:

Affected sites are being advised to revoke existing SSL certificates and issue new ones, since existing certificates can potentially be decrypted from previously logged traffic, i.e. even after the fix. But many users do not have their OS / browsers set up to check for revoked certificates anyhow.

Truth Seeker, posted April 12, 2014:

>> Slim, am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.
>
> That's correct, if there's no certificate, the login is plain text.

Ok thanks for the clarification, not much point in changing the Manx Forums password then.

Slim, posted April 12, 2014:

> Ok thanks for the clarification, not much point in changing the Manx Forums password then.

If its web server was vulnerable to Heartbleed there would still be a need. Sniffing HTTP isn't trivial, you still need to be able to sniff the connection somehow, where Heartbleed allows anyone to get 64k out of the server which might contain your passwords or sessions.

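Added example, not part of the original thread or any poster's code: the 64k leak mentioned above came from a server echoing back as many bytes as a heartbeat request claimed to carry, so the sketch below shows the length check a receiver needs before echoing. It uses the RFC 6520 message layout; the names hb_respond and hb_demo and the sample requests are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING   16   /* minimum padding required by RFC 6520 */

/* Builds the echo response for one received heartbeat record.
 * Returns bytes written to out, or 0 when the request is discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The sender's length field is untrusted: it must fit inside the bytes
     * that actually arrived, or the echo would read adjacent memory. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;
    size_t need = HB_HEADER + claimed + HB_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* zeros here; real stacks use random padding */
    return need;
}

/* Constructed sample input: a request carrying `actual` payload bytes
 * whose length field says `claimed`. Returns the response size. */
size_t hb_demo(uint16_t claimed, size_t actual)
{
    uint8_t rec[64] = {0}, out[64];
    if (actual > sizeof rec - HB_HEADER - HB_PADDING)
        return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memset(rec + HB_HEADER, 'A', actual);
    return hb_respond(rec, HB_HEADER + actual + HB_PADDING, out, sizeof out);
}

int main(void)
{
    printf("honest 5-byte request -> %zu bytes echoed\n", hb_demo(5, 5));
    printf("5 bytes, claims 65535 -> %zu bytes echoed\n", hb_demo(0xFFFF, 5));
    return 0;
}
```
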
Truth Seeker, posted April 14, 2014:

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."

http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html