Time to change your passwords (... or not)

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 8:59 pm

It's important to keep in mind that a lot of the Comercial Web Servers (WebLogic and IIS at the very least) do NOT use the OpenSSL libraries. This problem affects mostly WebServers like Apache, or Web Application Servers such as Tomcat (not too sure about Jboss, which is another popular Web Application Server).

Most financial institutions I know(down here at least) don't use Apache or Tomcat or Jboss.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 8:59 pm

squ1d wrote:Bahaha Sigma ... I'm blaming your Clouds for everything in the future!! Why can't you make your Clouds more better???



:cuss: :cuss: :cuss:
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Thu Apr 10, 2014 9:31 pm

You know, after having done some research on available password managers, I think I might take Morrolan's suggestion on LastPass. Looks like they hold your encrypted data, but never see the keys - encryption/decryption takes place locally, always.

Hm. Morrolan, is the paid version worth it? I think I'll give the free version a spin, and if I like it I'd consider upgrading.
User avatar
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby Morrolan » Fri Apr 11, 2014 1:21 am

unless you have multiple computers and platforms you want to use it across, stick to the free version. you can always decide to upgrade later.
i used the free version for about a year and decided to upgrade at the end of last year. i now use it to keep my passwords across android, iOS and Windows 7 and 8.1 machines. changing a password on one applies it to all immediately.

i think the misunderstanding about their vulnerability came from the fact that while they use SSL, they have multiple additional layers of encryption that most others (including McAfee and Intel) don't.

i just read that Facebook and Google are also affected, as well as many US Banks. my bank luckily is not.
"We don't let them have ideas. Why would we let them have guns?" Stalin
User avatar
Morrolan
 
Posts: 227
Joined: Fri May 31, 2013 1:09 am

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Apr 11, 2014 1:59 am

Facebook and Google affected? it's a given. They tend to favor Open Source stuff (which means that even if they don't use Apache/Tomcat, they most probably use OpenSSL for their custom software.

A lot of US Banks? wow, I guess they use Apache a lot.

Here's plenty of geeky info on who's affected..


Surprise! Apache is one of the most vulnerable web servers, however the "Heartbeat Extension" (the OPTIONAL component that has the vulnerability) is not enabled in most of them.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Cyborg Girl » Fri Apr 11, 2014 2:45 am

@squid: umm... sorry about that, I guess I overreached there. I don't design software for a living, so yeah, chances are you know more about this than I do.
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Fri Apr 11, 2014 3:00 am

Thanks, Morrolan, I think I'll do just that. I've installed the free version, and I like what I see so far. I may upgrade down the line, as you say.
User avatar
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby FZR1KG » Fri Apr 11, 2014 3:30 am

Hey squid, just wanted to point out that I make money solely on software at the moment.
I designed the hardware but I only get paid for the firmware I wrote. :P
Hardware designs/upgrades are just a free part of the service.
How times have changed. lol
FZR1KG
 

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Apr 11, 2014 5:33 am

Shouldn't you be playing Popeye the Sailor Man? :P
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Apr 11, 2014 5:44 am

And here ladies and gents is one the most expensive software bugs in history.

Ariane Flight 501

Two words: SHIT HAPPENS.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Morrolan » Fri Apr 11, 2014 9:49 am

Sigma_Orionis wrote:And here ladies and gents is one the most expensive software bugs in history.

Ariane Flight 501

Two words: SHIT HAPPENS.


pretty fireworks, though a bit costly.
You do not have the required permissions to view the files attached to this post.
"We don't let them have ideas. Why would we let them have guns?" Stalin
User avatar
Morrolan
 
Posts: 227
Joined: Fri May 31, 2013 1:09 am

Re: Time to change your passwords (... or not)

Postby FZR1KG » Fri Apr 11, 2014 5:09 pm

What's an overflow between friends?
FZR1KG
 

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Apr 11, 2014 5:17 pm

US$ 370 Million and lots of change :P
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Sat Apr 12, 2014 9:21 pm

Well, I've got to say, I really do quite like LastPass. I think I will shell out for the paid version so I can use it on my iPad. Thanks again for that, Morrolan - good suggestion.
User avatar
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby Morrolan » Mon Apr 14, 2014 3:42 am

The Supreme Canuck wrote:Well, I've got to say, I really do quite like LastPass. I think I will shell out for the paid version so I can use it on my iPad. Thanks again for that, Morrolan - good suggestion.


you're welcome, mate...
"We don't let them have ideas. Why would we let them have guns?" Stalin
User avatar
Morrolan
 
Posts: 227
Joined: Fri May 31, 2013 1:09 am

Re: Time to change your passwords (... or not)

Postby squ1d » Mon Apr 14, 2014 10:32 am

HELLO CAN ANYONE STILL HEAR ME?

IS THE INTERNETS STILL HERE?
squ1d
 
Posts: 679
Joined: Mon May 27, 2013 5:12 pm

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Mon Apr 14, 2014 12:37 pm

This is an Automated Ping Reply from your Local ISP

Nope, nobody here, the Internet is gone, nobody will use it because you and your fellow code monkeys screwed the pooch with the heart-bleed bug.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby SciFiFisher » Mon Apr 14, 2014 6:40 pm

That's OK. I keep seeing advertisements to invest in the next big thing that will spell the demise of the internet anyway. It's on it's way out. :P
"To create more positive results in your life, replace 'if only' with 'next time'." — Author Unknown
"Experience is a hard teacher because she gives the test first, the lesson afterward." — Vernon Law
User avatar
SciFiFisher
Redneck Geek
 
Posts: 4889
Joined: Mon May 27, 2013 5:01 pm
Location: Sacramento CA

Re: Time to change your passwords (... or not)

Postby Swift » Mon Apr 14, 2014 7:51 pm

Sigma_Orionis wrote:This is an Automated Ping Reply from your Local ISP

Nope, nobody here, the Internet is gone, nobody will use it because you and your fellow code monkeys screwed the pooch with the heart-bleed bug.

Now I have this image of a monkey having sex with a dog.

Oh wait, that's just the normal spam e-mails I get.
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
User avatar
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Tue Apr 15, 2014 3:05 pm

Those should be pretty twisted viagra adverts.....

SciFiFisher wrote:That's OK. I keep seeing advertisements to invest in the next big thing that will spell the demise of the internet anyway. It's on it's way out. :P


Let me guess, the same ads that tell you to invest in Venezuela Government Bonds......
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Tue Apr 15, 2014 6:10 pm

Well, Schneier is pissed off about it

He speculates about the damned bug being placed on purpose,

At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.


If he had said it was done on purpose by the NSA or whomever without any hard proof, it would have been the last time I would have read stuff written by him, reputation and credentials or not.

So, yeah: SHIT HAPPENS. Yeah: it was a major fuckup. And yeah: it happened at the worst time possible, when everyone is paranoid about security after Snowden spilled the beans on the NSA's antics.

It sucks, but so does life.

ETA, more from my favorite IT security Curmudgeon on Heartbleed

The skinny is:

- It's hard to compromise a server with Heartbleed, but of course it's possible
- Some Security Geeks at Cloudflare figured that it would be pretty hard, almost impossible to do so, so they issued a challenge.
- 9 hours later, two people managed to win the challenge.
- The people who managed to compromise the server for the challenge sent a huge amount of requests to it. So, one could infer than anyone trying to compromise a server with Heartbleed will get flagged as a DDOS Offender before they can get anything useful out of it.

So, no script kiddies are going to compromise all half a million vulnerable servers, but a determined attacker will. Not all that much of a relief though cause people looking for credit card info to steal tend to be determined.

And by the looks of it everyone is busy patching servers.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Tue Apr 15, 2014 8:53 pm

Hey, want to hear something fun? The Canada Revenue Agency's (Canadian IRS) servers were breached as a result of the bug. Social Insurance Numbers (Canadian SSNs) were stolen. And that's bad, since in Canada, unlike in the US, those are private information - you don't put them on everything willy-nilly. With that number, identity theft is easy.

Worse, it may not just be SINs that were stolen.

Great.
User avatar
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Tue Apr 15, 2014 11:15 pm

Not only the CRA but a British site called Mumsnet as well.

Odd, if the Cloudflare folks are right, it would have taken a lot of https requests to do so, in the order of 100.000. One of the winners of the CloudFlare challenge sent about 2.5 million requests before getting the info that proved he was a winner.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Wed Apr 16, 2014 9:47 pm

Now Heartbleed & Co are unfortunate but this is pretty stupid.

LaCie warns of suspected credit card data breach


Nope, no James Bond type Zero Day Exploits, no Secret Government Service pulling the strings of the Shadow Government, just plain old stupidity.

Experts said it was unusual for such a problem to go unnoticed for so long.

"It is a major breach," Ron Austin, senior lecturer in computer security at Birmingham City University, told the BBC.

"LaCie is a fairly big company and you would question their information security policies.


And NO it wasn't due to Heartbleed, it was due to using a vulnerable version of Adobe's Cold Fusion

And to make it even worse, they had to be told by the Evil FBI.

The statement said that LaCie was alerted to the problem by the FBI on 19 March.

However, security blogger Brian Krebs had warned the company earlier that month that its site might have had credit card data stolen by a criminal gang exploiting vulnerabilities in Adobe's ColdFusion web application development software.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Thu Apr 17, 2014 12:31 am

Huh. They arrested the guy who stole the information from the CRA. That was fast. Apparently they knew who it was before the weekend, and kept the whole mess hushed up until they could nab him. Don't fuck with the Mounties, I guess. Geez...
User avatar
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

PreviousNext

Return to Sci-Tech… and Stuff

Who is online

Users browsing this forum: No registered users and 19 guests