FWIS3

[Sigma_Orionis]

It's important to keep in mind that a lot of the Comercial Web Servers (WebLogic and IIS at the very least) do NOT use the OpenSSL libraries. This problem affects mostly WebServers like Apache, or Web Application Servers such as Tomcat (not too sure about Jboss, which is another popular Web Application Server).

Most financial institutions I know(down here at least) don't use Apache or Tomcat or Jboss.

[Sigma_Orionis]

Bahaha Sigma ... I'm blaming your Clouds for everything in the future!! Why can't you make your Clouds more better???

[The Supreme Canuck]

You know, after having done some research on available password managers, I think I might take Morrolan's suggestion on LastPass. Looks like they hold your encrypted data, but never see the keys - encryption/decryption takes place locally, always.

Hm. Morrolan, is the paid version worth it? I think I'll give the free version a spin, and if I like it I'd consider upgrading.

[Morrolan]

unless you have multiple computers and platforms you want to use it across, stick to the free version. you can always decide to upgrade later.
i used the free version for about a year and decided to upgrade at the end of last year. i now use it to keep my passwords across android, iOS and Windows 7 and 8.1 machines. changing a password on one applies it to all immediately.

i think the misunderstanding about their vulnerability came from the fact that while they use SSL, they have multiple additional layers of encryption that most others (including McAfee and Intel) don't.

i just read that Facebook and Google are also affected, as well as many US Banks. my bank luckily is not.

[Sigma_Orionis]

Facebook and Google affected? it's a given. They tend to favor Open Source stuff (which means that even if they don't use Apache/Tomcat, they most probably use OpenSSL for their custom software.

A lot of US Banks? wow, I guess they use Apache a lot.

Here's plenty of geeky info on who's affected..


Surprise! Apache is one of the most vulnerable web servers, however the "Heartbeat Extension" (the OPTIONAL component that has the vulnerability) is not enabled in most of them.

[Cyborg Girl]

@squid: umm... sorry about that, I guess I overreached there. I don't design software for a living, so yeah, chances are you know more about this than I do.

[The Supreme Canuck]

Thanks, Morrolan, I think I'll do just that. I've installed the free version, and I like what I see so far. I may upgrade down the line, as you say.

[FZR1KG]

Hey squid, just wanted to point out that I make money solely on software at the moment.
I designed the hardware but I only get paid for the firmware I wrote.
Hardware designs/upgrades are just a free part of the service.
How times have changed. lol

[Sigma_Orionis]

Shouldn't you be playing Popeye the Sailor Man?

[Sigma_Orionis]

And here ladies and gents is one the most expensive software bugs in history.

Ariane Flight 501

Two words: SHIT HAPPENS.

[Morrolan]

And here ladies and gents is one the most expensive software bugs in history.

Ariane Flight 501

Two words: SHIT HAPPENS.

pretty fireworks, though a bit costly.

[FZR1KG]

What's an overflow between friends?

[Sigma_Orionis]

US$ 370 Million and lots of change

[The Supreme Canuck]

Well, I've got to say, I really do quite like LastPass. I think I will shell out for the paid version so I can use it on my iPad. Thanks again for that, Morrolan - good suggestion.

[Morrolan]

Well, I've got to say, I really do quite like LastPass. I think I will shell out for the paid version so I can use it on my iPad. Thanks again for that, Morrolan - good suggestion.

you're welcome, mate...

[squ1d]

HELLO CAN ANYONE STILL HEAR ME?

IS THE INTERNETS STILL HERE?

[Sigma_Orionis]

This is an Automated Ping Reply from your Local ISP

Nope, nobody here, the Internet is gone, nobody will use it because you and your fellow code monkeys screwed the pooch with the heart-bleed bug.

[SciFiFisher]

That's OK. I keep seeing advertisements to invest in the next big thing that will spell the demise of the internet anyway. It's on it's way out.

[Swift]

This is an Automated Ping Reply from your Local ISP

Nope, nobody here, the Internet is gone, nobody will use it because you and your fellow code monkeys screwed the pooch with the heart-bleed bug.

Now I have this image of a monkey having sex with a dog.

Oh wait, that's just the normal spam e-mails I get.

[Sigma_Orionis]

Those should be pretty twisted viagra adverts.....

That's OK. I keep seeing advertisements to invest in the next big thing that will spell the demise of the internet anyway. It's on it's way out.

Let me guess, the same ads that tell you to invest in Venezuela Government Bonds......

[Sigma_Orionis]

Well, Schneier is pissed off about it

He speculates about the damned bug being placed on purpose,

At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

If he had said it was done on purpose by the NSA or whomever without any hard proof, it would have been the last time I would have read stuff written by him, reputation and credentials or not.

So, yeah: SHIT HAPPENS. Yeah: it was a major fuckup. And yeah: it happened at the worst time possible, when everyone is paranoid about security after Snowden spilled the beans on the NSA's antics.

It sucks, but so does life.

ETA, more from my favorite IT security Curmudgeon on Heartbleed

The skinny is:

- It's hard to compromise a server with Heartbleed, but of course it's possible
- Some Security Geeks at Cloudflare figured that it would be pretty hard, almost impossible to do so, so they issued a challenge.
- 9 hours later, two people managed to win the challenge.
- The people who managed to compromise the server for the challenge sent a huge amount of requests to it. So, one could infer than anyone trying to compromise a server with Heartbleed will get flagged as a DDOS Offender before they can get anything useful out of it.

So, no script kiddies are going to compromise all half a million vulnerable servers, but a determined attacker will. Not all that much of a relief though cause people looking for credit card info to steal tend to be determined.

And by the looks of it everyone is busy patching servers.

[The Supreme Canuck]

Hey, want to hear something fun? The Canada Revenue Agency's (Canadian IRS) servers were breached as a result of the bug. Social Insurance Numbers (Canadian SSNs) were stolen. And that's bad, since in Canada, unlike in the US, those are private information - you don't put them on everything willy-nilly. With that number, identity theft is easy.

Worse, it may not just be SINs that were stolen.

Great.

[Sigma_Orionis]

Not only the CRA but a British site called Mumsnet as well.

Odd, if the Cloudflare folks are right, it would have taken a lot of https requests to do so, in the order of 100.000. One of the winners of the CloudFlare challenge sent about 2.5 million requests before getting the info that proved he was a winner.

[Sigma_Orionis]

Now Heartbleed & Co are unfortunate but this is pretty stupid.

LaCie warns of suspected credit card data breach


Nope, no James Bond type Zero Day Exploits, no Secret Government Service pulling the strings of the Shadow Government, just plain old stupidity.

Experts said it was unusual for such a problem to go unnoticed for so long.

"It is a major breach," Ron Austin, senior lecturer in computer security at Birmingham City University, told the BBC.

"LaCie is a fairly big company and you would question their information security policies.

And NO it wasn't due to Heartbleed, it was due to using a vulnerable version of Adobe's Cold Fusion

And to make it even worse, they had to be told by the Evil FBI.

The statement said that LaCie was alerted to the problem by the FBI on 19 March.

However, security blogger Brian Krebs had warned the company earlier that month that its site might have had credit card data stolen by a criminal gang exploiting vulnerabilities in Adobe's ColdFusion web application development software.

[The Supreme Canuck]

Huh. They arrested the guy who stole the information from the CRA. That was fast. Apparently they knew who it was before the weekend, and kept the whole mess hushed up until they could nab him. Don't fuck with the Mounties, I guess. Geez...