
Heartbleed Bug - reset your passwords - especially banking

sdw

New member
Jul 14, 2005
http://www.bbc.com/news/technology-26954540

9 April 2014 Last updated at 10:34 ET


Heartbleed Bug: Public urged to reset all passwords
By Leo Kelion Technology desk editor

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".

Security advisers have given similar warnings about the Heartbleed Bug.

It follows news that a product used to safeguard data could be compromised to allow eavesdropping.

OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.

Those affected include Canada's tax collecting agency, which halted online services "to safeguard the integrity of the information we hold".
Copied keys

Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.

They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.

It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail - unless the hackers published their haul online.

"If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested," said Ari Takanen, Codenomicon's chief technology officer.

"In that sense it's a good idea to change the passwords on all the updated web portals."

Other security experts have been shocked by the revelation

"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.

The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.

However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.

"Our team has successfully made the appropriate corrections across the main Yahoo properties - Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr - and we are working to implement the fix across the rest of our sites right now," said a spokeswoman for the company.

New passwords

NCC Group - a cybersecurity company that advises many members of the FTSE 250 - described the situation as "grave".

"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," the company's associate director Ollie Whitehouse told the BBC.

"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information.

"As long as service providers have patched their software it would now be a prudent step for the public to update their passwords."

Several security firms and independent developers have published online tests to help the public discover if the services are still exposed.

However, there is no simple way to find out if they were vulnerable before.

Organisations that used Microsoft's Internet Information Services (IIS) web server software would not have been affected.

But Codenomicon has noted that more than 66% of the net's active sites rely on the open source alternatives Apache and Nginx, which do use OpenSSL.

Even so, some of these sites would have also employed a feature called "perfect forward secrecy" that would have limited the number of their communications that could have been hacked.
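The article says the flaw "could be used to expose the secret keys" and that exploiting it "would not leave a trail". The mechanism behind both statements is a single missing bounds check in OpenSSL's TLS heartbeat handler (CVE-2014-0160): a heartbeat request carries its own payload-length field, and the code copied that many bytes back to the peer without checking the claim against the size of the record it had actually received. Whatever happened to sit next to the record in process memory (session data, passwords, private-key material) came back in the reply, and a heartbeat is not something servers log. The following is an added example, not code from the BBC piece, the thread, or OpenSSL itself: a simplified C model of the vulnerable handler beside the 1.0.1g-style fix, run against a constructed buffer that stands in for process memory. Function names, the `fake_heap` buffer and its "SECRET" marker are all assumptions made for the demo; the record layout (1-byte type, 2-byte length, payload, 16 bytes of padding) and the shape of the fix follow the real code.

```c
/* Added example (not from the article or the forum thread): a model of the
 * OpenSSL heartbeat handler behind Heartbleed (CVE-2014-0160).  The record
 * layout and the missing length check mirror the real code; the function
 * names, the fake heap buffer and its "SECRET" marker are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": one heartbeat record followed by bytes that
 * stand in for whatever was adjacent on the heap.  The record claims a
 * 32-byte payload but only 2 payload bytes were actually sent. */
static const uint8_t fake_heap[] =
    "\x01"                               /* HeartbeatMessageType = request   */
    "\x00\x20"                           /* payload_length = 32 (a lie)      */
    "hi"                                 /* the 2 bytes really sent          */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"   /* 16 bytes of padding              */
    "SECRET=private-key-bytes";          /* adjacent memory, never sent      */

/* Length the TLS record layer actually received: 1 + 2 + 2 + 16. */
#define RECORD_LEN 21

/* A well-formed request for comparison: length field matches the payload. */
static const uint8_t good_record[RECORD_LEN] =
    "\x01" "\x00\x02" "hi" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

/* Vulnerable handler: trusts payload_length from the message and copies that
 * many bytes out of the record buffer.  rec_len is never consulted, which is
 * the whole bug.  Returns 0 on success, -1 on error. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *resp, size_t resp_cap, size_t *resp_len)
{
    (void)rec_len;                                   /* ignored: the bug */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    const uint8_t *pl = p;

    if (type != HB_REQUEST) return -1;
    /* Demo-only guard on OUR output buffer so the model itself is memory
     * safe; it says nothing about how many bytes the peer really sent. */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;

    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, pl, payload);                   /* reads past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Fixed handler: the two checks OpenSSL 1.0.1g added.  A record too short to
 * hold a heartbeat, or one whose declared payload does not fit inside the
 * bytes actually received, is silently discarded. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *resp, size_t resp_cap, size_t *resp_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* not even a header */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    const uint8_t *pl = p;

    if (type != HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1; /* the fix */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;

    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, pl, payload);                   /* now bounded by rec_len */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

int main(void)
{
    uint8_t out[128];
    size_t n = 0;

    if (heartbeat_vulnerable(fake_heap, RECORD_LEN, out, sizeof out, &n) == 0)
        /* 2 payload bytes sent, 32 echoed; bytes 21.. of the reply are the
         * leaked neighbour memory ("SECRET=private"). */
        printf("vulnerable: replied %zu bytes, leaked \"%.14s\"\n", n, out + 21);

    if (heartbeat_fixed(fake_heap, RECORD_LEN, out, sizeof out, &n) != 0)
        printf("fixed: oversized request discarded\n");

    if (heartbeat_fixed(good_record, RECORD_LEN, out, sizeof out, &n) == 0)
        printf("fixed: honest request answered with %zu bytes\n", n);
    return 0;
}
```

Compile with `cc -Wall heartbeat_demo.c && ./a.out`. The point of the model is where the check lives: the vulnerable path bounds the copy only by the attacker-controlled length field, the fixed path bounds it by the record length the TLS layer really received. Because the reply is an ordinary heartbeat response, nothing in the server's logs distinguishes a probe from a legitimate keep-alive, which is why the article can only say that exploitation before disclosure "would not leave a trail".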
 

vancity_cowboy

hard riding member
Jan 27, 2008
don't bother changing your passwords until your email provider or bank has assured you that they have installed the 'fix' software for the Heartbeat program

yahoo has already installed it so yes, change your password now. but wait for the rest, otherwise the new password is just as vulnerable as the old one

following is an excerpt from the cbc report:

How can I protect myself?
Ari Takanen, chief technology officer for Codenomicon, advises you to wait for an official statement from the internet services you use (indicating that they have fixed the bug) and follow their guidelines.

Typically, that will involve things like changing your password. That is something you may have to do across many services you use.

However, steps like that are useless until the security hole has been fixed for the affected services.

"Changing before the service is patched could expose the new password," said a spokesperson for Google, who also noted that passwords do not need to be changed for Google services because of its early implementation of a bug fix.

In the meantime, a number of sites have been set up where you can check if the web services you're using are vulnerable, including this one, set up by Italian security researcher Filippo Valsorda.
Visit the Heartbleed test site

You might want to stay away from sites identified as "vulnerable" for now.

Security experts also recommend as a general rule that you use strong passwords that are different for different internet services and that you change them regularly.
http://www.cbc.ca/news/technology/heartbleed-web-security-bug-what-you-need-to-know-1.2603988
 

sdw

New member
Jul 14, 2005
2,185
0
0
None of us changes our passwords often enough. When there is a known vulnerability, it is well to put some stumbling blocks in the thieves' path.



:) I just had to find a way to use the cartoon
 


badbadboy

Well-known member
Nov 2, 2006
Do not change any passwords until you have checked if the site has been fixed. You can check your site here
http://lastpass.com/heartbleed/
Thanks for that link, it has saved me going through all my passwords until those sites make their updates.


Site: My Bank
Server software: Apache
Vulnerable: Very likely (known use OpenSSL)
SSL Certificate: Unsafe (created 8 months ago at Jul 31 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password
 

Lo-ki

Well-known member
Jul 18, 2011
Both my banks have dealt with it already. Neither were affected.

Loki
 

peter putter

Member
Jul 25, 2012
Thanks for that link, it has saved me going through all my passwords until those sites make their updates.


Site: My Bank
Server software: Apache
Vulnerable: Very likely (known use OpenSSL)
SSL Certificate: Unsafe (created 8 months ago at Jul 31 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password
I got the same result (date of SSL cert slightly different); my bank posted this

***** (Bank name) has multiple levels of security in place, including encryption, to keep your banking information safe and secure. *******'s Online and Mobile Banking services have not been affected by the Heartbleed issue. You can continue to use *****'s websites with confidence for your everyday banking.
 

sdw

New member
Jul 14, 2005
How the American Government "protects" you. Is the "Heartbleed Bug" one of NSA's back doors?

http://www.bloomberg.com/news/2014-...e-used-heartbleed-bug-exposing-consumers.html

NSA Said to Exploit Heartbleed Bug for Intelligence for Years
By Michael Riley Apr 11, 2014 11:58 AM PT

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.
http://www.wired.com/2014/04/heartbleedslesson/
 
