Question: Is the Heartbleed Bug a serious issue?


mittman

All-American
Jun 19, 2009
Yes, it is very serious. What is most important is verifying that your web servers, or devices that have web servers built into them and use SSL, are not built using the affected OpenSSL library. It is relatively simple to exploit, even easier to determine if the server/web farm is vulnerable, and all of the information needed to build an exploit is easily attainable.
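As an added illustration of the verification step described above (this is not code from the thread), a small Python script that classifies `openssl version` strings against the affected range; the sample strings are constructed, and the script also reports the OpenSSL the running interpreter is linked against.

```python
import re
import ssl

# Affected range for CVE-2014-0160 (Heartbleed): OpenSSL 1.0.1 through 1.0.1f
# and 1.0.2-beta1. 1.0.1g (7 Apr 2014) carries the fix; 0.9.8 and 1.0.0 never
# contained the TLS heartbeat code, and 1.0.2-beta2 onward is fixed.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Constructed sample strings in the format printed by `openssl version`.
SAMPLE_VERSIONS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.1.1k  25 Mar 2021",
    "LibreSSL 2.8.3",
]


def heartbleed_status(version_string):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for a version string.

    Caveat: distribution packages (Debian, Ubuntu, Red Hat) backported the fix
    without bumping the upstream letter, so a patched box can still print
    1.0.1e. Treat 'vulnerable' as 'confirm against the package changelog',
    not as a final verdict.
    """
    match = VERSION_RE.search(version_string)
    if not match:
        return "unknown"
    release = tuple(int(match.group(i)) for i in (1, 2, 3))
    letter, beta = match.group(4), match.group(5)
    if release == (1, 0, 1):
        # "" (plain 1.0.1) and the letters a..f all sort before "g"
        return "vulnerable" if letter < "g" else "not_vulnerable"
    if release == (1, 0, 2) and beta == "1":
        return "vulnerable"
    return "not_vulnerable"


def audit(version_strings):
    """Map each version string (e.g. collected across a web farm) to its status."""
    return {v: heartbleed_status(v) for v in version_strings}


def local_python_status():
    """Status of the OpenSSL build the running interpreter is linked against."""
    return heartbleed_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for version, status in audit(SAMPLE_VERSIONS).items():
        print(f"{status:15} {version}")
    print(f"{local_python_status():15} {ssl.OPENSSL_VERSION} (this interpreter)")
```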
 

chanson78

All-American
Nov 1, 2005
Huntsville, AL
> Yes, it is very serious. What is most important is verifying that your web servers, or devices that have web servers built into them and use SSL, are not built using the affected OpenSSL library. It is relatively simple to exploit, even easier to determine if the server/web farm is vulnerable, and all of the information needed to build an exploit is easily attainable.

Hopefully the services you connect to are patching their issues. One thing people should do is take this as a healthy wake-up call to recognize personal password policy. Using something like a password manager, not using the same password for all of your logins, changing your passwords, ensuring you have strong passwords, etc., are all things many people don't think are important.

Here is a good article that might be of use.

http://www.cnet.com/how-to/the-guide-to-password-security-and-why-you-should-care/
 

mittman

All-American
Jun 19, 2009
3,942
0
0
> Hopefully the services you connect to are patching their issues. One thing people should do is take this as a healthy wake-up call to recognize personal password policy. Using something like a password manager, not using the same password for all of your logins, changing your passwords, ensuring you have strong passwords, etc., are all things many people don't think are important.
>
> Here is a good article that might be of use.
>
> http://www.cnet.com/how-to/the-guide-to-password-security-and-why-you-should-care/

I agree. My point of view was more from a host and provider than from a consumer of a service. There are a lot of devices that have web server interfaces in them now that use SSL and that particular library. I spent a good deal of time last night upgrading firmware in routers that were affected.
 

TIDE-HSV

Senior Administrator
Staff member
Oct 13, 1999
Huntsville, AL,USA
I've not worried too much about the big boys. I've always thought the real problem will lie with the smaller to medium-sized websites, many of which farm out their IT. For example, my wife bought something from a small website, directing that her information not be saved. The next time she returned to it, she saw her credit card number being auto-filled. She complained via email. The response clearly showed that the CS girl who replied hadn't the slightest idea of what Liz was saying or what she (CS) was doing...
 

mittman

All-American
Jun 19, 2009
One other thing to consider. If you have been told by an internet service you use that they have patched their systems and you need to change your password, make sure they have a new certificate first. If the certificate is not changed, and the vulnerability was exploited, changing the password now makes no difference if the key for the old certificate has been obtained.
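As an added example of the certificate check suggested above (not code from the thread), a Python script that decides whether a site's certificate was replaced after the 7 April 2014 disclosure; the two certificates are constructed in the dict format `getpeercert()` returns, and `fetch_peer_cert` is included for a live lookup.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure and the fixed OpenSSL 1.0.1g both date from 7 April 2014.
# A certificate whose validity began before the server was patched may belong
# to a private key that was exposed while the server was still vulnerable.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed certificates in the dict format SSLSocket.getpeercert() returns;
# only the fields used below are filled in.
OLD_CERT = {
    "serialNumber": "0A1B2C3D",
    "notBefore": "Mar  3 00:00:00 2014 GMT",
}
NEW_CERT = {
    "serialNumber": "4E5F6071",
    "notBefore": "Apr 10 12:00:00 2014 GMT",
}

def not_before(cert):
    """Start of the certificate's validity period as an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                  timezone.utc)

def issued_after(cert, cutoff=DISCLOSURE):
    """True if the certificate's validity started at or after `cutoff`."""
    return not_before(cert) >= cutoff

def reissued(old_cert, new_cert, cutoff=DISCLOSURE):
    """True if the site now serves a different certificate issued after cutoff.

    A changed serial plus a post-cutoff notBefore shows the certificate was
    replaced. Whether a fresh private key was generated is not visible through
    getpeercert(); compare the public keys separately or ask the operator.
    """
    return (old_cert["serialNumber"] != new_cert["serialNumber"]
            and issued_after(new_cert, cutoff))

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print("old certificate issued after disclosure:", issued_after(OLD_CERT))
    print("certificate reissued:", reissued(OLD_CERT, NEW_CERT))
```

To check a real site, pass the result of `fetch_peer_cert(host)` as `new_cert` alongside a copy of the certificate saved before the patch.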
 

gmart74

Hall of Fame
Oct 9, 2005
Baltimore, Md
Whenever things like this happen, you will get tons of emails telling you to click this link to reset your password for a site. Do not ever click the link to access your website. That is the easiest way for someone to spoof the site and steal your password.

Example:
You get an email from Bank of America to click on a link to reset your password. Close that email, open up your browser, physically type in www.bankofamerica.com, and then log in and reset.
 

2003TIDE

Hall of Fame
Jul 10, 2007
ATL
> I've always thought the real problem will lie with the smaller to medium-sized websites, many of which farm out their IT.

This really isn't the case here. OpenSSL is widely used on sites small and large. I haven't seen very many banking institutions, but if you can get into Facebook and the email of a person, you are really a couple of steps away from being able to log into a person's bank account. I'd be willing to wager at least 90% of people reuse passwords. Box.com and Dropbox were hit too. How many people do you think keep financial-related documents there?

Again, we are talking about Facebook, Google, Amazon (for AWS). These are big IT companies.
 

mittman

All-American
Jun 19, 2009
> This really isn't the case here. OpenSSL is widely used on sites small and large. I haven't seen very many banking institutions, but if you can get into Facebook and the email of a person, you are really a couple of steps away from being able to log into a person's bank account. I'd be willing to wager at least 90% of people reuse passwords. Box.com and Dropbox were hit too. How many people do you think keep financial-related documents there?
>
> Again, we are talking about Facebook, Google, Amazon (for AWS). These are big IT companies.

The big guys will get patched fast, the little guys not so much.

A lot tend to just let them run without patching, and do not have the IT knowledge to patch, or the motivation to spend the money. The fact that it affected the cheapest system one could use for a web farm (or an embedded system on a device, for that matter) puts it right in that wheelhouse. There are tons of LAMP implementations that use the OpenSSL library for the secure side. At least a third of sites on the internet, by some that measure it, were affected.
 
