Heartbleed Bug: Public urged to reset all passwords

Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Seconded. Steve Gibson is flipping out, too. This is the real deal.

Administrator
Join Date: Jun 2000
Location: California
It does little good to change a pass, until you know the site in question is no longer vulnerable, and has obtained a new SSL cert. Run a site of interest past one of the diagnostic pages, which checks for the bug. Then load an https page from your site, and check the cert. See if it was issued within the last week.
We plan to post a forum Announcement in a day or two. We updated all servers to the latest OpenSSL last night, but I think we were using 0.9.8 before, which isn't vulnerable. And I was waiting to see if we've gotten a fresh SSL cert.
Once each site is fixed, and has new cert, absolutely change your pass. Use a random one, and don't use the same pass anywhere else.
Most of the password exploits grab passes (or crack hashed passwords), then try to use your username / pass on every banking site and web store. If you reuse passwords, expect your accounts to be cleaned out, or to find out you've sent some big-screen TVs to another continent.
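The "load an https page and check the cert" step above can be scripted. This is an added example, not code from the thread or from any diagnostic page it mentions, using only Python's standard ssl module: probe_site() fetches a host's certificate over a real TLS connection, and issued_after_disclosure() works on the dict that getpeercert() returns, so it can be exercised offline with a constructed dict. The cutoff is 2014-04-07, the day CVE-2014-0160 was published; a certificate issued before that was requested for a key that a vulnerable server may since have leaked.

```python
"""Flag certificates issued before Heartbleed went public.

Added example: a cert whose notBefore predates 2014-04-07 was issued for a
key a vulnerable server may have leaked, so the operator should have
replaced it. Only probe_site() touches the network."""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of CVE-2014-0160 (the Heartbleed bug).
DISCLOSURE_TS = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()


def issued_after_disclosure(cert, cutoff_ts=DISCLOSURE_TS):
    """`cert` is the dict SSLSocket.getpeercert() returns; its 'notBefore'
    value looks like 'Apr  9 00:00:00 2014 GMT'. True when the certificate
    was issued on or after the cutoff."""
    not_before_ts = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before_ts >= cutoff_ts


def cert_age_report(cert, cutoff_ts=DISCLOSURE_TS):
    """Human-readable verdict for one certificate dict."""
    # 'subject' is a tuple of RDNs, each a tuple of (name, value) pairs.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    cn = subject.get("commonName", "?")
    fresh = issued_after_disclosure(cert, cutoff_ts)
    return f"{cn}: issued {cert['notBefore']} -> " + (
        "reissued after disclosure" if fresh else "OLD cert, still at risk")


def probe_site(host, port=443, timeout=5.0):
    """Fetch the live certificate and report on it. Chain and hostname
    validation stay on: a failure there is a finding of its own."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert_age_report(cert)


if __name__ == "__main__":
    import sys
    print(probe_site(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A notBefore after the cutoff only shows that the certificate was reissued. If the operator reused the old key pair, the fresh cert is signed for a key that may already be in someone else's hands; where you have the old public key on record, compare it with the new one as well.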

Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!

Clinically Insane
Join Date: Jun 2000
Location: Union County, NJ
Yeah, this "change your password now" is BS unless the patch is done. I pointed that out to quite a few people.

Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by reader50
It does little good to change a pass, until you know the site in question is no longer vulnerable, and has obtained a new SSL cert. Run a site of interest past one of the diagnostic pages, which checks for the bug. Then load an https page from your site, and check the cert. See if it was issued within the last week.
We plan to post a forum Announcement in a day or two. We updated all servers to the latest OpenSSL last night, but I think we were using 0.9.8 before, which isn't vulnerable. And I was waiting to see if we've gotten a fresh SSL cert.
Once each site is fixed, and has new cert, absolutely change your pass. Use a random one, and don't use the same pass anywhere else.
Most of the password exploits grab passes (or crack hashed passwords), then try to use your username / pass on every banking site and web store. If you reuse passwords, expect your accounts to be cleaned out, or to find out you've sent some big-screen TVs to another continent.
Where are you reading that you need a new cert? Everything I've read said that you need to update OpenSSL, libssl, and all packages that were compiled against it and/or use it (there are usually several).

Administrator
Join Date: Jun 2000
Location: California
You haven't been reading enough then. Check this Ars story, scroll down to the "(Private) keys to the kingdom" section at the end.
One of the bug characteristics is the ability to do a 64 KB memory dump from a vulnerable server. Then examine the contents for plaintext keys. The SSL private key can easily turn up in one of those dumps, which can be done over and over to obtain different snapshots.
Since the attack vector looks legit, and doesn't produce bug-specific log entries, there is no penalty to repeating the attack. And no way to prove an attack has not happened in the past. If you've ever run a vulnerable version of OpenSSL, the only way to be certain your private key is still private, is to get a new cert. And revoke the old one.
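To make the "64 KB memory dump" concrete, here is an added model of the exchange in Python. It is not code from the thread or from OpenSSL: the handshake and record encryption are omitted, and `memory` is a constructed bytearray that plays the server's heap. build_heartbeat_record() lays out the RFC 6520 message with a payload_length that does not match the bytes actually sent (that lie is the whole bug), heartbeat_reply() mirrors the shape of OpenSSL's tls1_process_heartbeat in both its unpatched and patched forms, and classify_response() applies the rule the diagnostic pages use: a HeartbeatResponse carrying more than the request did means the server copied from beyond it.

```python
"""Model of the Heartbleed (CVE-2014-0160) exchange.

Added example, not code from the thread or from OpenSSL. Handshake and
encryption are left out; what remains is the heartbeat layout from
RFC 6520, a server routine shaped like OpenSSL's tls1_process_heartbeat
(unpatched and patched), and the client-side rule a checker applies.
`memory` is a constructed bytearray standing in for the server's heap."""
import struct

TLS_HEARTBEAT = 0x18            # record-layer ContentType for heartbeats
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                    # minimum padding RFC 6520 requires


def build_heartbeat_record(declared_len, payload=b""):
    """A TLS 1.1 record carrying a HeartbeatRequest. `declared_len` goes into
    the 16-bit payload_length field and may exceed len(payload); a probe
    sends 0x4000 with no payload at all."""
    msg = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(msg)) + msg


def heartbeat_reply(memory, rec_off, patched):
    """Server side. The request record starts at memory[rec_off]; whatever
    else the process holds follows it. Unpatched code trusts payload_length
    and copies that many bytes; the fix compares it to the record length."""
    _ctype, _vmaj, _vmin, rec_len = struct.unpack_from("!BBBH", memory, rec_off)
    p = rec_off + 5                             # start of HeartbeatMessage
    if patched and 1 + 2 + PADDING > rec_len:
        return None                             # too short: silently drop
    hbtype, payload_len = struct.unpack_from("!BH", memory, p)
    if patched and 1 + 2 + payload_len + PADDING > rec_len:
        return None                             # the actual fix
    if hbtype != HB_REQUEST:
        return None
    pl = p + 3
    # memcpy(bp, pl, payload_len): with a lying payload_len this reads past
    # the record into neighbouring heap. The slice stops at the end of the
    # bytearray; a real process just keeps reading.
    leaked = bytes(memory[pl:pl + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * PADDING


def classify_response(response, sent_payload_len):
    """Client side: a HeartbeatResponse with more payload bytes than the
    probe sent means the peer copied from beyond the request."""
    if response is None:
        return "not vulnerable (no heartbeat response)"
    hbtype, payload_len = struct.unpack_from("!BH", response, 0)
    leaked = response[3:3 + payload_len]
    if hbtype == HB_RESPONSE and len(leaked) > sent_payload_len:
        return "VULNERABLE"
    return "not vulnerable"


def run_demo(patched):
    """Constructed heap: filler, the probe record, then a fake private key
    that happens to sit next to it. Returns (verdict, leaked bytes)."""
    probe = build_heartbeat_record(0x4000)      # claims 16 KiB, sends none
    heap = bytearray(b"\x41" * 64)
    rec_off = len(heap)
    heap += probe
    heap += b"\x00" * 32
    heap += b"-----BEGIN RSA PRIVATE KEY-----\n(constructed, not a real key)\n"
    heap += bytes(range(256)) * 4
    response = heartbeat_reply(heap, rec_off, patched=patched)
    verdict = classify_response(response, sent_payload_len=0)
    leaked = b"" if response is None else response[3:-PADDING]
    return verdict, leaked


if __name__ == "__main__":
    for patched in (False, True):
        verdict, leaked = run_demo(patched)
        print(f"patched={patched}: {verdict}, {len(leaked)} bytes came back")
        if b"PRIVATE KEY" in leaked:
            print("  ...including what looks like a private key")
```

payload_length is a 16-bit field, so one request pulls at most 64 KiB (the probe here asks for 0x4000); the figure in the post is that ceiling. The patched path returns nothing rather than an error, which is why a checker treats "no heartbeat response" as not vulnerable.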

Clinically Insane
Join Date: Mar 2001
Location: yes

Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Would using multi-factor authentication protect you against heartbleed?
AT&T iPhone 5S and 6; 13" MBP; MDD G4.

Administrator
Join Date: Jun 2000
Location: California
@besson - Cloudflare has confirmed theft of private SSL keys via heartbleed.
@SSharon - the server has to know all the authentication factors in order to authenticate users. Since heartbleed does random 64K memory dumps from the server, it's hard to rule anything out. Maybe the server could store hashed responses only, or use different servers for each authentication factor. But secure web servers aren't usually set up that way. With the bug identified and fixed, now you just patch it, and get fresh SSL keys. Revoke the old of course.
I've posted an announcement here, recommending forum members change passwords. Since it's all but impossible to rule out a breach.

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
One question:
If I'm using two-factor authentication with a site (like Google) that was deemed vulnerable, and my password for that site was unique (not used on other sites), I should be OK, right?
-t

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
You should be OK for other sites' security because of the one compromised site (assuming that all your other sites are secure). But if it really is Google (or something else on the same scale) you could have a huge amount of personal information exposed - which could conceivably be used to compromise other sites. Your "ancestry dod com" stuff could be used to "recover" passwords by the intruder knowing your great aunt's maiden name, and other such mayhem.
There is no way to know what sites are actually compromised - for us or them in some cases. And there's no way to know what external services sites may have used that came from compromised servers. It's just safer to change all your passwords now. I'm not only changing all my passwords, I'm setting up an "irregular schedule" for changing them in the future. One site I use not-so-regularly requires a new password every 60 days (it's financial so that's not too extreme), but banks, credit card sites, etc. don't require that, so I'm essentially scheduling it myself. And it's irregular because there's a tiny chance that an "every 90 days" plan could be compromised by an intruder who knew the schedule and contacted a site right after my planned update and asked for a "forgotten password" reset because new passwords are easier to lose or forget than older ones.
Paranoid about computer security? ME? NO! I'm paranoid about all security. I just have the most training and experience with computer security. And on that note, I recommend not just changing passwords but incorporating a large chunk of randomness in your new passwords. I use this random password generator to create bunches of very long passwords. But since there's no way to know whether that site itself is secure, I do some "post processing." For example, you can break up the output into groups of 5 characters, and then mix and match groups to create as long a password as you want. Save the output to a removable device (I have a 1GB USB stick I do this with) and lock that puppy up when you're not using it. And I highly recommend saving the password stuff in a font that makes it abundantly clear what characters are "one" and which ones are "lower case L." Trust me, it'll save wear and tear on your stomach lining! ;D
Last edited by ghporter; Apr 14, 2014 at 06:34 AM.
Glenn -----OTR/L, MOT, Tx

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oh, and I thought xkcd's explanation of how the bug works was very enlightening:
Glenn -----OTR/L, MOT, Tx

Administrator
Join Date: Jun 2000
Location: California
I don't recommend getting a block of random passes from a site. The NSA has admitted recording all the traffic they can. They even record and keep encrypted (https) traffic, in case they can later break it. Instead, generate your passes entirely locally.
I use RPG myself. Exclude a few characters that look alike, set other parameters as you wish. And it's free.
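Both the local-generation advice here and ghporter's earlier point about glyphs that look alike on a printed copy can be covered with a few lines of standard-library Python. This is an added example, not the RPG tool the post names and not its code: secrets draws from the OS CSPRNG, LOOKALIKES is my own choice of glyphs to exclude, and entropy_bits()/length_for_bits() turn "long enough" into a number. Nothing leaves the machine.

```python
"""Generate passwords locally with the OS CSPRNG.

Added example, not the tool the post mentions. It drops glyphs that blur
together in common fonts and reports entropy so the length is chosen by
the numbers rather than by feel."""
import math
import secrets
import string

# Zero/capital O, one/lowercase L/capital I, pipe, and quotes that some
# sites mangle. Adjust to taste; fewer symbols means a slightly longer
# password for the same entropy.
LOOKALIKES = frozenset("0O1lI|`'\"")
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{}~"


def alphabet(include_symbols=True, drop=LOOKALIKES):
    """Character set after removing look-alikes."""
    chars = string.ascii_letters + string.digits + (SYMBOLS if include_symbols else "")
    return "".join(c for c in chars if c not in drop)


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest length that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length=20, **alphabet_opts):
    """One password of `length` characters drawn with secrets.choice."""
    chars = alphabet(**alphabet_opts)
    return "".join(secrets.choice(chars) for _ in range(length))


def for_display(password, group=5, sep=" "):
    """Grouped form for the printed copy; the separator is not part of
    the password and is not typed in."""
    return sep.join(password[i:i + group] for i in range(0, len(password), group))


if __name__ == "__main__":
    chars = alphabet()
    n = length_for_bits(80, len(chars))
    pw = generate(n)
    print(f"{len(chars)}-char alphabet, {n} chars -> {entropy_bits(len(chars), n):.1f} bits")
    print(for_display(pw))
```

With the full 84-character alphabet, 13 characters clear 80 bits; without symbols (57 characters) it takes 14. The grouping in for_display() is only for the copy you lock away.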

Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Originally Posted by ghporter
There is no way to know what sites are actually compromised - for us or them in some cases. And there's no way to know what external services sites may have used that came from compromised servers. It's just safer to change all your passwords now. I'm not only changing all my passwords, I'm setting up an "irregular schedule" for changing them in the future. One site I use not-so-regularly requires a new password every 60 days (it's financial so that's not too extreme), but banks, credit card sites, etc. don't require that, so I'm essentially scheduling it myself. And it's irregular because there's a tiny chance that an "every 90 days" plan could be compromised by an intruder who knew the schedule and contacted a site right after my planned update and asked for a "forgotten password" reset because new passwords are easier to lose or forget than older ones.
Paranoid about computer security? ME? NO! I'm paranoid about all security. I just have the most training and experience with computer security. And on that note, I recommend not just changing passwords but incorporating a large chunk of randomness in your new passwords. I use this random password generator to create bunches of very long passwords. But since there's no way to know whether that site itself is secure, I do some "post processing." For example, you can break up the output into groups of 5 characters, and then mix and match groups to create as long a password as you want. Save the output to a removable device (I have a 1GB USB stick I do this with) and lock that puppy up when you're not using it. And I highly recommend saving the password stuff in a font that makes it abundantly clear what characters are "one" and which ones are "lower case L." Trust me, it'll save wear and tear on your stomach lining! ;D
Glenn, I know your post makes sense, but frankly I glazed over somewhere around 90 day schedule. This seems like overkill for anything that isn't toptopsecret, and then, keeping track of all those passwords becomes an issue.
I've just started using 1password, and I like it, but I also still like to use my own system for passwords. If I need to log into anything using a device I don't have 1password installed on (vacation, emergency), there's no way I'll remember a 16-digit random alphabet soup.
I just changed a work gmail password. Then I wrote the password on a sticky note and walked it over to the other person who uses that account. Secure!

Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Yeah, my grand rotation scheme is overkill for a single password, and it's probably overkill for most people's online presence overall. But I did say I was paranoid about security, right?
I guess I got going on passwords and just didn't stop. Sorry.
Glenn -----OTR/L, MOT, Tx

Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Originally Posted by andi*pandi
I just changed a work gmail password. Then I wrote the password on a sticky note and walked it over to the other person who uses that account. Secure!
Stuck to the monitor or underneath the keyboard?

Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
In an envelope, of course.

Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
What is the scenario where you need a work gmail account, have access to the cubicle down the way, but don't have access to 1pass?

Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Here's a 1pass tip.
Have exactly one email account with a password you can remember.
Send yourself a copy of your 1pass keychain for storage on that email server.
There's no reason to keep this up to date. The only up to date password you need is your DropBox, so you can get to your real keychain in an emergency.
Only update that email copy when you change your DropBox password. For me, that's once a year, if that.
If I'm not mistaken, you can download 1pass on any computer for free for read purposes, so you can even access all your passwords on any given computer.

Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Originally Posted by subego
What is the scenario where you need a work gmail account, have access to the cubicle down the way, but don't have access to 1pass?
Two different scenarios. I'm not giving my work colleagues my 1pass. I have that gmail saved in 1pass, along with 2 others. I really like 1pass for remembering rarely used passwords, and it has cut down on my "remind me my password" emails. However, I still like using the memorable sentence strategy over 1lk3kg8lw94qk2z.
The being away from 1password scenario is more along the lines of: on vacation, I suddenly remember that a bill needs to be paid ASAP, or I've spent too much money on souvenirs and have to transfer some money from savings to checking. I have no laptop, my cell has no service, so stop into kinko's or rent-a-mac. They don't let you download software. If my bank password was only in 1pass, how would I pay this bill? By phone?

Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
You don't need cell service. It's stored locally on your phone. It only needs service for syncing.

Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by subego
Here's a 1pass tip.
I'm not sure I get it.
Why wouldn't I just remember my Dropbox password.
Then I can download (via web) the current 1PW file on any computer.
Voila.
-t

Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
The whole point of 1pass is not to have to remember my DropBox password.
I only remember two. My 1pass, and my master email account. I could make that three, but I can't see the reason.