Heartbleed Bug: Public urged to reset all passwords
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Apr 9, 2014, 03:16 PM
 
BBC News - Heartbleed Bug: Public urged to reset all passwords

If Bruce Schneier says it's a catastrophe, I listen.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Apr 9, 2014, 04:58 PM
 
Seconded. Steve Gibson is flipping out, too. This is the real deal.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Apr 9, 2014, 06:00 PM
 
It does little good to change a pass, until you know the site in question is no longer vulnerable, and has obtained a new SSL cert. Run a site of interest past one of the diagnostic pages, which checks for the bug. Then load an https page from your site, and check the cert. See if it was issued within the last week.

We plan to post a forum Announcement in a day or two. We updated all servers to the latest OpenSSL last night, but I think we were using 0.9.8 before, which isn't vulnerable. And I was waiting to see if we've gotten a fresh SSL cert.

Once each site is fixed, and has new cert, absolutely change your pass. Use a random one, and don't use the same pass anywhere else.

Most of the password exploits grab passes (or crack hashed passwords), then try to use your username / pass on every banking site and web store. If you reuse passwords, expect your accounts to be cleaned out, or to find out you've sent some big-screen TVs to another continent.
     
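reader50's second check above (load an https page and see whether the certificate was issued after the bug became public) can be scripted. The following is an added example and not code from this thread: it uses only the Python standard library, takes 7 April 2014, the public disclosure date of CVE-2014-0160, as the cutoff rather than "the last week", and works on certificate dictionaries in the shape ssl.SSLSocket.getpeercert() returns. The host name example.test and the two sample certificates are constructed; fetch_peer_cert() needs network access and is not exercised by the offline part. One caveat a practitioner would add: a notBefore after the disclosure shows the certificate was reissued, not that the operator generated a new key pair, so where you have the old public key fingerprint, compare that too.

```python
import datetime as dt
import socket
import ssl

# Heartbleed (CVE-2014-0160) became public on 7 April 2014. A certificate
# whose validity starts before that date may still be bound to a key that a
# vulnerable server could have leaked, so it counts as "not yet reissued".
HEARTBLEED_DISCLOSURE = dt.datetime(2014, 4, 7, tzinfo=dt.timezone.utc)


def cert_not_before(cert):
    """notBefore of a cert dict in the shape ssl.SSLSocket.getpeercert()
    returns, parsed into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc)


def reissued_since(cert, cutoff=HEARTBLEED_DISCLOSURE):
    """True when the certificate's validity period starts at or after cutoff."""
    return cert_not_before(cert) >= cutoff


def fetch_peer_cert(host, port=443, timeout=10):
    """Open a verified TLS connection and return the leaf certificate as a
    dict. Needs network access, so the offline checks below do not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host):
    """Report whether host's current certificate post-dates the disclosure."""
    cert = fetch_peer_cert(host)
    issued = cert_not_before(cert).date().isoformat()
    if reissued_since(cert):
        verdict = "reissued after disclosure"
    else:
        verdict = "predates disclosure; changing your password here is premature"
    return f"{host}: notBefore={issued} ({verdict})"


# Constructed sample certificates in getpeercert() format; not real ones.
OLD_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Mar 12 00:00:00 2013 GMT",
    "notAfter": "Mar 12 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Apr 10 14:30:00 2014 GMT",
    "notAfter": "Apr 10 23:59:59 2016 GMT",
}

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, cert_not_before(cert).date(), reissued_since(cert))
```

Run check_site("www.example.test") against a live host once the diagnostic page says it is patched; the cert date answers the second half of reader50's question, the diagnostic page the first.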
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Apr 9, 2014, 06:01 PM
 
Excellent point.
     
starman
Clinically Insane
Join Date: Jun 2000
Location: Union County, NJ
Apr 10, 2014, 01:41 AM
 
Yeah, this "change your password now" is BS unless the patch is done. I pointed that out to quite a few people.

     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 10, 2014, 03:14 AM
 
Originally Posted by reader50
It does little good to change a pass, until you know the site in question is no longer vulnerable, and has obtained a new SSL cert. Run a site of interest past one of the diagnostic pages, which checks for the bug. Then load an https page from your site, and check the cert. See if it was issued within the last week.

We plan to post a forum Announcement in a day or two. We updated all servers to the latest OpenSSL last night, but I think we were using 0.9.8 before, which isn't vulnerable. And I was waiting to see if we've gotten a fresh SSL cert.

Once each site is fixed, and has new cert, absolutely change your pass. Use a random one, and don't use the same pass anywhere else.

Most of the password exploits grab passes (or crack hashed passwords), then try to use your username / pass on every banking site and web store. If you reuse passwords, expect your accounts to be cleaned out, or to find out you've sent some big-screen TVs to another continent.


Where are you reading that you need a new cert? Everything I've read said that you need to update OpenSSL, libssl, and all packages that were compiled against it and/or use it (there are usually several).
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Apr 10, 2014, 04:14 AM
 
You haven't been reading enough then. Check this Ars story, scroll down to the "(Private) keys to the kingdom" section at the end.

One of the bug characteristics is the ability to do a 64 KB memory dump from a vulnerable server. Then examine the contents for plaintext keys. The SSL private key can easily turn up in one of those dumps, which can be done over and over to obtain different snapshots.

Since the attack vector looks legit, and doesn't produce bug-specific log entries, there is no penalty to repeating the attack. And no way to prove an attack has not happened in the past. If you've ever run a vulnerable version of OpenSSL, the only way to be certain your private key is still private, is to get a new cert. And revoke the old one.
     
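reader50's description of the mechanics (a length the server takes from the peer, a copy of up to 64 KB of whatever sits next to the request, repeatable, and nothing bug-specific in the logs) can be shown in a few lines. The model below is an added example, not code from this thread or from OpenSSL: it follows the TLS heartbeat layout of RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding) and puts the unpatched behaviour of OpenSSL 1.0.1 through 1.0.1f beside the bounds check that 1.0.1g added. The "adjacent memory" contents (a cookie and a fragment of a PEM key) are constructed; on a real server what comes back depends on heap layout, which is why the attack is repeated for fresh snapshots. TLS record framing and encryption are left out.

```python
import struct

# TLS heartbeat message layout (RFC 6520): type (1 byte), payload_length
# (2 bytes, big-endian), payload, then at least 16 bytes of random padding.
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = b"\x00" * 16   # zeroed instead of random so results are repeatable


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request. An honest client sets claimed_length to
    len(payload); the Heartbleed probe sends an empty payload and claims
    65535, the maximum the 2-byte field can hold."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + PADDING


def vulnerable_process(record, adjacent_memory):
    """Model of OpenSSL 1.0.1 through 1.0.1f: the length is read from the
    peer's message and never compared with the size of the record that was
    actually received, so the copy runs off the end of the record into
    whatever the heap holds next (adjacent_memory stands for that)."""
    _, payload_len = struct.unpack("!BH", record[:3])
    heap = record + adjacent_memory
    payload = heap[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + PADDING


def patched_process(record, adjacent_memory):
    """Model of the 1.0.1g fix: if header + claimed payload + minimum padding
    does not fit inside the received record, discard it silently (RFC 6520
    section 4). Nothing is logged, which matches what reader50 says about
    the attack leaving no bug-specific log entries."""
    if len(record) < 1 + 2 + 16:
        return None
    _, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + 16 > len(record):
        return None
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + PADDING


def leaked_bytes(response, sent_payload):
    """Bytes echoed back beyond what the client actually sent."""
    if response is None:
        return b""
    payload_len = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + payload_len][len(sent_payload):]


# Constructed stand-in for the heap next to the record on a busy server:
# a session cookie from another connection and part of a PEM private key.
ADJACENT_MEMORY = (
    b"Cookie: session=a1b2c3d4; user=alice\r\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
    + bytes(range(256)) * 8
)

if __name__ == "__main__":
    probe = build_heartbeat(b"", claimed_length=0xFFFF)
    leak = leaked_bytes(vulnerable_process(probe, ADJACENT_MEMORY), b"")
    print(f"unpatched server returned {len(leak)} bytes it was never sent")
    print(patched_process(probe, ADJACENT_MEMORY))  # None: record discarded
```

The point of the comparison is that the fix is one length check: the claimed payload must fit in the record that arrived. Everything else about the request is well-formed, which is why a vulnerable server treated the probe as ordinary keep-alive traffic.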
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Apr 10, 2014, 04:36 AM
 
Thanks!
     
andi*pandi
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Apr 10, 2014, 11:05 AM
 
mashable has compiled a handy list of sites that have been checked/cleared/failed:

The Heartbleed Hit List: The Passwords You Need to Change Right Now

not every site out there, but the biggies.

I just checked chase, bank of america with this tool, and they seem clear.

http://filippo.io/Heartbleed/
     
SSharon
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Apr 12, 2014, 11:24 PM
 
Would using multi-factor authentication protect you against heartbleed?
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Apr 13, 2014, 12:00 AM
 
@besson - Cloudflare has confirmed theft of private SSL keys via heartbleed.

@SSharon - the server has to know all the authentication factors in order to authenticate users. Since heartbleed does random 64K memory dumps from the server, it's hard to rule anything out. Maybe the server could store hashed responses only, or use different servers for each authentication factor. But secure web servers aren't usually set up that way. With the bug identified and fixed, now you just patch it, and get fresh SSL keys. Revoke the old of course.

I've posted an announcement here, recommending forum members change passwords. Since it's all but impossible to rule out a breach.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Apr 13, 2014, 03:18 PM
 
One question:

If I'm using two factor authentication with a site (like Google) that was deemed vulnerable, and my password for that site was unique (not used on other sites), I should be ok, right?

-t
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Apr 14, 2014, 06:17 AM
 
You should be OK for other sites' security because of the one compromised site (assuming that all your other sites are secure). But if it really is Google (or something else on the same scale) you could have a huge amount of personal information exposed - which could conceivably be used to compromise other sites. Your "ancestry dod com" stuff could be used to "recover" passwords by the intruder knowing your great aunt's maiden name, and other such mayhem.

There is no way to know what sites are actually compromised - for us or them in some cases. And there's no way to know what external services sites may have used that came from compromised servers. It's just safer to change all your passwords now. I'm not only changing all my passwords, I'm setting up an "irregular schedule" for changing them in the future. One site I use not-so-regularly requires a new password every 60 days (it's financial so that's not too extreme), but banks, credit card sites, etc. don't require that, so I'm essentially scheduling it myself. And it's irregular because there's a tiny chance that an "every 90 days" plan could be compromised by an intruder who knew the schedule and contacted a site right after my planned update and asked for a "forgotten password" reset because new passwords are easier to lose or forget than older ones.

Paranoid about computer security? ME? NO! I'm paranoid about all security. I just have the most training and experience with computer security. And on that note, I recommend not just changing passwords but incorporating a large chunk of randomness in your new passwords. I use this random password generator to create bunches of very long passwords. But since there's no way to know whether that site itself is secure, I do some "post processing." For example, you can break up the output into groups of 5 characters, and then mix and match groups to create as long a password as you want. Save the output to a removable device (I have a 1GB USB stick I do this with) and lock that puppy up when you're not using it. And I highly recommend saving the password stuff in a font that makes it abundantly clear what characters are "one" and which ones are "lower case L." Trust me, it'll save wear and tear on your stomach lining! ;D
( Last edited by ghporter; Apr 14, 2014 at 06:34 AM. )

Glenn -----OTR/L, MOT, Tx
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Apr 14, 2014, 06:37 AM
 
Oh, and I thought xkcd's explanation of how the bug works was very enlightening:

Glenn -----OTR/L, MOT, Tx
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Apr 14, 2014, 01:00 PM
 
I don't recommend getting a block of random passes from a site. The NSA has admitted recording all the traffic they can. They even record and keep encrypted (https) traffic, in case they can later break it. Instead, generate your passes entirely locally.

I use RPG myself. Exclude a few characters that look alike, set other parameters as you wish. And it's free.
     
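ghporter's post-processing (long random output, broken into groups of five, saved in a font that separates one from lower-case L) and reader50's reply (generate entirely locally, exclude look-alike characters) describe one procedure between them. The following is an added example, not code from either poster or from the RPG tool reader50 mentions: it draws every character from the OS cryptographic random source via Python's secrets module, so nothing is fetched from or sent to a web page, drops a fixed set of confusable characters, reports the resulting entropy, and formats the output in groups for transcription. The confusable set is this example's own choice, not a standard list.

```python
import math
import secrets
import string

# Characters that are easy to misread in many fonts (the "one vs lower-case L"
# problem ghporter mentions). This particular set is the example's own choice.
CONFUSABLE = set("0O1lI|5S8B2Z")


def build_alphabet(exclude=CONFUSABLE):
    """Printable ASCII minus the excluded look-alikes."""
    chars = string.ascii_letters + string.digits + string.punctuation
    return "".join(c for c in chars if c not in exclude)


def generate_password(length=20, alphabet=None):
    """Draw each character from the OS CSPRNG via secrets.choice. Nothing is
    sent anywhere, so there is no web page or network path that could record
    the result."""
    alphabet = alphabet or build_alphabet()
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def grouped(password, size=5, sep=" "):
    """Display form in blocks of `size` characters for transcription, or for
    mixing blocks between passwords as ghporter describes; the separator is
    display only and is not part of the password."""
    return sep.join(password[i:i + size] for i in range(0, len(password), size))


if __name__ == "__main__":
    alphabet = build_alphabet()
    pw = generate_password(20, alphabet)
    print(grouped(pw), f"({entropy_bits(len(pw), len(alphabet)):.0f} bits)")
```

Dropping twelve look-alike characters leaves an 82-symbol alphabet, so a 20-character password still carries about 127 bits, which is far beyond what the hash-cracking reader50 describes earlier in the thread can reach; the losses from excluding confusables are small next to the transcription errors they prevent.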
andi*pandi
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Apr 14, 2014, 02:15 PM
 
Originally Posted by ghporter
There is no way to know what sites are actually compromised - for us or them in some cases. And there's no way to know what external services sites may have used that came from compromised servers. It's just safer to change all your passwords now. I'm not only changing all my passwords, I'm setting up an "irregular schedule" for changing them in the future. One site I use not-so-regularly requires a new password every 60 days (it's financial so that's not too extreme), but banks, credit card sites, etc. don't require that, so I'm essentially scheduling it myself. And it's irregular because there's a tiny chance that an "every 90 days" plan could be compromised by an intruder who knew the schedule and contacted a site right after my planned update and asked for a "forgotten password" reset because new passwords are easier to lose or forget than older ones.

Paranoid about computer security? ME? NO! I'm paranoid about all security. I just have the most training and experience with computer security. And on that note, I recommend not just changing passwords but incorporating a large chunk of randomness in your new passwords. I use this random password generator to create bunches of very long passwords. But since there's no way to know whether that site itself is secure, I do some "post processing." For example, you can break up the output into groups of 5 characters, and then mix and match groups to create as long a password as you want. Save the output to a removable device (I have a 1GB USB stick I do this with) and lock that puppy up when you're not using it. And I highly recommend saving the password stuff in a font that makes it abundantly clear what characters are "one" and which ones are "lower case L." Trust me, it'll save wear and tear on your stomach lining! ;D
Glenn, I know your post makes sense, but frankly I glazed over somewhere around 90 day schedule. This seems like overkill for anything that isn't toptopsecret, and then, keeping track of all those passwords becomes an issue.

I've just started using 1password, and I like it, but I also still like to use my own system for passwords. If I need to log into anything using a device I don't have 1password installed on (vacation, emergency), there's no way I'll remember a 16-digit random alphabet soup.

I just changed a work gmail password. Then I wrote the password on a sticky note and walked it over to the other person who uses that account. Secure!
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Apr 14, 2014, 08:10 PM
 
Yeah, my grand rotation scheme is overkill for a single password, and it's probably overkill for most people's online presence overall. But I did say I was paranoid about security, right?

I guess I got going on passwords and just didn't stop. Sorry.

Glenn -----OTR/L, MOT, Tx
     
mattyb  (op)
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Apr 15, 2014, 07:29 AM
 
Originally Posted by andi*pandi
I just changed a work gmail password. Then I wrote the password on a sticky note and walked it over to the other person who uses that account. Secure!
Stuck to the monitor or underneath the keyboard?
     
andi*pandi
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Apr 15, 2014, 08:56 AM
 
In an envelope, of course.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Apr 15, 2014, 01:46 PM
 
What is the scenario where you need a work gmail account, have access to the cubicle down the way, but don't have access to 1pass?
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Apr 15, 2014, 01:51 PM
 
Here's a 1pass tip.

Have exactly one email account with a password you can remember.

Send yourself a copy of your 1pass keychain for storage on that email server.

There's no reason to keep this up to date. The only up to date password you need is your DropBox, so you can get to your real keychain in an emergency.

Only update that email copy when you change your DropBox password. For me, that's once a year, if that.


If I'm not mistaken, you can download 1pass on any computer for free for read purposes, so you can even access all your passwords on any given computer.
     
andi*pandi
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Apr 15, 2014, 02:15 PM
 
Originally Posted by subego
What is the scenario where you need a work gmail account, have access to the cubicle down the way, but don't have access to 1pass?
Two different scenarios. I'm not giving my work colleagues my 1pass. I have that gmail saved in 1pass, along with 2 others. I really like 1pass for remembering rarely used passwords, and it has cut down on my "remind me my password" emails. However, I still like using the memorable sentence strategy over 1lk3kg8lw94qk2z.

The being away from 1password scenario is more along the lines of: on vacation, I suddenly remember that a bill needs to be paid ASAP, or I've spent too much money on souvenirs and have to transfer some money from savings to checking. I have no laptop, my cell has no service, so stop into kinko's or rent-a-mac. They don't let you download software. If my bank password was only in 1pass, how would I pay this bill? By phone?
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Apr 15, 2014, 02:45 PM
 
You don't need cell service. It's stored locally on your phone. It only needs service for syncing.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Apr 15, 2014, 05:20 PM
 
Originally Posted by subego
Here's a 1pass tip.
I'm not sure I get it.

Why wouldn't I just remember my Dropbox password?

Then I can download (via web) the current 1PW file on any computer.

Voila.

-t
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Apr 15, 2014, 05:25 PM
 
The whole point of 1pass is not to have to remember my DropBox password.

I only remember two. My 1pass, and my master email account. I could make that three, but I can't see the reason.
     