Author Topic: Heartbleed Bug (Read 3566 times)

MoGro17 · « **on:** April 10, 2014, 04:20:23 PM »

I'm wondering why there is no discussion from the techies here about the heartbleed bug. (I've seen some places call it a bug and others call it a virus.) Call it what you will, A LOT of websites used OpenSSL for encryption and it seems that the "secure" info has really been accessible to bad people all this time.

MoGro17 · « **Reply #1 on:** April 10, 2014, 04:25:42 PM »

This link kinda helps explain what happened and what it means.
p.s. also known as "heart bleed".

http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

Also, This link takes you to the official, technical description of the bug.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Achas Veachas · « **Reply #2 on:** April 11, 2014, 12:25:31 AM »

DanH · « **Reply #3 on:** April 11, 2014, 01:37:49 AM »

Good article:
http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/

yitzf · « **Reply #4 on:** April 11, 2014, 02:02:14 AM »

Was mentioned here

Quote from: whYME on April 09, 2014, 12:57:27 AM

http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/

But deserves its own thread nevertheless.

yitzf · « **Reply #5 on:** April 11, 2014, 02:24:11 AM »

Explained very well in this video (8:30 min)

HT: Krebs

AnonymousUser · « **Reply #6 on:** April 11, 2014, 09:35:07 AM »

Or a little shorter here: http://xkcd.com/1354/

Achas Veachas · « **Reply #7 on:** April 11, 2014, 09:45:27 AM »

Quote from: AnonymousUser on April 11, 2014, 09:35:07 AM

Or a little shorter here: http://xkcd.com/1354/

Beat me to it

MoGro17 · « **Reply #8 on:** April 11, 2014, 10:38:16 AM »

so we're all just sitting tight until we know that the leak has been sealed and then we change all our passwords and CC #s?

TOR says to stay away from the internet for a while, so....

AnonymousUser · « **Reply #9 on:** April 11, 2014, 10:38:17 AM »

Quote from: Achas Veachas on April 11, 2014, 09:45:27 AM

Beat me to it

LOL. What percentage of DDF do you think reads xkcd?

MoGro17 · « **Reply #10 on:** April 11, 2014, 10:39:20 AM »

p.s. TOR = The Onion Router

Google it.

AnonymousUser · « **Reply #11 on:** April 11, 2014, 10:57:58 AM »

Quote from: MoGro17 on April 11, 2014, 10:38:16 AM

so we're all just sitting tight until we know that the leak has been sealed and then we change all our passwords and CC #s?

TOR says to stay away from the internet for a while, so....

Take a look at this article: This List Reveals the Heartbleed-Affected Passwords to Change Now.

Here is an article written by one of the Wunderlist engineers about how they dealt with the issue. Highly technical, but interesting nonetheless.

Achas Veachas · « **Reply #12 on:** April 11, 2014, 11:39:35 AM »

Quote from: AnonymousUser on April 11, 2014, 10:38:17 AM

LOL. What percentage of DDF do you think reads xkcd?

There are a few, I'm really religious about it

But if you search you should find the big offenders...

yitzf · « **Reply #13 on:** April 11, 2014, 12:25:45 PM »

If you have LastPass you can go to your vault and on the left side click on security check, and it will give you a list of your websites that are affected, and which ones you should change passwords now and which ones you should wait.

I only had six sites affected out of over 200.

Moshe123 · « **Reply #14 on:** April 11, 2014, 03:09:33 PM »

And the government says hahahaha....

http://mobile.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

sky121 · « **Reply #15 on:** April 11, 2014, 05:08:16 PM »

Is there anything to do about it at the moment or are we all just waiting for a patch from Google?

Joe4007 · « **Reply #16 on:** April 11, 2014, 05:16:00 PM »

Quote from: sky121 on April 11, 2014, 05:08:16 PM

Is there anything to do about it at the moment or are we all just waiting for a patch from Google?

According to that list, Google already has a patch.

sky121 · « **Reply #17 on:** April 11, 2014, 05:17:06 PM »

Quote from: Joe4007 on April 11, 2014, 05:16:00 PM

According to that list, Google already has a patch.

Sorry, I meant from Android. A patch for our phones.

Joe4007 · « **Reply #18 on:** April 11, 2014, 05:20:23 PM »

Quote from: sky121 on April 11, 2014, 05:17:06 PM

Sorry, I meant from Android. A patch for our phones.

Not sure I'm following. Where is your phone connected to via open SSL that you would need a patch?

sky121 · « **Reply #19 on:** April 11, 2014, 05:20:52 PM »

It seems like many sites have patched their sites. How come they haven't recommended for their users to change their passwords?