
Heartbleed PSA

Posted: Thu Apr 10, 2014 1:17 pm
by Darkfoxx
Just wanted to pass this along to you guys. Not sure if you're aware, but one of the biggest exploits (codename: Heartbleed) in recent times was found this past week with OpenSSL. Audits have revealed that the vulnerability was active for at least five months before it was discovered and published. This piece of software is responsible for the "https://" you see in your address bar when visiting a secure site.

I've been fixing vulnerable servers at work and my boss and I came across this list of sites that are still vulnerable.

https://github.com/musalbas/heartbleed- ... op1000.txt

If you use one of those sites (and even ones that are no longer vulnerable...like Google, Facebook, etc) you should change your password.

Just FYI. Knowledge is power...and all that. :thumbsup:
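An added example, not part of the original post or of OpenSSL itself: a simplified model of the TLS heartbeat handler that shows the Heartbleed bug (CVE-2014-0160) as a missing bounds check, beside the corrected check. The message layout and the 16-byte minimum padding follow RFC 6520, and the shape of the fix follows the OpenSSL 1.0.1g patch; the function names, the single "arena" standing in for the server heap and the sample secret are assumptions made for illustration.

```c
/* Added example: Heartbleed as a missing length check (not OpenSSL code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Heartbeat message (RFC 6520):
 *   type(1) || payload_length(2, big-endian) || payload || padding(>=16)
 * Both handlers echo the payload into `out` and return the response length,
 * or -1 if the message is dropped. */

/* Vulnerable shape: the number of bytes to echo comes from the peer-supplied
 * length field and is never compared with the bytes actually received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = (size_t)(rec[1] << 8 | rec[2]);
    if (3 + payload_len + HB_PADDING > out_cap)
        return -1;                          /* only the output side is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* over-reads when payload_len > rec_len - 3 */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Fixed shape: header + declared payload + minimum padding must fit inside
 * the record that was really received; otherwise the message is discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = (size_t)(rec[1] << 8 | rec[2]);
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;                          /* the length field lies: drop it */
    if (3 + payload_len + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Constructed scenario (assumption): one 256-byte arena stands in for the
 * server heap. The record fills the first 21 bytes and claims a 64-byte
 * payload while carrying 2; a secret happens to sit at offset 40. Keeping
 * both inside one array is what makes the over-read observable here without
 * undefined behaviour; on a real server the neighbour is whatever the
 * allocator placed there. */
#define ARENA_SIZE 256
#define SECRET_OFF 40
static const char SECRET[] = "password=hunter2";   /* constructed sample */

static size_t build_arena(unsigned char *arena)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;   /* declared payload length: 64 */
    arena[3] = 'h';  arena[4] = 'i';    /* actual payload: 2 bytes, then 16 zero padding */
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET - 1);
    return 3 + 2 + HB_PADDING;          /* bytes really received: 21 */
}

/* Returns 1 if the vulnerable handler echoes the neighbouring secret, else 0. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena);
    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    if (n < 0) return 0;
    /* out[i] mirrors arena[i] for 3 <= i < 67, which covers offset 40 */
    return n > SECRET_OFF + (int)(sizeof SECRET - 1) &&
           memcmp(out + SECRET_OFF, SECRET, sizeof SECRET - 1) == 0;
}

/* Returns the fixed handler's verdict on the same lying record (-1 = dropped). */
int fixed_handler_result(void)
{
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

/* Returns the fixed handler's response length for an honest 2-byte payload. */
int fixed_handler_honest(void)
{
    unsigned char rec[3 + 2 + HB_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char out[64];
    return heartbeat_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler on lying record:   %d\n", fixed_handler_result());
    printf("fixed handler on honest record:  %d bytes\n", fixed_handler_honest());
    return 0;
}
```

The point the thread circles around follows from the vulnerable branch: nothing the client does can stop a patched-or-not server from echoing its own memory, so a password changed before the server is fixed can simply be read out again.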

Re: Heartbleed PSA

Posted: Thu Apr 10, 2014 2:11 pm
by Jif
Darkfoxx wrote:Just wanted to pass this along to you guys. Not sure if you're aware, but one of the biggest exploits (codename: Heartbleed) in recent times was found this past week with OpenSSL. Audits have revealed that the vulnerability was active for at least five months before it was discovered and published. This piece of software is responsible for the "https://" you see in your address bar when visiting a secure site.

I've been fixing vulnerable servers at work and my boss and I came across this list of sites that are still vulnerable.

https://github.com/musalbas/heartbleed- ... op1000.txt

If you use one of those sites (and even ones that are no longer vulnerable...like Google, Facebook, etc) you should change your password.

Just FYI. Knowledge is power...and all that. :thumbsup:

That's basically every password I've ever created.

Re: Heartbleed PSA

Posted: Thu Apr 10, 2014 3:18 pm
by Darkfoxx
Jif wrote:thats basically every password i've ever created

Yup.

Re: Heartbleed PSA

Posted: Thu Apr 10, 2014 4:22 pm
by Harness
So it's stealing passwords from home PC's or from servers?

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 8:52 am
by Jif
Harness wrote:So it's stealing passwords from home PC's or from servers?

I haven't done any research on this at all, but if it targets SSL I think it would mean it could see your usernames and passwords during your initial logon to the site. Whenever you see a website with https:// in the address, it uses encryption to protect your connection to the server so others can't steal your logon credentials. If there was a major exploit, it would mean something along that chain was vulnerable and a virus or something else could potentially see plain text usernames and passwords.

I've actually been meaning to change my Google passwords for a little bit now. Man, this is gonna be painful... my Google account is the basis of my entire online existence and I'm logged in or have it authorized in probably 30 places.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 8:59 am
by Jif
FYI, I see Steamcommunity.com in that list as vulnerable. Does that mean our Steam accounts themselves may be compromised?

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 9:35 am
by Jif
http://heartbleed.com/
great reference that answers most questions.

just spoke to a friend who's a programmer for Chase. He said it's been defcon V all week.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 9:41 am
by Darkfoxx
Harness wrote:So it's stealing passwords from home PC's or from servers?

Anything that you have a password/account for that's accessible via the Internet. That's the best way to explain it. Been dealing with this all week...

Jif wrote:FYI i see Steamcommunity.com in that list as vulnerable. does that mean our steam accounts themselves may be compromised?

I would change your PW.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 9:51 am
by Jif
Darkfoxx wrote:
Harness wrote:So it's stealing passwords from home PC's or from servers?

Anything that you have a password/account for that's accessible via the Internet. That's the best way to explain it. Been dealing with this all week...

Jif wrote:FYI i see Steamcommunity.com in that list as vulnerable. does that mean our steam accounts themselves may be compromised?

I would change your PW.

Steamcommunity.com was still listed as vulnerable. Is there an updated list anywhere? If you change your password before the site patches their OpenSSL, you're putting the fire out before the match is lit.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 10:38 am
by Jif

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 11:35 am
by dun dun dun... chips
IMO, this should've been done as hush-hush as possible until the bug is fixed. All this attention before it's actually fixed just gives people with black hearts the time to learn and fuck shit up.
Should've fixed it first, tried to keep it under the radar as much as possible, then after the exploit is done said "hey, we just fixed this shit, probably want to change your passwords."

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 12:29 pm
by Darkfoxx
Jif wrote:Steamcommunity.com was still listed as vulnerable. Is there an updated list anywhere? if you change your password before the site patches their OpenSSL, you're putting the fire out before the match is lit.

That's why I haven't changed it yet :P

dun dun dun... chips wrote:imo, this shouldve been done as hush-hush as possible until the bug is fixed. all this attention before its actually fixed just gives people with black hearts the time to learn and fuck shit up.
shouldve fixed it first, tried to keep it under the radar as much as possible, then after the exploit is done said hey, we just fixed this shit, probably want to change your passwords.

Agreed.

Tin foil hat time... So my boss and I were reading how this could have been related to XP being EOL this week. Something about a former Microsoft exec being the founding member of the group who "exposed" this vulnerability.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 1:26 pm
by dun dun dun... chips
Darkfoxx wrote:Tin foil hat time... So my boss and I were reading how this could have been related to XP being EOL this week. Something about a former Microsoft exec being the founding member of the group who "exposed" this vulnerability.

Tell me more. You've piqued my curiosity.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 2:36 pm
by Jif
dun dun dun... chips wrote:
Darkfoxx wrote:Tin foil hat time... So my boss and I were reading how this could have been related to XP being EOL this week. Something about a former Microsoft exec being the founding member of the group who "exposed" this vulnerability.

tell me more. youve piqued my curiosity.

I also read that one of Google's security guys found it, too. Google has had this patched since before it was widely exposed. I changed my Google and Facebook passwords this morning. I'll wait for Valve to update Steam, but I'm not overly worried since they have the Steam authentication system in place.

Re: Heartbleed PSA

Posted: Fri Apr 11, 2014 8:08 pm
by Harness
Jif wrote:http://heartbleed.com/
great reference that answers most questions.

just spoke to a friend who's a programmer for Chase. He said it's been defcon V all week.

Defcon 5 would mean no imminent threat. Defcon 1 would be nuclear war is upon us.