Heartbleed PSA

Darkfoxx
Site Admin
Posts: 9655
Joined: Mon Jul 02, 2007 7:09 pm
Location: Alexandria, VA

Postby Darkfoxx » Thu Apr 10, 2014 1:17 pm

Just wanted to pass this along to you guys. Not sure if you're aware, but one of the biggest exploits (codename: Heartbleed) in recent times was found this past week with OpenSSL. Audits have revealed that the vulnerability was active for at least five months before it was discovered and published. This piece of software is responsible for the "https://" you see in your address bar when visiting a secure site.

I've been fixing vulnerable servers at work and my boss and I came across this list of sites that are still vulnerable.

https://github.com/musalbas/heartbleed- ... op1000.txt

If you use one of those sites (and even ones that are no longer vulnerable...like Google, Facebook, etc) you should change your password.

Just FYI. Knowledge is power...and all that. :thumbsup:

Jif
Jimmy Jams
Posts: 6896
Joined: Mon Feb 25, 2008 12:49 am

Re: Heartbleed PSA

Postby Jif » Thu Apr 10, 2014 2:11 pm

Darkfoxx wrote:Just wanted to pass this along to you guys. Not sure if you're aware, but one of the biggest exploits (codename: Heartbleed) in recent times was found this past week with OpenSSL. Audits have revealed that the vulnerability was active for at least five months before it was discovered and published. This piece of software is responsible for the "https://" you see in your address bar when visiting a secure site.

I've been fixing vulnerable servers at work and my boss and I came across this list of sites that are still vulnerable.

https://github.com/musalbas/heartbleed- ... op1000.txt

If you use one of those sites (and even ones that are no longer vulnerable...like Google, Facebook, etc) you should change your password.

Just FYI. Knowledge is power...and all that. :thumbsup:

That's basically every password I've ever created.


Re: Heartbleed PSA

Postby Darkfoxx » Thu Apr 10, 2014 3:18 pm

Jif wrote:That's basically every password I've ever created.

Yup.

Harness
Da Bumble
Posts: 2069
Joined: Mon Dec 10, 2007 6:13 pm

Re: Heartbleed PSA

Postby Harness » Thu Apr 10, 2014 4:22 pm

So it's stealing passwords from home PCs or from servers?
I type a bunch of shit then people go fuk themselves


Re: Heartbleed PSA

Postby Jif » Fri Apr 11, 2014 8:52 am

Harness wrote:So it's stealing passwords from home PCs or from servers?

I haven't done any research on this at all, but if it targets SSL I think it would mean it could see your usernames and passwords during your initial logon to the site. Whenever you see a website with https:// in the address, it uses encryption to protect your connection to the server so others can't steal your logon credentials. If there was a major exploit, it would mean something along that chain was vulnerable and a virus or something else could potentially see plain text usernames and passwords.

I've actually been meaning to change my Google passwords for a little bit now. Man, this is gonna be painful... my Google account is the basis of my entire online existence and I'm logged in or have it authorized in probably 30 places.


Re: Heartbleed PSA

Postby Jif » Fri Apr 11, 2014 8:59 am

FYI I see Steamcommunity.com in that list as vulnerable. Does that mean our Steam accounts themselves may be compromised?


Re: Heartbleed PSA

Postby Jif » Fri Apr 11, 2014 9:35 am

http://heartbleed.com/
great reference that answers most questions.

just spoke to a friend who's a programmer for Chase. He said it's been defcon V all week.
Last edited by Jif on Fri Apr 11, 2014 9:49 am, edited 1 time in total.


Re: Heartbleed PSA

Postby Darkfoxx » Fri Apr 11, 2014 9:41 am

Harness wrote:So it's stealing passwords from home PCs or from servers?

Anything that you have a password/account for that's accessible via the Internet. That's the best way to explain it. Been dealing with this all week...

Jif wrote:FYI I see Steamcommunity.com in that list as vulnerable. Does that mean our Steam accounts themselves may be compromised?

I would change your PW.

Re: Heartbleed PSA

Postby Jif » Fri Apr 11, 2014 9:51 am

Darkfoxx wrote:
Harness wrote:So it's stealing passwords from home PCs or from servers?

Anything that you have a password/account for that's accessible via the Internet. That's the best way to explain it. Been dealing with this all week...

Jif wrote:FYI I see Steamcommunity.com in that list as vulnerable. Does that mean our Steam accounts themselves may be compromised?

I would change your PW.

Steamcommunity.com was still listed as vulnerable. Is there an updated list anywhere? if you change your password before the site patches their OpenSSL, you're putting the fire out before the match is lit.


Re: Heartbleed PSA

Postby Jif » Fri Apr 11, 2014 10:38 am


dun dun dun... chips
Papes
Posts: 3287
Joined: Sat Oct 11, 2008 2:08 pm
Location: WOOOOOO

Re: Heartbleed PSA

Postby dun dun dun... chips » Fri Apr 11, 2014 11:35 am

imo, this should've been done as hush-hush as possible until the bug is fixed. All this attention before it's actually fixed just gives people with black hearts the time to learn and fuck shit up.
Should've fixed it first, tried to keep it under the radar as much as possible, then after the exploit is done said hey, we just fixed this shit, probably want to change your passwords.

Re: Heartbleed PSA

Postby Darkfoxx » Fri Apr 11, 2014 12:29 pm

Jif wrote:Steamcommunity.com was still listed as vulnerable. Is there an updated list anywhere? if you change your password before the site patches their OpenSSL, you're putting the fire out before the match is lit.

That's why I haven't changed it yet :P

dun dun dun... chips wrote:imo, this should've been done as hush-hush as possible until the bug is fixed. All this attention before it's actually fixed just gives people with black hearts the time to learn and fuck shit up.
Should've fixed it first, tried to keep it under the radar as much as possible, then after the exploit is done said hey, we just fixed this shit, probably want to change your passwords.

Agreed.

Tin foil hat time... So my boss and I were reading how this could have been related to XP being EOL this week. Something about a former Microsoft exec being the founding member of the group who "exposed" this vulnerability.

Re: Heartbleed PSA

Postby dun dun dun... chips » Fri Apr 11, 2014 1:26 pm

Darkfoxx wrote:Tin foil hat time... So my boss and I were reading how this could have been related to XP being EOL this week. Something about a former Microsoft exec being the founding member of the group who "exposed" this vulnerability.

Tell me more. You've piqued my curiosity.

Re: Heartbleed PSA

Postby Jif » Fri Apr 11, 2014 2:36 pm

dun dun dun... chips wrote:
Darkfoxx wrote:Tin foil hat time... So my boss and I were reading how this could have been related to XP being EOL this week. Something about a former Microsoft exec being the founding member of the group who "exposed" this vulnerability.

Tell me more. You've piqued my curiosity.

I also read that one of Google's security guys found it, too. Google has had this patched since before it was widely exposed. I changed my Google and Facebook passwords this morning. I'll wait for Valve to update Steam, but I'm not overly worried since they have the Steam authentication system in place.


Re: Heartbleed PSA

Postby Harness » Fri Apr 11, 2014 8:08 pm

Jif wrote:http://heartbleed.com/
great reference that answers most questions.

just spoke to a friend who's a programmer for Chase. He said it's been defcon V all week.



Defcon 5 would mean no immediate threat. Defcon 1 would be nuclear war is upon us.