
Heartbleed bug


J4MES OX4D


So this is actually really huge to be honest.

This is the best explanation for how it works.

 

heartbleed_explanation.png

 

It might not seem like it's all that big of a deal, but it really is. This site here uses OpenSSL, most sites use OpenSSL. When I say most, the current estimate is upwards of 60% of the world's websites.

 

Does this mean you need to worry about your banking passwords and online bill payment crap? Truthfully, yes you do. 

Does this mean you need to run out and change all your passwords right now? No it doesn't, and here is why. This is NOT a quick fix, this is a huge endeavor, this is a huge amount of work, and most websites are not being open about how and when they are dealing with this issue.

 

Your best course of action here is to monitor all of your various accounts very closely for the next month. Take action as needed to keep yourself safe.

 

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

 

That is a list of what we know as of yesterday was affected and what the companies are doing about it. Seriously, take the time to research it and see how it impacts you.

 

Again, this is a worldwide issue, not just local to the US.

 

Lastly, think about the Pandora's box that was opened by announcing this. How many blackhatters out there didn't know about this, but as soon as it was announced, decided to jump on it and start scooping up all the data they could because companies are in a panic?

Luke 23:34
'And Jesus said, "Father, forgive them, for they don't think it be like it is, but it do."


Here's my question, this isn't something new, it's been there for a while? So they already will have your info if they wanted it right? Your banking numbers and such.

Well, maybe

 

the problem here is guessing how many actually knew about it BEFORE the media posted it everywhere.

Luke 23:34
'And Jesus said, "Father, forgive them, for they don't think it be like it is, but it do."


Maybe this will get people up in arms?

 

 

It is one thing for the NSA to spy on everyone in the world, especially US citizens because all of them are obviously potential "terrorizers" just waiting for their opportunity to blow shit up (except for anything in close proximity to the Boston marathon - those things the NSA promptly filters out), but when the NSA itself is found to have not only known and itself abused the prevalent and widespread Heartbleed bug, but left consumers exposed, then it may be time to finally launch a class action lawsuit against Obama's favorite means of eavesdropping on the entire world.

From Bloomberg:

 
 

NSA SAID TO EXPLOIT HEARTBLEED BUG FOR INTELLIGENCE FOR YEARS

 

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

And the punchline:

 
 

NSA SAID TO HAVE USED HEARTBLEED BUG AND LEFT CONSUMERS EXPOSED

 

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

 

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

More:

 
 

The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

 

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility. If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

 

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

 

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

 

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

 

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

Thank you NSA, for once again showing that you are from the government and are there to "help" and of course "protect" everyone.

How much more abuse from the government can the (granted mostly obese) US population take before it finally snaps?

 

 

ah, who am I kidding.

Keep calm and question nothing.


So, am I right in saying there's no point in changing your password, etc until the website you're using says its server has been patched?

 

Also, should we just be worried about the ones where we make financial transactions?



Thanks to Capn_Underpants for the artwork


So, am I right in saying there's no point in changing your password, etc until the website you're using says its server has been patched?

 

Also, should we just be worried about the ones where we make financial transactions?

 

Personally, I changed all of mine that I knew were affected by this.

 

It's a huge PITA, but better to be safe than sorry.

Luke 23:34
'And Jesus said, "Father, forgive them, for they don't think it be like it is, but it do."


Not really sure what to say here to be honest.

--------------

Does this mean you need to worry about your banking passwords and online bill payment crap? Truthfully, yes you do. 

Does this mean you need to run out and change all your passwords right now? No it doesn't, and here is why. This is NOT a quick fix, this is a huge endeavor, this is a huge amount of work, and most websites are not being open about how and when they are dealing with this issue.

 

Your best course of action here is to monitor all of your various accounts very closely for the next month. Take action as needed to keep yourself safe.

-------------

 

I keep falling back to that as my stance.

 

Most websites are not being really forthcoming on if they are affected or not. There have been two posted lists so far for websites that are being proactive in all this crap. IF you have anything with any of them, then yes change your passwords.

 

If not, then fall back to my post above:

Monitor and change in about 2-3 weeks or so.

 

The big takeaway here (and honestly after the way a few other companies have been hacked in the last few months, this should be your permanent stance), is to NOT trust any of these companies to protect you or give you information on what's what.

Luke 23:34
'And Jesus said, "Father, forgive them, for they don't think it be like it is, but it do."


Sorry I couldn't be more help man, it's a really shitty situation for everyone to be honest.

Luke 23:34
'And Jesus said, "Father, forgive them, for they don't think it be like it is, but it do."
