[personal profile] thorfinn
Please Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1], possibly 2/3rds of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publicly announced on 7th of April 2014.

Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed

and enter the website name without the http or https bit, to check if the service is vulnerable.

If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more thorough SSL test, go here: https://www.ssllabs.com/ssltest/index.html

If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.

Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.

Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.

If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.

If you have too many sites to check them all, you might want to prioritise. Here's [personal profile] skud on why You don’t need to change all your passwords.

You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html

ETA: A "big sites" hitlist of who you *should* change your passwords with: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April: https://github.com/musalbas/heartbleed-masstest/blob/b72a87558bfe37cd40327ec8b72386a2a2b99c69/README.md#627-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc

(no subject)

Date: 2014-04-10 05:57 (UTC)
From: [personal profile] rbarclay
FYI, 'ork did a scan over a whole ccTLD, and found that around 1/3 of SSL-enabled websites were vulnerable - probably depends on how the market is working in a specific area (large hosters etc.).
Some usual suspects are doing /0 scans over the whole IPv4 space, but those are still ongoing AFAIK.

(no subject)

Date: 2014-04-10 14:32 (UTC)
From: [personal profile] rbarclay
Biggest up to now. http://xkcd.com/1353/ - first panel.

And I guesstimate we'll feel the heartbleeding love for the next couple years in the usual long tail.

(no subject)

Date: 2014-04-11 19:54 (UTC)
From: [personal profile] rbarclay
No month, not even a week. 'ork's been doing mass scans (everything geolocated in .at) since Wednesday, at least one local consulting gig started doing the same yesterday (currently ~4% of all https-running IP-addresses in Austria is vulnerable, BTW). At least 3 global outfits are doing /0 scans, plus at least 2 German universities.
A large-ish gov IT-supplier has seen a couple hundred attempts just today, only a handful of which are from said research/consulting companies.
And even my wimpy detector (based on http://www.securityfocus.com/archive/1/531779 ), which just has a /25+/26 routed to it, has been seeing ~300 hits since yesterday - sources so distributed through the world that it's very likely to be botnet-based.

I conclude that this is already in mass use. I'm just waiting for the folks setting up proper honeypots to speak up as to usable numbers.
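The detectors rbarclay describes work on the one observable property of a Heartbleed probe: a TLS heartbeat request whose declared payload_length cannot possibly fit inside the record that carried it (that mismatch is what makes an unpatched OpenSSL copy extra process memory into its reply, which is how the "snooped on" damage in the post happens). As an added example, not code from the post, from rbarclay's detector or from the securityfocus signature linked above, here is a Python record inspector that applies that check to a captured byte stream. The record and heartbeat layouts follow RFC 6520 and the bound is the same one OpenSSL's fix enforces (type + length + payload + 16 bytes of minimum padding must fit the record); the sample stream is constructed inline, and the `Finding` class and function names are this example's own.

```python
"""Inspect TLS records for Heartbleed-style heartbeat probes (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
TLS_HEARTBEAT = 0x18   # TLS record content type: heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16       # RFC 6520: padding MUST be at least 16 bytes


@dataclass
class Finding:
    offset: int          # byte offset of the record in the stream
    kind: str            # "ok", "malformed" or "truncated"
    payload_length: int  # payload_length the heartbeat claims (-1 if unreadable)
    record_length: int   # bytes the record actually carried


def parse_records(data: bytes) -> Iterator[Tuple[int, int, bytes, bool]]:
    """Yield (offset, content_type, fragment, truncated) for each TLS record.

    A record header is content_type(1) version(2) length(2). If the stream ends
    before `length` fragment bytes are present, the record is reported as
    truncated and parsing stops, since later offsets cannot be trusted.
    """
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) < length:
            yield off, ctype, frag, True
            return
        yield off, ctype, frag, False
        off += 5 + length


def inspect_heartbeats(data: bytes) -> List[Finding]:
    """Flag heartbeat records whose declared payload cannot fit the record."""
    findings: List[Finding] = []
    for off, ctype, frag, truncated in parse_records(data):
        if ctype != TLS_HEARTBEAT:
            continue                      # only heartbeat records matter here
        if truncated:
            findings.append(Finding(off, "truncated", -1, len(frag)))
            continue
        if len(frag) < 3:                 # not even type + payload_length
            findings.append(Finding(off, "malformed", -1, len(frag)))
            continue
        _hb_type, payload_length = struct.unpack("!BH", frag[:3])
        # The bound a patched OpenSSL applies before answering a heartbeat:
        # 1 (type) + 2 (payload_length) + payload + 16 (min padding) <= record.
        if 1 + 2 + payload_length + MIN_PADDING > len(frag):
            findings.append(Finding(off, "malformed", payload_length, len(frag)))
        else:
            findings.append(Finding(off, "ok", payload_length, len(frag)))
    return findings


def build_heartbeat_record(hb_type: int, payload_length: int, payload: bytes,
                           padding: bytes = b"\x00" * MIN_PADDING,
                           version: int = 0x0302) -> bytes:
    """Build one TLS heartbeat record (used only to construct test input)."""
    body = struct.pack("!BH", hb_type, payload_length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def demo() -> List[Finding]:
    """Run the inspector over a constructed three-record stream."""
    # Constructed sample: a handshake record (ignored), a well-formed heartbeat
    # request whose payload_length matches its 4-byte payload, and a request
    # that claims 0x4000 payload bytes while carrying none.
    stream = (
        struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, 4) + b"\x01\x00\x00\x00"
        + build_heartbeat_record(HB_REQUEST, 4, b"ping")
        + build_heartbeat_record(HB_REQUEST, 0x4000, b"")
    )
    return inspect_heartbeats(stream)


if __name__ == "__main__":
    for f in demo():
        print(f"offset={f.offset:4d} {f.kind:9s} "
              f"claimed={f.payload_length} carried={f.record_length}")
```

The check is deliberately the mirror image of the server-side fix rather than a version fingerprint, so it does not depend on which OpenSSL build is on the far end; it fires on the probe itself. In practice it only sees heartbeat records that are still in the clear (those sent before the handshake finishes), which is exactly the traffic the mass scans in the comments generate; a heartbeat inside an established, encrypted session cannot be inspected this way without the session keys.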
