Thread: Heartbleed. Board: Oblivion / Ship of Fools.
To visit this thread, use this URL:
http://forum.ship-of-fools.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=70;t=027049
Posted by luvanddaisies (# 5761) on
:
Heartbleed
Do we all need to change all our online passwords (or at least soonish, once security patches have been sewn on)?
Is it something that was inevitable, maybe caused by the big websites relying on a little group of part-time programmers rather than spending money on it?
How much do we need to worry? What's caused it?
Are there interesting technical things about it?
I know virtually nothing about the Heartbleed security flaw. I'm interested to know more, and I'm pretty sure there'll be people here who do, and who have opinions on how to protect oneself (and how websites could have protected themselves) against it, and what could have been done to prevent it.
Is it the end of the world, or a minor blip?
Was it inevitable or could nobody have predicted it?
Should everyone be changing their passwords now, in a week or so, or not bother?
Posted by Taliesin (# 14017) on
:
Chris Evans said change your password, so I did.
Guess I'll change them again next week...
So tempted to just give up on internet.
Posted by Higgs Bosun (# 16582) on
:
Bruce Schneier, who knows a thing or two about computers and security says that quote:
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Attacks on affected systems are undetectable. While the attacker cannot deliberately target information - the attack gives access to some random chunk of computer memory - those who have tried it on their systems have found passwords and encryption keys being returned. The flaw has been around for a couple of years, and we just don't know if malicious folk have known about it for any time before it was reported at the start of this week.
Of course, after Snowden, there are those who will say this is an NSA plant.
Change your passwords? Probably a good idea (when the service has been fixed - test it here)
I write as someone who works for a software company which has OpenSSL in its products, and has been working hard for the last few days to get updated versions of our software out to customers.
One advantage of open source software like OpenSSL is that such bugs do get out in the open. If something like this was found by a proprietary vendor, they would have tried to keep it quiet. As a result we would have been vulnerable and not known it.
Posted by Jay-Emm (# 11411) on
:
quote:
Originally posted by luvanddaisies:
Are there interesting technical things about it?
A pretty picture (in the style of your sewing patches) of what actually goes on*
Imagine we're pen pals, but rather disconnected. To check we're still alive we've agreed for me to send letters to you (the heartbeat), you put them to one side and when you're ready you send them back.
"Hello, L&D, I've sent you 3 pages of letters"
"[page 1] what I did in my hols"
"[page 2] about the children's 13452 A** GCSEs"
"[page 3] etc.. "
(I'm not fully sure what the benefit of the extra pages is, it might be so that the other messages don't stand out)
The problem arises if my message doesn't add up, and you aren't careful where you put my pages.
"Hello, L&D, I've sent you 5 pages of letters"
"[page 1]"
"Your bank statement" (whoops, you shouldn't have sent that)
Not sure about the implications on our level, if it was a total accident (which as your article points out is quite likely) it depends if bad guys have managed to find this first and how long they've had (the reports suggest it hasn't taken long to get valuable data from e.g. yahoo, so really any time is bad news). Now definitely companies need to get fixing last week...but I don't think we'll ever know if it really was an 11.
If it was deliberate (which needn't be the intention of the person who actually committed it, he had supervisors) then someone's had the full two years, plus other bad guys may have done the first.
I suspect after waiting, once having changed the passwords and being vigilant. The problem isn't really ours. But don't really know.
*assuming the accounts I've read elsewhere are accurate.
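The pen-pal story above in code, as an added example (not the thread's or OpenSSL's own code): a toy heartbeat record laid out as in RFC 6520 (type byte, two-byte length, payload, padding), a handler that believes the stated page count, and a handler that checks it against what actually arrived, which is the kind of check the fix added. The "bank statement" in adjacent memory is constructed for the demo.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed "process memory" sitting right after the record: unrelated data
# that should never leave the server (the bank statement in the story).
SECRET_NEIGHBOUR = b"bank statement: acct 00-00-00 balance 1234.56"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat record; claimed_len may disagree with len(payload)."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len)
    return header + payload + b"\x00" * PADDING


def vulnerable_reply(memory: bytes, record_len: int) -> bytes:
    """Trusts the length field and echoes that many bytes from the payload start.
    record_len is ignored, which is exactly the problem: the copy can run past
    the end of the record into whatever lies next to it in memory."""
    _, claimed_len = struct.unpack("!BH", memory[:3])
    return memory[3:3 + claimed_len]


def fixed_reply(memory: bytes, record_len: int) -> Optional[bytes]:
    """Silently drops the record if the claimed payload cannot fit inside it."""
    if record_len < 1 + 2 + PADDING:            # too short to hold even an empty heartbeat
        return None
    _, claimed_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed_len + PADDING > record_len:
        return None                             # "5 pages" but only 3 arrived: reject
    return memory[3:3 + claimed_len]


def demo(claimed_len: int) -> Tuple[bytes, Optional[bytes]]:
    """Send a 5-byte payload with the given claimed length through both handlers."""
    record = build_heartbeat(b"hello", claimed_len)
    memory = record + SECRET_NEIGHBOUR          # constructed adjacent memory
    return vulnerable_reply(memory, len(record)), fixed_reply(memory, len(record))


if __name__ == "__main__":
    print("honest length   :", demo(5))
    print("dishonest length:", demo(40))
```

With the honest count both handlers return `hello`; with the inflated count the trusting handler's reply carries the padding and the start of the neighbouring "bank statement", while the checking handler returns nothing.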
Posted by *Leon* (# 3377) on
:
Jay-Emm: Brilliant description of the issue
(But here's an explanation with pictures for people who like pictures.)
This is a good time to suggest that people use things like lastpass. It lets you keep track of very strong and completely unmemorable passwords. I strongly recommend it.
luvanddaisies:
A lot of the people working on OpenSSL are in fact working for big companies and being paid to work on OpenSSL. Basically a lot of companies need a real OpenSSL expert, and the best way of getting someone who really knows their stuff is to pay someone to work on it. They can also look for bugs themselves instead of relying on the people who write it; in this case the bug was found by a Google employee who doesn't work on OpenSSL (but there are Google employees who do work on OpenSSL) This model seems to work, in that it creates a better product than you can get by directly buying software.
It's inevitable that things like this will happen because humans make mistakes. This is a bad one, but I'd still say that OpenSSL is usually the best security package for most applications. The advice 'Use OpenSSL and trust it' will still solve far more problems than it creates.
And the good thing about using something like OpenSSL is that when there's a problem, you find out the details. Here we are on a religious discussion forum, and several people really understand what happened. With proprietary software, what we'd know about the problem would be a short statement cleared by marketing and PR.
Posted by Drifting Star (# 12799) on
:
Adding to the questions rather than the answers here I'm afraid.
As soon as I read the news item about Heartbleed I changed all my passwords that were protecting important stuff, on the basis that it's rarely a bad thing to do. I then checked the relevant sites using the filippo test link. Most of the results were inconclusive, but one found a definite problem, and reported back with a sample of the info they had obtained (so clearly I will be changing that password again soon).
However, when I logged onto that site this morning there was a message saying that they take security very seriously, and there was never a threat to any of their customers.
Can this be true?
Posted by *Leon* (# 3377) on
:
Drifting star:
Based on what you've said, it's possible that what they say is true. For instance, the front-end server may have been vulnerable, but it's possible that they have good reasons to know that no interesting information was on that server and no interesting servers were vulnerable. For instance, lastpass responded saying that they had been 'vulnerable' but it made no difference in practice.
It's also possible that what they say is not true (either because they've made a mistake, they're being more optimistic than they should be, or because they're lying). But I'd need more information to say with certainty.
I find the statement 'we take security very seriously' less than completely reassuring; it's the sort of thing that a PR person would say, not the sort of thing a cryptographer would say. But it's not cause to panic on its own.
Posted by Drifting Star (# 12799) on
:
Thanks *Leon*. They're an organisation I'm inclined to trust, and if they were lying it could be truly catastrophic for them.
Posted by Jay-Emm (# 11411) on
:
quote:
Originally posted by *Leon*:
Jay-Emm: Brilliant description of the issue
(But here's an explanation with pictures for people who like pictures.)
Oh thanks (in all honesty the technical details I posted had been cribbed from the xkcd forum post discussing the cartoon before, or links from it).
My homely spin is original I think (although it's pretty much reusing the Alice&Bob metaphor).
Posted by no prophet (# 15560) on
:
I tested every web service I use. Only one failed and it was not a site dealing with financial info.
Posted by no prophet (# 15560) on
:
The Programmer Behind Heartbleed Speaks Out: It Was an Accident
quote:
Programmer Robin Seggelmann says he wrote the code for the part of OpenSSL that led to Heartbleed. But it was an accident. He submitted the code to the OpenSSL project and other members reviewed it. Seggelmann later added another piece of code for a new feature, which the members then added. It was this added feature that introduced the bug.
The bug went up in Dec 2011. You can test websites here: heartbleed test
Posted by Crœsos (# 238) on
:
quote:
Originally posted by Higgs Bosun:
Of course, after Snowden, there are those who will say this is an NSA plant.
That is not a totally unrealistic concern. For example:
quote:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
<snip>
The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.
The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.
The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.
At least part of the NSA's mission is supposed to be protecting American internet users from cyber-attack. At some point you'd think this would occur to them after discovering a massive security vulnerability.
Posted by mousethief (# 953) on
:
quote:
Originally posted by Crœsos:
The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter
Warning! Warning! Anonymous source alert. From Bloomberg, who can't possibly have any reason to attack Obama through the NSA, but still.
Posted by JFH (# 14794) on
:
quote:
Originally posted by mousethief:
quote:
Originally posted by Crœsos:
The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter
Warning! Warning! Anonymous source alert. From Bloomberg, who can't possibly have any reason to attack Obama through the NSA, but still.
I'm pretty sure that given how non-anonymous sources (Snowden, Manning) have been treated in Obama's America, the days of Ellsbergs and other public sources are over for now.
Posted by bib (# 13074) on
:
I was having problems with emails in that for about one week I received no emails even though I was expecting them. Took my computer to the computer hospital and they found some low life had hacked into my email set up with an instruction to only deliver emails to my inbox if they included the word 'f...'. Any emails sent to me in this period are now lost forever. The technician felt that this was part of the heartbleed attack. I have now made everything much more secure with a very strong password.
Posted by Mad Geo (# 2939) on
:
"Do we all need to change all our online passwords?"
Yes. IT security experts are saying this was an 11 on a 10 scale.
But more importantly, one should do it anyway, fairly regularly, and use a hard password. One that involves letters, numbers, caps, and special characters. Longer is better.
Posted by Sioni Sais (# 5713) on
:
quote:
Originally posted by Mad Geo:
"Do we all need to change all our online passwords?"
Yes. IT security experts are saying this was an 11 on a 10 scale.
But more importantly, one should do it anyway, fairly regularly, and use a hard password. One that involves letters, numbers, caps, and special characters. Longer is better.
In short, the harder it is to remember, the better it is.
Posted by Cartmel Veteran (# 7049) on
:
If you can remember a password - it's not good enough.
There are plenty of good password programs to help you manage and use passwords. Lastpass is very popular. I use KeePass on my PC and Android devices.
I have hundreds of passwords, all very complex, all different. I couldn't tell you a single one of them. I just have one master password I use to access the KeePass encrypted database.
For those who think this kind of thing is too complex for them - it's easier than having to remember two passwords. If you have to remember at least two passwords now, then make the change to a password program.
Posted by M. (# 3291) on
:
I'm completely un-techie, but one thing I've never understood about password keepers is, how are they more secure than other websites/programs?
M.
[ 17. April 2014, 16:20: Message edited by: M. ]
Posted by Cartmel Veteran (# 7049) on
:
quote:
Originally posted by M.:
I'm completely un-techie, but one thing I've never understood about password keepers is, how are they more secure than other websites/programs?
M.
There are several reasons.
1, They use very strong encryption. Lots of sites claim to have good security but then store passwords as plain text or very simply encoded forms. A proper password service really locks your passwords up tight.
2, Password programs allow you to use very complicated passwords with punctuation and other features - stuff hard to remember. You'd struggle to remember even one password like this, let alone a different one for every site.
3, They make it easier to use the sites than not using such a program, so you're happy to keep things secure because it is not a burden to you when you sign up to a new site.
4, Some password programs exist offline. I use Keepass, the database is stored on my computer not on a website. Even if someone got the database the encryption is too strong to crack. I do back the database up in Dropbox so it is easily synced to my mobile devices. But I have Dropbox set up with two-factor authentication so it's not possible to break into with just a password - someone would need my phone or email (also having two factor) to get in.
I'm not suggesting there's no way through any of this. But once you've used something simple like Keepass - that stores usernames, passwords, urls, any notes you want to add - it'd be hard to go back. I just need my master password (not used anywhere else) to open Keepass, I then see lists of sites such as
Amazon
BT
Gmail
all I have to do is right-click and choose copy username. Then paste that into a site I want to login to. Then right click for password. Keepass will clear my clipboard after a short period so even if someone tried to use my computer to paste a password it wouldn't be there. It's so simple to use.
The built-in password generator ensures a new, very strong password is created every time I add a new site to the system. It's so easy.
Posted by Cartmel Veteran (# 7049) on
:
Just wanted to add that Keepass is completely free. You can download it here.
Posted by Martin PC not & Ship's Biohazard (# 368) on
:
I was an Aldingham Animal! Furness.
And yeah, Keepass is very good.
[ 17. April 2014, 21:33: Message edited by: Martin PC not & Ship's Biohazard ]
Posted by Mama Thomas (# 10170) on
:
I hate changing passwords. Sort of like saying "I hate diarrhea." Nobody likes it. Mostly all variants of variants which I can't remember anyway so have to change the whole thing on some sites every time I log in. Some with a capital, some with a number or two or three or a symbol or all the above. I STILL know people who keep them printed and pinned to the wall or in a Word or Pages document.
How on earth do they expect us to keep track of all our passwords and change them all the time?
They are almost as fun as CAPTCHAs.
Posted by Mertseger (# 4534) on
:
quote:
Originally posted by Mama Thomas:
They are almost as fun as CAPTCHAs.
And nearly as useful.
Posted by M. (# 3291) on
:
Cartmel Veteran, thank you. I even understood some of it!
M.
Posted by Martin PC not & Ship's Biohazard (# 368) on
:
I have a simple mnemonic system for a unique password for EVERY environment. Because I have so many. Necessity will do that for you!
Posted by Martin PC not & Ship's Biohazard (# 368) on
:
I use Keepass corporately. Passpack too.
Keepass for us techies, Passpack for the rest.
[ 18. April 2014, 09:00: Message edited by: Martin PC not & Ship's Biohazard ]
© Ship of Fools 2016