URGENT! Critical SSL Vulnerability

Discussion in 'Board Information' started by zagman76, Apr 9, 2014.

  1. zagman76

    zagman76 Wackbagger, Geek, Administrator
    Wackbag Staff

    Joined:
    Nov 18, 2004
    Messages:
    12,473
    Likes Received:
    490
    Ok - this is my 4th time today writing a post like this, and unfortunately you are getting the super-abridged version.

    Please read these articles which explain what the vulnerability is and just how bad this bug is:
    http://arstechnica.com/security/201...opens-two-thirds-of-the-web-to-eavesdropping/

    http://arstechnica.com/security/201...-yahoo-mail-passwords-russian-roulette-style/

    and for good measure:
    http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

    This is not a "bla bla, bla, it'll be OK" type of problem. This is a real problem with a proven exploit. In fact, the best thing to do would literally be to stay off of the internet for a few days until it settles a little bit.

    While we all have a good time here and joke around and such, I take your security while visiting the site very seriously.

    As soon as I saw the vulnerability, I patched our server and as of right now, I have re-issued our SSL certificate with the patched version of OpenSSL (the cryptographic software which handles SSL Certificates), so we are no longer vulnerable.

    If you are interested in such things, and look at the details of our SSL certificate, you should no longer trust any wackbag.com certificate that claims to be valid before:
    The valid certificate has a serial number of:
    and SHA1 & MD5 Hashes of:
    Right now, the best piece of advice (aside from avoiding the internet) would be to change your password on any site that you consider to be important (banking, credit cards, email, to name a few). As always, it is strongly recommended that you do not re-use the same password across multiple sites, as a password compromise in one site can then be exploited to gain access to all the others.

    One tool that does a superb job at managing and maintaining multiple, secure passwords is a web-browser extension called LastPass. This works with all web browsers, is free, and can remember all of the various passwords you may have for different websites. It will even suggest and generate stronger passwords if it detects that your current passwords are too weak. It does this without actually seeing your passwords.

    For an additional layer of security, many sites offer two-factor authentication which, when enrolled, would send you an SMS every time you attempt to log into the site.

    :edit: correcting language in regards to which cert is valid and which is not.
     
    #1 zagman76, Apr 9, 2014
    Last edited: Apr 9, 2014
    ianbobo, Morty, Chino Kapone and 10 others like this.
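As an added illustration (not zagman76's code or anything from this thread) of what the OpenSSL patch he mentions actually does: the Heartbleed fix is a single bounds check on TLS heartbeat messages, rejecting any message whose declared payload length does not fit in the bytes actually received. The constants follow the TLS heartbeat wire format (RFC 6520); the sample records are constructed here.

```python
import struct

HEARTBEAT_REQUEST = 1   # TLS heartbeat message types (RFC 6520)
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16        # every heartbeat carries at least 16 bytes of padding


def build_heartbeat(hb_type: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat message: type (1 byte), payload length (2 bytes), payload, padding."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + padding


def parse_heartbeat(record: bytes):
    """Parse a heartbeat message with the bounds check the Heartbleed fix added.

    Returns (type, payload) for a well-formed message, or None when the message
    must be silently discarded. Before the patch OpenSSL trusted the declared
    length and copied that many bytes from process memory into the response,
    regardless of how many bytes had actually arrived.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None                      # cannot even hold header plus padding
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (declared_len,) = struct.unpack("!H", record[1:3])
    # The fix: declared payload plus mandatory padding must fit in what was received.
    if 1 + 2 + declared_len + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + declared_len]


def declared_length_excess(record: bytes) -> int:
    """How many bytes the sender asked for beyond what it supplied (0 when consistent).

    A positive value is the length mismatch that network-level detection for this bug keys on.
    """
    if len(record) < 3:
        return 0
    (declared_len,) = struct.unpack("!H", record[1:3])
    available = max(0, len(record) - 3 - MIN_PADDING)
    return max(0, declared_len - available)


# Constructed sample records: a legitimate keep-alive, and a malformed one
# whose header claims 65535 payload bytes while carrying a single byte.
GOOD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
BAD_RECORD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF) + b"A" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print(parse_heartbeat(GOOD_RECORD))        # (1, b'ping')
    print(parse_heartbeat(BAD_RECORD))         # None: discarded by the patched check
    print(declared_length_excess(BAD_RECORD))  # 65534
```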
  2. fletcher

    fletcher Darkness always says hello.
    Donator

    Joined:
    Feb 20, 2006
    Messages:
    59,552
    Likes Received:
    19,765
    zagman76 likes this.
  3. Ballbuster1

    Ballbuster1 You chose poorly.
    Wackbag Staff

    Joined:
    Aug 26, 2002
    Messages:
    96,424
    Likes Received:
    13,423
    I was reading a few articles on this earlier.

    Guess I need to get a few sheets of paper out and start
    changing passwords. Thanks zag.
     
  4. Creasy Bear

    Creasy Bear gorgeousness and gorgeousity made flesh

    Joined:
    Mar 10, 2006
    Messages:
    41,810
    Likes Received:
    27,363
    Aaaaaaahh! I got the cyberAIDS in my pee hole!!! Get it off! Get it off me!

    Save me, zagman! Get the cyberAIDS out of my pee hole!
     
  5. HandPanzer

    HandPanzer θάνατος

    Joined:
    May 30, 2013
    Messages:
    42,431
    Likes Received:
    37,719
    Bobo's cyber penetration goes much deeper than his sexual penetration ever could. I just hope we can recover from this.
     
    Neckbeard likes this.
  6. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    Would it make sense to change our passwords now, or wait a few days until companies can patch their systems?

    Two of my old Yahoo email accounts were hacked in the last month... I think it's time to delete them and just consolidate all my email to gmail.
     
    Neckbeard likes this.
  7. zagman76

    zagman76 Wackbagger, Geek, Administrator
    Wackbag Staff

    Joined:
    Nov 18, 2004
    Messages:
    12,473
    Likes Received:
    490
    That's the tricky part... you want to be secure, yet if you change your password today and the website was originally vulnerable but hasn't fixed their shit, then an attacker can use any potentially captured data, decrypt the data and use that against you.

    These types of situations have a lot of moving parts, so the "right way" may be different for different people and different web-sites. In addition, it's not like 'Bank of America' is going to come out and say "Oh, by the way, we're vulnerable to this super-critical web attack! Please don't attack us until we update!"

    I would say:
    Enable MFA (multi-factor authentication) where available
    Change your password immediately
    Wait a week or so (or until the website announces that they have been fixed)... then change your password again.
     
  8. Creasy Bear

    Creasy Bear gorgeousness and gorgeousity made flesh

    Joined:
    Mar 10, 2006
    Messages:
    41,810
    Likes Received:
    27,363
    I think we all knew that one day Jon The Mop would be back to take his revenge.
     
  9. THE FEZ MAN

    THE FEZ MAN as a matter of fact i dont have 5$

    Joined:
    Aug 23, 2002
    Messages:
    36,523
    Likes Received:
    5,857
    I'm sure this will fuck me in some way.
     
    Stig likes this.
  10. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    Alright I'll change the passwords to the critical accounts... although I have hundreds of accounts and it takes me hours to reset the passwords... and I just did it two months ago. Ugh.

    Just out of curiosity, how would staying off the internet help? Wouldn't the systems of these sites still be vulnerable, and thus our information at risk, even if we didn't log in?
     
  11. Psychopath

    Psychopath Plata O Plomo

    Joined:
    Dec 28, 2008
    Messages:
    17,619
    Likes Received:
    3,321
    Heartbleed can eat my balls.
     
  12. Absolutely

    Absolutely Self-Heavy

    Joined:
    Jan 25, 2006
    Messages:
    33,556
    Likes Received:
    4,385
    This is all over my head.
    Let's say I don't do any real banking online, and don't have anything of value in any emails. I do use my credit card to buy things online, but what can I do about that...
    What, are people going to start posting as me on Tranny Forums now?
     
    Neckbeard likes this.
  13. Turfmower

    Turfmower Registered User

    Joined:
    Jan 17, 2005
    Messages:
    3,889
    Likes Received:
    427
    What does this mean in non GEEK talk?
     
  14. zagman76

    zagman76 Wackbagger, Geek, Administrator
    Wackbag Staff

    Joined:
    Nov 18, 2004
    Messages:
    12,473
    Likes Received:
    490
    This vuln existed for 2 years. Now that it's been exposed (and patched) - it gives attackers a method to be able to actively attack. So... if you were an attacker now you could start decrypting *live* 'Bank of FrankTheFrowner' data as opposed to the data blob you captured 18 months ago during which time your account password may have changed.

    You can use these sites to test your suspected websites:
    http://filippo.io/Heartbleed/
    https://www.ssllabs.com/ssltest/
    https://lastpass.com/heartbleed/
     
    #14 zagman76, Apr 9, 2014
    Last edited: Apr 9, 2014
    SKEPTIC and whiskeyguy like this.
  15. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    God damn it, I just realized someone has hacked into my Facebook account and has been hitting on fat girls at 2:30 AM on the weekends. Somehow they also sent text messages and made calls to them from my cell.
     
  16. NeonTaster

    NeonTaster ネオンテイスター
    Donator

    Joined:
    Mar 23, 2008
    Messages:
    49,869
    Likes Received:
    17,203
    I just changed everything. What a pain in the ass.
     
  17. zagman76

    zagman76 Wackbagger, Geek, Administrator
    Wackbag Staff

    Joined:
    Nov 18, 2004
    Messages:
    12,473
    Likes Received:
    490
    whiskeyguy likes this.
  18. WadsOfShit

    WadsOfShit Dead to Everyone on Wackbag.

    Joined:
    Oct 10, 2013
    Messages:
    7,023
    Likes Received:
    5,947
    HOLY FUCKING SHIT!
     
    SatansCheerledr likes this.
  19. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    You'll probably have to do it again this weekend, as not all sites are patched yet... either that or maybe not logging in with your new passwords might be safe enough. The bug allows hackers to read the exchange of information (from what I understand), so logging in is where the security threat lies.

    If I'm wrong someone correct me.
     
  20. NeonTaster

    NeonTaster ネオンテイスター
    Donator

    Joined:
    Mar 23, 2008
    Messages:
    49,869
    Likes Received:
    17,203
    The biggies all did, I'm sure. I just went off of this list that says which websites you should change your password in. I assume if they tell you to it means it's already patched.

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-Tw-main-link
     
    Mike Campbell, SKEPTIC and zagman76 like this.
  21. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    Another question maybe you can shed some light on... all these sites (Google, Facebook, Twitter) allow you to log onto other websites using your accounts with them (ex. I can log onto Tapatalk using my Google account). Is that safer than having separate passwords for every account? What about if you aren't using 2-factor authentication to do it?
     
  22. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    I used one of the links Zag posted to test "Usbank.com", and it returned vulnerable, but then when I tested it again five minutes later it said it's secure.
     
  23. NeonTaster

    NeonTaster ネオンテイスター
    Donator

    Joined:
    Mar 23, 2008
    Messages:
    49,869
    Likes Received:
    17,203
    See my edit above and go to the Mashable link.
     
    whiskeyguy likes this.
  24. whiskeyguy

    whiskeyguy PR representative for Drunk Whiskeyguy.

    Joined:
    Jan 12, 2010
    Messages:
    34,099
    Likes Received:
    19,382
    From that link:

    Healthcare .gov

    Was it affected: Unclear

    Is there a patch: Unclear

    Do you need to change your password: Unclear

    What did they say: Healthcare.gov has not yet responded to a request for comment.

    Of course they haven't!
     
  25. zagman76

    zagman76 Wackbagger, Geek, Administrator
    Wackbag Staff

    Joined:
    Nov 18, 2004
    Messages:
    12,473
    Likes Received:
    490
    In theory - yes, it's more secure because there is no username/password for "Frank's Hat Emporium" as you are using [insert OpenID / SSO provider here]'s authentication token programmatically. Said token is encrypted data, and would look something similar to:
    Frank's Hat Emporium never gets your [SSO PROVIDER] password, just an "A-OK: That is indeed UNKNOWN: !" ideally, these tokens are single use, and use
     
    whiskeyguy likes this.
