Possibly the single largest security vulnerability on the 'net discovered

Discussion in 'Computer Science & Culture' started by Kittamaru, Apr 8, 2014.

  1. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    http://arstechnica.com/security/201...opens-two-thirds-of-the-web-to-eavesdropping/

    The above is just a snippet... but all I can say is DAYUM!
     
  3. LaurieAG Registered Senior Member

    Messages:
    586
  5. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
  7. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    More information (in regard to server administrators etc., sent from CAcert.org):

    What to do?
    ===========
    • Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or above).
    • Only then create new keys for your certificates.
    • Revoke all certificates which may be affected.
    • Check what services you have used that may have been affected within the last two years.
    • Wait until you think that those environments got fixed.
    • Then (and only then) change your credentials for those services. If you do it too early, i.e. before the sites got fixed, your data may be leaked again. So be careful when you do this.
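As an added example (not from the thread or from CAcert), a Python check for the first and last steps of the list above: it classifies `openssl version -a` banners against the 1.0.1g cut-off, flags distro builds that backport the fix without changing the version string, and gates the password change on the service having re-keyed. Host names, banners and build dates are constructed.

```python
import re
from datetime import date

# From the CAcert list: a fixed OpenSSL is 1.0.1g or above. Heartbleed lives in
# the 1.0.1 branch (1.0.1 through 1.0.1f); the 1.0.0 and 0.9.8 branches never
# had the heartbeat code. 1.0.2 pre-release betas are not modelled here.
FIX_DATE = date(2014, 4, 7)  # release date of OpenSSL 1.0.1g

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Return (major, minor, fix, letters) from e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version in %r" % banner)
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters

def assess(banner, build_date=None):
    """Classify a banner as not_affected, fixed, vulnerable, or check_backport
    (1.0.1[a-f] but built after the fix date: distros backport the patch without
    bumping the version, so the package changelog, not the version, decides)."""
    major, minor, fix, letters = parse_version(banner)
    if (major, minor, fix) < (1, 0, 1):
        return "not_affected"
    if (major, minor, fix) > (1, 0, 1) or letters >= "g":
        return "fixed"  # patch letters sort alphabetically: 1.0.1f < 1.0.1g
    if build_date is not None and build_date >= FIX_DATE:
        return "check_backport"
    return "vulnerable"

def safe_to_rotate_credentials(status, cert_not_before):
    """Last two steps of the list: change a password only once the service is
    fixed AND re-keyed (cert issued on or after the fix date), else it leaks again."""
    if status == "not_affected":
        return True
    return status == "fixed" and cert_not_before >= FIX_DATE

# Constructed sample banners (hypothetical hosts), with the build date that
# `openssl version -a` prints on its 'built on:' line.
SAMPLE_HOSTS = {
    "web-1": ("OpenSSL 1.0.1e 11 Feb 2013", date(2013, 2, 11)),
    "web-2": ("OpenSSL 1.0.1e 11 Feb 2013", date(2014, 4, 8)),  # backported build
    "web-3": ("OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 7)),
    "legacy": ("OpenSSL 0.9.8y 5 Feb 2013", date(2013, 2, 5)),
}

def audit(hosts=SAMPLE_HOSTS):
    return {name: assess(banner, built) for name, (banner, built) in hosts.items()}
```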
     
  8. cluelusshusbund + Public Dilemma + Valued Senior Member

    Messages:
    7,985
    "Check what services you have used that may have been affected within the last two years."

    How is that done???
     
  9. scheherazade Northern Horse Whisperer Valued Senior Member

    Messages:
    3,798
    In response, Revenue Canada has closed its online Income Tax service until at least the weekend while they check their system.
     
  10. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    A great list Stryder...
    News came over "the wire" so to speak about 12 hours ago for me, and they were playing it down big time...

    I would add to your list one extra.
    Be prepared for future breaches, perform regular audits, and possibly change credentials 2 weeks or less after the first set are changed, then on an every-3-months sort of schedule. [if possible]

    Summary of proposal:
    So do as Stryder suggested
    Then wait 2 weeks and do it again...
    then do it every 3 months or so... IMO

    If the hacks are smart enough to find this weakness they are smart enough to know what the likely reaction will be...so work on the basis that they know what you are going to do as a first reaction to the threat.
    Gosh! the shi*t's going to hit the fan on this one... IMO
     
  11. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Another good layman's explainer can be found at:

    http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/
    snip:
    Looks like IT security over drive!
    Stryder, have you seen this video?
    http://vimeo.com/91425662
     
  12. cluelusshusbund + Public Dilemma + Valued Senior Member

    Messages:
    7,985
    Here's a list (in progress) of which sites you need to change your password on:

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    I had already called Fidelity.com and 2 credit card websites and my bank, and they said they weren't affected by Heartbleed, so no need to change password because of Heartbleed... but the website link above said to change password at Yahoo... and Google talked like it wasn't necessary to change PW!!!

    Maybe most websites got fixed or will get fixed and "disaster" will be averted!!!
     
  13. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    I talked with an Australian major bank customer services about 3 hours ago and they barely knew of the issue...I gather most banks are confident their various levels of account security should prevent any significant loss. The line is: The banks generally do not use this software but the data mined from other places may make their customer accounts insecure.
    However it may be the loss of confidence of the net user across the board that is the real problem.[worth big bucks] IMO
    It appears the "powers that be" are concerned about consumer confidence probably more than the actual threat to data.
    Facebook's huge user list apparently has been wide open for over 3 years... so you can imagine there is a whole heap of worrying going on right now...
     
  14. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Coincidence only perhaps... speaking about the Major bank I mentioned in the previous post:
    Full article at:
    http://www.abc.net.au/news/2014-04-15/commonwealth-bank-customers-hit-by-electronic-banking-outage/5391366?WT.mc_id=newsmail
    In 5 years of net banking this is the first time... that I am aware of for this bank.
     
  15. cluelusshusbund + Public Dilemma + Valued Senior Member

    Messages:
    7,985
    Wait and see :shrug:
     
