Heartbleed
Thread Starter
The sizzle in the Steak
Joined: Nov 2001
Posts: 71,436
Likes: 1,877
From: Southern California
Heartbleed
Getting mixed opinions.
Some experts act as if it's the worst security flaw ever.
Other experts claim it's not that big of a deal.
Thoughts?
Change all the passwords?
Here is a list of sites affected that updated/fixed the issue, I believe:
Google Gmail, Android Smartphones with version 4.1.1 (which you need to run an update on it), Tumblr Bloggers, Facebook, Yahoo mail, Amazon web services, Intuit turbo tax users, Dropbox, LastPass, PayPal business merchant accounts.
Meh, as far as Apache/Nginx web server issues, I wouldn't be overly worried. Yeah, the flaw has existed for 2 years, but it's doubtful anyone knew about it until the release 2 days ago. If you want to be absolutely safe, then yes, change all your pwds. I'm not.
If you have a NAS with a web server that has been activated, be sure you verify if it uses OpenSSL. If it does, shut down/disable the web server until you get a patch/update. I think Qsnap does, not sure about others...
I think the great majority of attacks happening right now are, as said in another news article, "amateur hour." These aren't people that are a real threat. They're too dumb to steal an identity or even really do any damage. They just want your naked pics and anything else they can use for a good story that gets them the attention they desperately crave. For the lulz, if you will.
In the end, everyone will probably sue Target again in a class-action lawsuit and call it a day.
NSA used Heartbleed bug to capture information, report says
The National Security Agency knew for at least two years about the software flaw that has left countless individuals vulnerable to hackers, but the agency failed to alert the public and instead used the weakness to gather intelligence, Bloomberg News reported Friday.
The flaw involves the so-called Heartbleed bug, a flaw in the OpenSSL encryption tool that is believed to be used on about two-thirds of all websites. Because of the glitch, security experts say hackers could steal countless passwords used to access websites and other sensitive information.
While the Bloomberg report cited two unnamed sources, described as "people familiar with the matter," the NSA denied the allegations late Friday in a post on the official Twitter account of the agency's public affairs office. The agency said: "Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."
Bloomberg reported that the NSA exploited the Heartbleed bug to obtain vital data used by cyber crooks. It said the clandestine agency discovered the flaw shortly after it was accidentally created in 2012 by an adjustment in the OpenSSL software, according to an unnamed source.
After that, Bloomberg said, the bug "became a basic part of the agency's tool kit for stealing account passwords" and other information, while most Internet users and security experts remained unaware of the flaw.
NSA Denies It Used 'Heartbleed' Bug
http://www.nbcnews.com/tech/security...ligence-n78356
The National Security Agency on Friday denied a report that it has been aware for years of the enormous 'Heartbleed' security flaw affecting millions of websites, but kept the information secret and used it for its own purposes.
Bloomberg, citing unidentified sources, reported Friday that the NSA knew about Heartbleed for two years before the public disclosure of the bug by security researchers last week.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong," the agency said in a statement to NBC News.
Heartbleed is a flaw in OpenSSL, a piece of code intended to create a secure connection between a server and Web browser — for example, between an online shop and customer. The bug allows an attacker to make the server surrender bits of information out of its memory that should not be accessible. What's more, the exploit leaves no trace.
I did say "the majority of attacks". Certainly there's more "h4xx0Rs" than NSA agents. And I say that the NSA using heartbleed for information gathering would be a pretty dumb idea because it lacks any real context. You couldn't tell if that "Gonna blow up shit" came from an IM, an email, or a Clancy novel. You'd have a 64k chunk to derive all context from.
But maybe... NSA=Amateur hour and we're both right?
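The over-read the NBC piece describes ("make the server surrender bits of information out of its memory that should not be accessible") and the "64k chunk" mentioned in the reply above, as an added example that is not part of this thread and is not OpenSSL's code: a constructed C model of the RFC 6520 heartbeat handler, with the unchecked copy beside the length check OpenSSL 1.0.1g added. The record layout follows RFC 6520, but the SECRET string, the arena, its size and all function names are assumptions made for illustration; the simulated memory region is deliberately oversized so the over-read stays inside it, whereas the real bug read past the record's allocation into whatever the heap held.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE       128

/* Constructed data belonging to "another connection", placed right after the record. */
static const char SECRET[] = "session=ab12; password=hunter2";

/* Simulated process memory (an assumption of this example).  Zero-filled and
 * oversized so the over-read below stays inside this array; the real bug read
 * past the record's allocation.  rrec_length plays the role of s->s3->rrec.length. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t rrec_length;          /* bytes of heartbeat record actually received */
} arena_t;

/* Layout: type(1) | payload_length(2, big-endian) | payload | padding | SECRET */
void build_arena(arena_t *a, uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(a->mem, 0, ARENA_SIZE);
    a->mem[0] = TLS1_HB_REQUEST;
    a->mem[1] = (unsigned char)(claimed_len >> 8);
    a->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(a->mem + 3, payload, actual);
    a->rrec_length = 3 + actual + HB_PADDING;   /* padding bytes are already zero */
    memcpy(a->mem + a->rrec_length, SECRET, sizeof SECRET);
}

/* Heartbeat responder modelled on the OpenSSL 1.0.1 path.  Writes a malloc'd
 * response to *out and returns its length, or returns 0 when the request is
 * discarded.  use_fix selects the bounds checks added in 1.0.1g. */
static size_t respond(const arena_t *a, unsigned char **out, int use_fix) {
    const unsigned char *p = a->mem;
    uint16_t payload;
    *out = NULL;
    if (use_fix && (size_t)1 + 2 + HB_PADDING > a->rrec_length) return 0;  /* too short for a header */
    if (*p++ != TLS1_HB_REQUEST) return 0;
    payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(): the length the PEER claims, up to 65535 */
    p += 2;
    /* The fix: the claimed payload must fit inside the record that actually
     * arrived; otherwise silently discard (RFC 6520 section 4). */
    if (use_fix && (size_t)1 + 2 + payload + HB_PADDING > a->rrec_length) return 0;
    *out = malloc(3 + (size_t)payload + HB_PADDING);
    if (!*out) return 0;
    (*out)[0] = TLS1_HB_RESPONSE;
    (*out)[1] = (unsigned char)(payload >> 8);
    (*out)[2] = (unsigned char)(payload & 0xff);
    memcpy(*out + 3, p, payload);   /* copies 'payload' bytes whether or not that many were sent */
    memset(*out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Does the echoed payload contain bytes that never belonged to the request? */
int response_leaks_secret(const unsigned char *resp, size_t len) {
    const char needle[] = "hunter2";
    size_t n = sizeof needle - 1;
    for (size_t i = 3; len >= 3 && i + n <= len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

/* Scenario helpers: a 4-byte "ping" request whose header claims claimed_len bytes. */
size_t scenario_len(uint16_t claimed_len, int use_fix) {
    arena_t a; unsigned char *r;
    build_arena(&a, claimed_len, "ping");
    size_t n = respond(&a, &r, use_fix);
    free(r);
    return n;
}
int scenario_leaks(uint16_t claimed_len, int use_fix) {
    arena_t a; unsigned char *r;
    build_arena(&a, claimed_len, "ping");
    size_t n = respond(&a, &r, use_fix);
    int leaked = response_leaks_secret(r, n);
    free(r);
    return leaked;
}

int main(void) {
    printf("honest 4-byte request, unpatched: %zu bytes back, leak=%d\n", scenario_len(4, 0), scenario_leaks(4, 0));
    printf("claims 64 bytes, unpatched:       %zu bytes back, leak=%d\n", scenario_len(64, 0), scenario_leaks(64, 0));
    printf("claims 64 bytes, patched:         %zu bytes back, leak=%d\n", scenario_len(64, 1), scenario_leaks(64, 1));
    return 0;
}
```

The payload length is a 16-bit field, which is where the per-request ceiling of just under 64 KB comes from; an attacker simply sends many heartbeats to sample more memory. Note also that nothing in the unpatched path fails or logs: the request is well-formed TLS as far as the record layer is concerned, which is why the NBC piece says the exploit leaves no trace.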

While the Bloomberg report cited two unnamed sources, described as "people familiar with the matter," the NSA denied the allegations late Friday in a post on the official Twitter account of the agency's public affairs office. The agency said: "Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."

Hence the

Reading is fundamental. :wink:
I think the bottom line is, if you used a site that uses openssl there is a very very very small chance someone else has your login/password.
I don't care about all the amateurs, I care about the people who actively seek out vulnerable sites - those are the dangerous ones. If you run a site and you had an undetectable vulnerability sitting there for years, then yeah, that's a pretty damn big deal.
As far as password changing goes - I'm changing my passwords on sites where I'm not taking any chances. I'm not going to take their word that they weren't vulnerable before. The rest will be changed when I feel like it. (it's really best to change passwords regularly regardless).