Heartbleed

SiegeTank

Most people have heard by now about the so-called "Heartbleed" security flaw discovered in OpenSSL which apparently has existed for months and is just now being fixed. Ironically I hear the federal government knew about this months ago but didn't bother to mention it to THE CITIZENS ITS PURPOSE IS TO PROTECT so they could exploit it for their own investigative purposes. (Man, gotta love shit like that. "To serve and protect." But that's a gripe for another thread.)

We have a lot of technically astute people here, I can say that honestly and without brown-nosing at all. :) I'm wondering what you guys think about this. My concern is that despite the amount of press this bug HAS obtained it's actually being DOWNPLAYED by companies with Internet sites that make use of customer confidential data in order to minimize exposure in anticipation of a wave of lawsuits that are likely inevitable once site users start discovering that their personal data was compromised months ago and now that the "jig is up", the hackers are going to start using that data before people take action and change passwords, move accounts, etc.

You can see it readily if you check on a specific company by Googling the company's name and "heartbleed." Some that were compromised, like eBay, Google, Twitter, Netflix and many more SAY NOTHING ABOUT THIS on their login pages or in any of their own public forums. OR if they do it's only in response to customer inquiries. For example, I just logged into Netflix, a company which has been confirmed as compromised by numerous tech sites, AND THERE IS NO WARNING THAT I SHOULD CHANGE MY PASSWORD. Which I logged in expressly to do. Now that's bad! Under HELP, searching for "heartbleed" comes up with "No results found." LOL

Any company whose servers were at any time compromised by Heartbleed should be AUTOMATICALLY e-mailing ALL their active customers as well as popping up a warning box every time a customer logs in insisting they change their password immediately. That's assuming, of course, that they've PATCHED their OpenSSL since it would be the height of irresponsibility not to apply the fixes that are already available.

I'm naturally paranoid. So I go out of my way to minimize my use of the Internet for anything that I consider to be of value. But a lot of people "buy" into the assurances of these big websites that their personal data is completely safe. Yeah, and I got this bridge in Brooklyn for sale...
 
They just as easily buy into assurances that somebody else could be doing a better job or in whatever way making us all safer than we were yesterday.
 
In some cases password changes are not necessary because they were not exposed by this bug. In others, you shouldn't be changing your password yet. Yes, it's a security risk, but changing your password too soon can be a bigger security risk.

You have to have an understanding of the bug some. xkcd.com has a comic that kind of breaks this down:

xkcd: Heartbleed Explanation

Like it says there, essentially a request would come in saying the phrase was 500 characters long but only sent a 3-letter phrase, and the server would respond with its 3-letter phrase plus the next 497 characters in its memory starting at that address. This would expose requests and such coming from other users. It could be used to get private keys and such, which is where the big problem is IMO. With that, unless the private key is changed, the connection to that server remains vulnerable because the encrypted information can be easily decrypted.

Now, I said that in some cases the passwords were not exposed. That is because of the way the login is handled at many of the places. Some of them handle the login on a different server that didn't get affected. Some may have been sending the password hashed, in which case the only way to really break it (after decryption) would be a hash table that happens to have your password on it. Others haven't announced anything yet because it may not be safe to change your passwords yet. As it stands right now, if it were possible to expose a password on a particular server, there is no guarantee that your password was exposed. But further, some servers are still vulnerable. If you change your password too early, you may be exposing both your new password as well as any additional information that may be required to change the password (think secret question answers).

One other thing to note here is that some of these servers may be running IIS (Internet Information Systems) for their web server. IIS to my knowledge was not affected by the Heartbleed bug. You mention Netflix in particular; I can't say with certainty, but I think Netflix runs IIS servers for their logins at least.

And finally, as for the government, or whoever else not telling anyone. I don't think we know all the information to really make that determination fully. They could have been taking advantage of it and not letting anyone know, or it's also possible that they informed the people that maintain OpenSSL of the bug so that they could fix it. Unfortunately when you have a big security hole like this, you don't scramble to alert all the users immediately. You plug the hole first. You don't want to alert more hackers that may not know about the vulnerability by informing everyone.

At least, that is all my opinion and understanding of things :) I don't work in security though, just a developer these days, so it's entirely possible that I got something wrong. That is just from my reading about it after finding out about it.

EDIT: Here is another post that I found that breaks it down some: http://www.engadget.com/2014/04/12/heartbleed-explained/
 
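To make the xkcd description in the post above concrete, here is a small added C example. It is not from the original thread and it is not OpenSSL's own code: a toy heartbeat handler written the way the pre-fix logic behaved, next to one with the bounds check that OpenSSL 1.0.1g added. The message layout follows RFC 6520; the "server memory", the neighbouring login request with its password, and every function name are made up for the demo. The same handler runs on both ends of a TLS connection, which is why the leak works in either direction.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding(>= 16). payload_length is only a claim by the sender; the
 * message must fit in the TLS record that carried it. Heartbleed is the missing check. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16
/* Constructed stand-in for a slice of server heap: the heartbeat record at the
 * front, another user's request right behind it. All of it is invented for this demo. */
#define REGION_SIZE 1024
static unsigned char region[REGION_SIZE], response[REGION_SIZE];
static const char adjacent_secret[] = "POST /login user=alice&password=hunter2";

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Lay out a request that claims claimed_len payload bytes but really carries
 * strlen(payload). Returns the length of the record actually received. */
static size_t build_region(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload), record_len = HB_HEADER + plen + HB_PADDING;
    if (record_len + sizeof adjacent_secret > REGION_SIZE) return 0;
    memset(region, 0, sizeof region);
    region[0] = HB_REQUEST;
    region[1] = (unsigned char)(claimed_len >> 8);
    region[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(region + HB_HEADER, payload, plen);
    /* padding stays zero; the neighbour's data starts where the record ends */
    memcpy(region + record_len, adjacent_secret, sizeof adjacent_secret - 1);
    return record_len;
}

/* Pre-1.0.1g logic: copy payload_length bytes, never compare it to rec_len. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                        /* the bug: the real length is ignored */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    /* Only so this demo stays inside its own arrays (rec points into region);
     * the real code had no cap and would walk up to 64 KB past the record. */
    if (resp_len > out_cap || HB_HEADER + (size_t)claimed > REGION_SIZE) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);   /* reads past the record */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return resp_len;
}

/* 1.0.1g logic: claimed payload plus padding must fit inside the record we
 * actually received; otherwise the message is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;   /* too short to hold a header */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)claimed + HB_PADDING > rec_len) return 0; /* the check Heartbleed lacked */
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);    /* real code: random padding */
    return resp_len;
}

/* Byte-wise search; the response may contain NULs, so strstr will not do. */
static int contains_bytes(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Feed one request through a handler; returns the response length (0 = dropped). */
static size_t respond(hb_handler h, uint16_t claimed, const char *payload)
{
    size_t rec_len = build_region(claimed, payload);
    return rec_len ? h(region, rec_len, response, sizeof response) : 0;
}

/* Did the neighbour's password end up in the heartbeat response? */
static int leaks_password(hb_handler h, uint16_t claimed, const char *payload)
{
    return contains_bytes(response, respond(h, claimed, payload), "password=hunter2");
}

int main(void)
{
    /* Honest request: 4-byte claim for "bird". Heartbleed-style: 400-byte claim for "bird". */
    printf("fixed,      claims   4: %3zu-byte response, leak=%d\n",
           respond(heartbeat_fixed, 4, "bird"), leaks_password(heartbeat_fixed, 4, "bird"));
    printf("vulnerable, claims 400: %3zu-byte response, leak=%d\n",
           respond(heartbeat_vulnerable, 400, "bird"), leaks_password(heartbeat_vulnerable, 400, "bird"));
    printf("fixed,      claims 400: %3zu-byte response, leak=%d\n",
           respond(heartbeat_fixed, 400, "bird"), leaks_password(heartbeat_fixed, 400, "bird"));
    return 0;
}
```

Build it with any C99 compiler (for example `cc -std=c99 -Wall` on the file, whatever you name it). The vulnerable handler answers a 23-byte record with 419 bytes and the neighbour's password string turns up in the reply; the fixed handler drops the same request and only answers when the claimed length actually fits inside what arrived. Note that the fix is a single comparison: the data it protects is whatever happened to sit next to the record, which is what makes the leak so random from the attacker's side and so hard to rule out from the defender's.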
Unfortunately when you have a big security hole like this, you don't scramble to alert all the users immediately. You plug the hole first. You don't want to alert more hackers that may not know about the vulnerability by informing everyone.

This is why the company I know of that was affected by this delayed general announcement regarding what this was and how it worked. Instead they fixed the security hole, released an emergency security update, and spent 2 days contacting their Distributors so they could notify their clients this was a high priority update before doing a general press release regarding the specifics of Heartbleed. At that 2 day mark they were not comfortable with the number of individuals who had run the security patch so they pushed the general disclosure back another week to give users time to run that patch before letting any hackers with their heads in the sand know about it.

While I would not put it past some folks with advanced knowledge to use this sort of thing to their advantage I do think most companies who are directly affected by security holes like this tend to focus on resolution more so than advantages that could be gained.
 
Heartbleed is a bigger deal than most people realize. This has geo-political ramifications that will undoubtedly be used to do bad things (eg: A country stealing private keys and decoding years of logged sensitive data).

Also, the heartbleed vulnerability goes both ways. If a client connects to a malicious server, it will leak local information as well.