Topic: WTF??? Heartbleed & lastpass & gmail (Read 1353 times)

legendary
Activity: 2968
Merit: 1198
April 16, 2014, 02:35:37 AM
#23
I knew my shit was fucked with in gmail a few months back, I made a post about it.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

https://bitcointalksearch.org/topic/m.6183743
hmm, can we get a list of bitcoin-related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
It's worse than that; changing your password won't help if the site does not update its software.

Worse than that. The site not only needs to upgrade their software, but also replace their private key and get a new certificate issued. Many sites are never going to do this (or they will just get a new certificate without creating a new private key, which does not close the hole).

Don't expect anything on the internet to be secure any time soon, if ever. Be careful, especially with coins.


hero member
Activity: 798
Merit: 500
Time is on our side, yes it is!
April 16, 2014, 02:32:16 AM
#22
Some useful info to be had here, and I thank you all for putting your findings here so folks can try and keep up with their security.  Sub'd
sr. member
Activity: 459
Merit: 250
April 12, 2014, 10:01:12 PM
#21
There have been numerous articles on this, but causing more confusion. Many give you a link to see if a site is safe or not, but there are several links and they give conflicting results. Also, they say don't change your password until you know the site has been fixed, but no site I've logged onto has said anything.
hero member
Activity: 588
Merit: 501
April 12, 2014, 06:40:25 PM
#20
If you consider that the NSA has known about this bug for more than 2 years and kept it a secret so they could exploit it, but at the same time kept people exposed to the danger
donator
Activity: 1218
Merit: 1015
April 12, 2014, 06:02:34 PM
#19
I'd guess the biggest take-away here is that, again, you absolutely cannot be reusing passwords and shouldn't even be reusing email addresses or usernames (though I'll admit to usually doing the latter). Judging their "security competence" is relevant, but not everything, because, as this vulnerability points out pretty clearly, you need to trust many more entities than just the pen-testers and devs at one particular website -- it's simply impossible for your data to really be secure if you've shared it no matter who's storing it. Even storing everything on an online computer with just a password to unlock is risky.

[OT rambling on something I know nothing about]
We're at a point, now, where I think there's really a market for semi-offline computers (not a full-blown giant box, but something which can fit in something like a HDD bay of a PC case and connect via SATA and maybe it could also just be a module inside a CPU with dedicated pins to interact with just one dedicated USB port) which seamlessly interacts with your online computers to provide needed credentials but which don't "wake up" to provide that information unless you physically provide some kind of biometric data or other data unique in physical space like a Yubikey. So, say you want to log in to a website. You click the "login" button which immediately tells your PC's software to start trying pull attempts on your credentials. All pull and push requests in queue are displayed in a dialog box, and you could get super-secure by having an additional button on the Yubikey-like to lock in all requests first. You'd then activate your Yubikey-similar which wakes up the semi-offline PC and provides a password to confirm the wake command is legitimate (it's never stored on the online PC and the online PC has no means of decrypting it). The PC then receives and processes all pull requests in queue and then immediately goes back to sleep, so you're logged into whatever you're queued for without needing to type any information in. The same process works for saving credentials, where your PC's software has a queue of data (credentials to store) to push to the semi-offline PC; you press your Yubikey and then that data is allowed to pass from your PC to the semi-offline PC. You encrypt all this so there are two sets of keys (online can decrypt credential retrievals and encrypt credential saves, semi-offline can encrypt credential retrievals and decrypt credential saves). Setup would take a couple minutes... 
maybe you have a switch on the Yubikey with three positions (offline pair, online pair, use), where you pop the Yubikey into the semi-offline and hit a button (wait for a LED to blink to confirm it's ready), then insert it into the online computer, hit a button to pair - repeat the process backwards for the online pairing, then leave the Yubikey in the online computer in the "use" switch for normal use. You can keep a spare Yubikey or two with the same seeds in safe places which maybe require some type of manufacturer-set password to activate.

In all of this, the only way you can use it is with an original or identical Yubikey-like physically connected to the online PC which is paired with the physically-connected semi-offline PC. Once in the "use" position, you could also do things like require the Yubikey-like be given a password and use (probably biometric) 2FA. I'd guess you can get the added cost of all this down to around $40 in mass production. You basically just have a small, enclosed rpi, Yubikey, and specialized but fairly simple software. I think the simplicity of pressing buttons exceeds the complexity of learning how/when to press buttons and to do the initial pairing.

I'd guess this is mostly on OS devs and major PC assemblers, because everything else is going to feel kludgey/clunky -- it should be something more "default," I think. As far as hardware, then, the only thing "sticking out" is the Yubikey-like device, which many of us already have one or a few of. -Or something like that. I'm sure someone can think of a smarter solution.
full member
Activity: 129
Merit: 100
April 12, 2014, 05:08:51 PM
#18
Damn, the list is helpful, thanks!
hero member
Activity: 588
Merit: 501
April 12, 2014, 05:06:34 PM
#17
Double identification, guys
hero member
Activity: 770
Merit: 502
April 12, 2014, 04:14:32 PM
#16
I knew my shit was fucked with in gmail a few months back, I made a post about it.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

https://bitcointalksearch.org/topic/m.6183743
hmm, can we get a list of bitcoin-related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
It's worse than that; changing your password won't help if the site does not update its software.

That Mashable article shows in the box on the right side whether they have fixed/patched it.
sr. member
Activity: 266
Merit: 250
April 12, 2014, 03:11:53 PM
#15
I knew my shit was fucked with in gmail a few months back, I made a post about it.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

https://bitcointalksearch.org/topic/m.6183743
hmm, can we get a list of bitcoin-related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
It's worse than that; changing your password won't help if the site does not update its software.
sr. member
Activity: 294
Merit: 250
April 12, 2014, 01:09:06 PM
#14
Does this affect mobiles and Android also?
It affects everything that uses OpenSSL. All services on Android that use OpenSSL are/were affected.
sr. member
Activity: 252
Merit: 250
April 12, 2014, 12:36:36 PM
#13
Does this affect mobiles and Android also?
legendary
Activity: 1218
Merit: 1003
We are the champions of the night
April 12, 2014, 10:28:28 AM
#12
Open source developers never caught this, or created it themselves > sold to NSA. Developers = Profit?

Does anyone have a list of who has patched their websites/servers? Cuz if they are not patched/fixed it's pointless to even change PWs.

Some moar info be awesome.



Here's one
hero member
Activity: 770
Merit: 502
April 12, 2014, 10:27:06 AM
#11
Open source developers never caught this, or created it themselves > sold to NSA. Developers = Profit?

Does anyone have a list of who has patched their websites/servers? Cuz if they are not patched/fixed it's pointless to even change PWs.

Some moar info be awesome.

Edit:
It just eats my brain that this went undetected for years
hero member
Activity: 770
Merit: 500
April 12, 2014, 06:16:06 AM
#10
Quite simple explanation.
Lol, not so simple :p


Just go and change all your passwords in the world. It is simple.
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 12, 2014, 06:14:33 AM
#9
Thanks for the warning, I heard something about it on TV, but I didn't pay attention to it. It's time to change all my passwords.
hmm, most websites and other services will deny that they were affected, but I'd suggest you change your password; better safe than sorry.
sr. member
Activity: 364
Merit: 250
April 12, 2014, 06:08:22 AM
#8
Thanks for the warning, I heard something about it on TV, but I didn't pay attention to it. It's time to change all my passwords.
hero member
Activity: 770
Merit: 500
April 12, 2014, 06:07:25 AM
#7
Quite simple explanation.
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 12, 2014, 06:02:28 AM
#6
I knew my shit was fucked with in gmail a few months back, I made a post about it.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

https://bitcointalksearch.org/topic/m.6183743
hmm, can we get a list of bitcoin-related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
Hmmm, what is Heartbleed? I don't want to click on links.
It's a bug that has affected many popular websites and services like Gmail, FB, and some others using OpenSSL/TLS. The bug has been there since 2011 and is very highly vulnerable.
Click the Mashable link shared above for more info! It's fine!
full member
Activity: 196
Merit: 101
April 12, 2014, 06:01:43 AM
#5
I knew my shit was fucked with in gmail a few months back, I made a post about it.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

https://bitcointalksearch.org/topic/m.6183743
hmm, can we get a list of bitcoin-related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
Hmmm, what is Heartbleed? I don't want to click on links.

it's a bug in the system that allows users to steal data
full member
Activity: 208
Merit: 100
Risk-hedging platform for cryptocurrency investors
April 12, 2014, 05:59:02 AM
#4
Hmmm, what is Heartbleed? I don't want to click on links.

http://heartbleed.com/

Quote from heartbleed.com:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Related current article in Wired: http://www.wired.com/2014/04/nsa-exploited-heartbleed-two-years/
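The heartbleed.com quote above says the bug lets an attacker read information that TLS should protect, and posts further up add that it was a flaw in OpenSSL itself. Concretely, the vulnerable heartbeat handler trusted the payload length declared inside the message instead of the length of the record it had actually received, so it echoed back whatever happened to sit in memory after the request. The C program below is an added toy model, not the thread's or OpenSSL's code: the record format (type, 2-byte big-endian length, payload, 16 bytes of padding), the fixed 256-byte `arena`, the constructed `SECRET` string placed right after the record, and all function names are assumptions chosen for the illustration. It puts the defective length handling beside the corrected check so the difference is visible in a single run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat record (constructed layout, not OpenSSL's real structures):
   type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define ARENA_SIZE 256
#define PADDING 16

/* Constructed "process memory": the record sits at the front, and a secret
   (here a made-up session cookie) is placed immediately after it, as data
   from other connections would be on a real heap. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session=constructed-secret-token";

/* Builds a record that *declares* claimed_len payload bytes but actually
   carries only actual_len. Returns the number of bytes really received. */
static size_t build_record(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xffu);
    memset(arena + 3, 'A', actual_len);             /* the real payload */
    size_t record_len = 3 + actual_len + PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Returns 1 if needle occurs anywhere in the first n bytes of hay. */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

typedef size_t (*heartbeat_fn)(size_t record_len, unsigned char *out, size_t out_cap);

/* Defective handler: copies as many bytes as the message *claims*, ignoring
   how many bytes were actually received, so the copy runs past the record. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap) {
    (void)record_len;                               /* never consulted: the bug */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (claimed > out_cap) claimed = out_cap;       /* keep the toy itself in bounds */
    if (claimed > ARENA_SIZE - 3) claimed = ARENA_SIZE - 3;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Corrected handler: the declared payload plus header and padding must fit
   inside the record that was actually received; otherwise discard silently. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + PADDING) return 0;     /* too short to hold a header */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + claimed + PADDING > record_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Sends a record claiming 100 bytes while carrying 5; returns 1 if the
   handler's echo contains the secret that lives after the record. */
static int leaks_secret(heartbeat_fn handler) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_record(100, 5);
    size_t n = handler(record_len, out, sizeof out);
    return contains(out, n, SECRET);
}

/* Honest record (claims 5, carries 5): a correct handler must still echo it. */
static size_t honest_echo_len(heartbeat_fn handler) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_record(5, 5);
    return handler(record_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler echoes honest 5-byte payload: %zu bytes\n",
           honest_echo_len(heartbeat_fixed));
    return 0;
}
```

The single line that matters is the comparison of the claimed length against `record_len` in `heartbeat_fixed`; everything else is scaffolding so the over-read stays inside a buffer the program owns. It also shows why the advice in the thread is right: no password change helps while a server still runs the first handler, since the next request can read the new password out of the same memory.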
