|
I'm surprised that there is no thread about this yet. There's a blue post from Blizzard which explains the situation pretty well:
Many news sites are reporting a vulnerability (dubbed the Heartbleed bug) discovered in OpenSSL, an encryption technology used by a majority of websites and online services—including banks, email providers, and social media sites—to protect sensitive data as it’s transmitted from users to web services. We want to emphasize that Battle.net’s encryption was not affected by this vulnerability. However, if you use the same password on Battle.net that you use elsewhere, your Battle.net account could be at risk if those sites were affected by this bug. If the above situation applies to you, we recommend changing your Battle.net password to a new, unique password. As always, we recommend that you maintain separate login credentials for each online service you use. Using the same email or password across multiple services greatly increases the potential impact of any compromise. More information about the Heartbleed vulnerability can be found at http://heartbleed.com, and you can find additional information on how to protect your Battle.net accounts at http://www.battle.net/security.
Source: http://us.battle.net/wow/en/blog/13742212/heartbleed-account-security-notice-4-10-2014
More info can be found here: http://heartbleed.com/
If you want to check if a specific page is affected by this, you can do so here:
https://lastpass.com/heartbleed/
PS: I'm not sure if this topic belongs under tech support. If so, feel free to move it @ mods
|
I have no idea whether changing passwords right now is a good thing to do (for the sites that are affected). I did it anyway for my E-Mail account on web.de, but there's a high chance it's not fixed yet, meaning it was useless.
Also surprised that there was no thread yet. Quite a hot topic in Germany right now.
|
On April 12 2014 20:05 HolydaKing wrote: I have no idea whether changing passwords right now is a good thing to do (for the sites that are affected). I did it anyway for my E-Mail account on web.de, but there's a high chance it's not fixed yet, meaning it was useless.
Also surprised that there was no thread yet. Quite a hot topic in Germany right now. See the last link. You can check pages there. The result for web.de:
Site: web.de
Server software: Apache
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Now Safe (created 3 days ago at Apr 9 09:37:36 2014 GMT)
Assessment: Change your password on this site if your last password change was more than 3 days ago
|
The thing about this is that this has been around for years and is just now coming to light.
You are not any more unsafe than you were before the announcement of this.
|
It affects OpenSSL versions 1.0.1 through 1.0.1f. There are a few sites out there that do a test for the exploit directly, like: heartbleed.criticalwatch.com
|
On April 12 2014 20:16 Disengaged wrote: The thing about this is that this has been around for years and is just now coming to light.
You are not any more unsafe than you were before the announcement of this.
There's no evidence hackers had knowledge of this before last week though - realistically there are probably many vulnerabilities no one is aware of yet.
|
On April 12 2014 20:09 Enox wrote: On April 12 2014 20:05 HolydaKing wrote: I have no idea whether changing passwords right now is a good thing to do (for the sites that are affected). I did it anyway for my E-Mail account on web.de, but there's a high chance it's not fixed yet, meaning it was useless.
Also surprised that there was no thread yet. Quite a hot topic in Germany right now. See the last link. You can check pages there. The result for web.de:
Site: web.de
Server software: Apache
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Now Safe (created 3 days ago at Apr 9 09:37:36 2014 GMT)
Assessment: Change your password on this site if your last password change was more than 3 days ago
Oh, thank you. I thought it was just to check if the site was affected, not if it's still affected. I changed it 2 days ago I think, so should be OK.
|
The title of the thread is misspelled.
|
Oh, you are right ^^ guess I played too much Hearthstone, can't edit the title.
|
I work in online fraud prevention, both from the retail and banking end of things, and have done for a few years now. Just keep an eye on your spam folder, and mind accounts for lower-dollar transactions, and you'll be fine.
If you have any questions I can answer, lmk
|
I took it as an opportunity to get myself to change passwords that should probably have been changed anyway because of how long they've been around.
|
The updates to the article pretty much invalidate its premise.
Changing your passwords does pretty much nothing against the larger threat of this exploit. (I doubt average users would really be a target anyway, excluding a massive internal spying effort, or a terrorist plot involving mass panic à la Fight Club.)
Once someone had access to the networks/servers it would be possible to leave all sorts of back doors and such open.
While the NSA doesn't make me feel warm and cuddly at night, it causes more concern to me to know that China could have known about such an exploit.
The certs and admin logins for major corps/utilities/government orgs are what I imagine the exploit would be used for outside of a massive spying effort.
I think it's obvious you would need scripts and massive computing power to practically obtain significantly large amounts of useful information, so I don't think there is much to fear from basement hackers using it to steal forum logins (like has been done so far). But governments like China or agencies like the NSA... That's a whole different story.
On another note, this is a good example of 'fighting like water': 'Attack your enemy where they are not.' Why try to brute-force the encryption when you can just fluster your opponent and they will just give you the information?
|
Heartbleed gives access to 60kB of memory, which can contain about anything in the xxGB memory of the server. Within the global data available, there are the ~256 bytes of the server private key. If those are retrieved and the attacker gets access to complete connection data, then he can decrypt the connection and potentially retrieve any personal information sent to the server on that connection (if he monitors at server level, he can retrieve everything until the key is changed on the server, regardless of whether the server is patched or not).
To achieve this worst-case scenario, you need to have the correct 256 bytes in the retrieved data and to have context information to be able to identify them. The initial estimate, if the 60kB retrieved are random, is that you would get the key in a few 100,000 tries. What has been tested since is that it is a lot rarer on test servers.
Note that even if getting the first prize (private key) is very difficult, each try retrieves a small window of current server memory, which contains data of active connections at the time the heartbeat was sent (sometimes a password or two).
|
The only things keeping people from totally freaking out are ego and ignorance, as far as I can tell? Let's say we had infallible evidence that the NSA was in fact breaking the hell out of the law and hacking the shit out of everyone?
What exactly would we do about it anyway?
|
Wow. It's really scary when you get stuff like this happening where the user has no control over things and the attackers can gain incredible power/information from servers.
|
The issue with how many were attempting to get the keys in the first place had to do with test servers not under normal load and operating parameters. In testing it, you fire off a handshake procedure. The client issues a hello along with a tag to enable heartbeat functionality, the server responds with its hello, then the probe issues a "malformed" heartbeat request. The probe never actually exchanges keys, nor sends/receives any encrypted information, so the server private key(s) isn't (/aren't) available in memory to grab. Under normal operating parameters of a busy server, the key is loaded many times. Fortunately, almost all servers worth attacking were fixed in the first day, so people have been testing against dummy machines and/or unpopular services.
This can be engineered around by spamming full requests interleaved with malformed heartbeat requests (or that's what I would do).
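The "malformed" heartbeat request described in the post above is what network defenders actually key on. The following is an added example (not from this thread, nor from OpenSSL or any IDS product): it parses TLS records out of a captured byte stream and flags any heartbeat message whose declared payload length exceeds the data actually present, the condition RFC 6520 tells a peer to discard silently and the one unpatched OpenSSL 1.0.1 through 1.0.1f did not check. The sample bytes are constructed for the demonstration, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat messages (RFC 6520)
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(data):
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, ver, data[off + 5:off + 5 + length]
        off += 5 + length


def check_heartbeat(body):
    """Classify one heartbeat record body: (verdict, declared_len, actual_len)."""
    if len(body) < 3:
        return "malformed: truncated heartbeat header", None, len(body)
    _hb_type, declared = struct.unpack("!BH", body[:3])
    actual = len(body) - 3              # payload + padding bytes really present
    # The vulnerable code trusted `declared` and echoed that many bytes back,
    # so a declared length larger than what arrived is the leak condition.
    if declared + MIN_PADDING > actual:
        return "malformed: declared length exceeds data present", declared, actual
    return "ok", declared, actual


def scan_stream(data):
    """Return a finding for every heartbeat record in a captured TLS stream."""
    return [check_heartbeat(body) for ctype, _ver, body in parse_tls_records(data)
            if ctype == TLS_HEARTBEAT]


# Constructed samples: a 2-byte handshake stub the scanner must skip, a benign
# heartbeat request carrying "ping" plus 16 bytes of padding, and a record
# whose header claims 16384 payload bytes while carrying none.
HANDSHAKE_STUB = b"\x16\x03\x02\x00\x02\x01\x00"
BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * MIN_PADDING
MALFORMED = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
SAMPLE_STREAM = HANDSHAKE_STUB + BENIGN + MALFORMED

if __name__ == "__main__":
    for verdict, declared, actual in scan_stream(SAMPLE_STREAM):
        print(f"{verdict:50s} declared={declared} actual={actual}")
```

The same length check, applied before copying, is what the OpenSSL fix added on the server side; on the wire it is a reasonable IDS signature for probes that only complete the hello exchange and never key the connection.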
|