An alarming lapse in Internet security has exposed millions of passwords, credit-card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.
Some popular sites that may have been affected: The CRA, Yahoo, Flickr, OkCupid, Eventbrite, Indiegogo, Imgur.
The breakdown revealed this week affects the encryption technology that is supposed to protect online accounts for e-mails, instant messaging and a wide range of electronic commerce.
Security researchers who uncovered the threat, known as “Heartbleed,” are particularly worried about the breach because it went undetected for more than two years.
Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat.
“I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,” Chartier said.
Chartier and other computer security experts are advising people to consider changing all their online passwords.
“I would change every password everywhere because it’s possible something was sniffed out,” said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. “You don’t know because an attack wouldn’t have left a distinct footprint.”
But changing the passwords won’t do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.
Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services – including sports, finance and Tumblr – had been fixed, but work was still being done on other products that it didn’t identify in a statement Tuesday.
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.
The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet. About two-thirds of Web servers rely on OpenSSL, Chartier said.
Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren’t likely to be affected because of their “conservative choice” of equipment and software. “Ironically, smaller and more progressive services or those who have upgraded to [the] latest and best encryption will be affected most,” the security firm said in a blog post.
In a Tuesday post announcing it had installed the Heartbleed fix, Tumblr offered its users some blunt advice.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr said. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like e-mail, file storage, and banking, which may have been compromised by this bug.”
Cliff Notes:
- Hope to God that the services you use have patched the bug on their servers
- If service is patched, change passwords
I doubt an exploit like this could have stayed secret for two years. The chances of this exploit actually being used up till now are pretty slim I think.
The recent security flaws in SSL are scary: first the Apple SSL security issue, now this... let's hope this is the last of it.
Scares me shitless... I am to the point where I cannot think of another password I can remember...
Guess gotta spend the $25 on a good PW manager and change them all sigh.....
I am totally locked out of my 3 Microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
-can't use previous pw
-too similar to previous pw
-needs capital
-needs number
LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
OTTAWA — The Canada Revenue Agency abruptly pulled the plug on its online services Wednesday over security concerns, saying it will take until the weekend at least before taxpayers can again file their returns online. The problem has forced it to extend the deadline for online filing.
In addition, the government’s super-IT agency was unable to say how widespread the problem might be across federal departments, or how long it might take to fix. The security loophole that led to the shutdown is found in many government and consumer websites around the world, and could have provided improper access to sensitive information during the two years before it was revealed this week.
Shared Services Canada said it was working to “identify the extent of the problem and to apply solutions, including implementing patches, as required.”
Those patches — or digital repairs — could take several days to complete, one expert said. Because of the nature of the security loophole, which can’t be traced, it may be impossible to say how much, if any, private information has been accessed.
“The people who have filed (income tax returns), maybe someone was watching,” said David Skillicorn, a computer security expert from Queen’s University in Kingston, Ont. “The issue for the CRA, more importantly, is that they don’t know how much their internal systems were compromised.”
The outage was caused by an online security loophole known as the Heartbleed bug.
Heartbleed is a two-year old vulnerability found in software used by thousands of websites globally to encrypt information when logging in to secure online services. The loophole lets someone see encrypted information sent between two computers, such as usernames and passwords, but permits secretly snooping around the system running the website and the user’s personal computer.
It only works on systems that use a security device known as Open SSL – which the CRA website does – to encrypt login information.
The Canada Revenue Agency services affected by Wednesday’s shutdown included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system.
The shutdown came just as the agency had ramped up for tax-filing season, and as it has continued to encourage Canadians to file electronically rather than by using paper forms.
“Given that we are in the midst of tax filing season, this will be challenging and will require sustained effort and collaboration across the agency to minimize the impact on the services we provide to Canadians,” CRA commissioner Andrew Treusch wrote in a notice to employees Wednesday.
Taxpayers looking to file their returns were blocked Wednesday morning from logging on to the Canada Revenue Agency website. An online message told taxpayers that as a security precaution, access was blocked until concerns were addressed.
“We know there’s a systems vulnerability. We have identified that, so we shut down those systems right away as a precautionary measure only,” National Revenue Minister Kerry-Lynne Findlay said. “We’re investigating. We’re working on it.”
Findlay’s office said late Wednesday that no penalties or interest would be applied to anyone filing online after the April 30 tax deadline. The grace period will correspond to however long the service outage lasts.
“Consideration will be given to taxpayers who are unable to comply with their filing requirements because of this service interruption,” she told the House of Commons.
The revenue agency suspended its online tax service for an unprecedented nine days in 2007 because of a computer malfunction caused by a faulty patch. Data security, however, was not a concern at that time. Rather, the faulty patch caused irregularities in the transfer of information between the databases that store and handle Canadians’ tax information.
The Canadian Bankers Association, which represents some 59 domestic and foreign banks, said Wednesday the online banking applications of Canadian banks were not affected by the bug.
“TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” said Barbara Timmins, a spokeswoman at TD Bank Group.
- With files from Kathryn May, Ottawa Citizen, and the Canadian Press.
I don't mind paying for a service like that, but can anyone chime in on
LastPass vs KeePass?
or better yet paid vs KeePass (free/open-source)
Just started using Keepass. Works fine, especially with browser integration. You can also integrate it with a Dropbox account too.
My plan is to get a small usb keychain and put Keepass mobile on it to autosync with Dropbox, so no matter where I am, I will have an encrypted copy of my password database with me.
But if you lose the keychain or your master password is compromised you're fucked. I have unique passwords for a few important things and one generic one for shit I don't really care about.
Use this as a reminder to use 2 factor authentication whenever you can, and use a password manager. I already use 2FA for everything but am still researching password managers. Thinking of using LastPass for $12 a year. Would like to use an open-source one if possible though.
If you were wondering if RS is affected, it's not since we don't use SSL anyway. On low-risk sites like this (forums, blogs, etc) you should NOT be using the same password you'd use on a high risk site (banks, email, etc)
OpenSSL is an open source SSL library. Incidentally it is part of OpenBSD which is based out of Edmonton. There are different versions and makes of SSL libraries out there. Much like there are different V6 engines out there by different makes in cars. You can potentially swap them in and out much like adult entertainment mogul Jason2000 does with his e36. OpenSSL is free and its source is free, so it is easier to optimize it for one's particular system.
Banks use devices that use commercial SSL libraries, that's probably why they are not affected. (or more likely the manufacturers haven't let the banks know yet).
The advice is not to change the passwords UNTIL the affected site has reissued its SSL certificate. Since each site does its own thing on its own timing (some places probably won't give a flip), the easiest is to go to an aggregate news site, e.g. LastPass, to see if the site in question has been patched and has new SSL certs.
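One way to check the "has the site reissued its cert yet?" part of that advice yourself, as an added example that is not from this thread or from any of the services named in it: pull the server's certificate over TLS and compare its notBefore date with the Heartbleed public disclosure date (7 April 2014, assumed here as the cutoff). The host name, port and the sample certificate dicts are constructed for illustration.

```python
import socket
import ssl

# Heartbleed (CVE-2014-0160) was publicly disclosed on 2014-04-07 (UTC).
# A certificate whose validity started before that date may have been
# issued for a private key that the bug could have leaked.
HEARTBLEED_DISCLOSED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")


def cert_reissued_after(cert, cutoff=HEARTBLEED_DISCLOSED):
    """True if the cert's validity period starts after the cutoff.

    `cert` is the dict shape returned by ssl.SSLSocket.getpeercert(),
    whose 'notBefore' field looks like 'Apr  9 00:00:00 2014 GMT'.
    Caveat: a newer notBefore proves a new certificate, not a new key;
    a site that re-certified the same exposed key is still at risk.
    """
    return ssl.cert_time_to_seconds(cert["notBefore"]) > cutoff


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a TLS connection and return the validated peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host):
    """Return (host, notBefore, reissued) for a live host (network call)."""
    cert = fetch_peer_cert(host)
    return host, cert["notBefore"], cert_reissued_after(cert)


# Constructed sample certs (only the field this check needs):
OLD_CERT = {"notBefore": "Feb  1 00:00:00 2014 GMT"}   # predates disclosure
NEW_CERT = {"notBefore": "Apr  9 00:00:00 2014 GMT"}   # reissued after fix

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, cert["notBefore"], "reissued:", cert_reissued_after(cert))
    # Example live check (hypothetical host, requires network):
    # print(check_site("example.com"))
```

Only `check_site` touches the network; the date logic runs offline on the constructed dicts.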
Quote:
Originally Posted by Ulic Qel-Droma
can someone explain the diff between open SSL and what the banks use?
it seems like none of the banks were affected.
and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?
What I don't comprehend is why the CRA trusts open source security while the largest bank in Canada does their own dev for security.
#mindblasted
For anyone who's interested in a (relatively) plain English explanation of what heartbleed is exactly, here you go:
So.. Heartbleed used SQL with a little bit of brute force to decrypt the SSL certificates? They make it sound so simple.. Technically, then, the handshaking process was weak from the start and it was just a matter of a short time. (SSL would usually take a billion years to decrypt by brute force, wouldn't it?) The guy sifting through the data must've been lucky as hell.