Heartbleed...
hypediss
04-09-2014, 10:00 AM
This has been around the news for a couple of days - think it would be good to bring this to the attention of fellow RS'ers.
http://www.theglobeandmail.com/technology/new-web-security-threat-i-would-change-every-password-everywhere/article17892756/
An alarming lapse in Internet security has exposed millions of passwords, credit-card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.
Some popular sites that may have been affected: The CRA, Yahoo, Flickr, OkCupid, Eventbrite, Indiegogo, Imgur.
The breakdown revealed this week affects the encryption technology that is supposed to protect online accounts for e-mails, instant messaging and a wide range of electronic commerce.
Security researchers who uncovered the threat, known as “Heartbleed,” are particularly worried about the breach because it went undetected for more than two years.
Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat.
“I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,” Chartier said.
Chartier and other computer security experts are advising people to consider changing all their online passwords.
“I would change every password everywhere because it’s possible something was sniffed out,” said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. “You don’t know because an attack wouldn’t have left a distinct footprint.”
But changing the passwords won’t do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.
Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services – including sports, finance and Tumblr – had been fixed, but work was still being done on other products that it didn’t identify in a statement Tuesday.
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.
The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet. About two-thirds of Web servers rely on OpenSSL, Chartier said.
Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren’t likely to be affected because of their “conservative choice” of equipment and software. “Ironically, smaller and more progressive services or those who have upgraded to [the] latest and best encryption will be affected most,” the security firm said in a blog post.
In a Tuesday post announcing it had installed the Heartbleed fix, Tumblr offered its users some blunt advice.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr said. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like e-mail, file storage, and banking, which may have been compromised by this bug.”
Cliff Notes:
- Hope to God that the services you use have patched the bug on their servers
- If service is patched, change passwords
tool001
04-10-2014, 01:17 PM
Microsoft must have had a good laugh for once..
underscore
04-10-2014, 01:39 PM
Is there a list of major places using OpenSSL?
Is there a list of major places using OpenSSL?
The Heartbleed Hit List: The Passwords You Need to Change Right Now (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/)
JaPoola
04-10-2014, 01:54 PM
I doubt an exploit like this could have stayed secret for two years. The chances of this exploit actually being used up till now are pretty slim I think.
The recent security flaws in SSL are scary: First the Apple SSL security issue, now this... let's hope this is the last of it.
Anjew
04-10-2014, 02:05 PM
if you have android, download heartbleed detector...
Ulic Qel-Droma
04-10-2014, 02:22 PM
can someone explain the diff between open SSL and what the banks use?
it seems like none of the banks were affected.
and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?
inject me with education.
z3german
04-10-2014, 02:33 PM
Scares me shitless... I am to the point where I cannot think of another password I can remember...
Guess gotta spend the $25 on a good PW manager and change them all sigh.....
I am totally locked out of my 3 microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
-can't use previous pw
-too similar to previous pw
-needs capital
-needs number
LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
Cillu
04-10-2014, 02:37 PM
It might be easier for you to make a passphrase instead. They're much easier to remember.
underscore
04-10-2014, 02:41 PM
Four random words is supposed to be the most secure, but nobody lets you use that.
Mr.HappySilp
04-10-2014, 03:06 PM
can someone explain the diff between open SSL and what the banks use?
it seems like none of the banks were affected.
and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?
inject me with education.
No system is 100% secure as long as it has Internet access.
HonestTea
04-10-2014, 03:11 PM
Scares me shitless... I am to the point where I cannot think of another password I can remember...
Guess gotta spend the $25 on a good PW manager and change them all sigh.....
I am totally locked out of my 3 microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
-can't use previous pw
-too similar to previous pw
-needs capital
-needs number
LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
FUCK I KNOW THAT FEEL BRO :(
hypediss
04-10-2014, 03:17 PM
Scares me shitless... I am to the point where I cannot think of another password I can remember...
Guess gotta spend the $25 on a good PW manager and change them all sigh.....
I am totally locked out of my 3 microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
-can't use previous pw
-too similar to previous pw
-needs capital
-needs number
LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
LastPass is your answer :concentrate:
m3thods
04-10-2014, 03:36 PM
LastPass is your answer :concentrate:
This- Lastpass has been very helpful in generating random passwords. You just need to remember your master one to actually log into the service.
z3german
04-10-2014, 03:47 PM
LastPass is your answer :concentrate:
I don't mind paying for a service like that, but can anyone chime in on
lastpass vs keepass?
or better yet paid vs keepass (free/open source)
CRA has been affected too.
“Heartbleed” bug forces revenue agency to shut down online tax-return filing | canada.com (http://o.canada.com/news/national/heartbleed-bug-forces-revenue-agency-to-shut-down-online-tax-return-filing/)
OTTAWA — The Canada Revenue Agency abruptly pulled the plug on its online services Wednesday over security concerns, saying it will take until the weekend at least before taxpayers can again file their returns online. The problem has forced it to extend the deadline for online filing.
In addition, the government’s super-IT agency was unable to say how widespread the problem might be across federal departments, or how long it might take to fix. The security loophole that led to the shutdown is found in many government and consumer websites around the world, and could have provided improper access to sensitive information during the two years before it was revealed this week.
Shared Services Canada said it was working to “identify the extent of the problem and to apply solutions, including implementing patches, as required.”
Those patches — or digital repairs — could take several days to complete, one expert said. Because of the nature of the security loophole, which can’t be traced, it may be impossible to say how much, if any, private information has been accessed.
“The people who have filed (income tax returns), maybe someone was watching,” said David Skillicorn, a computer security expert from Queen’s University in Kingston, Ont. “The issue for the CRA, more importantly, is that they don’t know how much their internal systems were compromised.”
The outage was caused by an online security loophole known as the Heartbleed bug.
Heartbleed is a two-year old vulnerability found in software used by thousands of websites globally to encrypt information when logging in to secure online services. The loophole lets someone see encrypted information sent between two computers, such as usernames and passwords, but permits secretly snooping around the system running the website and the user’s personal computer.
It only works on systems that use a security device known as Open SSL – which the CRA website does – to encrypt login information.
The Canada Revenue Agency services affected by Wednesday’s shutdown included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system.
The shutdown came just as the agency had ramped up for tax-filing season, and as it has continued to encourage Canadians to file electronically rather than by using paper forms.
“Given that we are in the midst of tax filing season, this will be challenging and will require sustained effort and collaboration across the agency to minimize the impact on the services we provide to Canadians,” CRA commissioner Andrew Treusch wrote in a notice to employees Wednesday.
Taxpayers looking to file their returns were blocked Wednesday morning from logging on to the Canada Revenue Agency website. An online message told taxpayers that as a security precaution, access was blocked until concerns were addressed.
“We know there’s a systems vulnerability. We have identified that, so we shut down those systems right away as a precautionary measure only,” National Revenue Minister Kerry-Lynne Findlay said. “We’re investigating. We’re working on it.”
Findlay’s office said late Wednesday that no penalties or interest would be applied to anyone filing online after the April 30 tax deadline. The grace period will correspond to however long the service outage lasts.
“Consideration will be given to taxpayers who are unable to comply with their filing requirements because of this service interruption,” she told the House of Commons.
The revenue agency suspended its online tax service for an unprecedented nine days in 2007 because of a computer malfunction caused by a faulty patch. Data security, however, was not a concern at that time. Rather, the faulty patch caused irregularities in the transfer of information between the databases that store and handle Canadians’ tax information.
The Canadian Bankers Association, which represents some 59 domestic and foreign banks, said Wednesday the online banking applications of Canadian banks were not affected by the bug.
“TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” said Barbara Timmins, a spokeswoman at TD Bank Group.
- With files from Kathryn May, Ottawa Citizen, and the Canadian Press.
Majestic12
04-10-2014, 06:35 PM
I don't mind paying for a service like that, but can anyone chime in on
lastpass vs keepass?
or better yet paid vs keepass (free/open source)
Just started using Keepass. Works fine, especially with browser integration. You can also integrate it with a Dropbox account too.
My plan is to get a small usb keychain and put Keepass mobile on it to autosync with Dropbox, so no matter where I am, I will have an encrypted copy of my password database with me.
underscore
04-11-2014, 08:50 AM
But if you lose the keychain or your master password is compromised you're fucked. I have unique passwords for a few important things and one generic one for shit I don't really care about.
SkinnyPupp
04-11-2014, 09:22 AM
Use this as a reminder to use 2 factor authentication whenever you can, and use a password manager. I already use 2FA for everything but am still researching password managers. Thinking of using Lastpass for $12 a year. Would like to use an open source one if possible though
If you were wondering if RS is affected, it's not since we don't use SSL anyway. On low-risk sites like this (forums, blogs, etc) you should NOT be using the same password you'd use on a high risk site (banks, email, etc)
godwin
04-11-2014, 09:29 AM
OpenSSL is an open source SSL library. Incidentally it is part of OpenBSD which is based out of Edmonton. There are different versions and makes of SSL libraries out there. Much like there are different V6 engines out there by different makes in cars. You can potentially swap in and out much like adult entertainment mogul Jason2000 does with his e36. OpenSSL is free and source is free, so it is easier to optimize it for one's particular system.
Banks use devices that use commercial SSL libraries, that's probably why they are not affected. (or more likely the manufacturers haven't let the banks know yet).
The advice is not to change the passwords UNTIL the site that is affected has reissued its SSL certificate. Since each site does its own thing at its own timing (some places probably won't give a flip), the easiest is to go to an aggregate news site eg Lastpass to see if the site in question has been patched and has new SSL certs.
can someone explain the diff between open SSL and what the banks use?
it seems like none of the banks were affected.
and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?
inject me with education.
SpeedStars
04-11-2014, 03:32 PM
Does anyone know when sites are going to resume as normal? Can't file my taxes still :fuuuuu:
Graeme S
04-11-2014, 09:10 PM
For anyone who's interested in a (relatively) plain English explanation of what heartbleed is exactly, here you go:
http://imgs.xkcd.com/comics/heartbleed_explanation.png
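The comic above, and the news article quoted at the top of the thread, both come down to one missing bounds check in the TLS heartbeat handler. The following is an added illustration written for this page, not code from the original post and not OpenSSL's own code: it builds a heartbeat record in the RFC 6520 layout (type, two-byte payload length, payload, padding), then shows a handler that trusts the sender's length field beside the corrected handler that rejects a claimed length larger than the record that actually arrived. The "process memory" and the secret bytes next to the record are constructed for the demonstration.

```python
import struct

# TLS heartbeat message (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
HEARTBEAT_REQUEST = 1
PADDING_MIN = 16          # the spec requires at least 16 bytes of padding
HEADER_LEN = 3            # type byte plus the two-byte length field


def build_record(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat record. claimed_len is what the sender writes in the
    length field; the honest value is len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * PADDING_MIN)


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """The vulnerable pattern: trust payload_length and copy that many bytes
    starting at the payload. record_len is never consulted, so an oversized
    claim reads past the record into whatever follows it in memory."""
    claimed_len = struct.unpack("!H", memory[1:HEADER_LEN])[0]
    return memory[HEADER_LEN:HEADER_LEN + claimed_len]


def respond_checked(memory: bytes, record_len: int):
    """The fixed pattern: the claimed length, plus header and minimum padding,
    must fit inside the record that was actually received (the same shape of
    check the OpenSSL patch added). Otherwise the message is dropped."""
    claimed_len = struct.unpack("!H", memory[1:HEADER_LEN])[0]
    if HEADER_LEN + claimed_len + PADDING_MIN > record_len:
        return None
    return memory[HEADER_LEN:HEADER_LEN + claimed_len]


# Constructed process memory: the record, followed by unrelated data that
# happens to sit next to it (the kind of thing the comic shows leaking).
NEARBY = b"...session=8f3a; user=alice; pw=hunter2; ..."
HONEST = build_record(b"bird", 4)       # 4-byte payload, claims 4
LYING = build_record(b"bird", 500)      # 4-byte payload, claims 500
RECORD_LEN = len(HONEST)                # 23 bytes actually received in both cases


def demo() -> dict:
    """Run both handlers against both records and return what each echoes back."""
    return {
        "honest_unchecked": respond_unchecked(HONEST + NEARBY, RECORD_LEN),
        "honest_checked": respond_checked(HONEST + NEARBY, RECORD_LEN),
        "lying_unchecked": respond_unchecked(LYING + NEARBY, RECORD_LEN),
        "lying_checked": respond_checked(LYING + NEARBY, RECORD_LEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The honest record gets the same "bird" back from both handlers. For the record that claims 500 bytes, the unchecked handler returns the payload, the padding and then the constructed neighbouring bytes; the checked handler returns nothing at all, which is why the fix was a one-line length comparison rather than any change to the encryption itself.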
tiger_handheld
04-11-2014, 09:15 PM
What I don't comprehend is why the CRA trusts open source security while the largest bank in Canada does their own dev for security.
#mindblasted
For anyone who's interested in a (relatively) plain English explanation of what heartbleed is exactly, here you go:
http://imgs.xkcd.com/comics/heartbleed_explanation.png
So.. Heartbleed used SQL with a little bit of brute force to decrypt the SSL certificates? They make it sound so simple.. Technically, then, the handshaking process was weak from the start and it was just a matter of a short time. (Decrypting SSL would usually take a billion years to decrypt by brute force, wouldn't it?) The guy sifting through the data must've been lucky as hell.
SkinnyPupp
04-12-2014, 03:36 AM
What I don't comprehend is why the CRA trusts open source security while the largest bank in Canada does their own dev for security.
#mindblasted
In most cases, open source is more secure. This very same bug could have existed in any proprietary system. Usually when exploits are found in open source, they get pointed out and fixed. With proprietary, unless the developers themselves find the holes, who knows what happens before (or if) they get fixed.
Also banks are notoriously lazy with updating their software. Most banks use a proprietary system with known exploits, just because they don't keep it updated. If they used OpenSSL, it would be updated by the community all the time. Bugs do happen, but they get fixed too.
K.Dubz
04-12-2014, 06:51 PM
Use this as a reminder to use 2 factor authentication whenever you can, and use a password manager. I already use 2FA for everything but am still researching password managers. Thinking of using Lastpass for $12 a year. Would like to use an open source one if possible though
If you were wondering if RS is affected, it's not since we don't use SSL anyway. On low-risk sites like this (forums, blogs, etc) you should NOT be using the same password you'd use on a high risk site (banks, email, etc)
I'm using lastpass, in addition with yubikey. Works great, saves you time from having to type in the username/password.
Majestic12
04-12-2014, 10:11 PM
But if you lose the keychain or your master password is compromised you're fucked. I have unique passwords for a few important things and one generic one for shit I don't really care about.
The keychain isn't strictly necessary. So long as the computer I'm using has internet access, I can access my database (since it's hosted on dropbox) and just re-download Keepass to use the database if I REALLY need to. If the master password is compromised, yeah, I'm hooped, which is why it's a damn good one. The upside to that is that you only need the one really good password. Easier than remembering 20 different passwords that are all variations of the same thing.
SkinnyPupp
05-24-2014, 04:41 PM
I finally got around to using a password manager. Another site lost their emails and passwords (Ebay). If you are not using one yet, NOW is the time to do so. If you're using simple passwords and the same one on a few sites, it's pretty much just a matter of time before someone gets them.
I went with Dashlane after looking into several options. It seems to be the most compatible, and most reliable. As soon as a good one that combines bitcoin comes along I'll probably switch, but for now this will do
If you're interested, feel free to use my referral code and we will both get 6 months free:
https://www.dashlane.com/en/cs/3bb9491e
underscore
05-27-2014, 08:30 AM
What happens if someone gets the password manager info then?
SkinnyPupp
05-27-2014, 08:39 AM
I'd take that chance (which is next to nil, unless you tell someone or have a keylogger) over the alternative (if you use a similar password on more than one site, someone has all your passwords)
inv4zn
05-27-2014, 08:44 AM
Hmm, I do that lol.
So this software, I guess the point is to completely randomize all your password, and the software keeps track for you?
What happens on the occasion that you want to log into a website, on a computer you don't normally use?
godwin
05-27-2014, 08:49 AM
Ideally the data is encrypted. It still takes a while to be able to decrypt Blowfish 512.. However if they can get it from your own computer, that means your computer / phone are hooped. So to be extra safe use a password manager that would do 2 factor encryption.
What happens if someone gets the password manager info then?
SkinnyPupp
05-27-2014, 08:53 AM
Hmm, I do that lol.
So this software, I guess the point is to completely randomize all your password, and the software keeps track for you?
What happens on the occasion that you want to log into a website, on a computer you don't normally use?
In this case, the idea is that you always have your phone with you. It syncs all passwords on your mobile devices, so as long as you have your phone, you have all your passwords.
Presumably you are using two factor authentication for the important sites too, so you'd need your phone with you in that case anyway.
You have to assume that someone has at least ONE of your passwords, it's just a matter of time until they come across your name, and it's time for your passwords to be cracked. And if you use the same word in more than one password, it's MUCH easier to crack the rest.
inv4zn
05-27-2014, 09:12 AM
Hmm, will look into this.
Thanks.
Dashlane vs FastPass?
underscore
05-27-2014, 02:15 PM
Interesting. My problem is I don't trust phones since they're so easy to break and I don't trust external services.
Nomomo
05-27-2014, 04:16 PM
pen and paper for you technosavant. hack that!
SkinnyPupp
05-27-2014, 05:12 PM
Interesting. My problem is I don't trust phones since they're so easy to break and I don't trust external services.
No need to trust the service, they don't have a record of your password. The only record of it is in your head. So if someone got your phone and/or the data, they can't do anything with it unless they have the password
underscore
05-27-2014, 07:48 PM
Wait, what? I must be missing something here, does the password manager service not hold all your other passwords?
SkinnyPupp
05-27-2014, 08:29 PM
Wait, what? I must be missing something here, does the password manager service not hold all your other passwords?
It holds them in an AES 256 bit encrypted file which is impossible* to crack with a strong key. They don't hold the key itself though, you do. So unless you give up that key, the file is safe.
*nothing is literally impossible but it is effectively impossible until quantum computing hits it big I guess
There's a good post about it here. They use 128 bit as an example, and using a 10.51 Petaflop supercomputer, it would take 1 billion billion years. If I'm correct, that looks like this: 1,000,000,000,000,000,000 years. The universe itself is 13,750,000,000 years old.
Another good example from that page. If everyone in the world had 10 supercomputers that are faster than any computer anyone can possibly have, and they spent 24 hours a day cracking one key with those 70 billion supercomputers, it would take about 77,000,000,000,000,000,000,000,000 years to crack that one key.
Again, these examples are for 128 bit. 256 bit would be about 9 times more... so 9 billion billion years :ahwow:
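The "they hold the encrypted file but not the key" design from the post above, as an added example written for this page rather than code from any of the password managers discussed: the master password is stretched on the user's device with PBKDF2-HMAC-SHA256 into an encryption key and a separate authentication key, the vault is encrypted and tagged, and the record handed to the service contains salt, nonce, work factor, ciphertext and tag only. Because the Python standard library has no AES, the cipher here is a counter-mode keystream built from HMAC-SHA256 standing in for AES-256; the vault entries, the master passphrase and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000   # assumed work factor; real products choose their own


def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple:
    """Stretch the master password with PBKDF2-HMAC-SHA256 into two 32-byte
    keys: one to encrypt the vault, one to authenticate it. This runs only on
    the user's device; the service never sees the password or these keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. A stand-in for AES-256, which
    the standard library does not provide; the record layout is the same."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock_vault(master_password: str, plaintext: bytes,
               iterations: int = KDF_ITERATIONS) -> dict:
    """Produce the record the service stores. It carries no key and no
    plaintext: only salt, nonce, work factor, ciphertext and tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def unlock_vault(master_password: str, record: dict):
    """Re-derive the keys from the master password, verify the tag in constant
    time, and only then decrypt. A wrong password fails the tag check and
    yields None rather than garbage."""
    enc_key, mac_key = derive_keys(master_password, record["salt"], record["iterations"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"],
                        "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return xor_bytes(record["ciphertext"],
                     keystream(enc_key, record["nonce"], len(record["ciphertext"])))


if __name__ == "__main__":
    vault = b"bank.example: hunter2\nmail.example: Tr0ub4dor&3\n"   # constructed entries
    stored = lock_vault("correct horse battery staple", vault)
    print("service holds:", sorted(stored))
    print("right password:", unlock_vault("correct horse battery staple", stored))
    print("wrong password:", unlock_vault("correct horse battery stapler", stored))
```

The point the key-size arithmetic in the post leaves out is visible in `unlock_vault`: whoever obtains the stored record is not attacking the 256-bit key, they are guessing the master password, and each guess costs them `iterations` rounds of PBKDF2 plus one tag check. The work factor and the strength of the master password, not the cipher's key length, set the real cost.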
underscore
05-30-2014, 08:54 AM
Right, but if your key is compromised then the level of encryption becomes moot.
I've had to look into the pains of brute forcing your way through encryption recently when a PC was hit with CryptoLocker, ransomware that encrypts your files and demands $500 for the key. The complexity of getting through is certainly interesting.