[kwlug-disc] Heartbleed affected sites

Bob Jonkman bjonkman at sobac.com
Fri Apr 11 17:26:35 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

unsolicited wrote:
> I do wonder if 'change your password' isn't FUD, promoted for
> trying to give users the sense that they're in control of their
> own security, and that changing their password will let them be
> proactive and 'solve the problem'.

No, in this case 'change your password' is not FUD.  In that 64K chunk
of memory that gets downloaded are not only the private keys for the
SSL handshake (which requires the site to re-generate SSL keys), but
that 64K chunk of memory could also contain the higher
application-level password or hash or key for the user/password
combination.

I'm not a fan of PW policies that require frequent password changes. A
password is as strong today as it is 90 days from today, unless there
has been a security breach that compromises the password.  Well,
Heartbleed is a security breach that compromises passwords. Now is the
time to change passwords.

Change passwords on all sites, not just the ones that have been
reported as vulnerable. If you change your password now and the site
says tomorrow that they've fixed the Heartbleed bug, change your
password again (because the first change may have been compromised
before their fix was in place).

Good password practices:

 * Use a password database and generator like KeepassX, Lastpass, or
similar.

But if you don't use a password database then:

 * Use a different password on every site or application for which you
need a password.  That way if one site is compromised it doesn't
affect every other site. Of course, Heartbleed affects every site, so
that's not always true.

 * Make it long. Long passwords are good passwords. 20 characters is
good. 16 is probably adequate. 10 is marginal.

 * Choose a phrase that is easy to remember, but difficult to guess.
As an example, something like "Itookthebustoworkthismorning" -- it's
sufficiently long, easy to type, easy to remember.

 * Don't bother with $p3c14l characters or numbers; the bad guys have
software that makes those substitutions too[1]. Special characters
make the password difficult to type and difficult to remember. If you
need to type slowly because of special characters then it's easy for a
bad guy to shoulder-surf and see what you're typing. According to
KeepassX the passphrase "Itookthebustoworkthismorning" has 28
characters for 224 bits of entropy; on the other hand, passwords with
28 random characters with upper-case, lower-case, numbers and special
characters (created by KeepassX's password generator) have only 182
bits of entropy.

 * If the site does not offer a password reset option then write down
your password, and keep it where you keep your money.  If the
passphrase is protecting $10 worth of data then keep it in your
wallet; if the passphrase is protecting $10,000 worth of data then
keep it in a safe. Don't forget to write down the site or application
name, the user ID, and any other credentials you need.

A truism found on teh Internets:

♻ @_cypherpunks_ Three laws of computer !security:
1) Don't have a computer
2) If you have a computer, don't turn it on
3) If you turn it on, don't use it

- --Bob.

[1] http://arstechnica.com/security/2012/08/passwords-under-assault/2/



Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-669-0388
SOBAC Microcomputer Services             http://sobac.com/sobac/
http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA


On 14-04-11 04:24 PM, unsolicited wrote:
> Why?
> 
> The bug was introduced 2 years ago, but its not known to have been
>  exploited, from anything I've seen, which doesn't say much.
> 
> Nefarious activity in the wild is monitored by various
> organizations to whatever extent it is, and the issue was not
> discovered / reported by them, as far as I know.
> 
> From what I saw a 64k chunk of memory is potentially exposed in an 
> ssh server to someone if they were exploiting it, for which we
> don't know they were. (Or even aware it was possible.)
> 
> Doesn't mean there was anything useful in that 64k chunk. Which
> they would then have to decipher in the sense of figuring out if
> there is anything useful, and that usefulness has to extend to
> being able to do something with it.
> 
> Without any knowledge one way or the other, I assume CRA is shut 
> down not because there's an issue going forward (problem easily 
> patched, now), but because they don't know what might have
> happened during or within. Short of checksumming every system, I
> don't know how they might prove one way or another. But someone
> higher up is probably requiring due diligence on something that
> can't be proven.
> 
> I do wonder if 'change your password' isn't FUD, promoted for
> trying to give users the sense that they're in control of their
> own security, and that changing their password will let them be
> proactive and 'solve the problem'.
> 
> There's a lot if 'ifs' to the chain of events above before you have
>  certainty of impact. And a lot of other risks (especially human 
> error) out there that are quite probably more likely to happen and 
> impact you than this one. No, I don't know what they are, either.
> But I also haven't seen any impact.
> 
> It's a lot of work to change all the passwords, let alone for some 
> time afterwards trying to remember what you changed them to.
> 
> Not sure it's worth the effort in the absence of any detected 
> impact. Hard to say its not just fear mongering. Certainly some
> media I've seen running around with their heads cut off demonstrate
> a deep misunderstanding of things, yet their heads are still
> talking.
> 
> 
> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>> Mashable has a list going of sites affected by Heartbleed:
>> 
>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>> 
>> Don't forget to add Canada Revenue (and most other government 
>> sites) to your list of passwords to change!
> 
> 
> _______________________________________________ kwlug-disc mailing 
> list kwlug-disc at kwlug.org 
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlNIXgkACgkQuRKJsNLM5eoFkACfbucDW9BLHLCIhL7riLpe0Ad7
miUAoK9Yq40Bxjjtpn5CyW+n6r4fPIq4
=Y4qG
-----END PGP SIGNATURE-----




More information about the kwlug-disc mailing list