[kwlug-disc] Heartbleed affected sites

Bob Jonkman bjonkman at sobac.com
Mon Apr 14 23:55:46 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

unsolicited <unsolicited at swiz.ca> wrote:
> That's my point - it DOES hurt to change [your password]. Time 
> consumption to do so, and time wasted later trying to remember
> what you changed it to -this- time.

Risk management 101: If the cost of your time to change the password
exceeds the risk+value of the data that password is protecting, then
you should not change your password.

--Bob.



On 14-04-14 11:50 PM, unsolicited wrote:
> This keeps missing the point.
> 
> Is LastPass pre-installed on all browsers on all devices
> everywhere all the time and everyone forced to use it? Is the
> browser the only means by which OpenSSL libraries come into play?
> 
> If not, then my comments stand, and LastPass is not a magic pill. 
> e.g. ssh into a server. This is about the I.T. and media
> industries, not a specific OS or app. And misinformed and
> misleading media sensationalization. Media is the message, I guess.
> And so much for factual basis.
> 
> On 14-04-14 11:23 PM, CrankyOldBugger wrote:
>> This is why I use LastPass.. it does a great job of remembering this
>> stuff for me.
>> 
>> 
>> On 14 April 2014 20:20, unsolicited <unsolicited at swiz.ca> wrote:
>> 
>>> That's my point - it DOES hurt to change it.
>>> 
>>> Time consumption to do so, and time wasted later trying to 
>>> remember what you changed it to -this- time. Or chase down how 
>>> you recorded it (e.g. browser cache / password lookup). Now 
>>> repeat for every other place you've been encouraged to 
>>> (pointlessly) change your password as well, which of course
>>> you did because the media knows all.
>>> 
>>> Now multiply by number of users out there. And again by number 
>>> of accessing devices. What a waste of resources.
>>> 
>>> This is my issue - all very well to take corrective action to 
>>> known and quantified issues, but not so to send everyone to
>>> chase their tail everywhere 'just in case.' The I.T. industry
>>> could and should do a better job for its users. I.T. is a tool,
>>> not an end in itself. The tail should not be wagging the dog.
>>> 
>>> -----
>>> 
>>> Your note makes me wonder ... wherefore OpenID on all this?
>>> (In the sense of being a single password.) And I wonder if
>>> (some day?) OpenID could go change all your passwords for you,
>>> and the user need only change their OpenID password.
>>> 
>>> Given your note, I'm guessing that makes some sense to you
>>> too, if two factor authentication is used for OpenID there.
>>> [OpenID == (set of OpenID like services, which seems to more
>>> and more include gmail accounts)]
>>> 
>>> 
>>> On 14-04-14 11:12 AM, Darcy Casselman wrote:
>>> 
>>>> I still contend that your Instagram password is the last
>>>> thing you need to worry about from Heartbleed.
>>>> 
>>>> https://twitter.com/CP24/status/455686305305751553
>>>> 
>>>> But sure, it doesn't hurt to change it.
>>>> 
>>>> Although, as I write on my blog, relying on a shared secret
>>>> for your identity has been proven again and again to be 
>>>> insufficient. Setting up two-step verification with a
>>>> one-time password is the best way right now to avoid having
>>>> your credentials stolen from a server, regardless of how an
>>>> attacker gets that information.
>>>> 
>>>> http://flyingsquirrel.ca/index.php/2014/04/12/enable-two-factor-authentication/
>>>> 
>>>> Darcy.
>>>> 
>>>> 
>>>> On Sat, Apr 12, 2014 at 4:15 PM, unsolicited 
>>>> <unsolicited at swiz.ca> wrote:
>>>> 
>>>>> Yep, had caught those aspects.
>>>>> 
>>>>> Keyword being 'potential'. Which is only to say, with the 
>>>>> media all running around with their heads cut off, and only
>>>>> a small subset of such services you use WITH impacted
>>>>> servers AND real potential harm to you at exposure IF you
>>>>> have an account worth messing around with more lucrative
>>>>> than others, there's a lot of FUD out there.
>>>>> 
>>>>> Which is not to say you won't be impacted, nor that it
>>>>> won't hurt when you are ... but it's not EVERYWHERE for 
>>>>> EVERYTHING.
>>>>> 
>>>>> I don't dispute the problem is discerning when it really 
>>>>> matters.
>>>>> 
>>>>> I'm only irritated that they put out carte blanche 'change 
>>>>> everything' 'just in case'. This, my industry (I.T.),
>>>>> should be able to be rather more surgical, and less 'there
>>>>> MAY be risk, better safe than sorry'.
>>>>> 
>>>>> Considering the time and expense and potential exposure
>>>>> most everyone is being told to expend. Most of which is
>>>>> pointless for lack of real exposure. That's my issue - lots
>>>>> of FUD and noise, most of it, just noise, and we all have
>>>>> better things to do.
>>>>> 
>>>>> 
>>>>> 
>>>>> On 14-04-12 12:51 PM, Khalid Baheyeldin wrote:
>>>>> 
>>>>>> Heartbleed extracted whatever happened to be in memory at
>>>>>> the time. That can be passwords or hashes or anything else.
>>>>>> 
>>>>>> It is non-specific, but a determined attacker can 
>>>>>> potentially glean some info with persistence.
>>>>>> 
>>>>>> Also, because the attacker does not need to complete a 
>>>>>> connection that would be logged (e.g. HTTP, ...etc.),
>>>>>> this makes the attacks untraceable with the usual logs
>>>>>> (e.g. web server).
>>>>>> 
>>>>>> This is what makes it scary: potential information
>>>>>> disclosure, and non-traceability.
>>>>>> 
>>>>>> 
>>>>>> On Sat, Apr 12, 2014 at 4:29 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>>>>>
>>>>>>> That's over simplistic.
>>>>>>>
>>>>>>> You can't extract a password that isn't there.
>>>>>>>
>>>>>>> *IF* it is even in the packet you get.
>>>>>>>
>>>>>>> *IF* it was being exploited at the time.
>>>>>>>
>>>>>>> *IF* you are of interest to them.
>>>>>>>
>>>>>>> *IF* they are interested in doing damage to that
>>>>>>> provider of services.
>>>>>>>
>>>>>>> Lot of IFs. Lot of FUD.
>>>>>>>
>>>>>>> What's being protected?
>>>>>>>
>>>>>>> Will you know?
>>>>>>>
>>>>>>> Will you care?
>>>>>>>
>>>>>>> Not saying now that exploit known they wouldn't run with
>>>>>>> it.
>>>>>>>
>>>>>>> But patching is simplistic.
>>>>>>>
>>>>>>> I take your point about SSL keys - IF it was in the data
>>>>>>> returned.
>>>>>>>
>>>>>>> But with properly isolated systems, it should only be the
>>>>>>> front end impacted. On the assumption that nobody
>>>>>>> inside your firewall is exploiting it.
>>>>>>>
>>>>>>> Lots of IFs all around.
>>>>>>>
>>>>>>> But I take your point.
>>>>>>>
>>>>>>>
>>>>>>> On 14-04-11 05:44 PM, Bob Jonkman wrote:
>>>>>>>
>>>>>>>> If your router is accessible from the WAN port via http then you
>>>>>>>> have more urgent problems than Heartbleed.
>>>>>>>>
>>>>>>>> If a site has both http and https then there's no (new)
>>>>>>>> vulnerability with http, but a Heartbleed attack on https can
>>>>>>>> still extract passwords and other info.
>>>>>>>>
>>>>>>>> To extract a password from an http session a bad guy needs to be a
>>>>>>>> man-in-the-middle, or sniffing the network (remember Firesheep?). To
>>>>>>>> extract a password with Heartbleed an attacker only has to
>>>>>>>> initiate an https session.
>>>>>>>>
>>>>>>>> --Bob.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
>>>>>>>>
>>>>>>>>> But, wouldn't Heartbleed be an issue, only if you use SSL on the
>>>>>>>>> site? For example, if you have OpenWRT/Tomato/DD-WRT and logging
>>>>>>>>> via http (not https), then there is no exploit via OpenSSL?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com> wrote:
>>>>>>>>>
>>>>>>>>>> If you're using a tool to check for Heartbleed vulnerabilities, be
>>>>>>>>>> sure to check the Web interface on your router and/or modem as
>>>>>>>>>> well.
>>>>>>>>>>
>>>>>>>>>> I'm not sure if router vendors are on top of this, but according
>>>>>>>>>> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from
>>>>>>>>>> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch
>>>>>>>>>> modem with firmware 6.1.0.5
>>>>>>>>>>
>>>>>>>>>> Also, somebody asked me how safe these vulnerability checking
>>>>>>>>>> tools are, especially the online and Javascript-based ones.
>>>>>>>>>> What's to say they're not merely displaying "all is well", and
>>>>>>>>>> actually compiling a list of vulnerable sites for later
>>>>>>>>>> exploitation?
>>>>>>>>>>
>>>>>>>>>> --Bob.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>>>>>>>>
>>>>>>>>>>> You can use this python tool ssltest.py to check
>>>>>>>>>>> if your servers are vulnerable:
>>>>>>>>>>>
>>>>>>>>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>>>>>>>>> $ python ssltest.py example.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Mashable has a list going of sites affected by Heartbleed:
>>>>>>>>>>>>
>>>>>>>>>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>>>>>>>>>
>>>>>>>>>>>> Don't forget to add Canada Revenue (and most other government
>>>>>>>>>>>> sites) to your list of passwords to change!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Bob Jonkman <bjonkman at sobac.com>
>>>>>>>>>> Phone: +1-519-669-0388
>>>>>>>>>> SOBAC Microcomputer Services http://sobac.com/sobac/
>>>>>>>>>> http://bob.jonkman.ca/blogs/ http://sn.jonkman.ca/bobjonkman/
>>>>>>>>>> Software --- Office & Business Automation --- Consulting
>>>>>>>>>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> kwlug-disc mailing list
>>>>>>>>>> kwlug-disc at kwlug.org
>>>>>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Khalid M. Baheyeldin
>>>>>> 2bits.com, Inc.
>>>>>> Fast Reliable Drupal
>>>>>> Drupal optimization, development, customization and consulting.
>>>>>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>>>>>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>>>>>> For every complex problem, there is an answer that is clear, simple, and wrong. -- H.L. Mencken
>> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlNMrcAACgkQuRKJsNLM5erEUwCghlfGr18bbQ5BLuxvJeFj8oIF
nCwAn38v5NT0s4uuCTYuj/+IAUpNd23p
=8zSA
-----END PGP SIGNATURE-----
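Added example, not part of the thread and not ssltest.py itself: a Python model of the heartbeat exchange the messages above argue about. It builds the malformed heartbeat request that ssltest.py sends (declared payload_length larger than the bytes actually sent), simulates the unpatched OpenSSL behaviour that copies the declared length from memory, simulates the 1.0.1g record-length check that silently drops such a request, applies the same "did the server return more than I sent" verdict ssltest.py uses, and adds a sensor-side rule over a captured record, since, as Khalid points out, the web server's own logs never record the request. The record layout is RFC 6520's; the "server memory" bytes, the credential string planted in them and the probe values are constructed for the demonstration, and nothing touches the network.

```python
"""Heartbleed (CVE-2014-0160) heartbeat handling modelled in Python.

Added example. TLS heartbeat layout per RFC 6520; the server "memory",
the credential in it and the probe values are constructed for this demo.
"""
import struct
from typing import Optional

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat
TLS_VERSION = b"\x03\x01"     # record-layer version (TLS 1.0), as ssltest.py sends
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16               # RFC 6520 minimum padding after the payload


def build_heartbeat_record(claimed_len: int, payload: bytes) -> bytes:
    """TLS record carrying a heartbeat request. payload_length is taken from
    claimed_len, so claimed_len > len(payload) is the malformed probe."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!B2sH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return ctype, version, body


def _heartbeat_request(record: bytes):
    """(claimed_len, body) if the record is a heartbeat request, else None."""
    ctype, _, body = parse_record(record)
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_REQUEST:
        return None
    return struct.unpack("!H", body[1:3])[0], body


def vulnerable_server(record: bytes, memory: bytes) -> Optional[bytes]:
    """OpenSSL before 1.0.1g: copies payload_length bytes starting at the
    request payload, running past the record into adjacent heap.
    `memory` is a constructed stand-in for that adjacent heap."""
    req = _heartbeat_request(record)
    if req is None:
        return None
    claimed, body = req
    heap = body[3:] + memory             # request payload, then neighbouring heap
    leaked = heap[:claimed]              # no check that claimed fits the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + leaked + bytes(HB_PADDING)


def patched_server(record: bytes, memory: bytes) -> Optional[bytes]:
    """OpenSSL 1.0.1g: drop the heartbeat unless type + length + payload +
    minimum padding fit in the record received. The drop is silent, so the
    application log shows nothing in either case."""
    req = _heartbeat_request(record)
    if req is None:
        return None
    claimed, body = req
    if 1 + 2 + claimed + HB_PADDING > len(body):
        return None
    payload = body[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + bytes(HB_PADDING)


def is_vulnerable(response: Optional[bytes], sent_payload: bytes) -> bool:
    """ssltest.py-style verdict: a heartbeat response carrying more payload
    than the probe sent means the server read past the request."""
    if response is None or response[0] != HB_RESPONSE:
        return False
    claimed = struct.unpack("!H", response[1:3])[0]
    return len(response[3:3 + claimed]) > len(sent_payload)


def flag_heartbeat_overread(raw: bytes) -> bool:
    """Sensor rule for a tap in front of the server: a heartbeat request
    whose declared length cannot fit in the record it arrived in."""
    req = _heartbeat_request(raw)
    if req is None:
        return False
    claimed, body = req
    return 1 + 2 + claimed + HB_PADDING > len(body)


def demo() -> dict:
    """One malformed probe and one well-formed heartbeat against both server
    models and the sensor rule."""
    memory = b"user=bob&password=hunter2\x00" + bytes(64)   # constructed heap
    probe = build_heartbeat_record(0x40, b"\x01\x01")       # declares 64, sends 2
    benign = build_heartbeat_record(2, b"\x01\x01" + bytes(HB_PADDING))
    vuln = vulnerable_server(probe, memory)
    return {
        "vulnerable_verdict": is_vulnerable(vuln, b"\x01\x01"),
        "patched_verdict": is_vulnerable(patched_server(probe, memory), b"\x01\x01"),
        "leaked": vuln[3:3 + 0x40],
        "probe_flagged": flag_heartbeat_overread(probe),
        "benign_flagged": flag_heartbeat_overread(benign),
        "benign_answered": patched_server(benign, memory) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The sensor rule is the same arithmetic as the 1.0.1g fix, applied on the wire instead of inside OpenSSL; it is the only place the probe leaves a trace, because the TLS handshake never completes into an HTTP request and the patched server discards the record without an alert.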
