[kwlug-disc] Heartbleed affected sites

unsolicited unsolicited at swiz.ca
Tue Apr 15 00:56:37 EDT 2014


How many users out there? How many passwords? For each one, is each user 
going to know or execute such evaluation? How do you know the potential 
damage not changing a password will do? How do you know to what use your 
information might be put - if you even know what information they have, 
or have retained? How do you anticipate the leakage of some set of 
personal data from one site combined with the leakage of some set of 
personal data from another site, when combined, as to the potential risk 
to which one is exposed?

Don't say they should all read all privacy and other agreements. That's 
a non-starter. If they even adhere to them. And don't say they can all 
redress through the courts - that's a cruel joke. e.g. Cost to pursue 
exceeding potential loss, they know it, so proceed with inappropriate 
tactics anyways. The courts have become a weapon. Detente, even.

The calculation is not calculable. For everyone, at all instances, at 
all times.

The risk is unknowable. The calculation is not calculable.

That may be life.

At the least, I.T. and the media should not be across the board creating 
pointless panic of change everything - when changing the majority of 
things changes nothing wrt the (potential?) risk. Especially when, as 
you note, they may have to do it again shortly thereafter as servers get 
fixed. At the least, quantify the risks, and be more surgical with what 
to change.

Potentially exploited. Potential risk. Potentially not exploited. 
Potentially no risk. Somewhere in between is more accurate, but to say 
the sky is falling everywhere is irresponsible. With significant costs. 
Engendered by irresponsible communications.


On 14-04-14 11:55 PM, Bob Jonkman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> unsolicited <unsolicited at swiz.ca> wrote:
>> That's my point - it DOES hurt to change [your password]. Time
>> consumption to do so, and time wasted later trying to remember
>> what you changed it to -this- time.
>
> Risk management 101: If your cost of your time to change the password
> exceeds the risk+value of the data that password is protecting, then
> you should not change your password.
>
> - --Bob.
>
>
>
> On 14-04-14 11:50 PM, unsolicited wrote:
>> This keeps missing the point.
>>
>> Is LastPass pre-installed on all browsers on all devices
>> everywhere all the time and everyone forced to use it? Is the
>> browser the only means by which OpenSSL libraries come into play?
>>
>> If not, then my comments stand, and LastPass is not a magic pill.
>> e.g. ssh into a server. This is about the I.T. and media
>> industries, not a specific OS or app. And misinformed and
>> misleading media sensationalization. Media is the message, I guess.
>> And so much for factual basis.
>>
>> On 14-04-14 11:23 PM, CrankyOldBugger wrote:
>>> This is why I use LastPass.. it does a great job of remembering this
>>> stuff for me.
>>>
>>>
>>> On 14 April 2014 20:20, unsolicited <unsolicited at swiz.ca> wrote:
>>>
>>>> That's my point - it DOES hurt to change it.
>>>>
>>>> Time consumption to do so, and time wasted later trying to
>>>> remember what you changed it to -this- time. Or chase down how
>>>> you recorded it (e.g. browser cache / password lookup). Now
>>>> repeat for every other place you've been encouraged to
>>>> (pointlessly) change your password as well, which of course
>>>> you did because the media knows all.
>>>>
>>>> Now multiply by number of users out there. And again by number
>>>> of accessing devices. What a waste of resources.
>>>>
>>>> This is my issue - all very well to take corrective action to
>>>> known and quantified issues, but not so to send everyone to
>>>> chase their tail everywhere 'just in case.' The I.T. industry
>>>> could and should do a better job for its users. I.T. is a tool,
>>>> not an end in itself. The tail should not be wagging the dog.
>>>>
>>>> -----
>>>>
>>>> Your note makes me wonder ... wherefore OpenID on all this?
>>>> (In the sense of being a single password.) And I wonder if
>>>> (some day?) OpenID could go change all your passwords for you,
>>>> and the user need only change their OpenID password.
>>>>
>>>> Given your note, I'm guessing that makes some sense to you
>>>> too, if two factor authentication is used for OpenID there.
>>>> [OpenID == (set of OpenID like services, which seems to more
>>>> and more include gmail accounts)]
>>>>
>>>>
>>>> On 14-04-14 11:12 AM, Darcy Casselman wrote:
>>>>
>>>>> I still contend that your Instagram password is the last
>>>>> thing you need to worry about from Heartbleed.
>>>>>
>>>>> https://twitter.com/CP24/status/455686305305751553
>>>>>
>>>>> But sure, it doesn't hurt to change it.
>>>>>
>>>>> Although, as I write on my blog, relying on a shared secret
>>>>> for your identity has been proven again and again to be
>>>>> insufficient. Setting up two-step verification with a
>>>>> one-time password is the best way right now to avoid having
>>>>> your credentials stolen from a server, regardless of how an
>>>>> attacker gets that information.
>>>>>
>>>>> http://flyingsquirrel.ca/index.php/2014/04/12/enable-two-factor-authentication/
>>>>>
>>>>> Darcy.
>>>>>
>>>>>
>>>>> On Sat, Apr 12, 2014 at 4:15 PM, unsolicited <unsolicited at swiz.ca> wrote:
>>>>>
>>>>>> Yep, had caught those aspects.
>>>>>>
>>>>>> Keyword being 'potential'. Which is only to say, with the
>>>>>> media all running around with their heads cut off, and only
>>>>>> a small subset of such services you use WITH impacted
>>>>>> servers AND real potential harm to you at exposure IF you
>>>>>> have an account worth messing around with more lucrative
>>>>>> than others, there's a lot of FUD out there.
>>>>>>
>>>>>> Which is not to say you won't be impacted, nor that it
>>>>>> won't hurt when you are ... but it's not EVERYWHERE for
>>>>>> EVERYTHING.
>>>>>>
>>>>>> I don't dispute the problem is discerning when it really
>>>>>> matters.
>>>>>>
>>>>>> I'm only irritated that they put out carte blanche 'change
>>>>>> everything' 'just in case'. This, my industry (I.T.),
>>>>>> should be able to be rather more surgical, and less 'there
>>>>>> MAY be risk, better safe than sorry'.
>>>>>>
>>>>>> Considering the time and expense and potential exposure
>>>>>> most everyone is being told to expend. Most of which is
>>>>>> pointless for lack of real exposure. That's my issue - lots
>>>>>> of FUD and noise, most of it, just noise, and we all have
>>>>>> better things to do.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 14-04-12 12:51 PM, Khalid Baheyeldin wrote:
>>>>>>
>>>>>>> Heartbleed extracted whatever happened to be in memory at
>>>>>>> the time. That can be passwords or hashes or anything else.
>>>>>>>
>>>>>>> It is non-specific, but a determined attacker can
>>>>>>> potentially glean some info with persistence.
>>>>>>>
>>>>>>> Also, because the attacker does not need to complete a
>>>>>>> connection that would be logged (e.g. HTTP, ...etc.),
>>>>>>> this makes the attacks untraceable with the usual logs
>>>>>>> (e.g. web server).
>>>>>>>
>>>>>>> This is what makes it scary: potential information
>>>>>>> disclosure, and non traceablility.
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Apr 12, 2014 at 4:29 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>>>>>>
>>>>>>>> That's over simplistic.
>>>>>>>>
>>>>>>>> You can't extract a password that isn't there.
>>>>>>>>
>>>>>>>> *IF* it is even in the packet you get.
>>>>>>>>
>>>>>>>> *IF* it was being exploited at the time.
>>>>>>>>
>>>>>>>> *IF* you are of interest to them.
>>>>>>>>
>>>>>>>> *IF* they are interested in doing damage to that
>>>>>>>> provider of services.
>>>>>>>>
>>>>>>>> Lot of IFs. Lot of FUD.
>>>>>>>>
>>>>>>>> What's being protected?
>>>>>>>>
>>>>>>>> Will you know?
>>>>>>>>
>>>>>>>> Will you care?
>>>>>>>>
>>>>>>>> Not saying now that exploit known they wouldn't run with
>>>>>>>> it.
>>>>>>>>
>>>>>>>> But patching is simplistic.
>>>>>>>>
>>>>>>>> I take your point about SSL keys - IF it was in the data
>>>>>>>> returned.
>>>>>>>>
>>>>>>>> But with properly isolated systems, it should only be the
>>>>>>>> front end impacted. On the assumption that nobody
>>>>>>>> inside your firewall is exploiting it.
>>>>>>>>
>>>>>>>> Lots of IFs all around.
>>>>>>>>
>>>>>>>> But I take your point.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 14-04-11 05:44 PM, Bob Jonkman wrote:
>>>>>>>>
>>>>>>>>> If your router is accessible from the WAN port via http then you
>>>>>>>>> have more urgent problems than Heartbleed.
>>>>>>>>>
>>>>>>>>> If a site has both http and https then there's no (new)
>>>>>>>>> vulnerability with http, but a Heartbleed attack on https can
>>>>>>>>> still extract passwords and other info.
>>>>>>>>>
>>>>>>>>> To extract a password from an http session a bad guy needs to be a
>>>>>>>>> man-in-the-middle, or sniffing the network (remember Firesheep?). To
>>>>>>>>> extract a password with Heartbleed an attacker only has to
>>>>>>>>> initiate an https session.
>>>>>>>>>
>>>>>>>>> --Bob.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
>>>>>>>>>
>>>>>>>>>> But, wouldn't Heartbleed be an issue, only if you use SSL on the
>>>>>>>>>> site? For example, if you have OpenWRT/Tomato/DD-WRT and logging
>>>>>>>>>> via http (not https), then there is no exploit via OpenSSL?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> If you're using a tool to check for Heartbleed vulnerabilities, be
>>>>>>>>>>> sure to check the Web interface on your router and/or modem as
>>>>>>>>>>> well.
>>>>>>>>>>>
>>>>>>>>>>> I'm not sure if router vendors are on top of this, but according
>>>>>>>>>>> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from
>>>>>>>>>>> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch
>>>>>>>>>>> modem with firmware 6.1.0.5
>>>>>>>>>>>
>>>>>>>>>>> Also, somebody asked me how safe these vulnerability checking
>>>>>>>>>>> tools are, especially the online and Javascript-based ones.
>>>>>>>>>>> What's to say they're not merely displaying "all is well", and actually
>>>>>>>>>>> compiling a list of vulnerable sites for later exploitation?
>>>>>>>>>>>
>>>>>>>>>>> --Bob.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>>>>>>>>>
>>>>>>>>>>>> You can use this python tool ssltest.py to check
>>>>>>>>>>>> if your servers are vulnerable:
>>>>>>>>>>>>
>>>>>>>>>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>>>>>>>>>> $ python ssltest.py example.com
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Mashable has a list going of sites affected by
>>>>>>>>>>>>> Heartbleed:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Don't forget to add Canada Revenue (and most other government
>>>>>>>>>>>>> sites) to your list of passwords to change!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Bob Jonkman <bjonkman at sobac.com>
>>>>>>>>>>> Phone: +1-519-669-0388
>>>>>>>>>>> SOBAC Microcomputer Services http://sobac.com/sobac/
>>>>>>>>>>> http://bob.jonkman.ca/blogs/ http://sn.jonkman.ca/bobjonkman/
>>>>>>>>>>> Software   ---   Office & Business Automation   ---   Consulting
>>>>>>>>>>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> kwlug-disc mailing list
>>>>>>>>>>> kwlug-disc at kwlug.org
>>>>>>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Khalid M. Baheyeldin
>>>>>>> 2bits.com <http://2bits.com>, Inc.
>>>>>>> Fast Reliable Drupal
>>>>>>> Drupal optimization, development, customization and consulting.
>>>>>>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>>>>>>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>>>>>>> "For every complex problem, there is an answer that is clear,
>>>>>>> simple, and wrong." -- H.L. Mencken
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
> Comment: Ensure confidentiality, authenticity, non-repudiability
>
> iEYEARECAAYFAlNMrcAACgkQuRKJsNLM5erEUwCghlfGr18bbQ5BLuxvJeFj8oIF
> nCwAn38v5NT0s4uuCTYuj/+IAUpNd23p
> =8zSA
> -----END PGP SIGNATURE-----
>
>