[kwlug-disc] Heartbleed affected sites

unsolicited unsolicited at swiz.ca
Tue Apr 15 16:06:02 EDT 2014


Well said.

Well, except for:

Use a password manager - what if there isn't one? e.g. SSH signons? And 
in the lack of the password manager, you're back to square one. I take 
your point, however, using one where you can will decrease the size of 
the set. Except, how to keep disparate password managers in sync?

 > And if you don't care and don't want to bother, that don't bother me
 > none.   It's your money/reputation/time/whatever.

But that's the point, that is unquantifiable. And I.T. / media can and 
should do better than that, be more surgical, not "the world is ending" 
sending everyone to chase their tails pointlessly everywhere.


On 14-04-15 11:25 AM, Darcy Casselman wrote:
> Don't get me wrong. On the scale of things you should do in response to
> Heartbleed, changing your password, IMHO, is pretty low on the list.
>
> Turning on two-factor authentication is way higher.  Admittedly, not as a
> direct result of Heartbleed, but out of a realization that you can't trust
> servers to keep your secrets.
>
> And installing and using a password manager is also important out of a
> similar realization: you are going to need to change your password.
> Rainbow tables and whatnot mean you can't trust yourself to create password
> for yourself that is unique and memorable and safe.  You should get in the
> habit of changing your passwords, and heartbleed is as good an excuse to
> get started than any of the many, many other "OMG change your password"
> scares of the last few years.
>
> And if you don't care and don't want to bother, that don't bother me
> none.   It's your money/reputation/time/whatever.
>
> On Mon, Apr 14, 2014 at 11:50 PM, unsolicited <unsolicited at swiz.ca> wrote:
>
>> This keeps missing the point.
>>
>> Is LastPass pre-installed on all browsers on all devices everywhere all
>> the time and everyone forced to use it? Is the browser the only means by
>> which OpenSSL libraries come into play?
>>
>> If not, then my comments stand, and LastPass is not a magic pill. e.g. ssh
>> into a server. This is about the I.T. and media industries, not a specific
>> OS or app. And misinformed and misleading media sensationalization. Media
>> is the message, I guess. And so much for factual basis.
>>
>>
>> On 14-04-14 11:23 PM, CrankyOldBugger wrote:
>>
>>> This is why I use LastPass.. it does a great job of remember this stuff
>>> for
>>> me.
>>>
>>>
>>> On 14 April 2014 20:20, unsolicited <unsolicited at swiz.ca> wrote:
>>>
>>>   That's my point - it DOES hurt to change it.
>>>>
>>>> Time consumption to do so, and time wasted later trying to remember what
>>>> you changed it to -this- time. Or chase down how you recorded it (e.g.
>>>> browser cache / password lookup). Now repeat for every other place you've
>>>> been encouraged to (pointlessly) change your password as well, which of
>>>> course you did because the media knows all.
>>>>
>>>> Now multiply by number of users out there. And again by number of
>>>> accessing devices. What a waste of resources.
>>>>
>>>> This is my issue - all very well to take corrective action to known and
>>>> quantified issues, but not so to send everyone to chase their tail
>>>> everywhere 'just in case.' The I.T. industry could and should do a better
>>>> job for its users. I.T. is a tool, not an end in itself. The tail should
>>>> not be wagging the dog.
>>>>
>>>> -----
>>>>
>>>> Your note makes me wonder ... wherefore OpenID on all this? (In the sense
>>>> of being a single password.) And I wonder if (some day?) OpenID could go
>>>> change all your passwords for you, and the user need only change their
>>>> OpenID password.
>>>>
>>>> Given your note, I'm guessing that makes some sense to you too, if two
>>>> factor authentication is used for OpenID there. [OpenID == (set of OpenID
>>>> like services, which seems to more and more include gmail accounts)]
>>>>
>>>>
>>>> On 14-04-14 11:12 AM, Darcy Casselman wrote:
>>>>
>>>>   I still contend that your Instagram password is the last thing you need
>>>>> to
>>>>> worry about from Heartbleed.
>>>>>
>>>>> https://twitter.com/CP24/status/455686305305751553
>>>>>
>>>>> But sure, it doesn't hurt to change it.
>>>>>
>>>>> Although, as I write on my blog, relying on a shared secret for your
>>>>> identity has been proven again and again to be insufficient.  Setting up
>>>>> two-step verification with a one-time password is the best way right now
>>>>> to
>>>>> avoid having your credentials stolen from a server, regardless of how an
>>>>> attacker gets that information.
>>>>>
>>>>> http://flyingsquirrel.ca/index.php/2014/04/12/enable-
>>>>> two-factor-authentication/
>>>>>
>>>>> Darcy.
>>>>>
>>>>>
>>>>> On Sat, Apr 12, 2014 at 4:15 PM, unsolicited <unsolicited at swiz.ca>
>>>>> wrote:
>>>>>
>>>>>    Yep, had caught those aspects.
>>>>>
>>>>>>
>>>>>> Keyword being 'potential'. Which is only to say, with the media all
>>>>>> running around with their heads cut off, and only a small subset of
>>>>>> such
>>>>>> services you use WITH impacted servers AND real potential harm to you
>>>>>> at
>>>>>> exposure IF you have an account worth messing around with more
>>>>>> lucrative
>>>>>> than others, there's a lot of FUD out there.
>>>>>>
>>>>>> Which is not to say you won't be impacted, nor that it won't hurt when
>>>>>> you
>>>>>> are ... but it's not EVERYWHERE for EVERYTHING.
>>>>>>
>>>>>> I don't dispute the problem is discerning when it really matters.
>>>>>>
>>>>>> I'm only irritated that they put out carte blanche 'change everything'
>>>>>> 'just in case'. This, my industry (I.T.), should be able to be rather
>>>>>> more
>>>>>> surgical, and less 'there MAY be risk, better safe than sorry'.
>>>>>>
>>>>>> Considering the time and expense and potential exposure most everyone
>>>>>> is
>>>>>> being told to expend. Most of which is pointless for lack of real
>>>>>> exposure.
>>>>>> That's my issue - lots of FUD and noise, most of it, just noise, and we
>>>>>> all
>>>>>> have better things to do.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 14-04-12 12:51 PM, Khalid Baheyeldin wrote:
>>>>>>
>>>>>>    Heartbleed extracted whatever happened to be in memory at the time.
>>>>>> That
>>>>>>
>>>>>>> can be passwords or hashes or anything else.
>>>>>>>
>>>>>>> It is non-specific, but a determined attacker can potentially glean
>>>>>>> some
>>>>>>> info with persistence.
>>>>>>>
>>>>>>> Also, because the attacker does not need to complete a connection that
>>>>>>> would be logged (e.g. HTTP, ...etc.), this makes the attacks
>>>>>>> untraceable
>>>>>>> with the usual logs (e.g. web server).
>>>>>>>
>>>>>>> This is what makes it scary: potential information disclosure, and non
>>>>>>> traceablility.
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Apr 12, 2014 at 4:29 AM, unsolicited <unsolicited at swiz.ca
>>>>>>> <mailto:unsolicited at swiz.ca>> wrote:
>>>>>>>
>>>>>>>        That's over simplistic.
>>>>>>>
>>>>>>>        You can't extract a password that isn't there.
>>>>>>>
>>>>>>>        *IF* it is even in the packet you get.
>>>>>>>
>>>>>>>        *IF* it was being exploited at the time.
>>>>>>>
>>>>>>>        *IF* you are of interest to them.
>>>>>>>
>>>>>>>        *IF* they are interested in doing damage to that provider of
>>>>>>> services.
>>>>>>>
>>>>>>>        Lot of IFs. Lot of FUD.
>>>>>>>
>>>>>>>        What's being protected?
>>>>>>>
>>>>>>>        Will you know?
>>>>>>>
>>>>>>>        Will you care?
>>>>>>>
>>>>>>>        Not saying now that exploit known they wouldn't run with it.
>>>>>>>
>>>>>>>        But patching is simplistic.
>>>>>>>
>>>>>>>        I take your point about SSL keys - IF it was in the data
>>>>>>> returned.
>>>>>>>
>>>>>>>        But with properly isolated systems, it should only be the front
>>>>>>> end
>>>>>>>        impacted. On the assumption that nobody inside your firewall is
>>>>>>>        exploiting it.
>>>>>>>
>>>>>>>        Lots of IFs all around.
>>>>>>>
>>>>>>>        But I take your point.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        On 14-04-11 05:44 PM, Bob Jonkman wrote:
>>>>>>>
>>>>>>>            -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>            Hash: SHA1
>>>>>>>
>>>>>>>            If your router is accessible from the WAN port via http then
>>>>>>> you
>>>>>>>            have
>>>>>>>            more urgent problems than Heartbleed.
>>>>>>>
>>>>>>>            If a site has both http and https then there's no (new)
>>>>>>>            vulnerability
>>>>>>>            with http, but a Heartbleed attack on https can still
>>>>>>> extract
>>>>>>>            passwords and other info.
>>>>>>>
>>>>>>>            To extract a password from an http session a bad guy needs
>>>>>>> to
>>>>>>> be a
>>>>>>>            man-in-the-middle, or sniffing the network (remember
>>>>>>> Firesheep?).
>>>>>>> To
>>>>>>>            extract a password with Heartbleed an attacker only has to
>>>>>>>            initiate an
>>>>>>>            https session.
>>>>>>>
>>>>>>>            - --Bob.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>            On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
>>>>>>>
>>>>>>>                But, wouldn't Heartbleed be an issue, only if you use
>>>>>>> SSL
>>>>>>> on
>>>>>>> the
>>>>>>>                site? For example, if you have OpenWRT/Tomato/DD-WRT and
>>>>>>> logging
>>>>>>>                via http (not https), then there is no exploit via
>>>>>>> OpenSSL?
>>>>>>>
>>>>>>>
>>>>>>>                On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman
>>>>>>>                <bjonkman at sobac.com <mailto:bjonkman at sobac.com>>
>>>>>>>
>>>>>>>                wrote:
>>>>>>>
>>>>>>>                If you're using a tool to check for Heartbleed
>>>>>>>                vulnerabilities, be
>>>>>>>                sure to check the Web interface on your router and/or
>>>>>>> modem as
>>>>>>>                well.
>>>>>>>
>>>>>>>                I'm not sure if router vendors are on top of this, but
>>>>>>> according
>>>>>>>                to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6
>>>>>>> (from
>>>>>>>                http://fixppp.org ) is not vulnerable, nor my Thomson
>>>>>>> Speedtouch
>>>>>>>                modem with firmware 6.1.0.5
>>>>>>>
>>>>>>>                Also, somebody asked me how safe these vulnerability
>>>>>>> checking
>>>>>>>                tools are, especially the online and Javascript-based
>>>>>>> ones.
>>>>>>>                What's
>>>>>>>                to say they're not merely displaying "all is well", and
>>>>>>> actually
>>>>>>>                compiling a list of vulnerable sites for later
>>>>>>> exploitation?
>>>>>>>
>>>>>>>                --Bob.
>>>>>>>
>>>>>>>
>>>>>>>                On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:>
>>>>>>>
>>>>>>>                            You can use this python tool ssltest.py to
>>>>>>> check
>>>>>>>                            if your
>>>>>>>                            servers are vulnerable:
>>>>>>>
>>>>>>>                            $ wget -O ssltest.py
>>>>>>>                            "http://pastebin.com/raw.php?__i=WmxzjkXJ
>>>>>>>                            <http://pastebin.com/raw.php?i=WmxzjkXJ>"
>>>>>>>                            $ python ssltest.py example.com <
>>>>>>> http://example.com>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>>>>>
>>>>>>>                            Mashable has a list going of sites affected
>>>>>>> by
>>>>>>>                            Heartbleed:
>>>>>>>
>>>>>>>                            http://mashable.com/2014/04/__
>>>>>>> 09/heartbleed-bug-websites-__affected/
>>>>>>>
>>>>>>>                            <http://mashable.com/2014/04/
>>>>>>> 09/heartbleed-bug-websites-affected/>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>            Don't forget to add Canada Revenue (and most other
>>>>>>> government
>>>>>>>
>>>>>>>                            sites) to your list of passwords to change!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                Bob Jonkman <bjonkman at sobac.com <mailto:
>>>>>>> bjonkman at sobac.com
>>>>>>>
>>>>>>>>
>>>>>>>>>                           Phone: +1-519-669-0388<tel:%2B1-519-669-0388>
>>>>>>>
>>>>>>>                SOBAC Microcomputer Services http://sobac.com/sobac/
>>>>>>>                http://bob.jonkman.ca/blogs/
>>>>>>>                http://sn.jonkman.ca/__bobjonkman/
>>>>>>>
>>>>>>>                <http://sn.jonkman.ca/bobjonkman/>
>>>>>>>                Software   ---   Office & Business Automation   ---
>>>>>>> Consulting
>>>>>>>                GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0
>>>>>>> D2CC
>>>>>>> E5EA
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                    _________________________________________________
>>>>>>> kwlug-disc
>>>>>>>                    mailing list kwlug-disc at kwlug.org
>>>>>>>                    <mailto:kwlug-disc at kwlug.org>
>>>>>>>                    http://kwlug.org/mailman/__
>>>>>>> listinfo/kwlug-disc_kwlug.org
>>>>>>>                    <http://kwlug.org/mailman/
>>>>>>> listinfo/kwlug-disc_kwlug.org>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                _________________________________________________
>>>>>>> kwlug-disc
>>>>>>>                mailing
>>>>>>>                list kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>
>>>>>>>                http://kwlug.org/mailman/__
>>>>>>> listinfo/kwlug-disc_kwlug.org
>>>>>>>                <http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>>>
>>>>>>>
>>>>>>>            -----BEGIN PGP SIGNATURE-----
>>>>>>>            Version: GnuPG v1.4.14 (GNU/Linux)
>>>>>>>            Comment: Ensure confidentiality, authenticity,
>>>>>>> non-repudiability
>>>>>>>
>>>>>>>            iEYEARECAAYFAlNIYh8ACgkQuRKJsN__
>>>>>>> LM5erCjgCfZAuLyG8v83bORUxPxTvs
>>>>>>> __14m+
>>>>>>>            r8kAoInhKmR99uQBN2cIt+__2KY3xq4KMl
>>>>>>>            =6dTX
>>>>>>>            -----END PGP SIGNATURE-----
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>            _________________________________________________
>>>>>>>            kwlug-disc mailing list
>>>>>>>            kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>
>>>>>>>            http://kwlug.org/mailman/__listinfo/kwlug-disc_kwlug.org
>>>>>>>            <http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        _________________________________________________
>>>>>>>        kwlug-disc mailing list
>>>>>>>        kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>
>>>>>>>        http://kwlug.org/mailman/__listinfo/kwlug-disc_kwlug.org
>>>>>>>        <http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Khalid M. Baheyeldin
>>>>>>> 2bits.com <http://2bits.com>, Inc.
>>>>>>>
>>>>>>> Fast Reliable Drupal
>>>>>>> Drupal optimization, development, customization and consulting.
>>>>>>> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>>>>>>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>>>>>>> For every complex problem, there is an answer that is clear, simple,
>>>>>>> and
>>>>>>> wrong." -- H.L. Mencken
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> kwlug-disc mailing list
>>>>>>> kwlug-disc at kwlug.org
>>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>   _______________________________________________
>>>>>> kwlug-disc mailing list
>>>>>> kwlug-disc at kwlug.org
>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> kwlug-disc mailing list
>>>>> kwlug-disc at kwlug.org
>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> kwlug-disc mailing list
>>>> kwlug-disc at kwlug.org
>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> kwlug-disc mailing list
>>> kwlug-disc at kwlug.org
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>>
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>




More information about the kwlug-disc mailing list