[kwlug-disc] Heartbleed affected sites
unsolicited
unsolicited at swiz.ca
Tue Apr 15 16:06:02 EDT 2014
Well said.
Well, except for:
Use a password manager - what if there isn't one? e.g. SSH signons? And
in the lack of the password manager, you're back to square one. I take
your point, however, using one where you can will decrease the size of
the set. Except, how to keep disparate password managers in sync?
> And if you don't care and don't want to bother, that don't bother me
> none. It's your money/reputation/time/whatever.
But that's the point, that is unquantifiable. And I.T. / media can and
should do better than that, be more surgical, not "the world is ending"
sending everyone to chase their tails pointlessly everywhere.
On 14-04-15 11:25 AM, Darcy Casselman wrote:
> Don't get me wrong. On the scale of things you should do in response to
> Heartbleed, changing your password, IMHO, is pretty low on the list.
>
> Turning on two-factor authentication is way higher. Admittedly, not as a
> direct result of Heartbleed, but out of a realization that you can't trust
> servers to keep your secrets.
>
> And installing and using a password manager is also important out of a
> similar realization: you are going to need to change your password.
> Rainbow tables and whatnot mean you can't trust yourself to create a
> password for yourself that is unique and memorable and safe. You should
> get in the habit of changing your passwords, and Heartbleed is as good an
> excuse to get started as any of the many, many other "OMG change your
> password" scares of the last few years.
>
> And if you don't care and don't want to bother, that don't bother me
> none. It's your money/reputation/time/whatever.
>
> On Mon, Apr 14, 2014 at 11:50 PM, unsolicited <unsolicited at swiz.ca> wrote:
>
>> This keeps missing the point.
>>
>> Is LastPass pre-installed on all browsers on all devices everywhere all
>> the time and everyone forced to use it? Is the browser the only means by
>> which OpenSSL libraries come into play?
>>
>> If not, then my comments stand, and LastPass is not a magic pill. e.g. ssh
>> into a server. This is about the I.T. and media industries, not a specific
>> OS or app. And misinformed and misleading media sensationalization. Media
>> is the message, I guess. And so much for factual basis.
>>
>>
>> On 14-04-14 11:23 PM, CrankyOldBugger wrote:
>>
>>> This is why I use LastPass.. it does a great job of remembering this
>>> stuff for me.
>>>
>>>
>>> On 14 April 2014 20:20, unsolicited <unsolicited at swiz.ca> wrote:
>>>
>>>> That's my point - it DOES hurt to change it.
>>>>
>>>> Time consumption to do so, and time wasted later trying to remember what
>>>> you changed it to -this- time. Or chase down how you recorded it (e.g.
>>>> browser cache / password lookup). Now repeat for every other place you've
>>>> been encouraged to (pointlessly) change your password as well, which of
>>>> course you did because the media knows all.
>>>>
>>>> Now multiply by number of users out there. And again by number of
>>>> accessing devices. What a waste of resources.
>>>>
>>>> This is my issue - all very well to take corrective action to known and
>>>> quantified issues, but not so to send everyone to chase their tail
>>>> everywhere 'just in case.' The I.T. industry could and should do a better
>>>> job for its users. I.T. is a tool, not an end in itself. The tail should
>>>> not be wagging the dog.
>>>>
>>>> -----
>>>>
>>>> Your note makes me wonder ... wherefore OpenID on all this? (In the sense
>>>> of being a single password.) And I wonder if (some day?) OpenID could go
>>>> change all your passwords for you, and the user need only change their
>>>> OpenID password.
>>>>
>>>> Given your note, I'm guessing that makes some sense to you too, if two
>>>> factor authentication is used for OpenID there. [OpenID == (set of OpenID
>>>> like services, which seems to more and more include gmail accounts)]
>>>>
>>>>
>>>> On 14-04-14 11:12 AM, Darcy Casselman wrote:
>>>>
>>>>> I still contend that your Instagram password is the last thing you need
>>>>> to worry about from Heartbleed.
>>>>>
>>>>> https://twitter.com/CP24/status/455686305305751553
>>>>>
>>>>> But sure, it doesn't hurt to change it.
>>>>>
>>>>> Although, as I write on my blog, relying on a shared secret for your
>>>>> identity has been proven again and again to be insufficient. Setting up
>>>>> two-step verification with a one-time password is the best way right
>>>>> now to avoid having your credentials stolen from a server, regardless of
>>>>> how an attacker gets that information.
>>>>>
>>>>> http://flyingsquirrel.ca/index.php/2014/04/12/enable-two-factor-authentication/
>>>>>
>>>>> Darcy.
>>>>>
>>>>>
>>>>> On Sat, Apr 12, 2014 at 4:15 PM, unsolicited <unsolicited at swiz.ca>
>>>>> wrote:
>>>>>
>>>>>> Yep, had caught those aspects.
>>>>>>
>>>>>> Keyword being 'potential'. Which is only to say, with the media all
>>>>>> running around with their heads cut off, and only a small subset of
>>>>>> such services you use WITH impacted servers AND real potential harm to
>>>>>> you at exposure IF you have an account worth messing around with more
>>>>>> lucrative than others, there's a lot of FUD out there.
>>>>>>
>>>>>> Which is not to say you won't be impacted, nor that it won't hurt when
>>>>>> you are ... but it's not EVERYWHERE for EVERYTHING.
>>>>>>
>>>>>> I don't dispute the problem is discerning when it really matters.
>>>>>>
>>>>>> I'm only irritated that they put out carte blanche 'change everything'
>>>>>> 'just in case'. This, my industry (I.T.), should be able to be rather
>>>>>> more surgical, and less 'there MAY be risk, better safe than sorry'.
>>>>>>
>>>>>> Considering the time and expense and potential exposure most everyone
>>>>>> is being told to expend. Most of which is pointless for lack of real
>>>>>> exposure. That's my issue - lots of FUD and noise, most of it, just
>>>>>> noise, and we all have better things to do.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 14-04-12 12:51 PM, Khalid Baheyeldin wrote:
>>>>>>
>>>>>>> Heartbleed extracted whatever happened to be in memory at the time.
>>>>>>> That can be passwords or hashes or anything else.
>>>>>>>
>>>>>>> It is non-specific, but a determined attacker can potentially glean
>>>>>>> some info with persistence.
>>>>>>>
>>>>>>> Also, because the attacker does not need to complete a connection that
>>>>>>> would be logged (e.g. HTTP, ...etc.), this makes the attacks
>>>>>>> untraceable with the usual logs (e.g. web server).
>>>>>>>
>>>>>>> This is what makes it scary: potential information disclosure, and
>>>>>>> non-traceability.
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Apr 12, 2014 at 4:29 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>>>>>>
>>>>>>> That's oversimplistic.
>>>>>>>
>>>>>>> You can't extract a password that isn't there.
>>>>>>>
>>>>>>> *IF* it is even in the packet you get.
>>>>>>>
>>>>>>> *IF* it was being exploited at the time.
>>>>>>>
>>>>>>> *IF* you are of interest to them.
>>>>>>>
>>>>>>> *IF* they are interested in doing damage to that provider of services.
>>>>>>>
>>>>>>> Lot of IFs. Lot of FUD.
>>>>>>>
>>>>>>> What's being protected?
>>>>>>>
>>>>>>> Will you know?
>>>>>>>
>>>>>>> Will you care?
>>>>>>>
>>>>>>> Not saying now that exploit known they wouldn't run with it.
>>>>>>>
>>>>>>> But patching is simplistic.
>>>>>>>
>>>>>>> I take your point about SSL keys - IF it was in the data returned.
>>>>>>>
>>>>>>> But with properly isolated systems, it should only be the front end
>>>>>>> impacted. On the assumption that nobody inside your firewall is
>>>>>>> exploiting it.
>>>>>>>
>>>>>>> Lots of IFs all around.
>>>>>>>
>>>>>>> But I take your point.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14-04-11 05:44 PM, Bob Jonkman wrote:
>>>>>>>
>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>> Hash: SHA1
>>>>>>>
>>>>>>> If your router is accessible from the WAN port via http then you have
>>>>>>> more urgent problems than Heartbleed.
>>>>>>>
>>>>>>> If a site has both http and https then there's no (new) vulnerability
>>>>>>> with http, but a Heartbleed attack on https can still extract
>>>>>>> passwords and other info.
>>>>>>>
>>>>>>> To extract a password from an http session a bad guy needs to be a
>>>>>>> man-in-the-middle, or sniffing the network (remember Firesheep?). To
>>>>>>> extract a password with Heartbleed an attacker only has to initiate an
>>>>>>> https session.
>>>>>>>
>>>>>>> - --Bob.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
>>>>>>>
>>>>>>> But, wouldn't Heartbleed be an issue, only if you use SSL on the
>>>>>>> site? For example, if you have OpenWRT/Tomato/DD-WRT and are logging
>>>>>>> in via http (not https), then there is no exploit via OpenSSL?
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com> wrote:
>>>>>>>
>>>>>>> If you're using a tool to check for Heartbleed vulnerabilities, be
>>>>>>> sure to check the Web interface on your router and/or modem as well.
>>>>>>>
>>>>>>> I'm not sure if router vendors are on top of this, but according to
>>>>>>> ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from
>>>>>>> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch modem
>>>>>>> with firmware 6.1.0.5
>>>>>>>
>>>>>>> Also, somebody asked me how safe these vulnerability checking tools
>>>>>>> are, especially the online and Javascript-based ones. What's to say
>>>>>>> they're not merely displaying "all is well", and actually compiling a
>>>>>>> list of vulnerable sites for later exploitation?
>>>>>>>
>>>>>>> --Bob.
>>>>>>>
>>>>>>>
>>>>>>> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>>>>>
>>>>>>> You can use this python tool ssltest.py to check if your servers are
>>>>>>> vulnerable:
>>>>>>>
>>>>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>>>>> $ python ssltest.py example.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>>>>>
>>>>>>> Mashable has a list going of sites affected by Heartbleed:
>>>>>>>
>>>>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Don't forget to add Canada Revenue (and most other government
>>>>>>> sites) to your list of passwords to change!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Bob Jonkman <bjonkman at sobac.com>
>>>>>>> Phone: +1-519-669-0388
>>>>>>> SOBAC Microcomputer Services http://sobac.com/sobac/
>>>>>>> http://bob.jonkman.ca/blogs/
>>>>>>> http://sn.jonkman.ca/bobjonkman/
>>>>>>> Software --- Office & Business Automation --- Consulting
>>>>>>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> kwlug-disc mailing list
>>>>>>> kwlug-disc at kwlug.org
>>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>>
>>>>>>>
>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>> Version: GnuPG v1.4.14 (GNU/Linux)
>>>>>>> Comment: Ensure confidentiality, authenticity, non-repudiability
>>>>>>>
>>>>>>> iEYEARECAAYFAlNIYh8ACgkQuRKJsNLM5erCjgCfZAuLyG8v83bORUxPxTvs14m+
>>>>>>> r8kAoInhKmR99uQBN2cIt+2KY3xq4KMl
>>>>>>> =6dTX
>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Khalid M. Baheyeldin
>>>>>>> 2bits.com, Inc.
>>>>>>>
>>>>>>> Fast Reliable Drupal
>>>>>>> Drupal optimization, development, customization and consulting.
>>>>>>> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
>>>>>>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>>>>>>> "For every complex problem, there is an answer that is clear, simple,
>>>>>>> and wrong." -- H.L. Mencken
>