[kwlug-disc] Heartbleed affected sites

Bob Jonkman bjonkman at sobac.com
Tue Apr 15 18:09:12 EDT 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

unsolicited wrote:
> Use a password manager - what if there isn't one? e.g. SSH
> signons?

KeepassX autotype works just fine in an SSH terminal.  In fact, it
really helps with complex login commands, like

  ssh -X bjonkman at remote.example.com -p 2222 -R 22:localhost:10022 -L
10080:localhost:80

which autotype and save me from having to remember it.  The only
problem is that KeepassX 0.4.3 hasn't implemented the {DELAY=3}
parameter in the autotype sequence, but that's apparently fixed in
KeepassX v2.0

And even if autotype didn't work, I think every password manager has
an option to copy the password to the clipboard for manual
cut'n'paste. So you still get strong passwords without having to
remember them.

- --Bob.


On 14-04-15 04:06 PM, unsolicited wrote:
> Well said.
> 
> Well, except for:
> 
> Use a password manager - what if there isn't one? e.g. SSH signons?
> And in the lack of the password manager, you're back to square one.
> I take your point, however, using one where you can will decrease
> the size of the set. Except, how to keep disparate password
> managers in sync?
> 
>> And if you don't care and don't want to bother, that don't bother
>> me none.   It's your money/reputation/time/whatever.
> 
> But that's the point, that is unquantifiable. And I.T. / media can
> and should do better than that, be more surgical, not "the world is
> ending" sending everyone to chase their tails pointlessly
> everywhere.
> 
> 
> On 14-04-15 11:25 AM, Darcy Casselman wrote:
>> Don't get me wrong. On the scale of things you should do in
>> response to Heartbleed, changing your password, IMHO, is pretty
>> low on the list.
>> 
>> Turning on two-factor authentication is way higher.  Admittedly,
>> not as a direct result of Heartbleed, but out of a realization
>> that you can't trust servers to keep your secrets.
>> 
>> And installing and using a password manager is also important out
>> of a similar realization: you are going to need to change your
>> password. Rainbow tables and whatnot mean you can't trust
>> yourself to create password for yourself that is unique and
>> memorable and safe.  You should get in the habit of changing your
>> passwords, and heartbleed is as good an excuse to get started
>> than any of the many, many other "OMG change your password" 
>> scares of the last few years.
>> 
>> And if you don't care and don't want to bother, that don't bother
>> me none.   It's your money/reputation/time/whatever.
>> 
>> On Mon, Apr 14, 2014 at 11:50 PM, unsolicited
>> <unsolicited at swiz.ca> wrote:
>> 
>>> This keeps missing the point.
>>> 
>>> Is LastPass pre-installed on all browsers on all devices
>>> everywhere all the time and everyone forced to use it? Is the
>>> browser the only means by which OpenSSL libraries come into
>>> play?
>>> 
>>> If not, then my comments stand, and LastPass is not a magic
>>> pill. e.g. ssh into a server. This is about the I.T. and media
>>> industries, not a specific OS or app. And misinformed and
>>> misleading media sensationalization. Media is the message, I
>>> guess. And so much for factual basis.
>>> 
>>> 
>>> On 14-04-14 11:23 PM, CrankyOldBugger wrote:
>>> 
>>>> This is why I use LastPass.. it does a great job of remember
>>>> this stuff for me.
>>>> 
>>>> 
>>>> On 14 April 2014 20:20, unsolicited <unsolicited at swiz.ca>
>>>> wrote:
>>>> 
>>>> That's my point - it DOES hurt to change it.
>>>>> 
>>>>> Time consumption to do so, and time wasted later trying to
>>>>> remember what you changed it to -this- time. Or chase down
>>>>> how you recorded it (e.g. browser cache / password lookup).
>>>>> Now repeat for every other place you've been encouraged to
>>>>> (pointlessly) change your password as well, which of course
>>>>> you did because the media knows all.
>>>>> 
>>>>> Now multiply by number of users out there. And again by
>>>>> number of accessing devices. What a waste of resources.
>>>>> 
>>>>> This is my issue - all very well to take corrective action
>>>>> to known and quantified issues, but not so to send everyone
>>>>> to chase their tail everywhere 'just in case.' The I.T.
>>>>> industry could and should do a better job for its users.
>>>>> I.T. is a tool, not an end in itself. The tail should not
>>>>> be wagging the dog.
>>>>> 
>>>>> -----
>>>>> 
>>>>> Your note makes me wonder ... wherefore OpenID on all this?
>>>>> (In the sense of being a single password.) And I wonder if
>>>>> (some day?) OpenID could go change all your passwords for
>>>>> you, and the user need only change their OpenID password.
>>>>> 
>>>>> Given your note, I'm guessing that makes some sense to you
>>>>> too, if two factor authentication is used for OpenID there.
>>>>> [OpenID == (set of OpenID like services, which seems to
>>>>> more and more include gmail accounts)]
>>>>> 
>>>>> 
>>>>> On 14-04-14 11:12 AM, Darcy Casselman wrote:
>>>>> 
>>>>> I still contend that your Instagram password is the last
>>>>> thing you need
>>>>>> to worry about from Heartbleed.
>>>>>> 
>>>>>> https://twitter.com/CP24/status/455686305305751553
>>>>>> 
>>>>>> But sure, it doesn't hurt to change it.
>>>>>> 
>>>>>> Although, as I write on my blog, relying on a shared
>>>>>> secret for your identity has been proven again and again
>>>>>> to be insufficient. Setting up two-step verification with
>>>>>> a one-time password is the best way right now to avoid
>>>>>> having your credentials stolen from a server, regardless
>>>>>> of how an attacker gets that information.
>>>>>> 
>>>>>> http://flyingsquirrel.ca/index.php/2014/04/12/enable- 
>>>>>> two-factor-authentication/
>>>>>> 
>>>>>> Darcy.
>>>>>> 
>>>>>> 
>>>>>> On Sat, Apr 12, 2014 at 4:15 PM, unsolicited
>>>>>> <unsolicited at swiz.ca> wrote:
>>>>>> 
>>>>>> Yep, had caught those aspects.
>>>>>> 
>>>>>>> 
>>>>>>> Keyword being 'potential'. Which is only to say, with
>>>>>>> the media all running around with their heads cut off,
>>>>>>> and only a small subset of such services you use WITH
>>>>>>> impacted servers AND real potential harm to you at 
>>>>>>> exposure IF you have an account worth messing around
>>>>>>> with more lucrative than others, there's a lot of FUD
>>>>>>> out there.
>>>>>>> 
>>>>>>> Which is not to say you won't be impacted, nor that it
>>>>>>> won't hurt when you are ... but it's not EVERYWHERE for
>>>>>>> EVERYTHING.
>>>>>>> 
>>>>>>> I don't dispute the problem is discerning when it
>>>>>>> really matters.
>>>>>>> 
>>>>>>> I'm only irritated that they put out carte blanche
>>>>>>> 'change everything' 'just in case'. This, my industry
>>>>>>> (I.T.), should be able to be rather more surgical, and
>>>>>>> less 'there MAY be risk, better safe than sorry'.
>>>>>>> 
>>>>>>> Considering the time and expense and potential exposure
>>>>>>> most everyone is being told to expend. Most of which is
>>>>>>> pointless for lack of real exposure. That's my issue -
>>>>>>> lots of FUD and noise, most of it, just noise, and we 
>>>>>>> all have better things to do.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On 14-04-12 12:51 PM, Khalid Baheyeldin wrote:
>>>>>>> 
>>>>>>> Heartbleed extracted whatever happened to be in memory
>>>>>>> at the time. That
>>>>>>> 
>>>>>>>> can be passwords or hashes or anything else.
>>>>>>>> 
>>>>>>>> It is non-specific, but a determined attacker can
>>>>>>>> potentially glean some info with persistence.
>>>>>>>> 
>>>>>>>> Also, because the attacker does not need to complete
>>>>>>>> a connection that would be logged (e.g. HTTP,
>>>>>>>> ...etc.), this makes the attacks untraceable with the
>>>>>>>> usual logs (e.g. web server).
>>>>>>>> 
>>>>>>>> This is what makes it scary: potential information
>>>>>>>> disclosure, and non traceablility.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Sat, Apr 12, 2014 at 4:29 AM, unsolicited
>>>>>>>> <unsolicited at swiz.ca <mailto:unsolicited at swiz.ca>>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> That's over simplistic.
>>>>>>>> 
>>>>>>>> You can't extract a password that isn't there.
>>>>>>>> 
>>>>>>>> *IF* it is even in the packet you get.
>>>>>>>> 
>>>>>>>> *IF* it was being exploited at the time.
>>>>>>>> 
>>>>>>>> *IF* you are of interest to them.
>>>>>>>> 
>>>>>>>> *IF* they are interested in doing damage to that
>>>>>>>> provider of services.
>>>>>>>> 
>>>>>>>> Lot of IFs. Lot of FUD.
>>>>>>>> 
>>>>>>>> What's being protected?
>>>>>>>> 
>>>>>>>> Will you know?
>>>>>>>> 
>>>>>>>> Will you care?
>>>>>>>> 
>>>>>>>> Not saying now that exploit known they wouldn't run
>>>>>>>> with it.
>>>>>>>> 
>>>>>>>> But patching is simplistic.
>>>>>>>> 
>>>>>>>> I take your point about SSL keys - IF it was in the
>>>>>>>> data returned.
>>>>>>>> 
>>>>>>>> But with properly isolated systems, it should only be
>>>>>>>> the front end impacted. On the assumption that nobody
>>>>>>>> inside your firewall is exploiting it.
>>>>>>>> 
>>>>>>>> Lots of IFs all around.
>>>>>>>> 
>>>>>>>> But I take your point.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 14-04-11 05:44 PM, Bob Jonkman wrote:
>>>>>>>> 
> If your router is accessible from the WAN port via
>>>>>>>>> http then you
> have more urgent problems than Heartbleed.
> 
> If a site has both http and https then there's no (new) 
> vulnerability with http, but a Heartbleed attack on https can
> still
>>>>>>>>> extract
> passwords and other info.
> 
> To extract a password from an http session a bad guy
>>>>>>>>> needs to be a
> man-in-the-middle, or sniffing the network (remember
>>>>>>>>> Firesheep?). To
> extract a password with Heartbleed an attacker only
>>>>>>>>> has to
> initiate an https session.
> 
> --Bob.
> 
> 
> 
> On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
> 
> But, wouldn't Heartbleed be an issue, only if you
>>>>>>>>> use SSL on the
> site? For example, if you have
>>>>>>>>> OpenWRT/Tomato/DD-WRT and logging
> via http (not https), then there is no exploit via
>>>>>>>>> OpenSSL?
> 
> 
> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com
> <mailto:bjonkman at sobac.com>>
> 
> wrote:
> 
> If you're using a tool to check for Heartbleed vulnerabilities, be 
> sure to check the Web interface on your router
>>>>>>>>> and/or modem as
> well.
> 
> I'm not sure if router vendors are on top of
>>>>>>>>> this, but according
> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6
>>>>>>>>> (from
> http://fixppp.org ) is not vulnerable, nor my
>>>>>>>>> Thomson Speedtouch
> modem with firmware 6.1.0.5
> 
> Also, somebody asked me how safe these vulnerability
>>>>>>>>> checking
> tools are, especially the online and
>>>>>>>>> Javascript-based ones.
> What's to say they're not merely displaying "all is
>>>>>>>>> well", and actually
> compiling a list of vulnerable sites for later
>>>>>>>>> exploitation?
> 
> --Bob.
> 
> 
> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:>
> 
> You can use this python tool
>>>>>>>>> ssltest.py to check
> if your servers are vulnerable:
> 
> $ wget -O ssltest.py
> 
>>>>>>>>> "http://pastebin.com/raw.php?__i=WmxzjkXJ
> 
>>>>>>>>> <http://pastebin.com/raw.php?i=WmxzjkXJ>"
> $ python ssltest.py example.com <
>>>>>>>>> http://example.com>
> 
> 
> 
> 
> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
> 
> Mashable has a list going of sites
>>>>>>>>> affected by
> Heartbleed:
> 
> http://mashable.com/2014/04/__
>>>>>>>>> 09/heartbleed-bug-websites-__affected/
> 
> <http://mashable.com/2014/04/
>>>>>>>>> 09/heartbleed-bug-websites-affected/>
> 
> 
> 
> Don't forget to add Canada Revenue (and most other
>>>>>>>>> government
> 
> sites) to your list of passwords to
>>>>>>>>> change!
> 
> 
> 
> 
> Bob Jonkman <bjonkman at sobac.com <mailto:
>>>>>>>>> bjonkman at sobac.com
> 
>>>>>>>>>> 
>>>>>>>>>>> Phone: +1-519-669-0388<tel:%2B1-519-669-0388>
> 
> SOBAC Microcomputer Services http://sobac.com/sobac/ 
> http://bob.jonkman.ca/blogs/ http://sn.jonkman.ca/__bobjonkman/
> 
> <http://sn.jonkman.ca/bobjonkman/> Software   ---   Office &
> Business Automation   ---
>>>>>>>>> Consulting
> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912
>>>>>>>>> 89B0 D2CC E5EA
> 
> 
> 
> 
>>>>>>>>> _________________________________________________ 
>>>>>>>>> kwlug-disc
> mailing list kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org> 
> http://kwlug.org/mailman/__
>>>>>>>>> listinfo/kwlug-disc_kwlug.org
> <http://kwlug.org/mailman/
>>>>>>>>> listinfo/kwlug-disc_kwlug.org>
> 
> 
> 
> 
> 
> 
> _________________________________________________
>>>>>>>>> kwlug-disc
> mailing list kwlug-disc at kwlug.org
>>>>>>>>> <mailto:kwlug-disc at kwlug.org>
> http://kwlug.org/mailman/__
>>>>>>>>> listinfo/kwlug-disc_kwlug.org
> 
>>>>>>>>> <http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>>>>>
>
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _________________________________________________ 
>>>>>>>> kwlug-disc mailing list kwlug-disc at kwlug.org
>>>>>>>> <mailto:kwlug-disc at kwlug.org> 
>>>>>>>> http://kwlug.org/mailman/__listinfo/kwlug-disc_kwlug.org
>>>>>>>>
>>>>>>>> 
<http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _________________________________________________ 
>>>>>>>> kwlug-disc mailing list kwlug-disc at kwlug.org
>>>>>>>> <mailto:kwlug-disc at kwlug.org> 
>>>>>>>> http://kwlug.org/mailman/__listinfo/kwlug-disc_kwlug.org
>>>>>>>>
>>>>>>>> 
<http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -- Khalid M. Baheyeldin 2bits.com <http://2bits.com>,
>>>>>>>> Inc.
>>>>>>>> 
>>>>>>>> Fast Reliable Drupal Drupal optimization,
>>>>>>>> development, customization and consulting. Simplicity
>>>>>>>> is prerequisite for reliability. --  Edsger
>>>>>>>> W.Dijkstra Simplicity is the ultimate sophistication.
>>>>>>>> --   Leonardo da Vinci For every complex problem,
>>>>>>>> there is an answer that is clear, simple, and wrong."
>>>>>>>> -- H.L. Mencken
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________ 
>>>>>>>> kwlug-disc mailing list kwlug-disc at kwlug.org 
>>>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 
_______________________________________________
>>>>>>> kwlug-disc mailing list kwlug-disc at kwlug.org 
>>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> _______________________________________________ 
>>>>>> kwlug-disc mailing list kwlug-disc at kwlug.org 
>>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> _______________________________________________ kwlug-disc
>>>>> mailing list kwlug-disc at kwlug.org 
>>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> _______________________________________________ kwlug-disc
>>>> mailing list kwlug-disc at kwlug.org 
>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>> 
>>>> 
>>> 
>>> _______________________________________________ kwlug-disc
>>> mailing list kwlug-disc at kwlug.org 
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>> 
>> 
>> 
>> 
>> _______________________________________________ kwlug-disc
>> mailing list kwlug-disc at kwlug.org 
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> 
> 
> 
> _______________________________________________ kwlug-disc mailing
> list kwlug-disc at kwlug.org 
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlNNrfwACgkQuRKJsNLM5eqymgCfbDVFqwBf6iO5dOWovaVhXIHh
IFUAoL/FC1Rr/cDmNsSozqfTp5Qus5Qw
=XcG7
-----END PGP SIGNATURE-----

More information about the kwlug-disc mailing list