<div dir="ltr"><div><div><div>I still contend that your Instagram password is the last thing you need to worry about from Heartbleed.<br><br><a href="https://twitter.com/CP24/status/455686305305751553">https://twitter.com/CP24/status/455686305305751553</a><br>
<br></div>But sure, it doesn't hurt to change it.<br><br></div>Although, as I write on my blog, relying on a shared secret for your identity has been proven again and again to be insufficient. Setting up two-step verification with a one-time password is the best way right now to avoid having your credentials stolen from a server, regardless of how an attacker gets that information.<br>
<br><a href="http://flyingsquirrel.ca/index.php/2014/04/12/enable-two-factor-authentication/">http://flyingsquirrel.ca/index.php/2014/04/12/enable-two-factor-authentication/</a><br><br></div>Darcy.<br></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Sat, Apr 12, 2014 at 4:15 PM, unsolicited <span dir="ltr"><<a href="mailto:unsolicited@swiz.ca" target="_blank">unsolicited@swiz.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yep, had caught those aspects.<br>
<br>
Keyword being 'potential'. Which is only to say, with the media all running around with their heads cut off, and only a small subset of such services you use WITH impacted servers AND real potential harm to you at exposure IF you have an account worth messing around with more lucrative than others, there's a lot of FUD out there.<br>
<br>
Which is not to say you won't be impacted, nor that it won't hurt when you are ... but it's not EVERYWHERE for EVERYTHING.<br>
<br>
I don't dispute the problem is discerning when it really matters.<br>
<br>
I'm only irritated that they put out carte blanche 'change everything' 'just in case'. This, my industry (I.T.), should be able to be rather more surgical, and less 'there MAY be risk, better safe than sorry'.<br>
<br>
Considering the time and expense and potential exposure most everyone is being told to expend, most of which is pointless for lack of real exposure. That's my issue: lots of FUD and noise, most of it just noise, and we all have better things to do.<div class="">
<br>
<br>
<br>
On 14-04-12 12:51 PM, Khalid Baheyeldin wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
Heartbleed extracted whatever happened to be in memory at the time. That<br>
can be passwords or hashes or anything else.<br>
<br>
It is non-specific, but a determined attacker can potentially glean some<br>
info with persistence.<br>
<br>
Also, because the attacker does not need to complete a connection that<br>
would be logged (e.g. HTTP, etc.), this makes the attacks untraceable<br>
with the usual logs (e.g. web server).<br>
<br>
This is what makes it scary: potential information disclosure, and<br>
non-traceability.<br>
<br>
<br>
On Sat, Apr 12, 2014 at 4:29 AM, unsolicited <<a href="mailto:unsolicited@swiz.ca" target="_blank">unsolicited@swiz.ca</a>> wrote:<br></div><div><div class="h5">
<br>
That's over simplistic.<br>
<br>
You can't extract a password that isn't there.<br>
<br>
*IF* it is even in the packet you get.<br>
<br>
*IF* it was being exploited at the time.<br>
<br>
*IF* you are of interest to them.<br>
<br>
*IF* they are interested in doing damage to that provider of services.<br>
<br>
Lot of IFs. Lot of FUD.<br>
<br>
What's being protected?<br>
<br>
Will you know?<br>
<br>
Will you care?<br>
<br>
Not saying that, now that the exploit is known, they wouldn't run with it.<br>
<br>
But patching is simplistic.<br>
<br>
I take your point about SSL keys - IF it was in the data returned.<br>
<br>
But with properly isolated systems, it should only be the front end<br>
impacted. On the assumption that nobody inside your firewall is<br>
exploiting it.<br>
<br>
Lots of IFs all around.<br>
<br>
But I take your point.<br>
<br>
<br>
<br>
On 14-04-11 05:44 PM, Bob Jonkman wrote:<br>
<br>
<br>
If your router is accessible from the WAN port via http then you have<br>
more urgent problems than Heartbleed.<br>
<br>
If a site has both http and https then there's no (new) vulnerability<br>
with http, but a Heartbleed attack on https can still extract<br>
passwords and other info.<br>
<br>
To extract a password from an http session a bad guy needs to be a<br>
man-in-the-middle, or sniffing the network (remember Firesheep?). To<br>
extract a password with Heartbleed an attacker only has to initiate an<br>
https session.<br>
<br>
--Bob.<br>
<br>
<br>
<br>
On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:<br>
<br>
But, wouldn't Heartbleed be an issue only if you use SSL on the<br>
site? For example, if you have OpenWRT/Tomato/DD-WRT and log in<br>
via http (not https), then there is no exploit via OpenSSL?<br>
<br>
<br>
On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <<a href="mailto:bjonkman@sobac.com" target="_blank">bjonkman@sobac.com</a>> wrote:<br></div></div><div class=""><br>
<br>
If you're using a tool to check for Heartbleed vulnerabilities, be<br>
sure to check the Web interface on your router and/or modem as well.<br>
<br>
I'm not sure if router vendors are on top of this, but according to<br>
ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from <a href="http://fixppp.org" target="_blank">http://fixppp.org</a>)<br>
is not vulnerable, nor my Thomson Speedtouch modem with firmware 6.1.0.5<br>
<br>
Also, somebody asked me how safe these vulnerability checking tools are,<br>
especially the online and Javascript-based ones. What's to say they're<br>
not merely displaying "all is well", and actually compiling a list of<br>
vulnerable sites for later exploitation?<br>
<br>
--Bob.<br>
<br>
<br>
On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:<br>
<br>
You can use this python tool ssltest.py to check if your servers are<br>
vulnerable:<br>
<br>
$ wget -O ssltest.py "<a href="http://pastebin.com/raw.php?i=WmxzjkXJ" target="_blank">http://pastebin.com/raw.php?i=WmxzjkXJ</a>"<br></div>
$ python ssltest.py example.com<div class=""><br>
<br>
<br>
<br>
On 14-04-11 10:51 AM, CrankyOldBugger wrote:<br>
<br>
Mashable has a list going of sites affected by Heartbleed:<br>
<br></div>
<a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/" target="_blank">http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/</a><div class=""><br>
<br>
<br>
<br>
Don't forget to add Canada Revenue (and most other government<br>
sites) to your list of passwords to change!<br>
<br>
<br>
<br>
<br></div>
Bob Jonkman <<a href="mailto:bjonkman@sobac.com" target="_blank">bjonkman@sobac.com</a>><br>
Phone: <a href="tel:%2B1-519-669-0388" value="+15196690388" target="_blank">+1-519-669-0388</a><div class=""><br>
SOBAC Microcomputer Services <a href="http://sobac.com/sobac/" target="_blank">http://sobac.com/sobac/</a><br>
<a href="http://bob.jonkman.ca/blogs/" target="_blank">http://bob.jonkman.ca/blogs/</a><br></div>
<a href="http://sn.jonkman.ca/bobjonkman/" target="_blank">http://sn.jonkman.ca/bobjonkman/</a><div class=""><br>
Software --- Office & Business Automation --- Consulting<br>
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA<br>
<br>
<br>
<br></div><div class="">
_______________________________________________ kwlug-disc<br>
mailing list <a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
</div><div class="">
<br>
<br></div>
<div class=""><br>
<br>
<br>
<br>
<br>
<br>
</div><div class="">
<br>
<br>
<br>
<br>
--<br>
Khalid M. Baheyeldin<br>
</div><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<div class=""><br>
Fast Reliable Drupal<br>
Drupal optimization, development, customization and consulting.<br>
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra<br>
Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>
"For every complex problem, there is an answer that is clear, simple, and<br>
wrong." -- H.L. Mencken<br>
<br>
<br></div><div class="">
<br>
</div></blockquote><div class="HOEnZb"><div class="h5">
<br>
<br>
</div></div></blockquote></div><br></div>