[kwlug-disc] Heartbleed affected sites
unsolicited
unsolicited at swiz.ca
Fri Apr 11 16:24:37 EDT 2014
Why?
The bug was introduced 2 years ago, but it's not known to have been
exploited, from anything I've seen, which doesn't say much.
Nefarious activity in the wild is monitored by various organizations to
whatever extent it is, and the issue was not discovered / reported by
them, as far as I know.
From what I saw a 64k chunk of memory is potentially exposed in an ssh
server to someone if they were exploiting it, for which we don't know
they were. (Or even aware it was possible.)
Doesn't mean there was anything useful in that 64k chunk. Which they
would then have to decipher in the sense of figuring out if there is
anything useful, and that usefulness has to extend to being able to do
something with it.
Without any knowledge one way or the other, I assume CRA is shut down
not because there's an issue going forward (problem easily patched,
now), but because they don't know what might have happened during or
within. Short of checksumming every system, I don't know how they might
prove one way or another. But someone higher up is probably requiring
due diligence on something that can't be proven.
I do wonder if 'change your password' isn't FUD, promoted for trying to
give users the sense that they're in control of their own security, and
that changing their password will let them be proactive and 'solve the
problem'.
There's a lot of 'ifs' to the chain of events above before you have
certainty of impact. And a lot of other risks (especially human error)
out there that are quite probably more likely to happen and impact you
than this one. No, I don't know what they are, either. But I also
haven't seen any impact.
It's a lot of work to change all the passwords, let alone for some time
afterwards trying to remember what you changed them to.
Not sure it's worth the effort in the absence of any detected impact.
Hard to say it's not just fear mongering. Certainly some media I've seen
running around with their heads cut off demonstrate a deep
misunderstanding of things, yet their heads are still talking.
On 14-04-11 10:51 AM, CrankyOldBugger wrote:
> Mashable has a list going of sites affected by Heartbleed:
>
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>
> Don't forget to add Canada Revenue (and most other government sites) to
> your list of passwords to change!
More information about the kwlug-disc
mailing list
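For readers who want to see where the "64k chunk of memory" in the thread above comes from, the following is an added, simplified model written for this archive page; it is not code from the message, from OpenSSL, or from any listed site. It follows the RFC 6520 heartbeat record layout (type, 16-bit big-endian payload length, payload, padding) and contrasts a responder that trusts the claimed length with one that checks it against the bytes actually received. The arena, the "secret" string and all function names are constructed for the demonstration; the real OpenSSL code and its data structures differ.

```c
#include <stddef.h>
#include <string.h>

/* Record layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3

/* Vulnerable responder (simplified model, not OpenSSL's code): it trusts the
 * peer-supplied 16-bit payload length, so memcpy can read up to 65535 bytes
 * past the real record.  That 16-bit field is why the leak tops out at "64k". */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0; /* guards only the reply buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* over-read: never compared to rec_len */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed responder: the claimed length must fit inside the record actually received,
 * otherwise the request is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > rec_len) return 0; /* the bounds check that was missing */
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Constructed demo data: a 128-byte arena in which a 21-byte heartbeat record
 * is immediately followed by a "secret" that the peer should never see. */
static const char SECRET[] = "session_cookie=abc123";

static size_t build_arena(unsigned char *arena, unsigned claimed)
{
    memset(arena, 0, 128);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + HB_HDR, "hi", 2);               /* the real payload is 2 bytes */
    size_t rec_len = HB_HDR + 2 + HB_PADDING;      /* 21 bytes actually on the wire */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable responder echoes back the secret that sat after the record. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[128], out[256];
    size_t rec_len = build_arena(arena, 64);       /* claims 64 bytes, sends 2 */
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n == HB_HDR + 64 + HB_PADDING && contains(out, n, SECRET);
}

/* 1 if the fixed responder drops the same over-claiming request. */
int fixed_rejects_overclaim(void)
{
    unsigned char arena[128], out[256];
    size_t rec_len = build_arena(arena, 64);
    return heartbeat_fixed(arena, rec_len, out, sizeof out) == 0;
}

/* Reply length for an honest request (claims 2 bytes, sends 2): 3 + 2 + 16 = 21. */
size_t fixed_answers_honest(void)
{
    unsigned char arena[128], out[256];
    size_t rec_len = build_arena(arena, 2);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}
```

The over-read in the demo stays inside the constructed arena so the program is well-defined; in a real process the bytes after the record are whatever happened to be adjacent in the heap, which is the point the thread is debating: the leaked bytes may or may not contain anything useful, and nothing in the reply tells the server it was asked.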