Major online security bug.

Downsizer Forum Index -> IT Matters

NorthernMonkeyGirl



Joined: 10 Apr 2011
Posts: 4584
Location: Peeping over your shoulder
PostPosted: Thu Apr 10, 14 9:46 am    Post subject: Major online security bug.

The "Heartbleed"...thing...has affected sites using OpenSSL. In other words someone can get at your passwords on certain sites.

This purports to be a list of sites tested, I will copy out the ones they found to be vulnerable as of 8th April. While the BBC says change your passwords now, others say wait until everything is fixed (48 hours ish) so that your new password isn't also seen.

Testing yahoo.com... vulnerable.
Testing imgur.com... vulnerable.
Testing stackoverflow.com... vulnerable.
Testing kickass.to... vulnerable.
Testing flickr.com... vulnerable.
Testing redtube.com... vulnerable.
Testing sogou.com... vulnerable.
Testing adf.ly... vulnerable.
Testing outbrain.com... vulnerable.
Testing archive.org... vulnerable.
Testing addthis.com... vulnerable.
Testing stackexchange.com... vulnerable.
Testing popads.net... vulnerable.
Testing avito.ru... vulnerable.
Testing kaskus.co.id... vulnerable.
Testing web.de... vulnerable.
Testing suning.com... vulnerable.
Testing zeobit.com... vulnerable.
Testing beeg.com... vulnerable.
Testing seznam.cz... vulnerable.
Testing okcupid.com... vulnerable.
Testing pch.com... vulnerable.
Testing xda-developers.com... vulnerable.
Testing steamcommunity.com... vulnerable.
Testing slate.com... vulnerable.
Testing scoop.it... vulnerable.
Testing hidemyass.com... vulnerable.
Testing 123rf.com... vulnerable.
Testing m-w.com... vulnerable.
Testing dreamstime.com... vulnerable.
Testing amung.us... vulnerable.
Testing duckduckgo.com... vulnerable.
Testing leo.org... vulnerable.
Testing eventbrite.com... vulnerable.
Testing wetransfer.com... vulnerable.
Testing sh.st... vulnerable.
Testing entrepreneur.com... vulnerable.
Testing zoho.com... vulnerable.
Testing yts.re... vulnerable.
Testing usmagazine.com... vulnerable.
Testing fool.com... vulnerable.
Testing digitalpoint.com... vulnerable.
Testing picmonkey.com... vulnerable.
Testing petflow.com... vulnerable.
Testing squidoo.com... vulnerable.
Testing avazutracking.net... vulnerable.
Testing elegantthemes.com... vulnerable.
Testing 500px.com... vulnerable.

Last edited by NorthernMonkeyGirl on Thu Apr 10, 14 10:58 am; edited 1 time in total

robkb



Joined: 29 May 2009
Posts: 4205
Location: SE London
PostPosted: Thu Apr 10, 14 9:53 am    Post subject:

Most of the advice I've read says to wait for the patch to be applied before changing passwords.

And just how long were they 'testing' Redtube...?

NorthernMonkeyGirl



Joined: 10 Apr 2011
Posts: 4584
Location: Peeping over your shoulder
PostPosted: Thu Apr 10, 14 10:06 am    Post subject:

And was it before or after "hidemyass"?

vegplot



Joined: 19 Apr 2007
Posts: 21301
Location: Bethesda, Gwynedd
PostPosted: Thu Apr 10, 14 10:13 am    Post subject: Re: Major online security bug.

NorthernMonkeyGirl wrote:
The "Heartbleed"...thing...has affected sites using SSL.


Not quite accurate. Only OpenSSL, as used by Apache and nginx, is affected. Microsoft IIS sites that implement SSL are fine for instance.

dpack



Joined: 02 Jul 2005
Posts: 45374
Location: yes
PostPosted: Thu Apr 10, 14 10:33 am    Post subject:

I don't think I have used any of them unless they were embedded in other things.

NorthernMonkeyGirl



Joined: 10 Apr 2011
Posts: 4584
Location: Peeping over your shoulder
PostPosted: Thu Apr 10, 14 10:58 am    Post subject: Re: Major online security bug.

vegplot wrote:
NorthernMonkeyGirl wrote:
The "Heartbleed"...thing...has affected sites using SSL.


Not quite accurate. Only OpenSSL, as used by Apache and nginx, is affected. Microsoft IIS sites that implement SSL are fine for instance.


Fixed, thank you

nats



Joined: 12 Jun 2007
Posts: 2374
Location: Swindon but not a Swindonian
PostPosted: Thu Apr 10, 14 11:15 am    Post subject:

The fix isn't a "simple" fix (I'm sure VP, NMG etc. know this, just clarifying for those that don't!) so it can take a while to implement. You have to update some code, revoke some security certificates, create and digitally sign new ones and then implement them. This is why it's taking a bit of time to do. I'm going to check at the weekend personally....

sean
Downsizer Moderator


Joined: 28 Oct 2004
Posts: 42207
Location: North Devon
PostPosted: Tue Apr 15, 14 11:08 am    Post subject:

On the bright side, it's been used to hack mumsnet. (Or mumsnet claim it has in a bid to look big and important.)

Nick



Joined: 02 Nov 2004
Posts: 34535
Location: Hereford
PostPosted: Tue Apr 15, 14 11:09 am    Post subject:

You know, that pleased me more than the Tory having to pay for his own legal bills. At least the Tory was elected to be a gobshite.

dpack



Joined: 02 Jul 2005
Posts: 45374
Location: yes
PostPosted: Tue Apr 15, 14 9:34 pm    Post subject:

Hackers, pah.

If they hack me they can have my bills or my "followers".

dpack



Joined: 02 Jul 2005
Posts: 45374
Location: yes
PostPosted: Wed Apr 16, 14 11:23 am    Post subject:

Just in case, I changed my Dropbox password though.

oldish chris



Joined: 14 Jun 2006
Posts: 4148
Location: Comfortably Wet Southport
PostPosted: Wed Apr 16, 14 5:55 pm    Post subject:

I'm not sure how big a security risk this heartbleed thing is.

Quote:
On April 7, the original OpenSSL advisory was first issued, which did not refer to the flaw as "Heartbleed," but rather as a "Heartbeat" flaw in OpenSSL. Heartbeat refers to the technical monitoring function that the feature provides within OpenSSL.

The name Heartbleed, as well as the well-designed logo that has been reused in countless media reports, is the creation of security research firm Codenomicon. Along with Google security researchers, Codenomicon is taking credit for the initial discovery of the Heartbleed flaw. See more at: https://www.eweek.com/security/heartbleed-ssl-flaw-angst-aggravated-by-broken-disclosure-process.html


and
Quote:
“Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS heartbeat extension. An attacker could use this issue to obtain up to 64k of memory contents from the client or server, possibly leading to the disclosure of private keys and other sensitive information.”
(my emphasis) ref: https://news.softpedia.com/news/Dear-Ubuntu-Users-Stop-Saying-the-Ubuntu-Is-Unprotected-Against-the-Heartbleed-Exploit-437846.shtml

I'm detecting a lot of possibles and coulds and commercial hype.
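
The "incorrectly handled memory in the TLS heartbeat extension" line quoted above is the whole bug, and it is easier to judge the "possibles and coulds" by looking at it. What follows is an added example in C, written for this page; it is not OpenSSL's code and not code any poster supplied. It models the heartbeat handler before and after the OpenSSL 1.0.1g fix (CVE-2014-0160). The message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the "process memory" is a constructed 256-byte buffer, and the secret placed in it after the request is made up for the demo.

```c
/* Added example (not OpenSSL's code): a cut-down model of the TLS heartbeat
 * handling behind Heartbleed (CVE-2014-0160). The "process memory" is a
 * constructed 256-byte buffer; the secret placed in it is made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define BUF_SZ           256

/* Build the response: type, 2-byte length, echoed payload, zero padding.
 * Returns the response length, or -1 if it would not fit in `out`. */
static int build_response(const uint8_t *rec, uint16_t payload,
                          uint8_t *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;   /* demo-only guard; OpenSSL malloc'd exactly this size */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);   /* copies `payload` bytes, wherever they came from */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Pre-fix behaviour: the 16-bit length inside the message is trusted and never
 * compared with rec_len, the number of bytes the record layer really delivered,
 * so the memcpy reads past the message into whatever memory follows it. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* the bug: this value is ignored */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload, out, out_cap);
}

/* Post-fix behaviour (OpenSSL 1.0.1g): check the claimed length against the
 * delivered record and silently discard the message if it does not fit. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    return build_response(rec, payload, out, out_cap);
}

/* Constructed "process memory": a heartbeat request with ONE real payload byte
 * at the start, then filler, then a made-up secret a few bytes further on. */
static const char SECRET[] = "SECRET-PRIVATE-KEY-MATERIAL";

static size_t build_memory(uint8_t *mem, uint16_t claimed_len, uint8_t real_payload)
{
    memset(mem, 'X', BUF_SZ);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)claimed_len;
    mem[3] = real_payload;
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;       /* what the record layer delivered */
    memcpy(mem + rec_len + 8, SECRET, sizeof SECRET - 1);
    return rec_len;
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Request claims 64 bytes of payload but carries 1: the old handler echoes 64. */
int leaks_secret(void)
{
    uint8_t mem[BUF_SZ], out[BUF_SZ];
    size_t rec_len = build_memory(mem, 64, 'A');
    int n = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

int fixed_rejects(void)
{
    uint8_t mem[BUF_SZ], out[BUF_SZ];
    size_t rec_len = build_memory(mem, 64, 'A');
    return heartbeat_fixed(mem, rec_len, out, sizeof out) == -1;
}

/* A request whose claimed length matches what was delivered still works. */
int fixed_echoes_valid(void)
{
    uint8_t mem[BUF_SZ], out[BUF_SZ];
    size_t rec_len = build_memory(mem, 1, 'A');
    int n = heartbeat_fixed(mem, rec_len, out, sizeof out);
    return n == 1 + 2 + 1 + HB_PADDING && out[0] == TLS1_HB_RESPONSE && out[3] == 'A';
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects request:   %s\n", fixed_rejects() ? "yes" : "no");
    printf("fixed handler echoes valid one:  %s\n", fixed_echoes_valid() ? "yes" : "no");
    return 0;
}
```

Compile with `cc heartbeat_demo.c && ./a.out`. The "64k" in the advisory is simply the largest value a 16-bit length field can hold: the peer chooses that number, the old code copied that many bytes from wherever the request happened to sit in memory, and nothing in the protocol required the attacker to be authenticated or to leave a trace in the logs. Which bytes come back is luck of the allocator, which is why the advisories say "possibly" private keys rather than "certainly"; repeating the request many times turns that possibility into a fairly good bet.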

gz



Joined: 23 Jan 2009
Posts: 8571
Location: Ayrshire, Scotland
PostPosted: Wed Apr 16, 14 8:51 pm    Post subject:

The Ubuntu update to deal with this has just arrived on my computer
