heartbleed

somdfunguy

not impressed
http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/


Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.
You can test your website here: http://filippo.io/Heartbleed/
 

somdfunguy

not impressed
You and I both know it wasn't before. It's been patched. This is a good thing.

Full disclosure is always the best policy.
 

LibertyBeacon

Unto dust we shall return
But anyway, this is a fairly amusing bug.

This is the motherlode: the private keys. Game over.

If only I'd bought stock in Verisign.
 

vraiblonde

Board Mommy
PREMO Member
Patron
OK, cool. Didn't mean to sound as if I was prying. Was just curious about the SSL on the forums.
Not at all. We do not have SSL on the forums because there's no need for it - there's no information in here that is worth anything. What's the worst that can happen if someone cracks your forum account?

We have SSL on the classifieds, but we don't store credit card information on the servers anyway. Plus there are a number of other security measures besides SSL in place. It's highly unlikely that Somd.com will be targeted. What you need to keep an eye on are your banking and credit card accounts, and any sites where your credit card is stored: Amazon, PayPal, etc. It wouldn't hurt to change those passwords, but if the institution hasn't revoked and reimplemented their SSL certificate, not sure what good it will do.

People have their credit card information stolen all the time, this is really nothing new.
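The post above makes a point worth checking rather than guessing at: a new password on a site whose certificate (and private key) was not reissued after the disclosure is of limited value. The following is an added example, not code from the thread or from any site named in it; it takes a certificate dict in the shape Python's ssl.SSLSocket.getpeercert() returns and reports whether the certificate was issued after the public disclosure date. The sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160): 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_reissued_since_disclosure(cert: dict) -> bool:
    """True if the certificate's notBefore is after the disclosure date.

    `cert` is shaped like ssl.SSLSocket.getpeercert(): notBefore is a string
    such as 'Apr  9 00:00:00 2014 GMT'. A certificate issued before the
    disclosure may still be backed by a private key that a vulnerable server
    could have leaked, so a password change alone does not restore
    confidentiality on that site.

    Caveat: a reissue date is only a heuristic. A certificate reissued with the
    same key pair does not help, and this check does not confirm that the old
    certificate was actually revoked.
    """
    issued_epoch = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(issued_epoch, timezone.utc)
    return issued > HEARTBLEED_DISCLOSURE


def classify(cert: dict) -> str:
    return "reissued" if cert_reissued_since_disclosure(cert) else "pre-disclosure"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the leaf certificate of a live host (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real sites' data).
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Mar  1 00:00:00 2014 GMT",
            "notAfter": "Mar  1 23:59:59 2016 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:00:00 2014 GMT",
            "notAfter": "Apr  9 12:00:00 2016 GMT"}

if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        print(cert["notBefore"], "->", classify(cert))
```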
 

vraiblonde

Board Mommy
PREMO Member
Patron
Then people would know who I am! :cds: :jameo:
:lol:

That always makes me laugh, when people think we have access to any personal information about them just because they have a forum account. We have your email address, whatever one you have associated with your account, and your IP address. That's it. Someone sent me a nastygram a few years back, accusing me of giving out their cellphone number. Um, we don't have your cellphone number to give. :lol:
 

slotpuppy

Ass-hole
:lol:

That always makes me laugh, when people think we have access to any personal information about them just because they have a forum account. We have your email address, whatever one you have associated with your account, and your IP address. That's it. Someone sent me a nastygram a few years back, accusing me of giving out their cellphone number. Um, we don't have your cellphone number to give. :lol:
You have my cell number. :cds:
 

vraiblonde

Board Mommy
PREMO Member
Patron
These freakouts remind me of Y2K: what is serious and what is a bunch of BS fear mongering from companies who stand to make money by "fixing" the situation. This exploit is 2 years old, why is it now an "emergency"? Yes, server admins should obviously patch their chit and check their security - but they should be doing that on a regular basis anyway. End users should be keeping track of their accounts, and have alerts in place so that they are notified in the event of suspicious activity. You should have solid passwords in place and change them periodically - some sites force you to change every x-days and won't let you get away with something simple.

But there are still people who fall for phishing schemes, and the old Nigerian 419 scams. People respond to emails from "relatives overseas" needing money. They think some Middle Eastern prince really did choose them to help him funnel his millions into the US. They think Bill Gates is going to give them $5000 for forwarding an email.

It's hard to tell what's real anymore.
 

somdfunguy

not impressed
These freakouts remind me of Y2K: what is serious and what is a bunch of BS fear mongering from companies who stand to make money by "fixing" the situation. This exploit is 2 years old, why is it now an "emergency"? Yes, server admins should obviously patch their chit and check their security - but they should be doing that on a regular basis anyway. End users should be keeping track of their accounts, and have alerts in place so that they are notified in the event of suspicious activity. You should have solid passwords in place and change them periodically - some sites force you to change every x-days and won't let you get away with something simple.

But there are still people who fall for phishing schemes, and the old Nigerian 419 scams. People respond to emails from "relatives overseas" needing money. They think some Middle Eastern prince really did choose them to help him funnel his millions into the US. They think Bill Gates is going to give them $5000 for forwarding an email.

It's hard to tell what's real anymore.
Agreed, many are FUD, but this one actually is serious. What can people do about it? Nothing really. Just make sure you follow the basic rules, the best being: use different passwords for each website/service you use.

Good info in plain English: http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
 