Heartbleed

MyE28.com Forum system comments and questions. Please post registration, login, or general forum usage problems here.

Post by tig »

http://filippo.io/Heartbleed/#www.mye28.com

Might want to fix this guys.

Post by mooseheadm5 »

OK, looked it up, have contacted Justin.

Post by tig »

Heartbleed is likely the worst vulnerability the Internet has seen to date. I strongly suggest that after the sysops update the system that they invalidate everyone's passwords.

If you are not willing to go that far then all members would be advised to change their passwords. Especially if they use the same password on other sites.

Post by Justin_FL »

I can patch the server soon but from a quick reading it affects encrypted SSL data, which is not used by this forum.

Post by tig »

Best article explaining it I have found:

http://arstechnica.com/security/2014/04 ... tte-style/

Post by tig »

Justin_FL wrote: I can patch the server soon but from a quick reading it affects encrypted SSL data, which is not used by this forum.
Wow, I just noticed that the sign-in page does not use SSL.

This means that every user's password is SENT IN CLEAR TEXT when they enter it. This means that you should NEVER log in to mye28.com from a wireless network that you are not 100% sure is secure (like a coffee shop) because it is likely that someone is sniffing the data and will see your password.

If you use that same password on other sites then all the hacker needs to know is your email address.

People using this forum should use extra care to use a UNIQUE password for this site from all other passwords they use.

Since the Heartbleed vulnerability gives attackers access to memory on the server it does not matter if SSL is actually in use or not. The test I pointed to above shows that the site is exploitable.

Post by tig »

[image]

Post by Jeremy »

cek wrote: People using this forum should use extra care to use a UNIQUE password for this site from all other passwords they use.
This is basic internet security to begin with. Re-using passwords is extremely hazardous. I use a common theme, but each password I create is non-identical to others.

Post by WilNJ »

Jeremy wrote: This is basic internet security to begin with. Re-using passwords is extremely hazardous. I use a common theme, but each password I create is non-identical to others.
Purely for educational purposes, please share that password with us as well as your common theme.

I'm not a security expert but something that I understand to be true about password security is that you're better off adding characters rather than an overly complex password.

Feel free to blow me up if I'm wrong but I understand

mye28,,,,,,,,,,,,,,,,,,10

to be more robust than

mYe28iSc0ol

Post by jodystevens »

First of all it affects OpenSSL which this site does not use because it does not need it. It doesn't store any sensitive information like banking info, credit card numbers or even street addresses. So much media hype over an exploit that's been vulnerable for 2 years and has been patched by most banking sites already. Who cares if someone steals your forum password.

Post by Jeremy »

jodystevens wrote: Who cares if someone steals your forum password.
A lot of people (very unwisely) re-use passwords and login names across multiple services. Getting a person's Yahoo credentials can gain a person access to their online banking, PayPal, and other services in this case.
WilNJ wrote: I'm not a security expert but something that I understand to be true about password security is that you're better off adding characters rather than an overly complex password.
Yes, but ...

While what you wrote is true, it only counts if someone has unlimited attempts to "guess" your password. A brute force attack. These types of attacks are well protected against on internet sites, thus making your password complexity almost a non-factor for internet website passwords.

Password compromises usually happen by way of a keylogger tied to a trojan or other computer malware/virus. Protecting your computer from these types of attacks with effective anti-virus and anti-malware software is what is actually more effective at securing your online passwords compared to adding password complexity. Complexity is similarly useless against exploits such as Heartbleed.

Now, if you're creating a password to encrypt some data, there's a different set of security rules. And that's where complexity definitely plays a role.

Post by Brad D. »

I got an email at work today requiring a password change. I use our Juniper SSL VPN service, as well as many others on campus who may have been compromised due to Heartbleed.

Post by geordi »

Thanks for the post guys… I made the recommended change

Post by tig »

jodystevens wrote: First of all it affects OpenSSL which this site does not use because it does not need it. It doesn't store any sensitive information like banking info, credit card numbers or even street addresses. So much media hype over an exploit that's been vulnerable for 2 years and has been patched by most banking sites already. Who cares if someone steals your forum password.
This site may not need SSL, but it did have the vulnerable version of OpenSSL installed and activated and listening on the SSL port (443). Because this vulnerability exposes server memory to the attacker it does not matter whether the site needs SSL or not.

Post by tig »

By far the best description of the Heartbleed bug.

[image]

Note, as I said before, normal traffic to the server does not have to use SSL for this to be exploitable.

Post by booker »

I suggest not using the internet anymore.

Heartbleed and 1Password

Post by rodpaine »

If you are on the Internet as much as I am and involved with a lot of password based accounts, then you really should be using '1Password' to help improve your password strength, which is pretty poor in my experience working with computer users, when I ran ASTEC Co., Inc. They also have comments about Heartbleed here...
http://email.agilewebsolutions.com/t/Vi ... 06BE9B4083
-Rod

Post by Jeremy »

I use LastPass personally, it has similar functionality. I still maintain that increasing password strength offers no increased protection for internet based services, however. All it truly does is makes your passwords harder to remember, thus increasing the chance you'll write it down, and then it's not "secure" at all.

Post by rodpaine »

Jeremy,
What you're saying is partially correct, but during the 14 years I was configuring, installing and updating over 3,000 Macs primarily in small business offices and division offices in larger organizations, my experience with these systems was that poor passwords were the leading cause of difficulties requiring my involvement. Outright computer failures, including failed hard disk drives and no backups to restore from, were way below the time I spent correcting poor password use and resultant problems. It is still an issue that I see is way too big, even now as an outsider.
-Rod

Post by Justin_FL »

FYI, I updated the server Wednesday evening in case anyone was wondering...

Post by Jeremy »

Rod-

Can you define "poor password use"? Were they just bad passwords, i.e., they were using "password" as the password or the password matched the login name?

What's the minimum complexity you would consider "safe" or "prudent"?

I'm curious because school forces us to use a password that's at least 8 characters long and includes 2 out of three of: a combination of upper and lower case characters, special characters, and numbers. These passwords expire and must be changed every 3 months, and you need to come up with an entirely new password every time. Once a password is used, it can never be used again with that account. I resorted to serializing my passwords in an effort to keep my remaining bits of sanity intact.

It takes a minimum of 38 keystrokes to log into a computer lab computer, then the same 38 keystrokes again to access your school e-mail, then the same 38 keystrokes a third time to access your classwork. It's absurd, and IMHO, completely unnecessary. IS security is not my forte, however, which is why I asked what you personally consider to be "good enough" in the password realm.