Author Topic: Change Your Passwords: A Massive Bug Has Put Your Details (Read 8577 times)

mishca09 · « **on:** April 13, 2014, 09:44:47 PM »

I posted this on theden and I thought it I would share it here to.

Change Your Passwords: A Massive Bug Has Put Your Details at Risk
Internet security experts are scrambling to assess the extent of the breach caused by a massive bug called Heartbleed in the OpenSSL technology that runs encryption for two-thirds of the web and went unnoticed for two years until last week

MORE
Heartbleed Bug: Here Are the Passwords You Should Change
Quick Tech Trick: How to Make a Strong Password (and Actually Remember It)
How to Protect Yourself Against the Heartbleed Bug
A newly discovered bug in software supposed to provide extra protection for thousands of the world’s most popular websites has exposed highly sensitive information such as credit card numbers, usernames, and passwords, security researchers said.

The discovery of the bug, known as Heartbleed, has caused several websites to advise their users to change their passwords.

“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr wrote in a note to its many users.

“The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.”

Yahoo, the owner of Tumblr, confirms that its users’ passwords have been compromised.

The bug was discovered late last week in the OpenSSL technology that runs encryption for two-thirds of the Internet. The researchers who discovered it said that most Internet users “are likely to be affected either directly or indirectly.”

It was found simultaneously by a Google security researcher and a small security firm named Codenomicon and disclosed Monday night.

Experts are now scrambling to asses the extent of the security breach, because the bug remained undiscovered for two years. Hackers may have exploited it without leaving footprints.

“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace,” Codenomicon wrote on their newly created website about the bug.

According to several security experts, it is one of the most serious security flaws uncovered in many years.

“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm, told the Los Angeles Times.

The U.S. government’s Department of Homeland Security has advised all businesses using the vulnerable versions of the software to review their servers.

goldshirt*9 · « **Reply #1 on:** April 13, 2014, 09:54:22 PM »

tried to find out what sites are affected

brickbatz · « **Reply #2 on:** April 13, 2014, 09:55:39 PM »

Bully's link to affected sites.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link

8ullfrog · « **Reply #3 on:** April 14, 2014, 02:08:49 AM »

My cousin had his email account compromised (Yahoo), a good friend had his email account compromised (Hotmail) an attempt was made against my mom's email (Google) and an attempt was made against my roommates fb profile (Facebook).

This is a major bless'ed pain in the ass. On sites where passwords cannot be remembered for security purposes, I touch type my passwords out, and now I've got to learn new ones.

I'm tired of these bless'ed compromised systems.

6pairsofshoes · « **Reply #4 on:** April 14, 2014, 10:59:00 AM »

I'm still changing p/w s. What a pain.

goldshirt*9 · « **Reply #5 on:** April 14, 2014, 11:22:47 AM »

nothing on there bothers me

brickbatz · « **Reply #6 on:** April 15, 2014, 12:23:30 AM »

Using TeamViewer to connect remotely I changed a cousin's passwords two days ago and another cousin's passwords yesterday. I make up long strong passwords on notepad, label them, username, email and copy/paste them when changing them.

The cousin I helped yesterday was using her dog's five letter name for everything. When she saw me typing something like this #v5$8^Sd%W0j), then do the same random thing for each of them, I could hear the phone drop. Anyway, I named and it saved it to her documents and printed it out for her. I gave her a movie so she'd quit thinking about it.

6pairsofshoes · « **Reply #7 on:** April 15, 2014, 01:33:58 AM »

Quote from: christ on April 15, 2014, 01:21:09 AM

You guys do know that changing passwords on compromised sites before they have updated (to remove the glitch) is a waste of time, right?

No. But if you hum a few bars, I'll try to fake it.

smokester · « **Reply #8 on:** April 15, 2014, 05:13:18 AM »

^ Forgive me, six, for adding christ's comment to your post. It was worth keeping.

Quote from: christ on April 15, 2014, 04:17:49 AM

Heh.

... and the piano is on my foot.

Monkeying around again, i see.

Incidentally, for important things, I have 18 character passwords of symbols and mixed case letters etc, and I have them completely out of context in a sql database that I have access to from anywhere. It has gotten me out of trouble more than once.

dweez · « **Reply #9 on:** April 15, 2014, 10:34:40 PM »

Quote from: brickbatz on April 15, 2014, 12:23:30 AM

Using TeamViewer to connect remotely I changed a cousin's passwords two days ago and another cousin's passwords yesterday. I make up long strong passwords on notepad, label them, username, email and copy/paste them when changing them.

The cousin I helped yesterday was using her dog's five letter name for everything. When she saw me typing something like this #v5$8^Sd%W0j), then do the same random thing for each of them, I could hear the phone drop. Anyway, I named and it saved it to her documents and printed it out for her. I gave her a movie so she'd quit thinking about it.

KeePass
http://keepass.info/

Quote

What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

Is it really free?
Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.
Bruce Schneier, Crypto-Gram 1999/09/15

dweez · « **Reply #10 on:** April 16, 2014, 10:34:07 AM »

I'm all for OSS but I'm more for "best tool for the job" so if a close-source is better (either works better or better support available) I'll go with that. This will now be an example I use to shut up the "OSS IS BETTER CUZ YOU CAN LOOK THROUGH THE SOURCE AND FIX IT" fanboys.

smokester · « **Reply #11 on:** April 16, 2014, 01:30:04 PM »

I prefer hot sauce.

xtopave · « **Reply #12 on:** April 16, 2014, 05:15:13 PM »

Quote from: smokester on April 16, 2014, 01:30:04 PM

I prefer hot sauce.

My 1st thought when I saw the thread was the Birkin is a massive bag but I didn't dare make that comment.

smokester · « **Reply #13 on:** April 17, 2014, 05:01:06 AM »

Quote from: xtopave on April 16, 2014, 05:15:13 PM

My 1st thought when I saw the thread was the Birkin is a massive bag but I didn't dare make that comment.

Is there such a thing as a dainty Birkin?

smokester · « **Reply #14 on:** April 17, 2014, 10:23:47 AM »

Quote from: christ on April 17, 2014, 05:47:23 AM

Jane?

I'm actually more like Tarzan. Except for the parasol.

townie2 · « **Reply #15 on:** May 23, 2014, 05:52:24 PM »

now it's Ebay that has been compromised, their recommending users change their passwords http://www.thedailybeast.com/articles/2014/05/22/every-ebay-account-holder-worldwide-has-been-hacked-company-says.html

8ullfrog · « **Reply #16 on:** May 23, 2014, 06:55:24 PM »

They wouldn't let me close my paypal account because I didn't have it tied to a bank account.

Which was the entire bless'ed point.

When I used paypal for ebay purchases, I'd grab a visa gift card and use that for funds.

Kept the hand of paypal out of my bless'ed bank account.

mishca09 · « **Reply #17 on:** May 23, 2014, 07:18:49 PM »

I had to tie my banking account to my paypal account because I just recently sold something and they wouldn't release the funds otherwise.

townie2 · « **Reply #18 on:** May 24, 2014, 07:59:53 AM »

i just have my PP linked to my cc too, i don't trust them with my bank account info, then if there's a problem, they can battle it out with Visa.

smokester · « **Reply #19 on:** May 28, 2014, 04:18:52 AM »

If I had any money in my bank account, then I might have a problem with it being hacked. As it is they'd need to put money in to avoid a scolding.