Heartbleed Bug

Paul

Just a quickie to advise that we are NOT affected by this heartbleed bug issue that seems to be doing the rounds at the moment.

Just in case you haven't heard....

The Heart Bleed virus allows hackers to exploit a flaw in the OpenSSL encryption software used by a majority of major websites to steal data like credit card numbers, passwords, and other personal information. The first defence for Internet users, then, is to change your passwords to protect your information from being taken and abused.

However, if a major website is still vulnerable to the Heart Bleed bug, changing a password won't matter; the website would have to update their software first. To defend against this, an online tool called the Heartbleed test was created to test if a website has been compromised by the virus. Simply type the web address of the website into the box, and it will let you know whether it is safe. Sites like Facebook, Gmail, Amazon, Yahoo!, Twitter and others have already updated their software.

The Heart Bleed virus basically takes advantage of OpenSSL encryption software, which is standard for many websites and designated by the small padlock symbol. When messaging back and forth on a secure connection — think Facebook or Gmail messaging — sometimes a computer wants to check if the other computer is still available. They check by sending a small packet of data, called a "heartbeat," which is then confirmed. The flaw allows hackers to use a fake packet of data, which tricks the computer into responding with data stored in its memory.

Worse, this flaw is undetectable by current standards and has existed under the radar for about two years.

Personally I actually use a plugin for Chrome called "chromebleed" which will tell me if the site itself is not secure....

We're fine here as we don't use SSL :)

Paul
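
The heartbeat exchange described in the post above, as an added example that is not part of the original post or OpenSSL's own code: a responder following the RFC 6520 message layout (type, 2-byte payload_length, payload, at least 16 bytes of padding) that discards any request whose claimed payload does not fit in the bytes actually received. The function names, the sample messages and the zero-filled padding are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Bytes past the end of the received message that a responder would read
 * if it copied payload_length bytes without checking. 0 = claim is honest. */
size_t hb_overread(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    size_t present = msg_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Build the echo reply in out. Returns its length, or -1 when the request
 * must be silently discarded. */
long hb_respond(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t cap)
{
    if (msg_len < HB_HEADER + HB_MIN_PAD || msg[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The bounds check: the claimed payload must fit in what arrived. */
    if (HB_HEADER + claimed + HB_MIN_PAD > msg_len) return -1;
    size_t reply_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (reply_len > cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* real padding is random */
    return (long)reply_len;
}

int main(void)
{
    /* Constructed samples: honest 5-byte payload; 19-byte message claiming 16384. */
    uint8_t honest[HB_HEADER + 5 + HB_MIN_PAD] = {HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t lying[HB_HEADER + HB_MIN_PAD] = {HB_REQUEST, 0x40, 0x00};
    uint8_t out[64];
    printf("honest: reply %ld bytes\n", hb_respond(honest, sizeof honest, out, sizeof out));
    printf("lying:  reply %ld, unchecked over-read %zu bytes\n",
           hb_respond(lying, sizeof lying, out, sizeof out), hb_overread(lying, sizeof lying));
    return 0;
}
```

The second sample is the "fake packet" case: without the length comparison, the reply would be filled from whatever sits in memory after the 19 bytes that actually arrived.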
As someone with some background in this stuff, I recommend you:
  • Consider where you use your cards online for now
  • Banks should have secondary authentication such as a random number generator
  • Look to enable secondary authentication as above on any place that offers it. (PayPal can text you a one-time code to add security to your login, for instance)
  • Consider if you really need to use a sensitive site
  • Change your passwords in a few weeks when things calm down
If you change your password now, it could well be in the memory this hack exposes unless the site is fixed.
This site doesn't use SSL so the passwords are sent in the clear, over your local network, the internet and then where the servers reside. Whilst it would take someone to have access in those networks, that is a huge amount of potential people who are already reading your password. Hence why we recommend separate passwords for every site, which is a massive pain. I suggest coming up with a system for each site: use a standard password with numbers and letters, then add on some elements for each site. Plus use a password that is a sentence, that will make it longer but easier to remember. "Pinball_rocks_but_costs_so_much2014" is going to take someone ages to break.
 
  • Change your passwords in a few weeks when things calm down

This, I believe, is the way forward.... if you visit a site that hasn't had the bug patched, and change your password, then they will also have your new password too...