Dangerous new Security Threat: Heartbleed

garylkoh

WBF Technical Expert (Speakers & Audio Equipment)
Sep 6, 2010
5,599
225
1,190
Seattle, WA
www.genesisloudspeakers.com
A security breach in OpenSSL has been found by Codenomicon that affects all of us. It is a vulnerability in the SSL protocol that allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

What this means is that https: is no longer secure.

This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.

The bug is being nicknamed Heartbleed - time to change ALL your passwords. But make sure that the site you are using has already deployed Fixed OpenSSL - otherwise, when you change your password, you are just giving your password up for capture.

More info here: http://heartbleed.com/
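To make concrete why "reading the memory of the systems" was possible, here is an added Python simulation (not from the post above and not OpenSSL's own code) of how a heartbeat record was handled before and after the fix; the secret bytes and the in-memory layout are constructed for the example.

```python
# Simulated TLS heartbeat handling illustrating the Heartbleed defect: the
# responder copied as many payload bytes as the sender CLAIMED, without checking
# that claim against the size of the record actually received.
# All constants and the fake "process memory" below are constructed for this example.
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # a TLS heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for what happened to sit next to the record in a
# vulnerable server's heap: data that should never leave the process.
SECRET_NEIGHBOUR = b"user=alice&pass=hunter2;-----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat record: type(1) | payload_length(2) | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust the length field and copy whatever follows the record."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    # Reads past the record when claimed length > actual length; a real memcpy keeps
    # going into neighbouring heap data, here the slice simply stops at the end of
    # our simulated memory.
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: reject a claimed length that does not fit in the record."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # silently discard the malformed request
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def leaked_bytes(response: Optional[bytes], honest_payload: bytes) -> bytes:
    """Everything in the response payload beyond what the requester actually sent."""
    if response is None:
        return b""
    _hb_type, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n][len(honest_payload):]


def simulate(honest_payload: bytes, claimed_len: int):
    """Run one request against both handlers; returns (leaked_from_vulnerable, fixed_response)."""
    record = build_heartbeat(honest_payload, claimed_len)
    memory = record + SECRET_NEIGHBOUR  # constructed heap: record, then secrets
    vuln = respond_vulnerable(memory, len(record))
    return leaked_bytes(vuln, honest_payload), respond_fixed(memory, len(record))
```

Calling `simulate(b"hello", 200)` shows the pre-fix handler returning the neighbouring secret bytes while the fixed handler drops the request, and an honest `simulate(b"hello", 5)` leaks nothing under either handler.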
 


mep

Member Sponsor & WBF Founding Member
Apr 20, 2010
How would we possibly know if all of the sites we visit have fixed this problem by deploying Fixed OpenSSL? Ebay? Audiogon? Your bank? Amazon? The list goes on and on.
 


ack

VIP/Donor & WBF Founding Member
May 6, 2010
Boston, MA
The direct link to the app is https://chrome.google.com/webstore/search/chromebleed

None of the major banking, credit card and travel sites I checked are vulnerable; some also block the heartbeat (in fact, many always did). Chalk another one for a bright Google engineer for discovering this.
 

garylkoh

WBF Technical Expert (Speakers & Audio Equipment)
Well if you all used a Mac there is no problem whatsoever ;)......

http://www.macrumors.com/2014/04/10/apple-heartbleed/

Not totally true - the iOS and OSX software does not incorporate OpenSSL 1.01, and so are not vulnerable. However, if you installed a browser that used OpenSSL 1.01, you would be vulnerable.

Also, Apple dodged the bullet by being late to the party. iOS incorporates an older version of OpenSSL that was not affected by Heartbleed.
 

Steve Williams

Site Founder, Site Owner, Administrator
Not totally true - the iOS and OSX software does not incorporate OpenSSL 1.01, and so are not vulnerable. However, if you installed a browser that used OpenSSL 1.01, you would be vulnerable.

Also, Apple dodged the bullet by being late to the party. iOS incorporates an older version of OpenSSL that was not affected by Heartbleed.

then it's good to be late to the party :)
 

rbbert

Well-Known Member
Dec 12, 2010
Reno, NV
So every single site I use where money is involved apparently doesn't use OpenSSL, and I've gathered that is true generally. Is this really a threat?
 

edorr

WBF Founding Member
May 10, 2010
Smyrna, GA
So every single site I use where money is involved apparently doesn't use OpenSSL, and I've gathered that is true generally. Is this really a threat?

Only if you're dumb enough to use the same password at Bank of America as on your Yahoo account.
 

rbbert

Well-Known Member
Dec 12, 2010
Reno, NV
BTW, when is this site getting a fix?
 

Steve Williams

Site Founder, Site Owner, Administrator
Millions of Android Phones Could Be Affected by the Heartbleed Bug. Check to See if Yours Is One of Them

Alyssa Bereznak
Tech Columnist
Yahoo

Disturbing news: The now-infamous Heartbleed security flaw might reach further than your favorite websites. It could affect your mobile device, too.

According to an announcement by Google, smartphones and tablets running a specific version of Android were affected by the widespread web security bug, which could potentially spill your sensitive login information (like passwords).

The company assured Android owners in a blog post April 9 that most versions are not affected by the flaw. However, as Bloomberg notes, Google added that a version called 4.1.1 Jelly Bean is a “limited exception.”

That version of Android was released in 2012 and is likely to be running on older Android smartphones. According to the most recent statistics released by Google, about 34 percent of Android devices use a version of the 4.1 Jelly Bean software. Though the company said that fewer than 10 percent of devices in use are vulnerable, a Google spokesperson confirmed to Bloomberg that millions of devices still run 4.1.1 Jelly Bean.

So how can you check to see if your device is affected? You’ll need to go to the Settings menu of your phone and find your way to the About Phone section. There you’ll be able to learn what version of Android you’re running and see if any updates are available.

There’s also a free Android app available that will tell you if your device is vulnerable to the bug.

Whether there is an immediate update to patch this bug is still unclear. Google’s blog post says that “patching information for Android 4.1.1 is being distributed to Android partners.” A Verizon spokesperson told Bloomberg that the company was aware of the “security vulnerability referred to as ‘Heartbleed,’ ” and that the company was “working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1.”

We’ve reached out to Google for comment. In the meantime, fingers crossed that you’re not affected.

If you need to catch up on which sites are affected by the Heartbleed bug, check out my comprehensive list here.

https://www.yahoo.com/tech/the-heartbleed-aftermath-drags-on-what-passwords-you-82296501283.html
 

Steve Williams

Site Founder, Site Owner, Administrator
Canadian charged in 'Heartbleed' attack on tax agency

Reuters

OTTAWA, April 16 (Reuters) - Canadian police have arrested a 19-year-old man and charged him in connection with exploiting the "Heartbleed" bug to steal taxpayer data from a government website, the Royal Canadian Mounted Police (RCMP) said on Wednesday.

In what appeared to be the first report of an attack using a flaw in software known as OpenSSL, the Canada Revenue Agency (CRA) said this week that about 900 social insurance numbers and possibly other data had been compromised as a result of an attack on its site.

The suspect, Stephen Solis-Reyes, was arrested at his home in London, Ontario on Wednesday and faces criminal charges of unauthorized use of computer and mischief in relation to data.

"It is believed that Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP said in a statement.

Police seized Solis-Reyes' computer equipment and scheduled his court appearance for July 17, 2014.

Internet companies, technology providers, businesses and government agencies have been scrambling to figure out whether their systems are vulnerable to attack since the flaw was disclosed a week ago.

Security experts have warned that more attacks will follow.
 
