Heartbleed and the Heartland Owners Forum

linuxkidd

Member
This post relates to a vulnerability in an open-source software package used to provide secure web-site serving (https) among other server communication products, commonly referred to as 'heartbleed'.

We are pleased to announce that while we do use Apache and OpenSSL for encrypting all payment transactions for the Heartland Owners Club, the version of OpenSSL that we employ has never been vulnerable to the Heartbleed attack.

The quick synopsis of the issue:
* Sites using vulnerable versions of OpenSSL (provides https capability to open-source web servers) are susceptible to having a chunk of server memory returned with specially crafted requests.
* The chunk of server memory (64kb in size) could be *anything* that was in memory, to include user credentials, server's private SSL certificates, encryption keys, etc...
* MANY sites (approximately 17.2% of all Apache/Nginx based sites) are, or were, vulnerable.
* This hole was present in OpenSSL packages available for the past 2 years.
* Server admins have been scrambling to update their servers since the announcement of this issue just a few days ago.

More details about the Heartbleed vulnerability can be found at http://heartbleed.com.

Thanks!
LK
Technical Moderator
 
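The memory-return behaviour the synopsis above describes, as an added C example that is not from the original post or from OpenSSL itself: a cut-down heartbeat handler written in the style of the bug, beside the bounds check that the fixed release added. The "server memory", the `user=alice&password=hunter2` credential and the 4-byte-sent / 64-byte-claimed request are constructed for the demo; the array is sized so that even the over-read stays inside it, so the demo itself never reads out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
 * The sender states payload_length itself; the record layer separately knows
 * how many bytes actually arrived. Heartbleed is the gap between the two. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed stand-in for a chunk of server memory. The received heartbeat
 * record is placed at the front; a fake credential (assumed data, not a real
 * secret) is placed right after it, where an unrelated buffer could sit in a
 * real process. Sized so any 16-bit claimed length stays inside the array,
 * so this demo itself never reads out of bounds. */
#define MEM_SIZE (3 + 65535 + HB_PADDING + 64)
static uint8_t g_memory[MEM_SIZE];
static uint8_t g_response[MEM_SIZE];
static const char g_secret[] = "user=alice&password=hunter2";

/* Write a heartbeat request into g_memory with `real_len` payload bytes but a
 * header claiming `claimed_len`. Returns the record length the TLS record
 * layer would report (header + real payload + padding). */
static size_t build_request(uint16_t claimed_len, size_t real_len) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (uint8_t)(claimed_len >> 8);
    g_memory[2] = (uint8_t)(claimed_len & 0xff);
    memset(g_memory + 3, 'A', real_len);
    size_t rec_len = 3 + real_len + HB_PADDING;
    memcpy(g_memory + rec_len, g_secret, sizeof g_secret);
    return rec_len;
}

/* Vulnerable handler, modelled on tls1_process_heartbeat() in OpenSSL 1.0.1
 * before 1.0.1g. It trusts payload_length from the message and never compares
 * it with rec_len, so memcpy reads past the end of what the client sent.
 * Returns the number of response bytes produced. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                                  /* never consulted: the bug */
    uint8_t type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);             /* over-read when payload > real */
    memset(out + 3 + payload, 0, HB_PADDING);      /* real code uses random padding */
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the checks added in OpenSSL 1.0.1g. A message whose claimed
 * payload does not fit inside the record is silently dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;    /* too short to carry padding */
    uint8_t type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* the Heartbleed check */
    if (type != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);             /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the response contain the fake credential? (a tiny memmem) */
static int response_leaks_secret(const uint8_t *buf, size_t n) {
    size_t slen = strlen(g_secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, g_secret, slen) == 0) return 1;
    return 0;
}

/* Scenario: client sends 4 payload bytes but claims 64. */
int demo_vulnerable_leaks(void) {
    size_t rec_len = build_request(64, 4);
    size_t n = heartbeat_vulnerable(g_memory, rec_len, g_response);
    return n == 3 + 64 + HB_PADDING && response_leaks_secret(g_response, n);
}

int demo_fixed_drops(void) {
    size_t rec_len = build_request(64, 4);
    return heartbeat_fixed(g_memory, rec_len, g_response) == 0;
}

/* An honest request (claimed == real) still gets a normal reply from the fixed code. */
int demo_fixed_honest_ok(void) {
    size_t rec_len = build_request(4, 4);
    size_t n = heartbeat_fixed(g_memory, rec_len, g_response);
    return n == 3 + 4 + HB_PADDING && !response_leaks_secret(g_response, n);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler drops probe:       %d\n", demo_fixed_drops());
    printf("fixed handler answers honest:    %d\n", demo_fixed_honest_ok());
    return 0;
}
```

Two things worth noticing: the vulnerable path never looks at `rec_len` at all, so the one-line comparison in the fixed version is the whole fix; and because the reply is built from whatever happens to follow the request in memory, the attacker gets a slice of memory they did not choose, which is exactly why the leak is described as a crap shoot rather than a targeted read.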

porthole

Retired
Michael, the link you provided is way over my head.

The simple answer: do I need to change passwords on every https site that I visit with some form of username and password?
Or are the people behind the URLs making the changes as needed?

TandT

Founding Utah Chapter Leaders-Retired
Michael,
Thanks for the info, but I agree with Duane. Is there an interpreter in the house? :confused:

Seriously, for most of us what is the bottom line here? Thanks, Trace

lindaw

Florida Chapter Leader - Retired
According to what I read this AM if you use yahoo, gmail, google or Facebook you need to change your passwords.
LindaW

SeattleLion

Well-known member
Just to offer a little clarification. The potential problem is with a program called OpenSSL. This program handles encryption for pretty much everything on the Internet. The vulnerability appeared with version 1.0. Prior versions did not have this vulnerability. Many of us who run servers do not frequently update OpenSSL. We don't because it is very mature technology. Larger users of this program do routinely update. These are sites like Google, Yahoo, etc. So if this forum is like most of us smaller users, they never updated to the vulnerable versions. FYI, the current release of this product has fixed the issue.

The other thing to be aware of is that while it is possible to extract this data with the vulnerability, and that extraction is invisible and untraceable, there is no evidence that anyone has actually exploited this vulnerability. If it has been exploited, the odds are extremely low that small sites like ours would be worth exploiting. It's a matter of risk analysis. I am not particularly worried about this site. There aren't enough transactions to interest a bad guy.

danemayer

Well-known member
The article I read suggested that if attacked and data compromised, there will be no evidence of an attack. It also said that there's no point in changing passwords until after you are notified by the website. If you change before they update their SSL software, your new password could be compromised.

linuxkidd

Member
Just did a little search. This seems to explain the problem, (LINK). Trace

The video in your link does a fairly good job of explaining the situation. There are, however, a few technical inaccuracies (as there usually are with mass media):

1: The hacker using this exploit doesn't get to pick what data the server reveals. It's a crap shoot: they get 64kb of data and have to sift through it to see if they got any goodies (à la Cracker Jack box).
2: Most sites are configured with 'perfect forward secrecy', especially in the days since the revelations about the NSA's mass surveillance. This means that even if they got the certificates used to encrypt the site's traffic, they can't decrypt anything they may have captured from the past. (Not all sites have done this, but most have.)
3: Since the data revealed is random, and there's nothing logged when the exploit is used, no one really knows what all actually got out. It could have been:
- User credentials (usernames, passwords)
- Credit card details from online shopping sites
- Your emails
- etc...
4: SeattleLion is correct that there's no evidence that the exploit has been used in the wild for any of the past 2 years, but since it doesn't generate any logs, it's tough to know for certain.
5: Researchers have created 'honey-pot' servers: servers that have this exploit open, and special software to monitor for attempts to use the exploit.
- This will allow them to monitor for would-be hackers trying to use the hole to gain data. This is really just to help know if the issue is being used in the wild.

The Washington Post has a decent article with links to site lists.

NOTE: There are links to a testing service 'http://filippo.io/Heartbleed/'. This site has not been engineered to handle the attention it's gotten about this attack, and because of the overloading that's occurred, it is giving out both false positive and false negative results. There are other means of testing (via command line tools, etc.) that are more accurate, but also more technical.


### Bottom Line for non-technical people ###
* Sites that were vulnerable *could* have lost control of your user credentials along with lots of other stuff.
* There are lists online of major sites that were vulnerable. Check these lists for a web-site's status, and if it was vulnerable and has been fixed, it's a good idea to change your password.


Am I, personally, changing my passwords? Only on sites that manage my money: banks, PayPal, etc.
 
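The honey-pot idea in item 5 of the post above (and the point in items 3 and 4 that a normal server logs nothing when the hole is used), as an added C example rather than code from the post or from any research project: the OpenSSL 1.0.1g bounds check applied to raw TLS records as a detector, so the probe is spotted on the wire instead of being answered. The four sample records are constructed for the example, not captured traffic. Caveat: this only sees heartbeats sent in the clear, which is how the public probes worked (sent before the handshake finished); once a session is encrypted the same check has to live inside the TLS stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record header: content_type (1) | version (2) | length (2), followed by
 * the record body. A heartbeat body is type (1) | payload_length (2) | payload | padding. */
#define TLS_CT_HEARTBEAT 0x18
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

enum { REC_OTHER = 0, REC_HB_OK = 1, REC_HB_PROBE = 2, REC_MALFORMED = -1 };

/* Classify one plaintext TLS record. This is the OpenSSL 1.0.1g bounds check
 * (1 + 2 + payload_length + 16 must fit in the record) applied on the wire
 * instead of in the server: a heartbeat that fails it is a Heartbleed probe,
 * whatever the rest of the bytes look like. */
int classify_record(const uint8_t *buf, size_t len) {
    if (len < 5) return REC_MALFORMED;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (buf[0] != TLS_CT_HEARTBEAT) return REC_OTHER;
    if (len < 5 + rec_len) return REC_MALFORMED;        /* body not all present */
    if (rec_len < 3) return REC_MALFORMED;              /* no room for type + length */
    const uint8_t *hb = buf + 5;
    if (hb[0] != HB_REQUEST && hb[0] != HB_RESPONSE) return REC_MALFORMED;
    size_t claimed = ((size_t)hb[1] << 8) | hb[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return REC_HB_PROBE;
    return REC_HB_OK;
}

/* Constructed samples (not captured traffic). */
/* The probe: a 3-byte heartbeat record claiming a 16384-byte payload. */
static const uint8_t SAMPLE_PROBE[] = { 0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00 };
/* An honest heartbeat: 4 payload bytes, 16 padding bytes, record length 0x17 = 23. */
static const uint8_t SAMPLE_OK[] = {
    0x18, 0x03, 0x02, 0x00, 0x17,
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* The first bytes of a ClientHello: a handshake record, not a heartbeat. */
static const uint8_t SAMPLE_HELLO[] = { 0x16, 0x03, 0x01, 0x00, 0x02, 0x01, 0x00 };
/* A heartbeat record cut off mid-way (e.g. split across TCP segments). */
static const uint8_t SAMPLE_TRUNC[] = { 0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00 };

/* Run the classifier over the samples; returns how many probes it flagged. */
int count_probes(void) {
    const uint8_t *bufs[] = { SAMPLE_PROBE, SAMPLE_OK, SAMPLE_HELLO, SAMPLE_TRUNC };
    size_t lens[] = { sizeof SAMPLE_PROBE, sizeof SAMPLE_OK,
                      sizeof SAMPLE_HELLO, sizeof SAMPLE_TRUNC };
    int probes = 0;
    for (size_t i = 0; i < 4; i++) {
        int verdict = classify_record(bufs[i], lens[i]);
        printf("sample %zu: verdict %d\n", i, verdict);
        if (verdict == REC_HB_PROBE) probes++;
    }
    return probes;
}

int main(void) {
    printf("probes flagged: %d\n", count_probes());
    return 0;
}
```

The truncated sample matters in practice: a sensor that reads records straight off a TCP stream must reassemble the full record before judging it, otherwise a legitimate heartbeat split across two segments looks like a short record with a large claimed length and produces a false positive.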

SeattleLion

Well-known member
The article I read suggested that there if attacked and data compromised, there will be no evidence of an attack. It also said that there's no point in changing passwords until after notified by the website. If you change before they update their SSL software, your new password could be compromised.

This is all correct. The vulnerability is untraceable. Usually, there is some evidence that an intrusion occurred. Not this time. In fact, no one knows if this vulnerability has ever been exploited. There is no point in changing anything until the site owner updates his OpenSSL to version 1.0.1g.

linuxkidd

Member
If you'd like to test a site that's not listed anywhere, or hasn't posted their own status update..

Please use this tool:
https://www.ssllabs.com/ssltest/index.html

It does a lot more than this one test, but as soon as the test concludes, there will be a section of banners just below the main 'grade' box (A, B, C, etc.). In that list of banners, it'll say something like

"This server is not vulnerable to the Heartbleed attack. (Experimental)"

If it says otherwise, there's no need to change your password yet, and honestly, I wouldn't use the site until it's fixed.

linuxkidd

Member
Just found out that if you use LastPass, it can help you know when and where to change your credentials! Very cool!

See THIS LINK for more details!

By the way, if you're online and don't use LastPass to generate random passwords and manage said passwords, you're REALLY missing out! It's a great, 100% secure, cross-system (even mobile) password management tool. It's free to use on desktops, and only $12/year (yes, $1 per month, paid yearly) to have on Android and iOS devices. The Android version now has the ability to fill in passwords across practically every app/web-site you use on your Android device!

LK

linuxkidd

Member
Just found this from XKCD (a popular geek comic site):
Heartbleed Explained <- Very good for understanding the issue.. and pretty darn accurate.

Doesn't change the recommendations above, but gives a bit of clarity.
LK

jbeletti

Well-known member
Just found out that if you use LastPass, it can help you know when and where to change your credentials! Very cool! See THIS LINK for more details!...

Ran their Security Check. Really eye opening! Been changing the passwords they suggest for sites that may have been vulnerable to this exploit. Using LastPass's random password generator for all sites now. Just downloaded the Android version of LastPass as I would never remember any of these passwords and it's time to stop keeping them all written down :)