Posted on 04/10/2014 2:48:27 PM PDT by Berlin_Freeper
Computers vulnerable to the Heartbleed bug are actively being targeted online, say security experts.
However, it is not yet clear whether the scanning efforts are benign or are the work of cyber-thieves keen to steal data, they say.
The news comes as some security professionals and developers advised people to change all their passwords.
(Excerpt) Read more at bbc.com ...
Am I affected by the bug?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.
Check out your bank etc. here to see if it can be hacked: http://lastpass.com/heartbleed/
The Chrome store has an extension (chromebleed) which can tell if a site is vulnerable, and there are lists now.
Bookmarked...
Bookmark.
Ping!
I do hope our host will add to this thread. Not a good thing to hear with an ongoing freepathon fundraiser in progress.
This is a great graphic. I wish I could’ve simplified this much with my management team. They just gave the order to “fix it.”
Bump for later.
Thanks.
Oh, great. Facebook is vulnerable.
I guess I'm a dunce on this -- I don't understand the graphic at all.
http://money.cnn.com/2014/04/10/technology/security/heartbleed-passwords/index.html?hpt=hp_t3
From the above link:
Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.
As sites fix the bug on their end, it’s time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private — email, banking, shopping, and passwords.
Don’t change all your passwords yet, though. If a company hasn’t yet updated its site, you still can’t connect safely. A new password would be compromised too.
Thanks. I took care of my YT, Google, GMail and Yahoo, on the “now” list; the others on that one list I don’t bother with. For the “don’t bother” list, I’ll probably change those too, this weekend, just to be sure.
A program makes a query over an SSL link. That query is answered securely by the server on the other side. On a properly-configured SSL tunnel, the responder would answer the query explicitly.
With heartbleed, a query could be issued and request the response to be a certain length. The response could be longer than the explicit data point in, say, a database, and the data that would be gained would be data the requester is not privy to.
In this case, a private key could be decoded by constantly requesting secure traffic respond with more information than what is found in the public key. Since the only data outside of the public key is the private key or a symmetric hash, they could eventually decode the entire private key, thus making a man-in-the-middle attack easy to pull off. The attack poses as a secure server, steals the data it wants, and the customer is none the wiser.
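Added example (not part of any post above, and not OpenSSL's code): a minimal C model of the heartbeat length check this thread is about, with a handler that trusts the claimed payload length beside one that checks it against the bytes actually received. The function names, the flat `mem` buffer and the sample data are constructed for illustration; the 3-byte header and 16-byte minimum padding follow RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding required by RFC 6520 */

/* Claimed payload length: big-endian value in bytes 1..2 of the record. */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Pre-fix logic: echo as many bytes as the peer claims it sent. The copy is
 * clamped to mem_len only so this demo stays inside its own buffer; out must
 * hold at least mem_len bytes. */
size_t hb_echo_unchecked(const uint8_t *mem, size_t mem_len, uint8_t *out) {
    size_t n = hb_claimed_len(mem);
    if (n > mem_len - HB_HEADER) n = mem_len - HB_HEADER;
    memcpy(out, mem + HB_HEADER, n);
    return n;
}

/* Fixed logic: the claimed length must fit in the bytes actually received
 * (record_len); otherwise discard silently and echo nothing. */
size_t hb_echo_checked(const uint8_t *mem, size_t record_len, uint8_t *out) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;
    size_t n = hb_claimed_len(mem);
    if (HB_HEADER + n + HB_PADDING > record_len) return 0;
    memcpy(out, mem + HB_HEADER, n);
    return n;
}

/* Constructed sample: 22-byte record (type 1, payload "hat", 16 bytes of
 * padding) followed by unrelated adjacent data. Needs mem_len >= 35. */
size_t hb_build_sample(uint8_t *mem, size_t mem_len, uint16_t claimed) {
    memset(mem, 0, mem_len);
    mem[0] = 1;                          /* heartbeat request */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "hat", 3);
    memcpy(mem + 22, "ADJACENT-DATA", 13);
    return 22;                           /* bytes actually received */
}

int main(void) {
    uint8_t mem[64], out[64];
    size_t len = hb_build_sample(mem, sizeof mem, 40);  /* claims 40, sent 3 */
    printf("unchecked echoes %zu bytes, checked echoes %zu\n",
           hb_echo_unchecked(mem, sizeof mem, out), hb_echo_checked(mem, len, out));
    return 0;
}
```

With an honest length field both handlers echo the same three bytes; only a claimed length larger than what was sent separates them.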