Heartbleed Virus A Concern?

  • #39427
    Ray
    Participant
    #39452
    Charlie
    Keymaster

    It’s bad from what I hear because of how many servers are affected, but I don’t think there’s anything that individual users can do to protect themselves from this. I’ve heard to try not to change any passwords or login to sites for the next 24-48 hours unless you have to. That might be an overreaction, but it’s hard to tell at this point. I wouldn’t worry too much, if only because there isn’t anything that we can do at this point but wait for hundreds of thousands of web servers around the world to update their software and eliminate this bug.

    #39460
    Rick in China
    Participant

    It’s not a virus.. it’s a bug found in a very commonly used component to manage secure web traffic. Big difference 😀

    Concerned – yes, but, realistically, I don’t think many people are going to be directly affected by this, it’s more of a could affect anyone, won’t likely affect you type thing, like SARS!

    I agree with Charlie to some extent – there may be little value in changing passwords on services that haven’t been patched yet, but if by chance your login/pass has already been dumped out somewhere it’s there, and changing it now means you can potentially stop a threat from an older info dump, just you’d want to change it again once any service which hasn’t already been patched does patch.

    #39467
    Charlie
    Keymaster

    Came across this today: The Heartbleed Hit List

    #39468
    Rick in China
    Participant

    @Charlie
    Supposed to have a link?

    #39470
    Ray
    Participant

    No kidding, I was seriously using one password for like 8 sites. My technogeekbutmakesthebig$$$ brother slapped some sense into me quicksmart 🙂

    #39471
    Rick in China
    Participant

    Same password for 8 sites isn’t an issue.. necessarily.

    I classify my passwording into level of information provided. If I need to provide a lot of personal information, m’fer gets a unique strong password. If it’s, say, a forum where I have nothing necessarily other than a user name, doesn’t matter, can put it into the “common whatever” usage.

    Choosing a strong password doesn’t necessarily mean shit, either. The services you use may use encryption – but encryption gets cracked, and newer types of encryption need to be implemented on legacy data. Users generally expect this kind of thing to happen – or don’t realise it needs to – and there are many other problems with any data on any service beyond just strong encryption that we need to consider. Safety comes only from assuming everything will be decrypted and all data will be vulnerable so be cautious with the data entered everywhere, forgetting that sometimes we think we’re on an official site when it’s not (MITM). Bottom line is expect everything to be compromised~

    Most of the common password uniqueness and strength issues can be solved with quality password managers, but those also introduce other issues — SSOF or whatever, it’s all about being stingy like a m’fer about what you enter where 🙂

    #39472
    niklas
    Participant

    Concerned – yes, but, realistically, I don’t think many people are going to be directly affected by this, it’s more of a could affect anyone, won’t likely affect you type thing, like SARS!

    I’m not so sure. If there’s no cap on the heartbeat requests server-side then a single computer could be bombing out loads of these requests and snap up quite some information. And we’re not talking single computers being used for this, but huge botnets. I believe China have the biggest botnets by far as well.

    A couple days ago when Heartbleed was getting much attention in news both my weixin and QQ accounts were logged out due to “suspicious activity” and I had to have them verified.

    I’d say it’s pretty serious and now might be a good time to change passwords. Guess the waiting with changing passwords thing makes sense too, as many systems might still be vulnerable. To stay safe, changing now and then changing again after a while, once systems should have been upgraded and are no longer vulnerable, is a good idea.

    #39475
    Charlie
    Keymaster

    @Charlie
    Supposed to have a link?

    Yes, I’m an idiot, sorry. Here’s the link: The Heartbleed Hit List: Passwords You Need to Change Right Now

    I classify my passwording into level of information provided. If I need to provide a lot of personal information, m’fer gets a unique strong password. If it’s, say, a forum where I have nothing necessarily other than a user name, doesn’t matter, can put it into the “common whatever” usage.

    This is an interesting strategy. I haven’t heard of anyone doing this, but it makes sense. But for the sites where you provide a lot of personal information, how do you manage those passwords? I think a password manager is the only way to stay on top of multiple difficult-to-crack passwords.

    I use 1Password on Mac and iPhone and it is not cheap but it’s amazing. Once you get on a system like this you might as well just create insane passwords for everything (which I have been doing) since it’s the same amount of effort anyway. You aren’t remembering passwords and you aren’t manually inputting passwords (1Password has browser extensions and works through Alfred which I also use constantly).

    Looks like the NSA has known about Heartbleed for years. Those bastards.

    #39477
    Rick in China
    Participant

    1password seems like the best password manager option – it’s what my company suggests to use also, and they’ll pay for it for employees who choose to use it.. I’m very tempted, there are lots of benefits, but to answer your question:

    Sometimes, for example, I strap a bunch of combinations of characters and phrases together, sometimes situational – like if I see some rmb beside me on the counter I’m near I might do something like: rNIc$1&5/WwiBwT$1 — which I remember by “right now I see $1 and 5, what would I buy with that $1” – it’s not as strong as a 1Password generated key by any means, but I figure it’s strong *enough* for most cases. I can remember quite a few of these, I don’t know how many, maybe 12 to 15 of them kickin’ at a time..

    RE: NSA – why would they report something that gives them so much access to information, who cares about *public security* right 😛

    #39478
    niklas
    Participant
    #39479
    Charlie
    Keymaster

    1password seems like the best password manager option – it’s what my company suggests to use also, and they’ll pay for it for employees who choose to use it..

    Sounds like an amazing company you work at! I suggested 1Password to my company’s CEO after we had an employee’s password phished which led to a lot of problems and he scoffed incredulously at the price, hahah.

    #39480
    Rick in China
    Participant

    @Charlie
    RE: “and he scoffed incredulously at the price”

    That’s the type of attitude towards security that leads to massive theft and destruction, and crying CEOs jumping out of windows 😛

    #39481
    niklas
    Participant

    Came across this today: The Heartbleed Hit List

    Anyone know of a similar list but for Chinese websites?

    #39487
    Charlie
    Keymaster

    That’s the type of attitude towards security that leads to massive theft and destruction, and crying CEOs jumping out of windows

    ¯\_(ツ)_/¯

    Pretty sure you couldn’t jump out of a single window in entire Tianfu Software Park even if you wanted to! We’re too close to Foxconn to even consider allowing windows to fully open.

    #39519
    Ray
    Participant

    reddit is now recommending users change their passwords due to Heartbleed

    #39520
    Rick in China
    Participant

    Pah.

    I looked at the list of infected systems that recommend changing passwords. I think I had like, godaddy, and nothin’ else 😛

    #39521
    Ray
    Participant

    New password suggestion: mynewpassword.
    Security level: impenetrable 🙂
    @RickinChina: godaddy.com was not what I was expecting. Got excited for a minute there…

    #39522
    Rick in China
    Participant

    I was lazy and bought some cheap domain/whatever bits’n’pieces to squat on before. I’ve heard lots of godaddy hate for ages, but don’t really care, for the amount and lack of usage it is convenient and I don’t trust most smaller companies with my credit card details..not that I trust godaddy much more. So, yeah, that’s the only thing I think that affected me, although I’ll change the google pwds even if they say it’s not necessary.

    What affected you?
