Date: 10/04/2014 09:14:55
From: rumpole
ID: 516480
Subject: Heartbleed, should we be worried ?

Heartbleed bug found in OpenSSL software prompts tech companies to urge passwords reset

People are being urged to change their passwords after the discovery of a major new online bug.
Several technology companies are urging people to change all of their passwords after the discovery of a major security flaw.

Computer security specialists say a bug dubbed Heartbleed has been discovered in online data-scrambling software and hackers can use it to their advantage.

The Yahoo blogging platform, Tumblr, has advised the public to “change passwords everywhere – especially on high-security services like email, file storage and banking”.

Cyber-defence specialists at Fox-IT say the bug found in OpenSSL encryption software lets attackers illicitly retrieve passwords and other information from working memory on computer servers.

OpenSSL is used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

“There is no limit on the number of attacks that can be performed,” Fox-IT said in a blog post that listed steps business IT handlers can take to thwart incursions.

Information considered at risk includes source codes, credit card numbers, passwords and “keys” that could be used to impersonate websites or unlock encrypted data.

“These are the crown jewels, the encryption keys themselves,” said a heartbleed.com website devoted to details of the vulnerability.

“Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”

http://www.abc.net.au/news/2014-04-10/heartbleed-bug-password-reset-data-openssl/5379604

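The "retrieve passwords and other information from working memory" part of the article comes down to one missing length check. A TLS heartbeat record is a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding; the unpatched OpenSSL handler trusted the length field and copied that many bytes from the payload pointer into its reply, reading past the record into whatever else sat in the server's memory. The patch discards any record whose claimed length does not fit inside the record actually received. The following is an added example that simulates that behaviour and is not code from the article, the forum posters, or OpenSSL; the "leftover" buffer contents and the `process_heartbeat`/`build_heartbeat` names are constructed for this demo.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # a heartbeat record ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding.

    claimed_len lets the sender lie about the payload length, which is the attack:
    a 4-byte payload with a claimed length of 64 asks the server for 60 extra bytes.
    """
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def process_heartbeat(memory: bytes, record_len: int, patched: bool) -> Optional[bytes]:
    """Handle the heartbeat record that occupies memory[0:record_len].

    `memory` stands in for the server's read buffer: the record, followed by
    whatever bytes happen to be adjacent on the heap. Returns the response
    record, or None when the request is discarded.
    """
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if patched:
        # The fix: the record must be big enough for header plus padding, and the
        # claimed payload length must fit inside the record that was received.
        if 1 + 2 + PADDING > record_len:
            return None
        if 1 + 2 + payload_len + PADDING > record_len:
            return None
    # The unpatched code trusts payload_len and copies that many bytes starting at
    # the payload, so a lying client gets bytes from beyond the end of its record.
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Strip header and padding from a response to recover the echoed bytes."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


# Constructed sample (not real captured data): a 4-byte payload with a claimed
# length of 64, sitting in front of leftover data from an earlier request.
LEFTOVER = b"POST /login user=alice&password=hunter2 Cookie: sid=7f3a"
REQUEST = build_heartbeat(b"ping", claimed_len=64)
MEMORY = REQUEST + LEFTOVER


def demo():
    """Run the same lying request through the vulnerable and the patched handler."""
    leaked = response_payload(process_heartbeat(MEMORY, len(REQUEST), patched=False))
    dropped = process_heartbeat(MEMORY, len(REQUEST), patched=True)
    return leaked, dropped


if __name__ == "__main__":
    leaked, dropped = demo()
    print("unpatched reply:", leaked)
    print("patched reply:", dropped)
```

The unpatched reply starts with the legitimate `ping` and then carries the adjacent memory, credentials included, which is why "there is no limit on the number of attacks": each request is a valid-looking heartbeat that leaves nothing in the application logs. The patched handler returns nothing at all for the same request.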

Date: 10/04/2014 09:23:02
From: The Rev Dodgson
ID: 516481
Subject: re: Heartbleed, should we be worried ?

rumpole said:


- especially on high-security services like email, file storage and banking”.

I’m certainly not going to worry about having my e-mail hacked.

Banks are another matter. I’ll wait and see for now.


Date: 10/04/2014 12:22:24
From: Dropbear
ID: 516505
Subject: re: Heartbleed, should we be worried ?

It has the potential to be a very serious issue …

Yahoo is getting lots of bad press about this, but it extends a lot further than that…. as a minimum, if you have a yahoo account, change its password immediately.. if you use that same password on any other site, then also change that…


Date: 10/04/2014 12:29:26
From: Dropbear
ID: 516508
Subject: re: Heartbleed, should we be worried ?

I’d also recommend using something like lastpass or other reputable online password tracker, and then use lengthy random character generated passwords (different) for each important site …


Date: 10/04/2014 12:39:46
From: Dropbear
ID: 516514
Subject: re: Heartbleed, should we be worried ?

The Rev Dodgson said:


rumpole said:

- especially on high-security services like email, file storage and banking”.

I’m certainly not going to worry about having my e-mail hacked.

Banks are another matter. I’ll wait and see for now.

This particular bug is nasty as it may have exposed private keys, which would allow a nefarious person to decrypt FUTURE traffic (even after the exploit has been fixed), as well as impersonate trusted certified sites such as banks etc.

A proper clean up from this fk up would involve blacklisting any trusted certificate which has been issued to a site which used the OpenSSL libraries, but this won’t ever be done unfortunately.. it’s just too hard.. So going forward we may well have phishing sites that can properly impersonate https sites pretty much forever ;(


Date: 10/04/2014 14:20:47
From: Dropbear
ID: 516548
Subject: re: Heartbleed, should we be worried ?

I’ve done some more reading.

There is no direct evidence this vulnerability has been used in the wild
But

It has been around for a couple of years now, and use would most probably leave no trace.

It’s also important that changing your password will only be effective on sites that have fixed the vulnerability..


Date: 10/04/2014 16:20:12
From: Peak Warming Man
ID: 516559
Subject: re: Heartbleed, should we be worried ?

So if you’ve got no Yahoo accounts you’re home free, yeah.


Date: 10/04/2014 16:25:49
From: Divine Angel
ID: 516560
Subject: re: Heartbleed, should we be worried ?

Dropbear said:


I’d also recommend using something like lastpass or other reputable online password tracker, and then use lengthy random character generated passwords (different) for each important site …

What’s the best way to keep track of these lengthy random passwords so we know which password is assigned to which website?


Date: 10/04/2014 16:33:16
From: poikilotherm
ID: 516562
Subject: re: Heartbleed, should we be worried ?

Divine Angel said:


Dropbear said:

I’d also recommend using something like lastpass or other reputable online password tracker, and then use lengthy random character generated passwords (different) for each important site …

What’s the best way to keep track of these lengthy random passwords so we know which password is assigned to which website?

With Lastpass or similar.


Date: 10/04/2014 16:38:01
From: Divine Angel
ID: 516566
Subject: re: Heartbleed, should we be worried ?

Riiiiiight, I understand how it works now. I was thinking of stupid sites that generate a password but keep no record of it so you have to do all the recording. Those kinds of sites were popular ~10 years ago.


Date: 10/04/2014 16:55:19
From: Michael V
ID: 516567
Subject: re: Heartbleed, should we be worried ?

Divine Angel said:


Riiiiiight, I understand how it works now. I was thinking of stupid sites that generate a password but keep no record of it so you have to do all the recording. Those kinds of sites were popular ~10 years ago.

I don’t understand.


Date: 10/04/2014 18:06:05
From: Dropbear
ID: 516614
Subject: re: Heartbleed, should we be worried ?

Divine Angel said:


Dropbear said:

I’d also recommend using something like lastpass or other reputable online password tracker, and then use lengthy random character generated passwords (different) for each important site …

What’s the best way to keep track of these lengthy random passwords so we know which password is assigned to which website?

You just quoted the very answer..

Use lastpass or 1password


Date: 10/04/2014 18:22:59
From: PM 2Ring
ID: 516631
Subject: re: Heartbleed, should we be worried ?

Divine Angel said:


What’s the best way to keep track of these lengthy random passwords so we know which password is assigned to which website?

Here’s a password generator written in JavaScript by Xanthir, a Google programmer who hangs out on xkcd.
(FWIW, Xanthir works on the Chrome browser, he also contributes to the CSS3 Web styling standard.)

http://www.xanthir.com/password/

Hopefully, that page is self-explanatory, but just in case…

Just paste the website URL into the Site Tag box, your master password into the Master Key box, then press the Long button to generate a nice long random password. If the site (foolishly) requires a short password of no more than 8 characters, you can press the Short button instead.

If the site has special requirements for the passwords it accepts, then select them from the options in the lower section of the page and click Generate Custom.

Note that you don’t have to put the URL into the Site Tag box: any unique string that identifies the website for you can be used, but I reckon using the URL is the simplest option.


The password generator does NOT store any of the information you type in: it re-generates the password(s) each time you use it. It’s a self-contained JavaScript program, so it actually does all the calculations locally inside your browser – no sensitive info is being sent to his website. And if you don’t want to run it off his website you can save the JavaScript file and run it from your hard drive, a USB stick, etc.


Date: 10/04/2014 18:24:19
From: Divine Angel
ID: 516634
Subject: re: Heartbleed, should we be worried ?

Ta. I’ll play around at my earliest convenience.


Date: 10/04/2014 18:27:39
From: Dropbear
ID: 516635
Subject: re: Heartbleed, should we be worried ?

Generated strong passwords are rather pointless unless you protect them properly..


Date: 11/04/2014 10:55:54
From: PM 2Ring
ID: 516818
Subject: re: Heartbleed, should we be worried ?

Dropbear said:

It’s also important that changing your password will only be effective on sites that have fixed the vulnerability.

Indeed!

Dropbear said:


Generated strong passwords are rather pointless unless you protect them properly..

Sure. And your passwords aren’t exactly safe on sites that haven’t fixed this vulnerability. But a password generator, like Xanthir’s, is a handy way to have a bunch of decent passwords that can be changed fairly frequently without too much hassle.

Of course, you do need to have a good, long, master password (or should I say pass phrase) that you can remember exactly so that nothing needs to be written down or saved to disk. You just re-generate the passwords each time you need them.

This Heartbleed bug is somewhat scary, but as you said earlier, there’s no evidence that it’s ever been exploited “in the wild”. And a hacker wanting to exploit it still has to get into the site itself and then use this bug to get access to the encrypted password data. So it shouldn’t be too much of a problem for most sites, unless the site security is crap or the hacker already has access to the site, eg it actually belongs to them or they work in the IT department of the site owner.

But I Am Not A Digital Security Expert.

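The stateless generator PM 2Ring describes (site tag plus master key in, password out, nothing stored, regenerated on demand) and the point about being able to change site passwords without much hassle both come down to a key derivation. The following is an added example and is not Xanthir's code or anything from the original page; it assumes PBKDF2 over the master passphrase with the site tag as salt, an HMAC-based byte stream, and rejection sampling into the site's allowed alphabet. The `counter` parameter is this example's answer to the Heartbleed situation: with a purely deterministic scheme, "change your password on site X" otherwise means changing the master key, which would change every password at once.

```python
import hashlib
import hmac
import string
from typing import Iterator, Sequence

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; raise it as hardware allows)
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "-_"


def _site_key(master: str, site_tag: str, counter: int) -> bytes:
    """Stretch the master passphrase with the site tag and a per-site counter as salt.

    The counter is what lets you rotate one site's password after an incident
    like Heartbleed without touching the master passphrase or any other site.
    The tag is lower-cased and stripped so "Example.com " and "example.com" agree.
    """
    salt = f"{site_tag.strip().lower()}\x00{counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)


def _byte_stream(key: bytes, nonce: int) -> Iterator[int]:
    """Unbounded deterministic byte stream: HMAC-SHA256(key, nonce || block_index)."""
    block = 0
    while True:
        msg = nonce.to_bytes(4, "big") + block.to_bytes(4, "big")
        yield from hmac.new(key, msg, "sha256").digest()
        block += 1


def _draw(stream: Iterator[int], alphabet: str) -> str:
    """Map a byte to a character without modulo bias (rejection sampling)."""
    limit = 256 - (256 % len(alphabet))
    for b in stream:
        if b < limit:
            return alphabet[b % len(alphabet)]
    raise AssertionError("unreachable: the stream is infinite")


def derive_site_password(master: str, site_tag: str, counter: int = 1,
                         length: int = 20, alphabet: str = DEFAULT_ALPHABET,
                         required: Sequence[str] = ()) -> str:
    """Stateless generator: the same inputs always give the same password, so
    nothing has to be written down or saved to disk.

    `required` lists character classes (each a string) that must each appear at
    least once, for sites with composition rules; the derivation is retried with
    a fresh nonce, deterministically, until the rule is met.
    """
    if length < 8:
        raise ValueError("refusing to derive a password shorter than 8 characters")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate characters")
    for cls in required:
        if not set(cls) & set(alphabet):
            raise ValueError(f"required class {cls!r} has no characters in the alphabet")
    key = _site_key(master, site_tag, counter)
    nonce = 0
    while True:
        stream = _byte_stream(key, nonce)
        candidate = "".join(_draw(stream, alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate
        nonce += 1


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    master = "correct horse battery staple plus a few more words"
    print(derive_site_password(master, "https://mail.example.com"))
    # After the site has patched Heartbleed, rotate just this one password:
    print(derive_site_password(master, "https://mail.example.com", counter=2))
    # A site that insists on a digit and one of a handful of symbols:
    print(derive_site_password(master, "https://bank.example.com", length=16,
                               alphabet=DEFAULT_ALPHABET + "!@#$",
                               required=(string.digits, "!@#$")))
```

Two caveats a practitioner would attach to this design. The counter has to be remembered somewhere (it is not secret, so a plain text note is fine), and rotating only makes sense once the site has actually deployed the fix, as Dropbear notes above. And because every site password is a function of the master passphrase, that passphrase is the single point of failure: it needs to be long, memorable, and never typed into a page you do not trust.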

Date: 12/04/2014 08:49:26
From: mollwollfumble
ID: 517338
Subject: re: Heartbleed, should we be worried ?

> I’d also recommend using something like lastpass or other reputable online password tracker, and then use lengthy random character generated passwords (different) for each important site …

I minimise my use of sites and software that need passwords, but despite that already have 130 passwords.


Date: 17/04/2014 15:24:00
From: Dropbear
ID: 519368
Subject: re: Heartbleed, should we be worried ?

This is pretty accurate

http://xkcd.com/1354/


Date: 17/04/2014 15:26:44
From: PM 2Ring
ID: 519370
Subject: re: Heartbleed, should we be worried ?

Dropbear said:


This is pretty accurate

http://xkcd.com/1354/

The comic discussion thread is pretty good, too, although I guess it’s probably a bit technical if you’re not a programmer.
