Neil Pate

Heartbleed


So, most of you here are probably aware of the Heartbleed bug in OpenSSL.

 

How seriously is everybody taking this? Seems like a good time to change my password; "12345" was probably due for an extra digit on the end by now ;-)


Very seriously  :angry:

 

It is the only time I've ever heard that using encryption is worse than not using it.

 

Luckily, the binaries shipped with LabVIEW are not susceptible: they're too old :D

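The "too old" observation above generalizes to a simple rule: Heartbleed lives only in OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release, so the 0.9.8 and 1.0.0 branches bundled with older software never had the heartbeat code at all. The following check is an added example and not code from anyone in this thread; it classifies version strings of the form printed by `openssl version` against that range. The function names and the host inventory are constructed for the demonstration. One caveat it cannot resolve on its own: vendors that backport the fix keep the upstream version string, so a "1.0.1e" may already be patched, and a build with -DOPENSSL_NO_HEARTBEATS is immune at any version (passed here as a flag the caller must supply).

```python
"""Classify OpenSSL version strings against the Heartbleed (CVE-2014-0160)
affected range.  Added example for this thread, not code from any poster.

Facts encoded below:
  affected:       1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release
  fixed:          1.0.1g and 1.0.2-beta2
  never affected: the 0.9.8 and 1.0.0 branches (no heartbeat code at all)
  a build with -DOPENSSL_NO_HEARTBEATS removes the code regardless of version
"""
import re

# Matches the number in "OpenSSL 1.0.1e 11 Feb 2013" or "1.0.2-beta1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(text):
    """Return (major, minor, fix, letter, beta) for a version string.

    `letter` is the patch letter ('' for a bare release such as 1.0.1) and
    `beta` is the beta number or None.  Raises ValueError if no version
    number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version number in {text!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, m.group(4) or "", beta


def is_heartbleed_affected(version_text, no_heartbeats=False):
    """True if this version string falls inside the affected range.

    Pass no_heartbeats=True for a library built with -DOPENSSL_NO_HEARTBEATS.
    Vendors that backport the fix keep the upstream version string, so a
    True result flags a candidate to verify, not proven exposure.
    """
    if no_heartbeats:
        return False
    major, minor, fix, letter, beta = parse_version(version_text)
    if (major, minor) != (1, 0):
        return False                 # 0.9.8 and 1.1.0+ never had the bug
    if fix == 1:
        return letter < "g"          # 1.0.1 .. 1.0.1f; 1.0.1g fixed it
    if fix == 2:
        return beta == 1             # only 1.0.2-beta1 shipped the bug
    return False                     # 1.0.0 branch predates the heartbeat code


def audit(inventory):
    """Map host -> 'affected' / 'not affected' / 'unknown' for an inventory
    of {host: (version_string, built_without_heartbeats)}."""
    result = {}
    for host, (version_text, no_hb) in inventory.items():
        try:
            hit = is_heartbleed_affected(version_text, no_heartbeats=no_hb)
        except ValueError:
            result[host] = "unknown"
            continue
        result[host] = "affected" if hit else "not affected"
    return result


# Constructed inventory, not real hosts.  The 0.9.8 entry stands in for an
# old bundled library of the kind discussed in the thread.
SAMPLE_INVENTORY = {
    "web-frontend": ("OpenSSL 1.0.1e 11 Feb 2013", False),
    "web-frontend-nohb": ("OpenSSL 1.0.1e 11 Feb 2013", True),
    "legacy-rt": ("OpenSSL 0.9.8y 5 Feb 2013", False),
    "patched": ("OpenSSL 1.0.1g 7 Apr 2014", False),
    "beta-box": ("OpenSSL 1.0.2-beta1", False),
    "odd": ("LibreSSL", False),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:20} {verdict}")
```

Treat "affected" as a candidate to confirm against the distribution's package changelog or by probing the server, not as proof of exposure; treat "not affected" from a version string as reliable only for the 0.9.8 and 1.0.0 branches, which never carried the code.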
It's a good thing NI never got around to making an SSH toolkit  :lol:

OpenSSH is a different toolkit and, although it does use OpenSSL, the vulnerability only affects TLS (which OpenSSH doesn't use). OpenSSH is quite safe, but if you are using a TLS-enabled process (like Apache) that has the heartbeat extension (i.e. TLS 1.2) then they may get your SSH keys, your inside leg measurement and who you slept with last night :D.

Edited by ShaunR


Very serious indeed. I am amused that in an era where major vulnerabilities and breaches are so publicized, I have not heard a peep from a single institution I deal with. In the past they've always been quick to alert clients, but not this time. Forget the important ones (banks, stocks, payroll, government entities); not even the technology companies I deal with have said a word. Amazing. I have absolute confidence that should some even more serious vulnerability arise to which there is no immediate fix, we will be left in the dark lest any organization affect their image or stock price. Honesty and disclosure are only needed if they serve the bottom line or political gain.

Yes, I'm cynical, but I try my hardest to find evidence pointing me away from the cynicism. I'm just not finding any this time around.

OpenSSH is a different toolkit and, although it does use OpenSSL, the vulnerability only affects TLS (which OpenSSH doesn't use)

 

I was being a bit facetious, but I did not know about it only being TLS, so I forgive you.

 

I have a ten week old at home, I didn't get to sleep with anybody last night  :lol:

Well, when I logged into my bank account the other day I was met with this message :yes:

 

Customers may be aware of media interest in an external Internet related issue called 'Heartbleed'. We take the security of our banking services very seriously and we would like to reassure our customers that our online banking systems are not exposed to this vulnerability. As such, customers are advised that there is currently no need for them to take any action with regards to changing passwords.

Do we believe them?

Edited by ShaunR

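ShaunR's earlier point that only TLS endpoints with the heartbeat extension are exposed, and the bank's "not exposed" statement just above, both come down to one observable fact: whether the server negotiates that extension in its ServerHello. A server that never sends it cannot be asked for a heartbeat, so it cannot be bled, whatever OpenSSL build it runs. The parser below is an added example and not code from anyone in this thread; it takes the raw bytes of one TLS record holding a ServerHello (as read from a socket or a packet capture, assuming the ClientHello offered the heartbeat extension so the server had the chance to echo it) and reports the negotiated HeartbeatMode. The extension is negotiated independently of the protocol version, so the parser reports both. The function names are mine, and the ServerHello bytes in the block are constructed for the demonstration, not captured traffic.

```python
"""Parse a TLS ServerHello record and report whether the heartbeat extension
(RFC 6520, extension type 15) was negotiated.  Added example for this
thread, not code from any poster.
"""
import struct

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
HEARTBEAT_EXT = 0x000F
# HeartbeatMode values from RFC 6520.
HB_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_server_hello(record):
    """Return {'version', 'cipher_suite', 'heartbeat'} for one TLS record
    whose first handshake message is a ServerHello.  Every length field is
    checked against the bytes actually present and a mismatch raises
    ValueError; a length taken on trust is exactly the mistake behind
    Heartbleed."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:]
    if len(body) != rec_len:
        raise ValueError("record length field does not match bytes received")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len > len(body) - 4:
        raise ValueError("handshake length field exceeds record")
    msg = body[4:4 + hs_len]       # later messages in the same record are ignored

    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("ServerHello truncated")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    version = take(2)
    take(32)                       # server random
    take(take(1)[0])               # session id (length-prefixed)
    cipher = take(2)
    take(1)                        # compression method
    info = {"version": version.hex(), "cipher_suite": cipher.hex(), "heartbeat": None}
    if pos == len(msg):
        return info                # no extensions block at all
    (ext_total,) = struct.unpack("!H", take(2))
    if pos + ext_total != len(msg):
        raise ValueError("extensions length field does not match message")
    while pos < len(msg):
        ext_type, ext_len = struct.unpack("!HH", take(4))
        data = take(ext_len)
        if ext_type == HEARTBEAT_EXT:
            if len(data) != 1:
                raise ValueError("heartbeat extension must carry exactly one byte")
            info["heartbeat"] = HB_MODES.get(data[0], f"reserved({data[0]})")
    return info


def heartbeat_status(record):
    """'absent', 'malformed', or the negotiated HeartbeatMode name."""
    try:
        return parse_server_hello(record)["heartbeat"] or "absent"
    except ValueError:
        return "malformed"


def build_server_hello(heartbeat_mode=None, version=b"\x03\x03"):
    """Constructed ServerHello record for the demonstration (not captured
    traffic): zero random, empty session id, cipher suite 0xc02f, and the
    heartbeat extension only when heartbeat_mode is given."""
    exts = b"" if heartbeat_mode is None else struct.pack("!HHB", HEARTBEAT_EXT, 1, heartbeat_mode)
    body = version + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + version + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, rec in [("heartbeat negotiated", build_server_hello(1)),
                       ("no heartbeat", build_server_hello()),
                       ("truncated record", build_server_hello(1)[:-2])]:
        print(f"{label:22} -> {heartbeat_status(rec)}")
```

To apply this to a real server, open a socket, send a ClientHello that lists extension type 15, and feed the first record returned to `parse_server_hello`; `openssl s_client -tlsextdebug` against the same host shows the same thing in its extension listing (the "heartbeat" extension with id 15). "absent" is the answer a "not exposed" claim should produce; "peer_allowed_to_send" means the server will answer heartbeats and the only remaining question is whether its library bounds-checks the payload length.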
Forget the important ones (banks, stocks, payroll, government entities)

 

I was actually quite pleased to discover that none of my financial institutions have bothered to update their security software the past few years, and as such, none were vulnerable to Heartbleed.

 

I've been cursing these institutions for years because they use incredibly old security systems (seriously, you're only going to let me use an 8 character password?). But in this case, their glacially slow tech adoption rate was a blessing in disguise.

 

This Mashable list has been helpful for me in determining which passwords I need to change. I'm extra paranoid, though, so I'll probably change all of them as I get around to logging into them.

 

I'd also like to take this opportunity to extol the virtues of KeePass as a password manager.


I've been rocking 1Password for the last few years and I've finally lost patience with their pathetic Android implementation (other platforms are fantastic though). This weekend as I go through my passwords I've decided to look at KeePass and LastPass.

I agree, password managers are the way to go, but if you use Android, my recommendation is to avoid 1Password despite how much I like it.


I would be very interested to hear from someone who is using LastPass. I've been on the fence for a few months and this very well could be the tipping point.

Edited by Jordan Kuehn


I was nervous about LastPass operating over the internet. My paranoia seems to have been rewarded somewhat, as it's on the Mashable list as one of the "affected" sites.

 

They're claiming that users do not need to change their master passwords. However, I suspect that any passwords they stored on your behalf were vulnerable to Heartbleed (even if the websites you stored were not vulnerable).

Edited by Mike Le

Using a man-in-the-middle attack for convenience is a flawed concept.


I've been using Lastpass for the last year now and liked it. I've liked the multi-location/multi-person/cloud access, since I got my wife on it also. I do use the iOS app on occasion. They did say they were affected by the Heartbleed vulnerability. I feel their response was quick, and they did provide a nice tool to check your stored passwords for other sites affected (also part of the security check function). I will note I did change my master PW as soon as I heard anything. I'm not paranoid!

 

Oh and I LOVE the 100 Character password generator!

 

As a side note: I've also tried Dashlane, and thought it was pretty good, but Lastpass got me because (at least at the time) they had cloud access for free and Dashlane didn't.

I would be very interested to hear from someone who is using LastPass. I've been on the fence for a few months and this very well could be the tipping point.

 

I highly recommend Lastpass, especially if you are on Android. There is a Security Now episode by Steve Gibson that covers how Lastpass works; it is very secure even though it is cloud-based.

 

The latest Android app update includes a "service" so you can "fill forms" just like you can on the desktop.
