Heartbleed Bug

I don't think this has been posted anywhere:

A flaw in software that's widely used to secure Web communications means that passwords and other highly sensitive data could be exposed. Some say they've already found hundreds of Yahoo passwords.

http://www.cnet.com/news/heartbleed-bug-undoes-web-encryptio...

All Yahoo users, change your Yahoo password.

NPR story

This is being talked about on NPR right now (Wed 4/9, 2:35 PM CDT)

--
Alan - Android Auto, DriveLuxe 51LMT-S, DriveLuxe 50LMTHD, Nuvi 3597LMTHD, Oregon 550T, Nuvi 855, Nuvi 755T, Lowrance Endura Sierra, Bosch Nyon

Canada Revenue Agency

CRA update regarding the Heartbleed Bug - Wednesday, April 9, 3pm

The Canada Revenue Agency (CRA) places first priority on ensuring the confidentiality of taxpayer information.

After learning late yesterday afternoon about the Internet security vulnerability named the Heartbleed Bug that is affecting systems around the world, the CRA acted quickly, as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold. Applications affected include online services like EFILE, NETFILE, My Account, My Business Account and Represent a Client.

We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend.

The CRA recognizes that this problem may represent a significant inconvenience for individual Canadians who count on the CRA for online information and services.

Recognizing this, the Minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption.

We continue to investigate any potential impacts to taxpayer information, and to be fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.

--
Nüvi 255WT with nüMaps Lifetime North America born on 602117815 / Nüvi 3597LMTHD born on 805972514 / I love Friday’s except when I’m on holidays ~ canuk

This bug affects all

This bug affects all websites that use OpenSSL. Yahoo is the least of my worry. I'm more worried about financial (online banking) and government websites that are affected and have not been fixed yet.

CRA Shut down

It is inconvenient but is necessary to safeguard the information of taxpayers. It is tax season and I sent mine 2 days ago. Now I wish that it is safe.

Canadians are reminded that the CRA will not send information about personal refunds or benefit payments by email, will not ask for personal information by email, and will not leave any personal information on an answering machine. All phone calls or emails of this nature should not be answered and should be reported to the RCMP's Canadian Anti-Fraud Centre.

This link gives you some info: http://news.gc.ca/web/article-en.do?mthd=tp&crtr.page=1&nid=...

Have a nice day.

...

Check the sites at http://filippo.io/Heartbleed/

--
Michael (Nuvi 2639LMT)

It has

chewbacca wrote:

I don't think this has been posted anywhere:....

Oh, it's been posted. Was even Tuesday's XKCD comic subject:
http://xkcd.com/1353/

POI Factory's servers

I reviewed POI Factory's server configurations and confirmed that they're not running any of the versions of OpenSSL that are vulnerable to the heartbleed bug.

Jonathan

Thanks

JM wrote:

I reviewed POI Factory's server configurations and confirmed that they're not running any of the versions of OpenSSL that are vulnerable to the heartbleed bug.

Jonathan

Thanks, I guess I'll keep my current password then :)

Ah, I see. Since logging in to The Factory is done via http rather than https, OpenSSL issues don't apply here.

.

JM wrote:

I reviewed POI Factory's server configurations and confirmed that they're not running any of the versions of OpenSSL that are vulnerable to the heartbleed bug.

Jonathan

Wait... this site offers SSL sign in? I have been signing in unencrypted (http) since I signed up.

.

Frovingslosh wrote:
chewbacca wrote:

I don't think this has been posted anywhere:....

Oh, it's been posted. Was even Tuesday's XKCD comic subject:
http://xkcd.com/1353/

I meant posted at POI factory.

Think first...

Noted computer security guru Bruce Schneier said that this one, rated on a scale of 1 to 10, is an 11 -- a catastrophe...

But before you go out and change all your passwords...

We're already seeing scam e-mails telling people to *click right here* to change your password (sometimes to services you didn't even know you had). DON'T DO IT!

When you decide to change your password, go directly to the site in question -- don't follow some random link in an e-mail, please!

Some sites/services aren't affected. Poi-factory isn't affected.

And some sites/services haven't gotten their act together yet and patched the problem.

A good test site is from Qualys, https://www.ssllabs.com/ssltest/

You should probably be thinking about changing passwords on important sites, once those sites have their act together.

And now is a good time to be sure you're not using the same password on multiple sites -- especially multiple important sites. Yes, this is a pain in the ***, but it's important.

What a mess.

--
Nuvi 2460, 680, DATUM Tymserve 2100, Trimble Thunderbolt, Ham radio, Macintosh, Linux, Windows

.

k6rtm wrote:

Some sites/services aren't affected. Poi-factory isn't affected.

Once again, how can this site be affected if secure sign in is not even available?

by more than one site per host...

chewbacca wrote:
k6rtm wrote:

Some sites/services aren't affected. Poi-factory isn't affected.

Once again, how can this site be affected if secure sign in is not even available?

If the server hosting this site also hosted another site that used OpenSSL, an attacker could dump the server's memory via the other site, and still get information from this site.

Heartbleed bug: Check which sites have been patched

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .

more info

http://heartbleed.com/

~SNIP~

What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

How common are the vulnerable OpenSSL versions?
The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems. A major contributing factor has been that TLS versions 1.1 and 1.2 became available with the first vulnerable OpenSSL version (1.0.1), and the security community has been pushing TLS 1.2 due to earlier attacks against TLS (such as BEAST: http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack).

How about operating systems?
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distributions with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

~SNIP~

--
. 2 Garmin DriveSmart 61 LMT-S, Nuvi 2689, 2 Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N Garmin based, built into my Jeep. .
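The version ranges quoted above can be turned into a small inventory check for your own hosts. This is an added example, not code from the thread or from heartbleed.com; the regex, the status labels and the distro-suffix heuristic are my own assumptions.

```python
import re

# Status labels (my own naming) derived from the heartbleed.com excerpt quoted
# above: OpenSSL 1.0.1 through 1.0.1f are vulnerable, 1.0.1g is the fixed
# release, and the 1.0.0 and 0.9.8 branches never had the bug.
VULNERABLE = "vulnerable"
FIXED = "fixed release"
UNAFFECTED = "branch never affected"
UNKNOWN = "unknown"

# Matches an upstream OpenSSL version such as "1.0.1e", "1.0.1" or "0.9.8o" in
# strings like "OpenSSL 1.0.1c 10 May 2012" or a package version "1.0.1e-2+deb7u4".
# Major is limited to 0/1 so distro releases like "12.04.4" are not picked up.
_VERSION_RE = re.compile(r"\b([01])\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def has_distro_suffix(text):
    """True for packager-suffixed versions such as "1.0.1e-15"; distributions
    backport fixes without bumping the upstream letter, so the vendor advisory
    decides for those."""
    return re.search(r"\d[a-z]?-\d", text) is not None


def heartbleed_status(text):
    """Classify a version string against the quoted upstream ranges."""
    v = parse_openssl_version(text)
    if v is None:
        return UNKNOWN
    major, minor, fix, letter = v
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f are vulnerable.
        return VULNERABLE if letter < "g" else FIXED
    if (major, minor, fix) in ((1, 0, 0), (0, 9, 8)):
        return UNAFFECTED
    return UNKNOWN  # branches the excerpt does not cover


def assess(text):
    """(status, conclusive): a vulnerable verdict on a distro package is only
    provisional until checked against that distribution's advisory."""
    status = heartbleed_status(text)
    conclusive = not (status == VULNERABLE and has_distro_suffix(text))
    return status, conclusive


if __name__ == "__main__":
    # Constructed sample lines, taken from the list quoted in this thread.
    for line in ("Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4",
                 "FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)"):
        print(line, "->", assess(line))
```

Feed it the output of `openssl version` from each host; a "vulnerable, not conclusive" result means the package version needs checking against the distribution's own advisory rather than the upstream number.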

Only https: websites affected?

Were websites which **don't** have https: in their login website addresses ever vulnerable to Heartbleed?

Examples:
http://www.poifactory.com
http://www.lq.com/lq/ (LaQuinta Inns)
http://hhonors3.hilton.com/en/index.html (Hilton Honors)
etc.
(I'm traveling now and need to be able to login and make credit-card-guaranteed reservations on hotel websites as I go.)

I realize it isn't accurate to assume that every https: website is vulnerable to this bug, but are all login web addresses without https: and just http: safe from Heartbleed?

--
JMoo On

No SSL - No Encryption

dagarmin wrote:

Were websites which **don't** have https: in their login website addresses ever vulnerable to Heartbleed?

Examples:
http://www.poifactory.com
http://www.lq.com/lq/ (LaQuinta Inns)
http://hhonors3.hilton.com/en/index.html (Hilton Honors)
etc.
(I'm traveling now and need to be able to login and make credit-card-guaranteed reservations on hotel websites as I go.)

I realize it isn't accurate to assume that every https: website is vulnerable to this bug, but are all login web addresses without https: and just http: safe from Heartbleed?

If there is no https, then there is no encryption. All data is transmitted as straight text. Anyone with a packet sniffer (a tool to look at data as it goes through) can see usernames and passwords as they are being entered. They do have to be looking as the user is logging in.

--
Garmin Nuvi 2450

I tested Hilton Honors

dagarmin wrote:

Were websites which **don't** have https: in their login website addresses ever vulnerable to Heartbleed?

Examples:
http://www.poifactory.com
http://www.lq.com/lq/ (LaQuinta Inns)
http://hhonors3.hilton.com/en/index.html (Hilton Honors)
etc.
(I'm traveling now and need to be able to login and make credit-card-guaranteed reservations on hotel websites as I go.)

I realize it isn't accurate to assume that every https: website is vulnerable to this bug, but are all login web addresses without https: and just http: safe from Heartbleed?

I use http://hhonors3.hilton.com/en/index.html (Hilton Honors). I just tried the page and when you use the drop-down login at the top it sends it as https, so your login does not go as straight text.

When I check the site I receive
"All good, secure3.hilton.com seems fixed or unaffected!"
Change your password to be sure: they may have been OK all along, or may have fixed it, and if they fixed it you need to change your password.

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

.

-Nomad- wrote:
chewbacca wrote:
k6rtm wrote:

Some sites/services aren't affected. Poi-factory isn't affected.

Once again, how can this site be affected if secure sign in is not even available?

If the server hosting this site also hosted another site that used OpenSSL, an attacker could dump the server's memory via the other site, and still get information from this site.

Ok, that makes sense. Why does POI factory not offer secure browsing or at least secure the sign-in part then redirect to regular http to browse the site? SSL cert is cheap.

.

chewbacca wrote:
-Nomad- wrote:
chewbacca wrote:
k6rtm wrote:

Some sites/services aren't affected. Poi-factory isn't affected.

Once again, how can this site be affected if secure sign in is not even available?

If the server hosting this site also hosted another site that used OpenSSL, an attacker could dump the server's memory via the other site, and still get information from this site.

Ok, that makes sense. Why does POI factory not offer secure browsing or at least secure the sign-in part then redirect to regular http to browse the site? SSL cert is cheap.

I'll look at implementing this as we upgrade our web platform this spring.

.

JM wrote:
chewbacca wrote:

Why does POI factory not offer secure browsing or at least secure the sign-in part then redirect to regular http to browse the site? SSL cert is cheap.

I'll look at implementing this as we upgrade our web platform this spring.

2 thumbs up!

JM, will the site stay up

JM, will the site stay up while you upgrade, or does this mean down time?
Glad to see some of the sites are already implementing the fix, but a lot either have not or have yet to respond to questions. Here's a list of who has patched, and who does not run the affected version.
http://money.cnn.com/2014/04/10/technology/security/heartble...

.

nrbovee wrote:

JM, will the site stay up while you upgrade, or does this mean down time?

The platform upgrade we're doing later this spring will require a short period of downtime, which will happen in the late night or early morning hours. In the past, upgrades have taken less than an hour. The upgrade is not related to the heartbleed bug.

Bug

You can do a google search of Heartbleed bug and it will tell you which sites have been at risk. I changed a number of passwords, and it is a real pain. I guess it needed to be done.

--
Dudlee

Lastpass

lastpass offers a helpful list of sites with recommendations on whether to change passwords for specific sites due to the heartbleed bug:

http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your...

This is aimed at those using lastpass already, but I think a new user could check after starting to use the tool.

As has been mentioned above, using strong and unique passwords should help in minimizing the impact to you in case one site is compromised.

What a hassle

Changed our Google and FB passwords this weekend. What a mess. It totally hosed our contacts on my phone and her tablet. Had to re-sync, re-link, and re-categorize a hundred or so contacts. That alone wasted an hour.

--
><> Glenn <>< Garmin nüvi 2598

Yup, a real pain...

And it ain't over yet.

We've changed the first round of account passwords (and yeah, that has fallout on different devices, and embedded services).

Also spent more time explaining this debacle. The XKCD comics help.

Getting people to move away from Explorer and to Chrome or Firefox, and HTTPS Everywhere.

And as some others have mentioned, there's the good news - bad news that some sites (such as POI Factory) aren't vulnerable to this issue, as they don't support HTTPS connections.

(There are many other sites and services that do not use the OpenSSL libraries and so do not have the problem, and provide secure connections. Also, OpenSSL versions older than a certain date do not have the problem, so some older systems are safe as well.)

As I said, good news and bad news -- the good news is sites which do not support secure connections don't have the problem. But the bad news is that everything to and from those sites is sent in the clear.

You can also look at it with an advertising/marketing slant... Like the display of sliced turkey at a market with a sign proudly proclaiming "Gluten Free!" Well, yeah, turkey is going to be gluten free... And so is water, so why don't you ... no, I don't want to give anybody that idea!

And some sites are proudly saying "We are not affected by this problem," but not adding, "because we send everything in the clear."

And there is the evolving story about the large number of devices that have the vulnerability and will not get fixed -- think many generations of Android phones, and other electronics such as routers, WiFi access points, and who knows what in the industrial space.

In other threads we've seen comments that Windows XP will probably still be operating on some devices in 5 to 10 years. Similarly, there will be devices out there with this SSL flaw, probably embedded in devices, in the years to come.

And some enterprising individual is going to figure out how to make use of that flaw on a particular device. I'm sure we'll get to read about it after it happens.

(I'm an optimist -- I think this debacle is going to promote more review of code infrastructure, more funding, and better, more reliable and more secure code.)

--
Nuvi 2460, 680, DATUM Tymserve 2100, Trimble Thunderbolt, Ham radio, Macintosh, Linux, Windows

Bad for business!

I have been holding an order to Amazon. Was considering an order for some Corral boots direct from factory. Considering delaying a serious road trip ...

The fact is, even if you change things like passwords, since the 'fix is not in,' why bother now? D/c'ing everything but cash commerce (making heartbleed bleed business) will become the best incentive to get this whole matter addressed before the coming vacation season.

Banking.

chewbacca wrote:

This bug affects all websites that use OpenSSL. Yahoo is the least of my worry. I'm more worried about financial (online banking) and government websites that are affected and have not been fixed yet.

+1 That.

--
Nuvi 660. Nuvi 40 Check out. www.houserentalsorlando.com Irish Saying. A man loves his sweetheart the most, his wife the best, but his mother the longest.

VPNs and more...

Many VPN implementations are also at risk, allowing VPN sessions and keys to be hijacked. Nasty.

It's so bad that systems that aren't vulnerable are vulnerable!

What???

While HP iLO (Integrated Lights Out, an admin feature on ProLiant servers) isn't vulnerable to heartbleed, many generations of them, if scanned by common heartbleed detection tools, lock up.

That's lock up requiring power to be physically removed from the server to clear the fault. Not just rebooting your server, but power cycling the sucker. That's nasty.

http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/pub...

--
Nuvi 2460, 680, DATUM Tymserve 2100, Trimble Thunderbolt, Ham radio, Macintosh, Linux, Windows