21 April 2014

Heartbleed

Emily Morris

I must confess that I am making an assumption in writing this. That is that many of you will be technologically minded…

What has been your take on heartbleed? Have you changed passwords and done this widely or just for banking etc?

I’m getting differing pictures on this – some are screaming heads ablaze to change passwords and others seem fairly unperturbed.

justsomeaussie 9:58 am 22 Apr 14

Let’s just clarify some points. Using the same password for multiple sites is bad, yet the majority of people do it. If you’ve been on the internet for a while and have used the same password for a long time, you can consider it compromised, and by compromised I mean likely added to gigantic dictionaries of known passwords which can be used to log into your accounts. Logging into accounts doesn’t mean a human attacker trying it; it can mean a “bot” throwing millions of email address and password combos against sites.

Typically professionals break passwords into two categories. Information you care about, Information you don’t care about.

For example, I’m not overly fussed if someone “hacked” RiotAct and stole my password as the most they’d be able to do is post on my behalf. However if I also used this username and password combo on another site then my information on that site is vulnerable.

The most manageable solution is to use a password manager for the information you care about. When properly used they can be very effective.

Lastly, if you do have to create a password yourself, the best tip is to create a long sentence with some non-words included, for example: “oneWibblyjigWentWalking” or “Wozzaisabigdramalama”. The best password is something that you can actually remember.

What you *shouldn’t* be doing but what is very common is to simply add a one up number to your password.

For the government recommendations go here:

http://www.asd.gov.au/publications/index.htm#tabs-1
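A defender-side illustration of the “bot throwing millions of email address and password combos against sites” point, added here and not part of the original comment: it scans constructed login-log lines (the log format is assumed) for a source address that tries many distinct accounts in a short window, and reports which of those attempts succeeded, since those are the accounts whose reused password has just been confirmed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (hypothetical format, not from any real site).
LOG_LINES = """\
2014-04-21T09:10:01 login FAIL user=alice@example.com ip=203.0.113.7
2014-04-21T09:10:02 login FAIL user=bob@example.com ip=203.0.113.7
2014-04-21T09:10:02 login FAIL user=carol@example.com ip=203.0.113.7
2014-04-21T09:10:03 login OK   user=dave@example.com ip=203.0.113.7
2014-04-21T09:10:04 login FAIL user=erin@example.com ip=203.0.113.7
2014-04-21T09:10:05 login FAIL user=frank@example.com ip=203.0.113.7
2014-04-21T09:12:30 login FAIL user=alice@example.com ip=198.51.100.9
2014-04-21T09:12:40 login FAIL user=alice@example.com ip=198.51.100.9
2014-04-21T09:12:55 login OK   user=alice@example.com ip=198.51.100.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(lines):
    """Yield (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])

def find_stuffing_sources(lines, window=timedelta(minutes=5), min_users=4):
    """Return {ip: {"users": [...], "hits": [...]}} for source IPs that attempted
    at least `min_users` distinct accounts within `window`. Fan-out across many
    usernames from one source is what separates credential stuffing from one
    person mistyping their own password a few times (the second IP above)."""
    events = defaultdict(list)  # ip -> [(ts, user, result)]
    for ts, result, user, ip in parse(lines):
        events[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [(u, r) for t, u, r in attempts[i:] if t - start <= window]
            users = {u for u, _ in in_window}
            if len(users) >= min_users:
                # Accounts that logged in OK from a stuffing source are the ones
                # to reset first: their reused password has just been confirmed.
                flagged[ip] = {"users": sorted(users),
                               "hits": sorted({u for u, r in in_window if r == "OK"})}
                break
    return flagged
```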

Roundhead89 said :

Changing your password won’t make any difference. My Yahoo Mail account has been repeatedly spammed despite changing my password several times. There are programs available on the Net which unlock any password and provide universal access so changing your password will be no barrier.

This really isn’t very good advice…

Firstly, those programs you’re talking about can’t simply unlock ‘any password’. Most of them are resorting to a brute force attack – ie, they attempt thousands of different passwords a second.

Check out https://howsecureismypassword.net/ and see how quickly passwords can be cracked (please don’t plug your real password in there…make up one that’s the same length, with any upper case / lower case, numbers, special characters etc. that your real one has).

If you create a password that’s secure, it’s virtually impossible for a brute force attacker to crack your password.

Ohh, and when it comes to passwords, length is what matters… http://xkcd.com/936/

StrangeAttractor said :

Change your passwords.

It boils down to this:

If a website you log in to was vulnerable to heartbleed, it’s possible your password was read by an attacker.

As to the likelihood of your password being compromised, I won’t hesitate a guess, it’s safer to assume that it has been.

The advice I heard on an ABC techie show was that if you change your password at the moment, it will likely be harvested in any case.

enrique said :

Was RA vulnerable?

Not sure about in the past, but at least at the moment there is no https/port 443 response, so we’re all logging in with plain text anyway. 🙂

Tarinedier said :

The biggest risk comes when you are using the same username/password combination across multiple sites. If you have used your email as a username on some random forum somewhere, and always use the same password, then a hacker who grabs your details from that forum site now has access to your Facebook, email, etc.

Even if you are only partially compromised, the hacker can then use social engineering techniques to gain access to other services (see https://medium.com/cyber-security/24eb09e026dd for an example).

The most important thing is to have separate passwords for each site.

This is true – and also unfortunately a massive PITA! It used to be a lot easier before people had dozens of different sites that they’d need to manage account information for, but remembering 20 or 30 different passwords for different sites isn’t very practical. Of course now many sites let you log in using your Facebook (or some other social media) credentials, but of course then once they know that central account, they can access the rest too.

I’m seriously considering using a password manager solution – something like http://keepass.info/ (which is free) to set and remember my passwords for me. There are stacks of others available, both free and paid. Basically, they’ll set a password for a site that’s extremely secure (and so would be a pain to enter yourself). The software then enters the password for you when you’re at a password entry screen. You just have to remember one ‘master password’ (which would itself be very strong) to manage your accounts. There are versions for PCs, Macs, mobile and tablet devices. I’ve heard they can be annoying to configure and get going – but if I give it a shot, I’ll report back with my thoughts!

The biggest risk comes when you are using the same username/password combination across multiple sites. If you have used your email as a username on some random forum somewhere, and always use the same password, then a hacker who grabs your details from that forum site now has access to your Facebook, email, etc.

Even if you are only partially compromised, the hacker can then use social engineering techniques to gain access to other services (see https://medium.com/cyber-security/24eb09e026dd for an example).

The most important thing is to have separate passwords for each site.

Some banks don’t use SSL but I think it is safe to assume that a password change is probably the safest bet especially when sites like Google, Yahoo, Hotmail and Facebook were at risk.

What is a bit sad in all this is after the Edward Snowden revelations it appears the NSA with its built-in backdoor surveillance tactics (in an effort to avoid encryption) may also have made it easier for hackers in gaining access to many websites. This is not to say the NSA was responsible for this particular flaw relating to SSL but it is likely that if they were aware of it (and with all the expertise at hand why wouldn’t they be), they would have exploited it for their own ends.

Changing your password won’t make any difference. My Yahoo Mail account has been repeatedly spammed despite changing my password several times. There are programs available on the Net which unlock any password and provide universal access so changing your password will be no barrier.

The problem is this. Changing your password isn’t of much use unless the operator of the website has already patched their servers to fix this flaw.

This attack isn’t targeting your PC – it’s targeting the server you connect to, and there’s nothing you can do to make yourself safer until the servers are patched. So if you go ahead and change a password, but the server on the other end hasn’t been patched, then an attacker can just as easily grab your new password. The danger is if you go and do a wholesale password change, but some sites aren’t patched yet. You think you’re safe, but you’re not.

I’d suggest that on any site you have a password on, check to see if there’s a statement re heartbleed before doing the update. Only bother to change on those that declare they’re safe, and wait for the others to get their houses in order – or if you don’t actually need the account any more, cancel it.

Bear in mind that not all servers use the affected OpenSSL software either. Those sites were never affected.

Was RA vulnerable?

StrangeAttractor 8:33 am 21 Apr 14

Change your passwords.

It boils down to this:

If a website you log in to was vulnerable to heartbleed, it’s possible your password was read by an attacker.

As to the likelihood of your password being compromised, I won’t hesitate a guess, it’s safer to assume that it has been.
