Discussion:
HeartBleed OpenSSL security flaw exposes millions of passwords
Thad Floryan
2014-04-09 02:21:09 UTC
http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php

By MICHAEL LIEDTKE and ANICK JESDANUN, AP Technology Writers
7:01 pm, Tuesday, April 8, 2014

SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed
millions of passwords, credit card numbers and other sensitive bits of
information to potential theft by computer hackers who may have been
secretly exploiting the problem before its discovery.

The breakdown revealed this week affects the encryption technology that
is supposed to protect online accounts for emails, instant messaging and
a wide range of electronic commerce.

Security researchers who uncovered the threat, known as "Heartbleed,"
are particularly worried about the breach because it went undetected for
more than two years.

Although there is now a way to close the security hole, there are still
plenty of reasons to be concerned, said David Chartier, CEO of
Codenomicon. A small team from the Finnish security firm diagnosed
Heartbleed while working independently from another Google
Inc. researcher who also discovered the threat.

"I don't think anyone that had been using this technology is in a
position to definitively say they weren't compromised," Chartier said.

Chartier and other computer security experts are advising people to
consider changing all their online passwords.

"I would change every password everywhere because it's possible
something was sniffed out," said Wolfgang Kandek, chief technology
officer for Qualys, a maker of security-analysis software. "You don't
know because an attack wouldn't have left a distinct footprint."

But changing the passwords won't do any good, these experts said, until
the affected services install the software released Monday to fix the
problem. That puts the onus on the Internet services affected by
Heartbleed to alert their users to the potential risks and let them know
when the Heartbleed fix has been installed so they can change their
passwords.

"This is going to be difficult for the average guy in the streets to
understand, because it's hard to know who has done what and what is
safe," Chartier said.

Yahoo Inc., which boasts more than 800 million users worldwide, is among
the Internet services that could be potentially hurt by Heartbleed. The
Sunnyvale, Calif., company said most of its most popular services —
including sports, finance and Tumblr — had been fixed, but work was
still being done on other products that it didn't identify in a
statement Tuesday.

"We're focused on providing the most secure experience possible for our
users worldwide and are continuously working to protect our users'
data," Yahoo said.

Heartbleed creates an opening in SSL/TLS, an encryption technology
marked by the small, closed padlock and "https:" on Web browsers to
signify that traffic is secure. The flaw makes it possible to snoop on
Internet traffic even if the padlock had been closed. Interlopers could
also grab the keys for deciphering encrypted data without the website
owners knowing the theft had occurred, according to security
researchers.

The problem affects only the variant of SSL/TLS known as OpenSSL, but
that happens to be one of the most common on the Internet.

About two-thirds of Web servers rely on OpenSSL, Chartier said. That
means the information passing through hundreds of thousands of websites
could be vulnerable, despite the protection offered by
encryption. Beside emails and chats, OpenSSL is also used to secure
virtual private networks, which are used by employees to connect with
corporate networks seeking to shield confidential information from
prying eyes.

Heartbleed exposed a weakness in encryption at the same time that major
Internet services such as Yahoo, Google, Microsoft and Facebook are
expanding their usage of technology to reassure the users about the
sanctity of their personal data. The additional security measures are
being adopted in response to mounting concerns about the
U.S. government's surveillance of online activities and other
communications. The snooping has been revealed during the past 10 months
through a series of leaked documents from former NSA contractor Edward
Snowden.

Despite the worries raised by Heartbleed, Codenomicon said many large
consumer sites aren't likely to be affected because of their
"conservative choice" of equipment and software. "Ironically, smaller
and more progressive services or those who have upgraded to (the) latest
and best encryption will be affected most," the security firm said in a
blog post.

Although it may take months for smaller websites to install the
Heartbleed fix, Chartier predicted all the major Internet services will
act quickly to protect their reputations.

In a Tuesday post announcing it had installed the Heartbleed fix, Tumblr
offered its users some blunt advice.

"This still means that the little lock icon (HTTPS) we all trusted to
keep our passwords, personal emails, and credit cards safe, was actually
making all that private information accessible to anyone who knew about
the exploit," Tumblr said. "This might be a good day to call in sick and
take some time to change your passwords everywhere — especially your
high-security services like email, file storage, and banking, which may
have been compromised by this bug."
Keith Keller
2014-04-09 02:51:20 UTC
Post by Thad Floryan
http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
"I would change every password everywhere because it's possible
something was sniffed out," said Wolfgang Kandek, chief technology
officer for Qualys, a maker of security-analysis software. "You don't
know because an attack wouldn't have left a distinct footprint."
This is the worst part of the vulnerability.
Post by Thad Floryan
But changing the passwords won't do any good, these experts said, until
the affected services install the software released Monday to fix the
problem. That puts the onus on the Internet services affected by
Heartbleed to alert their users to the potential risks and let them know
when the Heartbleed fix has been installed so they can change their
passwords.
...no, actually, *this* is the worst part. We're going to have to wait
for every single service provider to tell us when their servers are
secure and up to date before changing anything, and in the meantime our
current passwords are sitting there waiting to be eaten. In fact it's
*worse* to log in now, even to change the password, because the
likelihood that the server has expired our password from our previous
login is high, especially for a high-traffic site. But if we log in
now, our creds will be fresh in the service's cache, ripe for the
eavesdropping.
Post by Thad Floryan
The problem affects only the variant of SSL/TLS known as OpenSSL, but
that happens to be one of the most common on the Internet.
...actually, *this* might be the worst part, because people are going to
blame all open source software for the problem, and start downgrading
back to Windows in reaction.
Post by Thad Floryan
Beside emails and chats, OpenSSL is also used to secure
virtual private networks, which are used by employees to connect with
corporate networks seeking to shield confidential information from
prying eyes.
Fortunately for many of us, OpenSSH is not vulnerable, because it does
not use SSL/TLS.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
David Kaye
2014-04-09 05:02:33 UTC
Post by Keith Keller
...actually, *this* might be the worst part, because people are going to
blame all open source software for the problem, and start downgrading
back to Windows in reaction.
But the thing about paying a company rather than relying on open source is
that the company is liable for errors and omissions and can be successfully
sued, or at least be compelled to fix the problem. Good luck doing that
with open source.
Keith Keller
2014-04-09 05:41:07 UTC
Post by David Kaye
But the thing about paying a company rather than relying on open source is
that the company is liable for errors and omissions and can be successfully
sued, or at least be compelled to fix the problem. Good luck doing that
with open source.
Good luck extracting damages from Yahoo after they've exposed your
passwords.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
David Kaye
2014-04-09 19:21:00 UTC
Post by Keith Keller
Good luck extracting damages from Yahoo after they've exposed your
passwords.
--keith
THAT was my point, and it's not just your kicking boy, Yahoo, either. When
you pay for something the seller enters into a contract saying that what
they're selling you is fit for use. When they give you something for free,
there is no such contract, so there is no liability.

Oh, and the contracts that say that a particular piece of software is not
licensed "for any particular purpose" were bogus from the start. Companies
thought that it somehow protected them because they weren't offering, say,
an accounting program as an accounting program, so don't blame them if it
doesn't work right. Nonsense, said the courts. You market the thing as an
accounting program and the customer buys it, assuming that it's an
accounting program. The contract wording is invalid.

But open source code is different. Everybody enters the door knowing that
the code is publicly available, and thus might get hacked. People THINK
that coders are all honest and that they're all going to check each other's
work and keep malware out of the code. Hardly. Nobody is going to sit down
and analyze millions of lines of code unless they're being paid for it, and
even then there will be errors and omissions.

I had no idea that use of open source for encryption was so widespread. I'd
have told anybody who would listen that this was a STOOPID idea.

Heck, where is that piece of code with the if/then/elses in it that left off
1 line of code and failed to throw an error message, allowing people to get
in? The code was barely more than a dozen lines and went undetected for
years -- and it was gateway code, not some arcane encryption code buried
somewhere.
Keith Keller
2014-04-09 19:40:28 UTC
Post by David Kaye
Post by Keith Keller
Good luck extracting damages from Yahoo after they've exposed your
passwords.
THAT was my point, and it's not just your kicking boy, Yahoo, either. When
you pay for something the seller enters into a contract saying that what
they're selling you is fit for use. When they give you something for free,
there is no such contract, so there is no liability.
You've clearly missed my point, which is that you will never see these
damages. Either you will lose your suit, or you'll get a $10 gift
certificate from a class action. You certainly won't get protection
from crackers who have stolen your credentials.
Post by David Kaye
I had no idea that use of open source for encryption was so widespread. I'd
have told anybody who would listen that this was a STOOPID idea.
It's so true! Let's use commercial encryption, so we can suffer from
the goto fail bug instead.

https://www.imperialviolet.org/2014/02/22/applebug.html

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
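The "goto fail" bug Keith links to above, reduced to its control-flow shape as an added example (this is not Apple's code and not code from any poster; the hash and signature steps are stand-in functions, and the non-zero error value returned on a bad signature is assumed). The point the thread circles around is visible in the test: the duplicated `goto fail;` is unconditional, so the buggy version returns 0 (success) whether or not the signature is valid.

```c
#include <stdio.h>

/* Stand-ins for the hash and signature steps in the real
 * SSLVerifySignedServerKeyExchange.  Each returns 0 on success and
 * non-zero on failure, like the OSStatus-returning originals.  The
 * signature step takes a flag so both outcomes can be driven from a test. */
static int hash_update(void)              { return 0; }
static int hash_final(void)               { return 0; }
static int signature_verify(int valid)    { return valid ? 0 : -1; }  /* -1 is an assumed code */

/* Shape of the buggy function: after the first successful step, the second
 * "goto fail;" runs unconditionally, control jumps to the label with err
 * still 0, and the signature check is never reached. */
static int verify_buggy(int signature_valid)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                                  /* the duplicated line */
    if ((err = hash_final()) != 0)                  /* never executed */
        goto fail;
    if ((err = signature_verify(signature_valid)) != 0)
        goto fail;
fail:
    return err;                                     /* 0 means "accepted" */
}

/* Same function with the stray line removed: every step is checked. */
static int verify_fixed(int signature_valid)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    if ((err = signature_verify(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature : %d\n", verify_buggy(0));   /* 0: accepted anyway */
    printf("buggy, good signature: %d\n", verify_buggy(1));   /* 0 */
    printf("fixed, bad signature : %d\n", verify_fixed(0));   /* -1: rejected */
    printf("fixed, good signature: %d\n", verify_fixed(1));   /* 0 */
    return 0;
}
```

A compiler warning about the misleadingly indented second `goto` is the modern safety net; at the time the code shipped, nothing flagged it.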
David Kaye
2014-04-09 21:27:32 UTC
Post by Keith Keller
You've clearly missed my point, which is that you will never see these
damages. Either you will lose your suit, or you'll get a $10 gift
certificate from a class action. You certainly won't get protection
from crackers who have stolen your credentials.
MY SUIT? Obviously you don't know how to read. I have no intention of
suing anybody. And I don't expect for my email to be private, if for no
other reason than that the email providers (especially Google) look over the
emails in order to target ads. Thus, if a person gets targeted email, there
is a file being saved somewhere that indicates the person's interests and
possibly a lot of other information.
Steve Pope
2014-04-09 21:02:02 UTC
Post by David Kaye
I had no idea that use of open source for encryption was
so widespread. I'd have told anybody who would listen that
this was a STOOPID idea.
The theory is that if your encryption code is open-source,
then a wide range of experts (both cryptographers and software
engineers) can examine it for correctness.

In practice, this hasn't happened.

PGP, SSH, and SSL have all been plagued with recurrent flaws
and weaknesses. (And that's even without "help" from the NSA.)

Steve
David Kaye
2014-04-09 21:32:03 UTC
Post by Steve Pope
The theory is that if your encryption code is open-source,
then a wide range of experts (both cryptographers and software
engineers) can examine it for correctness.
Well, yes, except that the code is so massive that nobody is going to sit
down without pay and go through all the routines and the callbacks and
whatnot to see what the code is doing. When I wrote software it was about
20% writing code and 80% bug testing. Bug testing is not glamorous, and
there are not many people who are going to sit there and debug unless they
can make a good amount of money doing so.
Steve Pope
2014-04-09 21:35:15 UTC
Post by David Kaye
Post by Steve Pope
The theory is that if your encryption code is open-source,
then a wide range of experts (both cryptographers and software
engineers) can examine it for correctness.
Well, yes, except that the code is so massive that nobody is going to sit
down without pay and go through all the routines and the callbacks and
whatnot to see what the code is doing. When I wrote software it was about
20% writing code and 80% bug testing. Bug testing is not glamorous, and
there are not many people who are going to sit there and debug unless they
can make a good amount of money doing so.
Yes, you've summed up why the existing approach cannot work well.

Steve
Mike Stump
2014-04-10 19:52:38 UTC
Post by David Kaye
I had no idea that use of open source for encryption was so widespread.
It's actually more widely spread than you realize, even now.
Post by David Kaye
I'd have told anybody who would listen that this was a STOOPID idea.
Actually, it isn't a stoopid idea. You just don't realize the
benefits of it...
Steve Pope
2014-04-10 20:11:09 UTC
Post by Mike Stump
Post by David Kaye
I had no idea that use of open source for encryption was so widespread.
It's actually more widely spread than you realize, even now.
Post by David Kaye
I'd have told anybody who would listen that this was a STOOPID idea.
Actually, it isn't a stoopid idea. You just don't realize the
benefits of it...
It's not by itself a stupid idea, but is part of an overall
collection of ideas that hasn't worked out so well.

Some of the commentary over the last few days that I agree with
is that open-source software seems to be associated with an
abandonment of normal levels of software quality control and testing.

Steve
David Kaye
2014-04-10 23:22:24 UTC
Post by Steve Pope
Some of the commentary over the last few days that I agree with
is that open-source software seems to be associated with an
abandonment of normal levels of software quality control and testing.
Coders want to do the zen stuff: coding. They don't want to do the
debugging unless they get paid for it.
Bhairitu
2014-04-11 18:54:23 UTC
Post by David Kaye
Post by Steve Pope
Some of the commentary over the last few days that I agree with
is that open-source software seems to be associated with an
abandonment of normal levels of software quality control and testing.
Coders want to do the zen stuff: coding. They don't want to do the
debugging unless they get paid for it.
I have friends who worked at Microsoft and have great war tales of the
coding there. For instance they would need a function for something and
the coder would write a Swiss Army knife routine which did WAY too much
when all was needed was a simple routine.

One thing that always pissed me off about some proprietary and open
source SDKs were the example code. The author of the example was
obviously showing off to get his next gig and I would have to unwind his
code to just get the basic stuff I needed. On one proprietary embedded
platform the guy had C++ jumping between several files when a one file
example would have been ample.

This was also a problem I complained about with the Google Android
examples. Fortunately we have programmers with blogs who unwound the
examples (not to mention long winded documentation which was just an
unedited engineer dump).

One thing I liked about the MSDN was that someone mandated SIMPLE
concise examples. It was probably a bunch of cranky Microsoft engineers
not willing to unwind incomprehensible code.
David Kaye
2014-04-10 23:24:57 UTC
Post by Mike Stump
Actually, it isn't a stoopid idea. You just don't realize the
benefits of it...
Oh, the wishful thinking is that it's free and that there is all this group
wisdom coming into play that will make things better. Well, Firefox is the
result of such a group collaboration and look at what a bloated mess it
became.
Mike Stump
2014-04-11 04:44:50 UTC
Post by David Kaye
Oh, the wishful thinking is that it's free and that there is all this group
wisdom coming into play that will make things better. Well, Firefox is the
result of such a group collaboration and look at what a bloated mess it
became.
But bloated mess describes soo much software on the planet. :-)

I do wish we got more value for the bloat, but, the bloat seems to
have diminishing returns. 2* the code, 1/8* added benefit.
Bhairitu
2014-04-11 19:01:01 UTC
Post by Mike Stump
Post by David Kaye
Oh, the wishful thinking is that it's free and that there is all this group
wisdom coming into play that will make things better. Well, Firefox is the
result of such a group collaboration and look at what a bloated mess it
became.
But bloated mess describes soo much software on the planet. :-)
I do wish we got more value for the bloat, but, the bloat seems to
have diminishing returns. 2* the code, 1/8* added benefit.
My friend who worked at Microsoft was high level on the Visual Studio
project. They got a lot of programming candidates, fresh out of college,
who really didn't know how to code but just let the IDE build the code
for them. You see a lot of this nowadays.

I wanted to become familiar with Unity 3D. So I took one of my 1980s
small 2D games and used Unity's new 2D library. It was small as a web
application but for Android it made a 10 MB file which expanded to
around 20 MB when installed. Android coders complained about that as
most of the bloat was the Unity library.

So I tried a version with the open source AndGame Engine which wound up
being a little over 1 MB (most of that was graphics and audio). I also
had some fun making an HTML5 version using Javascript.
David Kaye
2014-04-09 04:54:25 UTC
Post by Thad Floryan
Security researchers who uncovered the threat, known as "Heartbleed,"
are particularly worried about the breach because it went undetected for
more than two years.
So much for open source being a panacea.
Thad Floryan
2014-04-09 05:02:38 UTC
Post by David Kaye
Post by Thad Floryan
Security researchers who uncovered the threat, known as "Heartbleed,"
are particularly worried about the breach because it went undetected for
more than two years.
So much for open source being a panacea.
Bingo!

Anyone who believes there are millions of extra eyes perusing
and poring over every line of open source code are dreaming
and deluding themselves.

If anyone, it's the criminal hackers who are reading the code
to determine how it can be exploited for financial gain and/or
for fun -- I doubt the exploits are the result of an errant
mouse click on a GUI.

Thad
Thad Floryan
2014-04-09 04:56:03 UTC
Post by Thad Floryan
http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
By MICHAEL LIEDTKE and ANICK JESDANUN, AP Technology Writers
7:01 pm, Tuesday, April 8, 2014
SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed
millions of passwords, credit card numbers and other sensitive bits of
information to potential theft by computer hackers who may have been
secretly exploiting the problem before its discovery.
[...]
Additional article with more information, none of it good even after
the vulnerability is fixed:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

Thad
Roy
2014-04-09 05:07:02 UTC
Note that two things are required for your data to be compromised:

1) The server you are accessing has to have the security hole

2) Someone has to have sniffed your data stream during the security exchange

While #1 is likely true, #2 is much more unlikely.

If you didn't use Wifi, someone has to have tapped the physical wires or
diverted traffic (like the NSA).

If you did use Wifi, someone has to have been in the vicinity to sniff
the traffic.

It's much more likely that compromises will occur now that the hole has
been exposed.
Keith Keller
2014-04-09 05:50:11 UTC
Post by Roy
2) Someone has to have sniffed your data stream during the security exchange
If you didn't use Wifi, someone has to have tapped the physical wires or
divereted traffic like the NSA).
This is absolutely and completely not true. The whole point of the
vulnerability, and why it's so awful, is that an attacker can gain
access to the process' memory simply by sending carefully crafted
heartbeat packets to the service. An attacker does *not* need any
special physical access whatsoever. To quote heartbleed.com:

"The Heartbleed bug allows anyone on the Internet to read the memory of
the systems protected by the vulnerable versions of the OpenSSL
software."

The exchange does *not* need to be sniffed in transit: if the daemon
still has your credentials in memory, they are available to attackers.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
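The mechanism Keith describes above, as an added example in C (not code from any poster and not OpenSSL's source): a heartbeat record carries a peer-supplied payload length, the pre-fix handler copies that many bytes back without checking how long the record actually was, and whatever sat in memory past the record comes along in the reply. The process-memory array, the 24-byte sample record and the credential string placed after it are constructed for the demo, and the one extra bound in the vulnerable handler exists only to keep the demo inside its own array; real OpenSSL had no such bound and read up to 64 KiB past the record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding (at least 16 bytes). */
#define HB_REQUEST  1
#define HB_HDR      3
#define HB_PADDING  16

/* Constructed stand-in for a slice of server process memory: one received
 * heartbeat record followed by unrelated data (a made-up credential) that the
 * server must never echo back.  Layout and sizes are demo assumptions. */
static uint8_t process_memory[128];
static size_t  record_len;                  /* bytes actually received */
static const char secret[] = "user=alice;pw=hunter2";

static void load_sample_memory(uint16_t claimed_len)
{
    static const char payload[] = "hello";  /* 5 real payload bytes */
    const size_t real_len = sizeof payload - 1;

    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (uint8_t)(claimed_len >> 8);      /* peer-supplied length */
    process_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(process_memory + HB_HDR, payload, real_len);
    record_len = HB_HDR + real_len + HB_PADDING;           /* 24 bytes */
    memcpy(process_memory + record_len, secret, sizeof secret - 1);  /* just past the record */
}

/* Shape of the pre-fix handler: trust the header's length and copy that many
 * bytes from the payload start, never consulting the real record length. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    size_t   off     = (size_t)(rec - process_memory);
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    (void)rec_len;                                         /* the bug: ignored */
    if (rec[0] != HB_REQUEST || payload > out_cap) return 0;
    if (off + HB_HDR + payload > sizeof process_memory) return 0;  /* demo guard only */
    memcpy(out, rec + HB_HDR, payload);                    /* over-reads past the record */
    return payload;
}

/* Shape of the fixed handler (OpenSSL 1.0.1g): header + claimed payload +
 * minimum padding must fit in the bytes received, else drop the message. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    uint16_t payload;

    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

/* Did the reply carry the credential that sat next to the record? */
static int contains_secret(const uint8_t *buf, size_t n)
{
    const size_t slen = sizeof secret - 1;
    size_t i;
    for (i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Send one heartbeat with the given claimed length through either handler.
 * Returns -1 if dropped, 1 if the reply leaked the secret, 0 if answered cleanly. */
static int heartbeat_outcome(int use_fix, uint16_t claimed_len)
{
    uint8_t out[256];
    size_t  n;

    load_sample_memory(claimed_len);
    n = use_fix ? heartbeat_fixed(process_memory, record_len, out, sizeof out)
                : heartbeat_vulnerable(process_memory, record_len, out, sizeof out);
    if (n == 0) return -1;
    return contains_secret(out, n);
}

int main(void)
{
    printf("vulnerable, honest length 5: %d\n", heartbeat_outcome(0, 5));   /* 0 */
    printf("vulnerable, claimed 64     : %d\n", heartbeat_outcome(0, 64));  /* 1: leak */
    printf("fixed, claimed 64          : %d\n", heartbeat_outcome(1, 64));  /* -1: dropped */
    printf("fixed, honest length 5     : %d\n", heartbeat_outcome(1, 5));   /* 0 */
    return 0;
}
```

Nothing in the exchange is sniffed: the leaked bytes travel back to the requester in a perfectly ordinary heartbeat response, which is why the attacker needs no position on the wire and why the server keeps no record that anything went wrong.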
Bhairitu
2014-04-09 19:46:23 UTC
Post by Thad Floryan
http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
By MICHAEL LIEDTKE and ANICK JESDANUN, AP Technology Writers
7:01 pm, Tuesday, April 8, 2014
SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed
millions of passwords, credit card numbers and other sensitive bits of
information to potential theft by computer hackers who may have been
secretly exploiting the problem before its discovery.
<snip>

We're headed for a time that the Internet will become completely
unusable because of things like this. Something that the elite would
love to see happen as they hate us peeing on their arrogance with our
comments about them.
Jeff Liebermann
2014-04-09 20:17:18 UTC
Post by Bhairitu
We're headed for a time that the Internet will become completely
unusable because of things like this.
For a while, I was collecting all the various reasons that the
internet will roll over and die. Every new innovation has produced
prediction of imminent doom. File sharing, spam, kiddie porn raids,
IP video, etc have all had their attendant doomsday prophets. Internet
2 was supposed to clean up the mess and start over. It didn't. None
of them will happen because the topology and capacity of the internet
is amazingly versatile and flexible. At best, what you'll see out of
this are various forms of secondary security, like rolling code number
generators, X.509 certificates on USB things, and maybe one-time
password generators. However, that will only happen once the victims
of Heartbleed start to appear, which so far, I've seen none.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
David Kaye
2014-04-09 21:29:30 UTC
Post by Bhairitu
We're headed for a time that the Internet will become completely
unusable because of things like this. Something that the elite would love
to see happen as they hate us peeing on their arrogance with our comments
about them.
Huh? The elite would like nothing better than to eliminate as many jobs as
they can via automation. This is why there is no job growth in America; the
elite are encouraging people to shop online and bucking any legislation
requiring them to pay sales taxes, etc.
Bhairitu
2014-04-10 18:33:45 UTC
Post by David Kaye
Post by Bhairitu
We're headed for a time that the Internet will become completely
unusable because of things like this. Something that the elite would love
to see happen as they hate us peeing on their arrogance with our comments
about them.
Huh? The elite would like nothing better than to eliminate as many jobs as
they can via automation. This is why there is no job growth in America; the
elite are encouraging people to shop online and bucking any legislation
requiring them to pay sales taxes, etc.
So now is the time for the guaranteed minimum income. ;-)

Yes, I agree that the elite have a problem because they too make money
off the Internet.
David Kaye
2014-04-10 20:04:15 UTC
Post by Bhairitu
So now is the time for the guaranteed minimum income. ;-)
It's coming. The Republicans are actually proposing it, if all the existing
welfare bureaucracy can be eliminated. I'm actually inclined to support
them on this.
Mike Stump
2014-04-10 19:35:44 UTC
Post by Bhairitu
We're headed for a time that the Internet will become completely
unusable because of things like this.
:-) You must be new around here... Are you so naive as to actually
believe that? Or put another way, the net's, the internet's imminent
death is upon us, always has been, always will be. Each year, we
close half the distance to total destruction.
Bhairitu
2014-04-11 19:05:59 UTC
Post by Mike Stump
Post by Bhairitu
We're headed for a time that the Internet will become completely
unusable because of things like this.
:-) You must be new around here... Are you so naive as to actually
believe that? Or put another way, the net's, the internet's imminent
death is upon us, always has been, always will be. Each year, we
close half the distance to total destruction.
LOL! Hardly, pal. I've been coding for over 30 years. Used pre-Internet
CompuServe, BIX, Genie and most of that to be in a remote location and
get information like I was in Silicon Valley way back in the 1980s. If
I had packed up six months after buying my first computer in 1983 and
come down here I would have had a job in days. I didn't know that until
in the 1990s I was the technical director at a major Bay Area game
company and found how difficult it was to find people with the
appropriate knowledge.