Don't log on to your bank today? (SSL Vulnerability)

[Virgil Showlion]

It's legitimate.

It would have an extremely low chance of revealing your financial information in particular, but you might want to hold off banking (or online transactions in general) for a few days until banks/retailers patch the software, unless it's critical.

The problem is that an attacker is able to see small, random blocks of data that reside in various buffers on the compromised servers. It's like tiny random peepholes appearing in the walls of people's houses for a short while each. Many of those peepholes would show nothing interesting, but every once in a while one might look into someone's home study at an angle that gives a peeping tom a view of the owner's bank account passwords or personal info.

Since most institutions aren't in the habit of giving out details on their software or security setup, it's next to impossible to determine which institutions are affected without inside knowledge. What you might see is institutions announcing that they are patched against the vulnerability--which of course they'll only announce after they've patched their software.

[movingforward]

Well crap... too late for me... I logged on this morning

[milee]

Great.   Of course I've been working on taxes and have been in all our accounts extensively over the last few days - business, personal, obscure ones we only touch once or twice a year... fantastic. 

[Virgil Showlion]

Apr 8, 2014 18:07:47 GMT -5 @wrongsideof30 said:

Apr 8, 2014 17:48:38 GMT -5 milee said:

Great.   Of course I've been working on taxes and have been in all our accounts extensively over the last few days - business, personal, obscure ones we only touch once or twice a year... fantastic. 

From my understanding, this vulnerability was realized through "proof of concept", rather than an actual data breach. So as far as anybody knows, nobody has ever used this exploit to hack anything. Is this right, Virgil Showlion?

They don't know how often it's been used. They had no way of detecting the exploit.

If the flaw had thus far been widely discovered and used by hackers, institutions would eventually know "something" was up by a flood of customers complaining about unauthorized activity on their accounts (and perhaps this was the case, thus triggering an investigation and the discovery of the vulnerability). But if only a few hackers knew about it and used it sparingly, they might have compromised quite a few accounts. The vulnerability has apparently been around for years.

What we do know is that the vulnerability was discovered by a "good guy", who released the news to select security groups, etc.  One of the groups (unnervingly, the company that Proboards uses for a lot of its content hosting) jumped the gun and blabbed about the flaw "early", which will of course have caught the attention of every hacker and his dog that didn't know about it. These hackers will now likely try to exploit the flaw as much as possible before the window of opportunity closes.

Part of the problem is that the data being exposed by the vulnerability isn't necessarily restricted to people's recent transactions.

Hence the short answer is: We have no idea how often the vulnerability has been exploited. We only know that it wasn't exploited so much that affected institutions suspected a major breach before now.

[chiver78]

oy. I had to log in to a CC site a couple times today for BS fraud red flags (they were actually me, in places I don't ordinarily go)

not happy with the CC world in general ove rthe past week or so, this isn't helping matters.

[Virgil Showlion]

Apr 8, 2014 22:01:32 GMT -5 @wrongsideof30 said:

Do you think there is any merit to this, or is it tinfoil hat type stuff?

Although I wouldn't put anything past the NSA, this really doesn't seem like their "style".

All of the NSA data spying schemes thus far exposed by Mr. Snowden have been highly efficient, streamlined affairs, perpetrated with the complicity of various institutions, ISPs, etc.  The NSA is powerful enough that its agents can go to company X and say "We're going to monitor packets being sent to your site. National security." or "We're going to read e-mails passing through your routers on their way to their destinations. National security.", and company X basically has no choice but to say "Yes, sir. Right away, sir."

There have been a few cases where the NSA and their British counterparts have exploited software vulnerabilities. For example (and I'm not kidding about this) remotely capturing and storing footage from million of computer webcams, which even I thought was tinfoil until a few months ago. But even these programs yielded relatively highly specific data associated to specific accounts that could easily be mined and cataloged en masse without any human supervision.

This current vulnerability is like the random peephole in the wall analogy I gave earlier. The data that you could read off a server would be, at best, a mashup of unsorted fragments of data of unknown nature and composition, very likely to be from multiple sources. Hence in the peephole analogy, imagine that what you can see through the peephole is a random collection of bits and pieces of many different rooms from many different houses, all mashed together without rhyme or reason.

A human could, with a fair bit of probing, possibly root out some juicy tidbits of data like a CC number or an account password. But computer AI is presently nowhere near this degree of sophistication. At the very least, data of this nature would need to mined with the constant supervision of a human operator, and it would be incredibly labour-intensive work just to obtain some dubious, low-quality data.

A lone hacker wouldn't care, because even if 99% of his attempts fail, all he needs to do is properly interpret one or two juicy tidbits of data to get his payoff. The NSA on the other hand is presumably in the business of collecting a lot of solid data about a large number of people. So this kind of approach would be more or less useless to them. It would require an army of human operators, and even then, the data being collected would be questionable to the point of being useless.

Hence my conclusion is that although the NSA certainly could have exploited something like this to gather data on Americans, I highly doubt they did. Too shoddy and low-brow for them. Like Bernie Madoff scamming kids at a carnival with a rigged shell game.

[8 Bit WWBG]

Count me in on "accessed all my good stuff for finishing taxes".

It really reminds me of that line in MIB "there's ALWAYS an intergalactic destroyer, or a correlian death ray, or an intergalactic ray poised to wipe out life on this miserable little planet.  The only thing that lets these people go on with their sad little lives is that they do.  not.  know. about it.".

[Virgil Showlion]

Apr 11, 2014 14:36:36 GMT -5 @wrongsideof30 said:

Apr 8, 2014 23:09:20 GMT -5 Virgil Showlion said:

Although I wouldn't put anything past the NSA, this really doesn't seem like their "style".

I'm going to dig that tinfoil hat I was working on out of the garbage.

"It's true. After days of speculation over whether the NSA knew about the Heartbleed vulnerability that affected as many as two thirds of the websites on the internet, two anonymous sources tell Bloomberg that the NSA didn't just know about it, they used it to gather intelligence."

gizmodo.com/nsa-used-heartbleed-to-spy-on-people-for-years-1562307207?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow

and

www.zerohedge.com/news/2014-04-11/nsa-abused-heartbleed-bug-years-left-consumers-exposed-attack

Two anonymous sources isn't exactly a gold standard of proof, but if they materialize into something more tangible, count me once again stupefied by the depths to which the NSA would plunge to spy on private data (and at the expense of leaving the world exposed to a gaping security vulnerability).

If somebody can actually make something stick, whoever ran the program is going to be crucified.

[Deleted]

Thankfully we run Windows IIS instead of this open source crap.

[NoNamePerson]

Apr 11, 2014 14:48:55 GMT -5 8 Bit WWBG said:

Count me in on "accessed all my good stuff for finishing taxes".

It really reminds me of that line in MIB "there's ALWAYS an intergalactic destroyer, or a correlian death ray, or an intergalactic ray poised to wipe out life on this miserable little planet.  The only thing that lets these people go on with their sad little lives is that they do.  not.  know. about it.".

I love that movie!!!

[8 Bit WWBG]

And it was so smart, in many ways!  Did you notice that Al Roker was one of the people being monitored as being an alien?

[NoNamePerson]

And the worm guys leaving with their luggage and cigarettes cracks me up everytime. Ok now back to the serious subject at hand  

[Deleted]

Family member in IT sent me the following link which was helpful to understand which passwords might be at risk.

mashable.com/2014/04/09/heartbleed-bug-websites-affected/

[NoNamePerson]

Did anyone look at this link posted? Change password Yahoo Mail NO Yahoo YES - that story confused the hell out of me but I confuse easily       

[Deleted]

The link I put up says Yahoo & Yahoo Email = YES.

"As soon as we became aware of the issue, we began working to fix it... and we are working to implement the fix across the rest of our sites right now." Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says.

[NoNamePerson]

You're right I misread the Yahoo thing. Interesting that Financial/Tax related site had NO beside them. Why not say change passwords on all sites you access by password? We'll probabaly find out the "experts" telling which sites are affected are the ones doing the hacking