Change all your passwords, everywhere


phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Change all your passwords, everywhere

Post by phongn »

TL;DR: A huge portion of the Internet's servers suffer from a catastrophically bad security bug that exposed cleartext passwords, encryption keys and other goodies. Change your passwords once the websites you use are fixed (you can use this tool to check).
ArsTechnica wrote: Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.
(SDN is not affected as it uses a very old version of OpenSSL)
Simon_Jester
Emperor's Hand
Posts: 30165
Joined: 2009-05-23 07:29pm

Re: Change all your passwords, everywhere

Post by Simon_Jester »

How long has this bug existed?
This space dedicated to Vasily Arkhipov
Broomstick
Emperor's Hand
Posts: 28846
Joined: 2004-01-02 07:04pm
Location: Industrial armpit of the US Midwest

Re: Change all your passwords, everywhere

Post by Broomstick »

About two years, from what I've read.

Check a website before you change your passwords so you're sure you're updating it after the bug is fixed.
A life is like a garden. Perfect moments can be had, but not preserved, except in memory. Leonard Nimoy.

Now I did a job. I got nothing but trouble since I did it, not to mention more than a few unkind words as regard to my character so let me make this abundantly clear. I do the job. And then I get paid.- Malcolm Reynolds, Captain of Serenity, which sums up my feelings regarding the lawsuit discussed here.

If a free society cannot help the many who are poor, it cannot save the few who are rich. - John F. Kennedy

Sam Vimes Theory of Economic Injustice
Gaidin
Sith Devotee
Posts: 2646
Joined: 2004-06-19 12:27am

Re: Change all your passwords, everywhere

Post by Gaidin »

Uhh, if I understand correctly, at least a year, probably two. Plus or minus.
Wild Zontargs
Padawan Learner
Posts: 360
Joined: 2010-07-06 01:24pm

Re: Change all your passwords, everywhere

Post by Wild Zontargs »

Confirmed attempted exploits were logged last month by pure chance, and apparently it may have been targeted by botnets as early as last November if people are reading their logs right. At this point, assume that everything has been compromised.
Доверяй, но проверяй
"Ugh. I hate agreeing with Zontargs." -- Alyrium Denryle
"What you are is abject human trash who is very good at dodging actual rule violations while still being human trash." -- Alyrium Denryle
iustitia socialis delenda est
Guardsman Bass
Cowardly Codfish
Posts: 9281
Joined: 2002-07-07 12:01am
Location: Beneath the Deepest Sea

Re: Change all your passwords, everywhere

Post by Guardsman Bass »

Here's a list of the Top 1000 sites as of April 8th that have been tested with a tool they developed over at Github to see which sites were vulnerable.
“It is possible to commit no mistakes and still lose. That is not a weakness. That is life.”
-Jean-Luc Picard


"Men are afraid that women will laugh at them. Women are afraid that men will kill them."
-Margaret Atwood
Kitsune
Sith Devotee
Posts: 3412
Joined: 2003-04-05 10:52pm
Location: Foxes Den

Re: Change all your passwords, everywhere

Post by Kitsune »

One I see that many people may be on is Steam.
"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself."
Thomas Paine

"For the living know that they shall die: but the dead know not any thing, neither have they any more a reward; for the memory of them is forgotten."
Ecclesiastes 9:5 (KJV)
Borgholio
Sith Acolyte
Posts: 6297
Joined: 2010-09-03 09:31pm
Location: Southern California

Re: Change all your passwords, everywhere

Post by Borgholio »

As widespread as this is, I don't know if changing passwords everywhere now is a good thing. I mean sure we can keep tabs on the big banks and ISPs but people have passwords for all sorts of things. What's the point of changing passwords on a hundred websites if even just one of them is still vulnerable and making the other 99 moot?
You will be assimilated...bunghole!
Steel
Jedi Master
Posts: 1123
Joined: 2005-12-09 03:49pm
Location: Cambridge

Re: Change all your passwords, everywhere

Post by Steel »

Make sure you don't have the same password everywhere!

To get around this I moved to using lastpass, which allows you to have a vault of passwords and a separate one for each site which it will autofill for you.

Of course lastpass was caught in this so I have to change the password to it in addition to everywhere else.
Apparently nobody can see you without a signature.
Borgholio
Sith Acolyte
Posts: 6297
Joined: 2010-09-03 09:31pm
Location: Southern California

Re: Change all your passwords, everywhere

Post by Borgholio »

I have always wanted to use lastpass but I have been afraid of needing to access something remotely or on the road when I don't have lastpass available.
Broomstick
Emperor's Hand
Posts: 28846
Joined: 2004-01-02 07:04pm
Location: Industrial armpit of the US Midwest

Re: Change all your passwords, everywhere

Post by Broomstick »

I've pretty much used unique passwords for important sites for the past decade or so.

My computer passwords I never keep on anything that ever connects to the internet. I keep a hardcopy of them in a safe place.
Torben
Padawan Learner
Posts: 159
Joined: 2008-11-21 10:16pm
Location: Somewhere just to the left of reality, or SW Florida

Re: Change all your passwords, everywhere

Post by Torben »

LastPass has a mobile version that works on Android, iOS, Windows Phone, and maybe some others. It does require a paid subscription to their premium service. Cost is $12/year. You can also download an offline copy of your vault. One very nice feature about lastpass is that all data sent to them is pre-internet encrypted with locally derived keys that they do not have access to - so even they cannot access your password data (caveat, do NOT lose your master password). And they recently added a feature to the mobile app that allows them to autofill usernames/passwords in other mobile apps.

Also, in a recent blog post, they've added a tool that searches your vault and shows you a list of sites for which you have an account, whether that site was affected, and the last time they changed their security certificates.
http://blog.lastpass.com/2014/04/lastpa ... s-are.html

As others have said, at this point, don't change your passwords until you know the sites are A) affected by this, and B), have updated their SSL certificates. Otherwise you are just spinning your wheels. In fact, since this bug allows reading of random-access memory, you are safer not even attempting to log in to affected sites until they update their certs. If you don't log in, your information won't be resident and can't be obtained - unless, of course, it already has been.
“I prefer Gary,” the Centurion said. - Centurion GRY-237427, "The Hunted"

“This sucks,” Gary said, as the Land-Rams to either side exploded. “I will request a transfer from your command in our next life, Commander.” - Centurion GRY-237427, "The Hunted"

Give a man a match, you warm him for a day. Set him on fire, you warm him for the rest of his life - Terry Pratchett
Eternal_Freedom
Castellan
Posts: 10418
Joined: 2010-03-09 02:16pm
Location: CIC, Battlestar Temeraire

Re: Change all your passwords, everywhere

Post by Eternal_Freedom »

Guardsman Bass wrote:Here's a list of the Top 1000 sites as of April 8th that have been tested with a tool they developed over at Github to see which sites were vulnerable.
Thanks for posting this. I was worried until I saw that only the Steam community was listed as "vulnerable"; everything else I use with a password is "not vulnerable", which will save a LOT of time.
Baltar: "I don't want to miss a moment of the last Battlestar's destruction!"
Centurion: "Sir, I really think you should look at the other Battlestar."
Baltar: "What are you babbling about other...it's impossible!"
Centurion: "No. It is a Battlestar."

Corrax Entry 7:17: So you walk eternally through the shadow realms, standing against evil where all others falter. May your thirst for retribution never quench, may the blood on your sword never dry, and may we never need you again.
Irbis
Jedi Council Member
Posts: 2262
Joined: 2011-07-15 05:31pm

Re: Change all your passwords, everywhere

Post by Irbis »

So, let's see, here is this open source bit of data that is massively important for the well-being of the entire internet and has thousands of programmers looking at it every moment.

And there is a huge bug in it.

No one spotted it for two years.

Yet, somehow, open source fanatics always protest when you point out to them that something being open source doesn't exactly make it magically bug-free or high quality, and it is often less, not more, secure.

But pardon me this tangential remark, here's one important question. We have this massive vulnerability that someone had to spot and then not tell anyone about. If we're being paranoid, we'd even say a vulnerability someone put there in the first place. If so, who? Net criminals?

Or maybe Prism had a brother, a little brother that was supposed to go after encrypted information Prism couldn't reach. Maybe it was some humourless three-letter agency that created it and then tried to pretend it doesn't exist. Hmm. I wonder what else Snowden's colleagues could tell us.

Of course, the above scenario is silly. It's not like any government would do that, right? Right? :|
Starglider
Miles Dyson
Posts: 8709
Joined: 2007-04-05 09:44pm
Location: Isle of Dogs

Re: Change all your passwords, everywhere

Post by Starglider »

C++ is just a bad idea for anything security critical. I mean, the design of this feature was stupid and possibly malicious in the first place (payload completely unnecessary), but if it had been written in an automatic memory managed language the exploit would be impossible.

Although on a side note the TCP protocol design is partially responsible, heartbeats are an application layer fix for something that should be handled properly at the transport layer.
Irbis
Jedi Council Member
Posts: 2262
Joined: 2011-07-15 05:31pm

Re: Change all your passwords, everywhere

Post by Irbis »

Starglider wrote:C++ is just a bad idea for anything security critical. I mean, the design of this feature was stupid and possibly malicious in the first place (payload completely unnecessary), but if it had been written in an automatic memory managed language the exploit would be impossible.
Upon thinking a bit more on the matter - yeah, I suppose it could have been simple stupidity, but it still sounds like an exploit a spy agency, not a criminal, would like to have.

And yes, I agree some languages just aren't suited to tasks people try to kludge out of them. Perhaps we should talk less about 'good programming practices' and just enforce them automatically. It's not like the performance hit would be noticeable in most cases, and the quality of programmers will only go down anyway.
Formless
Sith Marauder
Posts: 4144
Joined: 2008-11-10 08:59pm
Location: the beginning and end of the Present

Re: Change all your passwords, everywhere

Post by Formless »

Eternal_Freedom wrote:
Guardsman Bass wrote:Here's a list of the Top 1000 sites as of April 8th that have been tested with a tool they developed over at Github to see which sites were vulnerable.
Thanks for posting this. I was worried until I saw that only the Steam community was listed as "vulnerable"; everything else I use with a password is "not vulnerable", which will save a LOT of time.
Indeed. Kinda makes the thread title seem... over the top. Still, should probably do something about the old yahoo account...
"Still, I would love to see human beings, and their constituent organ systems, trivialized and commercialized to the same extent as damn iPods and other crappy consumer products. It would be absolutely horrific, yet so wonderful." — Shroom Man 777
"To Err is Human; to Arrr is Pirate." — Skallagrim
“I would suggest "Schmuckulating", which is what Futurists do and, by extension, what they are." — Commenter "Rayneau"
The Magic Eight Ball Conspiracy.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Change all your passwords, everywhere

Post by phongn »

Borgholio wrote:I have always wanted to use lastpass but I have been afraid of needing to access something remotely or on the road when I don't have lastpass available.
It does have offline caching support, there's a mobile client (for a $12/year fee) or you could use something like Keepass and sync via Dropbox.
Starglider wrote:C++ is just a bad idea for anything security critical. I mean, the design of this feature was stupid and possibly malicious in the first place (payload completely unnecessary), but if it had been written in an automatic memory managed language the exploit would be impossible.
C++? Try straight-C. Even C++ has some guards against this. It didn't help that OpenSSL guys wrote their own allocator because some malloc() implementations were slow, and then globally enabled it.
Irbis wrote:So, let's see, here is this open source bit of data that is massively important for well being of entire internet and has thousands of programmers looking at it every moment.
What? No. OpenSSL has a handful of developers and is badly underfunded.
But pardon me this tangential remark, here's one important question. We have this massive vulnerability that someone had to spot and then not tell anyone about. If we're being paranoid, we'd even say a vulnerability someone put there in the first place. If so, who? Net criminals?

Or maybe Prism had a brother, a little brother that was supposed to go after encrypted information Prism couldn't reach. Maybe it was some humourless three-letter agency that created it and then tried to pretend it doesn't exist. Hmm. I wonder what else Snowden's colleagues could tell us.

Of course, the above scenario is silly. It's not like any government would do that, right? Right? :|
You are being paranoid. We know who committed the change.
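The point phongn and Starglider are arguing over is a missing length check in C: the heartbeat handler copied as many bytes as the peer's length field claimed, out of a buffer OpenSSL managed itself, without comparing that claim against the record actually received. The following is an added illustration written for this thread, not OpenSSL's code: a constructed arena stands in for the reused record buffer, with a labelled fake string (no real data) placed behind the record, and the unchecked and checked handlers, `scenario_len`, and `scenario_leaks` are all names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the freelist-backed buffer OpenSSL reused for
 * records: the incoming heartbeat record sits at the front, and whatever the
 * buffer held earlier (here a labelled fake string, not real data) sits
 * directly behind it. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char STALE[] = "FAKE-SECRET-LEFT-OVER-IN-BUFFER";

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding the heartbeat RFC requires */

/* Write a heartbeat record into the arena. claimed_len goes into the record's
 * 16-bit length field; actual_len is how many payload bytes really follow.
 * Returns the record length the TLS record layer would report. */
static size_t build_record(uint16_t claimed_len, const char *payload,
                           size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + rec_len, STALE, sizeof STALE);   /* left-over bytes */
    return rec_len;
}

/* Pre-fix behaviour: the peer-supplied length is trusted and that many bytes
 * are echoed back, so a claim larger than the record walks into stale memory.
 * rec_len is received but never consulted, which is the whole bug. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap)
{
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload > out_cap) return 0;  /* only protects our own buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + (size_t)payload;
}

/* Post-fix behaviour: reply only if type + length + claimed payload + minimum
 * padding all fit inside the record actually received; otherwise drop it. */
static size_t heartbeat_checked(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;           /* cannot hold a length */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0; /* the missing check */
    if (3 + (size_t)payload > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + (size_t)payload;
}

/* Does a response carry the stale bytes that were never part of the request? */
static int response_leaks(const unsigned char *out, size_t out_len)
{
    size_t pat = strlen(STALE);
    for (size_t i = 3; i + pat <= out_len; i++)
        if (memcmp(out + i, STALE, pat) == 0) return 1;
    return 0;
}

/* A request that claims `claimed` payload bytes but carries only "ping". */
static size_t scenario_len(uint16_t claimed, int use_fix)
{
    static unsigned char out[ARENA_SIZE];
    size_t rl = build_record(claimed, "ping", 4);
    return use_fix ? heartbeat_checked(arena, rl, out, sizeof out)
                   : heartbeat_unchecked(arena, rl, out, sizeof out);
}

static int scenario_leaks(uint16_t claimed, int use_fix)
{
    static unsigned char out[ARENA_SIZE];
    size_t rl = build_record(claimed, "ping", 4);
    size_t n = use_fix ? heartbeat_checked(arena, rl, out, sizeof out)
                       : heartbeat_unchecked(arena, rl, out, sizeof out);
    return response_leaks(out, n);
}

int main(void)
{
    printf("unchecked: %zu bytes echoed, stale data leaked: %d\n",
           scenario_len(60, 0), scenario_leaks(60, 0));
    printf("checked:   %zu bytes echoed (0 = request dropped)\n", scenario_len(60, 1));
    return 0;
}
```

The one-line comparison in `heartbeat_checked` is the substance of the fix; a managed language would have thrown on the over-long copy instead of silently reading the neighbouring bytes, which is Starglider's point.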
Zaune
Emperor's Hand
Posts: 7540
Joined: 2010-06-21 11:05am
Location: In Transit

Re: Change all your passwords, everywhere

Post by Zaune »

On the other hand, if a bug this serious had been found in something that wasn't open-source then there's a good chance some REMF in the Marketing department would be trying to bury the news and shoot the messenger.
There are hardly any excesses of the most crazed psychopath that cannot easily be duplicated by a normal kindly family man who just comes in to work every day and has a job to do.
-- (Terry Pratchett, Small Gods)


Replace "ginger" with "n*gger," and suddenly it become a lot less funny, doesn't it?
-- fgalkin
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Change all your passwords, everywhere

Post by phongn »

Zaune wrote:On the other hand, if a bug this serious had been found in something that wasn't open-source then there's a good chance some REMF in the Marketing department would be trying to bury the news and shoot the messenger.
Not necessarily. Microsoft, for example, is very good about security reporting.
Irbis
Jedi Council Member
Posts: 2262
Joined: 2011-07-15 05:31pm

Re: Change all your passwords, everywhere

Post by Irbis »

phongn wrote:What? No. OpenSSL has a handful of developers and is badly underfunded.
The company, yes, but I meant a lot of programmers I know tend to look at source code of things they work with or similar to their projects as hobby or means of learning.
You are being paranoid. We know who committed the change.
Yes, we know who did it. Do we know if it was stupidity, laziness, or malice?

To elaborate: at the moment I said it could be intentional work, I saw a post stating the change was added right after Christmas 2011, a rather curious time for work (and a good time if you wanted everyone to not look too attentively). I didn't check personally whether it was the correct change, though, so take it with a grain of salt; surely someone will do the research and publish a story on that soon.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Change all your passwords, everywhere

Post by phongn »

Irbis wrote:
phongn wrote:What? No. OpenSSL has a handful of developers and is badly underfunded.
The company, yes, but I meant a lot of programmers I know tend to look at source code of things they work with or similar to their projects as hobby or means of learning.
Only crazy people do that for OpenSSL.
Yes, we know who did it. Do we know if it was stupidity, laziness, or malice?
Guy made an honest mistake. The (sole) reviewer didn't see the bug.
Beowulf
The Patrician
Posts: 10621
Joined: 2002-07-04 01:18am
Location: 32ULV

Re: Change all your passwords, everywhere

Post by Beowulf »

The problem was and is that there weren't enough eyes on it. The solution should be for the companies that are incredibly dependent on this software to fork out a bit so that OpenSSL has more people to actually do development. And/or, have a serious competitor to OpenSSL so that 66% of servers that use SSL don't depend on OpenSSL.
"preemptive killing of cops might not be such a bad idea from a personal saftey[sic] standpoint..." --Keevan Colton
"There's a word for bias you can't see: Yours." -- William Saletan
PainRack
Emperor's Hand
Posts: 7583
Joined: 2002-07-07 03:03am
Location: Singapura

Re: Change all your passwords, everywhere

Post by PainRack »

Just how does one go about checking whether the banks are affected?

Does the tool provided just check the website or?


Also, what are the implications of steamcommunity being affected? I ask because, for convenience's sake, I actually left my credit card info on my Steam account, making it easier to buy games...
Let him land on any Lyran world to taste firsthand the wrath of peace loving people thwarted by the myopic greed of a few miserly old farts- Katrina Steiner
Welf
Padawan Learner
Posts: 417
Joined: 2012-10-03 11:21am

Re: Change all your passwords, everywhere

Post by Welf »

phongn wrote:You are being paranoid. We know who committed the change.
From Bloomberg, the NSA knew about the issues with OpenSSL and exploited them instead of informing users. And if they risk the security of millions of companies and users it's not a big stretch to assume they may have put it there in the first place. Or if they haven't, that they try it next time.
NSA Said to Exploit Heartbleed Bug for Intelligence for Years
By Michael Riley 2014-04-11T18:58:48Z


The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.


Controversial Practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

Free Code

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.


In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

Serious Flaws

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to insure the security of our most sensitive transactions.

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

Flawed Protocol

The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

Ordinary Data

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

SSL Protocol

The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

“I knew hackers who could break it nearly 15 years ago,” Lewis said of the SSL protocol.

That may not soothe the millions of users who were left vulnerable for so long.

Following the leaks about NSA’s electronic spying, President Barack Obama convened a panel to review the country’s surveillance activities and suggest reforms. Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather that exploit them, and that they be used only in “rare instances” and for short periods of time.

Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.

PainRack wrote:Just how does one go about checking whether the banks are affected?

Does the tool provided just check the website or?


Also, what are the implications of steamcommunity being affected? I ask because, for convenience's sake, I actually left my credit card info on my Steam account, making it easier to buy games...
Banks probably use different security measurements. The article above mentions that the problems with SSL have been known for years and thus it is not the preferred method for sensitive data.

Btw, XKCD explains how the bug works:
