
Heartbleed Bug: Millions of Internet Sites Compromised

How do I know this list is legit and I can safely change my password at these sites?
The list is reputable. Several other news sites and security sites have lists that have the safe/unsafe sites already listed.
 
I don't trust anything on the internet now. Everything has been compromised.

How do we know that's actually you, Teelie?
 
It's me, Dave. I mean Sawyer... er ComicChick? Ah, yes, Teelie.
 
Run away!

 
How do I know this list is legit and I can safely change my password at these sites?

Just follow the link; they have the full list of sites that have fixed the problem now. You can bet your bottom dollar the big boys are going to fix it ASAP. Would be some horrible PR if millions had their ish hacked.
 
Heartbleed Affects Routers, Too

Some more heartache from Heartbleed: it affects routers, too. Cisco Systems and Juniper Networks have announced that the security hole that is Heartbleed has been found in their networking equipment.

It's perhaps not too surprising that the bug—basically a simple flaw in OpenSSL that allows attackers to bypass the usual security protocols used by many sites—is present in networking devices. After all, they use SSL too, and older devices naturally use an older version.

It is, however, a laborious task to check hardware for the flaw. Fortunately, not all networking hardware is affected, because they don't all use the same version of OpenSSL. So far, only Cisco Systems and Juniper Networks have admitted that their devices are at risk.

You can check to see if your Juniper Networks device is affected here and here, or your Cisco Systems device here. Both companies are working on patches for the affected hardware, which you'll want to download and install ASAP.

http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/?ncid=rss_truncated

Well, that sucks; it just keeps getting worse and worse. I have a feeling this won't be the last thing we hear that it affects.
 
How to Check If Your Android Device Could Be Hacked via Heartbleed

Heartbleed is causing heartache on hundreds of servers all over the internet, but security researchers have also warned that the bug could allow direct hacks of Android, too. Here's how to check if your device is at risk.

While researchers at security firm Symantec happily report that the major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS—so are unaffected by Heartbleed—the same isn't true of the Android OS. Ars Technica explains how your Google-powered device could be compromised:

[T]he most likely scenario for an attacker exploiting a vulnerable Android device is to lure the user to a booby-trapped website that contains a cross-site request forgery or similar exploit that loads banking sites or other sensitive online services in a separate tab. By injecting malicious traffic into one tab, the attacker could possibly extract sensitive memory contents corresponding to the sites loaded in other tabs, he said. A less sophisticated version of the attack—but also one that's easier to execute—might simply inject the malicious commands into a vulnerable Android browser and opportunistically fish for any sensitive memory contents that may be returned.

With so many tweaked and forked versions of Android out there, though, it's tough to provide a conclusive list of exactly which devices are affected. But good news: Heartbleed Detector, a free app developed by Lookout Mobile, will tell you if your device is at risk.

So, go download the app and run it. It will tell you if your device contains the vulnerable version of OpenSSL that Heartbleed affects. It will also tell you if the Heartbeat extension that hosts the coding bug is enabled. If you don't have the vulnerable version, or you do but the extension isn't enabled, you should be just fine. Otherwise, you better hold tight and act carefully until your OS is patched.

http://arstechnica.com/security/201...tes-millions-of-android-phones-other-devices/

Just thought some of you may want to see if you're vulnerable on your device.
 
My droid phone is affected apparently, but the "vulnerable behavior" is not enabled. So everything is good.
 
My droid phone is affected apparently, but the "vulnerable behavior" is not enabled. So everything is good.


:csad: My poor about 1 month old Virgin Mobile Awe is affected, but it's also not enabled like yours.


:o you would think **** like this would leave Sprint alone since they're in last place.

:rimshot:
 
I think we need to close the Internet until all vulnerable equipment is fixed...
 
I sense a new Internet doomsday movie coming out. :awesome:
 
Canadian Teen Is the First Arrested for Stealing Data With Heartbleed

In what's sure to be the first of many to come, a 19-year-old Canadian man was arrested for exploiting the Heartbleed bug to lift taxpayer data from a government website, making this the first official Heartbleed-related arrest.

According to the Canada Revenue Agency (CRA), the suspect, Stephen Solis-Reyes, lifted at least 900 social insurance numbers by exploiting the Heartbleed vulnerability. While the agency has yet to determine whether or not that was the extent of the theft, Solis-Reyes is being charged with unauthorized use of computer and mischief in relation to data.

Since Heartbleed is undetectable by definition, this arrest raises the question of how exactly he was caught. Maybe he was using the data he stole, but so far the details aren't clear. What's more, we also have no idea whether the exploit happened before or after the bug went public. Either way, though, it's highly unlikely this is going to be an isolated case. So if you haven't already, please, let this be a reminder—change your damn password.

http://www.reuters.com/article/2014/04/16/us-cybersecurity-heartbleed-arrest-idUSBREA3F1KS20140416

Surprised it took this long before someone got busted. I would also like to know just how they figured out he was doing this.
 
It's also making an impact in "Person of Interest".
 
Developers: Heartbleed-Affected OpenSSL Code Is Beyond Repair

OpenSSL is screwed, and as a result we've got Heartbleed. But now a team of developers working to overhaul the code have deemed it beyond repair—and are instead creating an alternative, forked version.

Ars Technica reports that Theo de Raadt and his team have been probing OpenSSL and found it in an absolute mess. In an email to Ars, he explained:

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers. The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

So, he and his team have created the LibreSSL code base—a forked version of OpenSSL which essentially starts over. In a little over a week, they've removed 90,000 lines of C code without affecting functionality, which just goes to show how awfully written the OpenSSL standard was.

Still a work in progress, the LibreSSL project has a bare bones website that is left appealing on purpose, declaring that "this page scientifically designed to annoy web hipsters." They're seeking funding and hoping to build an alternative to OpenSSL that doesn't screw us all. Sounds pretty great, even if you are a web hipster.

http://arstechnica.com/information-...eyond-repair-claims-creator-of-libressl-fork/

Man, I can't believe how totally screwed up this thing is.
 
If the internet goes down, the world stops period. Everything revolves around us being able to do **** like this. If I couldn't get on the internet I'd put my pants on my head, grab a gun and start running around in the streets screaming ANARCHY! Many would follow.
 
It won't be that bad, although it should never have gotten as bad as it was except for the cheapskate sites with billions of dollars who couldn't even fork over a few grand to fund the developers.
 
It will get that bad, Teelie


ANARCHY!!!!!!!!
 
The Team in Charge of OpenSSL: Two Guys Named Steve

Earlier this month, we found out that OpenSSL was screwed in the worst possible way: we all got Heartbleed. But fortunately there's an expert team working to solve the problems: err, two guys named Steve.

Buzzfeed has an excellent feature about Steve Marquess and Stephen Henson, the two men who have been primarily responsible for OpenSSL for more than a decade. The feature reveals that the open source protocol is severely understaffed and underpaid—so it's perhaps no surprise that a simple flaw like Heartbleed made it into the code. From Buzzfeed:

Something needs to change, and goodwill and fond words alone won't cut it. Right now significant parts of the internet's cryptographic security rely on a tiny handful of people who are already stretched to the limits. If that fails, the modern world as we know it could cease to work as it should.

Damn. Straight. Good news, then, that there are already efforts to secure more funding for the project, and, as BuzzFeed reports, the OpenSSL team is already planning on bringing a second full-time developer to the mix. Phew. You should go read the feature, it's great.

http://www.buzzfeed.com/chrisstokelwalker/the-internet-is-being-protected-by-two-guys-named-st

Let's give it up for the Steves! Man, this has been one crazy story.
 
More than Half of Heartbleed-Vulnerable Servers Are Still Exposed

Over 300,000 servers out of the 600,000 that were vulnerable to Heartbleed are still unpatched two months after the nasty vulnerability in OpenSSL was discovered by a Google engineer.

The numbers were announced by security researcher Robert David Graham, who found that although half of the 600,000 servers were patched a month after Heartbleed was discovered, only about 9,000 were patched in the last month.

It's safe to assume that most of the bigger sites have been patched. But the fact that more than half the servers haven't bothered to implement the fix should give you cause for concern. Heartbleed, after all, was little more than a dumb coding mistake that could easily be exploited by hackers to get all sorts of sensitive information like usernames, passwords, encryption keys and more from websites.

Moral of the story: even if you changed your passwords, you might still be unsafe.

http://www.theverge.com/2014/6/22/5...ers-vulnerable-to-heartbleed-two-months-later

Some sites are just stupid lazy
 
