  1. #1
    Banned.

    Join Date
    Jun 2008
    Posts
    6,514
    BG Level
    8
    FFXI Server
    Phoenix

    Heartbleed Bug AKA Internet Apocalypse 2014 AKA CHANGE ALL THE PASSWORDS (EXCEPT PORN MAYBE)

    Security flaw in OpenSSL encryption means that up to 66% of the websites in the world are affected by this. They're calling it the biggest internet security threat ever. FYI it's been there for over 2 years and they just found it recently. Changing your password is only recommended for websites that have taken action to remove the security threat. Therefore, outside of the big popular websites, you'll have to contact the website/server and ask them if your information is in danger. Banks are not affected, but if your password is the same as something else, you should change those too.

    Here's How To Protect Yourself From The Massive Security Flaw That's Taken Over The Internet

    The Heartbleed Hit List: The Passwords You Need to Change Right Now

    Testing site for vulnerability

  2. #2
    BG Content
    Join Date
    Oct 2005
    Posts
    69,492
    BG Level
    10
    FFXIV Character
    Six Souls
    FFXIV Server
    Gilgamesh
    FFXI Server
    Quetzalcoatl
    WoW Realm
    Malorne
    Blog Entries
    9

    It only affects servers that haven't been patched with the April 7th update, but it is still recommended to change passwords.

  3. #3
    Nidhogg
    Join Date
    Apr 2007
    Posts
    3,895
    BG Level
    7

    Ah, fuck it at this point. Five hundred websites, at least 5 passwords, so so so many accounts. Dumb it down for me, should I really be worried about my nudies in my email? Fuck it.

  4. #4
    Banned.

    Join Date
    Jun 2008
    Posts
    6,514
    BG Level
    8
    FFXI Server
    Phoenix

    Depends on which email system you use, but this bug has been around for 2 years. So potentially, yes.

  5. #5
    hey
    listen!
    Join Date
    Apr 2011
    Posts
    7,234
    BG Level
    8
    FFXI Server
    Sylph

    I like on that hit list when they say they have no reason to believe any data was compromised, even though there would never be any evidence of it if it had been.

  6. #6
    Resident Moogle
    Join Date
    Mar 2007
    Posts
    13,185
    BG Level
    9
    FFXI Server
    Asura

    A reminder that password managers are awesome and you should be using one. Easiest way to keep track of which sites you have accounts on.

    Still a horrible wake-up call for web servers across the world though

  7. #7
    Hyperion Cross
    Join Date
    Jan 2007
    Posts
    8,885
    BG Level
    8
    FFXIV Character
    Kai Bond
    FFXIV Server
    Gilgamesh

    Quick odd question but just trying to get my head around it.

    This only affects sites using SSL (sites that have https in the url) right? So sites with no encryption are fine (such as BG)?

  8. #8
    hey
    listen!
    Join Date
    Apr 2011
    Posts
    7,234
    BG Level
    8
    FFXI Server
    Sylph

    Quote (originally posted by The Stig):
    Quick odd question but just trying to get my head around it.

    This only affects sites using SSL (sites that have https in the url) right? So sites with no encryption are fine (such as BG)?

    Yes. Not all sites using ssl either, just ones using any openssl version from the last 2 years or so. Older versions, or other ssl libraries are unaffected. However it's likely that most sites are.

  9. #9
    Hyperion Cross
    Join Date
    Jan 2007
    Posts
    8,885
    BG Level
    8
    FFXIV Character
    Kai Bond
    FFXIV Server
    Gilgamesh

    Thanks, that's great thanks for confirming. The severe doubts/worry/panic of people here got myself paranoid despite being self-assured that logically a lot of our stuff is unaffected (1: I checked through the tools available, 2: we use IIS, 3: openssl is a bit more unix based).

    No one wants to trust me for some reason

  10. #10
    hey
    listen!
    Join Date
    Apr 2011
    Posts
    7,234
    BG Level
    8
    FFXI Server
    Sylph

    Not everything is affected, but probably like half of everything using ssl is/was. It's pretty serious.

  11. #11
    Pandemonium
    Join Date
    Jul 2008
    Posts
    4,875
    BG Level
    7
    FFXI Server
    Bismarck

    Quote (originally posted by Kaisha):
    A reminder that password managers are awesome and you should be using one. Easiest way to keep track of which sites you have accounts on.

    This is why I thought it was rather hilarious when I saw that LastPass was one of those affected.

  12. #12
    Brown Recluse
    Sweaty Dick Punching Enthusiast

    Join Date
    May 2006
    Posts
    28,144
    BG Level
    10
    FFXI Server
    Unicorn

    I just ran through the list and pornhub and xvideos are safe. Just an FYI

    World of tanks is a different story lol

  13. #13
    Leader of the Brain Eating Space Monkeys
    Join Date
    Dec 2009
    Posts
    425
    BG Level
    4
    FFXI Server
    Ramuh

    Quote (originally posted by Dimmauk):
    I just ran through the list and pornhub and xvideos are safe. Just an FYI

    oh thank god!

  14. #14
    A. Body
    Join Date
    Apr 2007
    Posts
    3,939
    BG Level
    7

    wait, why do you guys have log ins to those...?

    EDIT: just worried I'm missing out on some great porn and only have access to a partial library.

  15. #15
    Ridill
    Join Date
    Jul 2008
    Posts
    11,251
    BG Level
    9

    Quote (originally posted by 6souls):
    It only affects servers that haven't been patched with the April 7th update, but it is still recommended to change passwords.

    While it only affects said servers, the greater issue is if the servers that are doing the updating are legit. Seeing as you can steal certificates using this bug it complicates a shit load. Basically even if the servers have patched, until they issue new certs, updating passwords isn't going to do shit if someone is using this in the wild.

    Also the vuln checker may not work properly up there. Troy Hunt tweeted earlier showing how he checked the same site twice and had 2 different results spit back to him.

    Quote:
    wait, why do you guys have log ins to those...?

    lol this. Only account I have is to video.anonib since you have to have one to view some vids.

    Quote:
    A reminder that password managers are awesome and you should be using one. Easiest way to keep track of which sites you have accounts on.

    Google Chrome even has a password generator option for when it detects forms. You have to enable it by going into chrome://flags/ and turning it on. Pretty good if you use Chrome to save passwords, allowing you to use large passwords that a simple facebook scan/dictionary attack won't break

  16. #16
    Black Belt
    Join Date
    Apr 2005
    Posts
    5,923
    BG Level
    8
    FFXI Server
    Bahamut

    Quote (originally posted by Penthesilea):
    wait, why do you guys have log ins to those...?

    So you can make a list of your favorite videos without trying to remember which of the 6000 "Foot Job Threesome Interacial Bukakke" videos it was. You can do that with a free login, at least on Xhamster and pornhub.

  17. #17
    Brown Recluse
    Sweaty Dick Punching Enthusiast

    Join Date
    May 2006
    Posts
    28,144
    BG Level
    10
    FFXI Server
    Unicorn

    Need to add AKA YOUR PORN IS SAFE to the title

  18. #18
    Relic Shield
    Join Date
    Apr 2010
    Posts
    1,544
    BG Level
    6
    FFXIV Character
    Azull Abaddon
    FFXIV Server
    Cactuar
    FFXI Server
    Leviathan

    xkcd, which you should read anyways, seems to have the best summary of how the fuck this happens that I have seen.
    http://xkcd.com/1354/

  19. #19
    Ridill
    Join Date
    Jul 2008
    Posts
    11,251
    BG Level
    9

    http://en.wikipedia.org/wiki/Data_validation

    https://www.owasp.org/index.php/Inpu...on_Cheat_Sheet

    This sort of shit happens all the time, but this is on a huge scale. Also like the comic states, it dispenses random sections of 16kb worth of memory, so I guess you can HOPE your shit wasn't in memory at the time of an attack if it was used in the wild! haha

    Here's something else fun for people to do that are using windows if you want to fuck around with your memory!

    http://carnal0wnage.attackresearch.c...z-via-bat.html

    http://blog.gentilkiwi.com/securite/mimikatz/minidump
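
The input-validation failure that posts #18 and #19 point at (a server echoing back more memory than the request actually contained), as an added example that is not part of any post in this thread and is not OpenSSL's code: a toy heartbeat reply before and after the declared payload length is checked against the bytes received. The 64-byte arena, the function names and the sample data are constructed for illustration; the request layout (type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR        3    /* type(1) + payload_length(2) */
#define MIN_PAD    16   /* minimum padding after the payload */
#define ARENA_SIZE 64   /* toy "process memory" (assumption of this demo) */
#define SECRET_OFF 32   /* constructed: unrelated data stored after the record */

/* Constructed sample: a 23-byte request carrying "ping", declaring any length. */
size_t build_arena(uint8_t mem[ARENA_SIZE], uint16_t declared)
{
    memset(mem, 0, ARENA_SIZE);
    mem[0] = 1;                            /* heartbeat_request */
    mem[1] = (uint8_t)(declared >> 8);     /* payload_length, big endian */
    mem[2] = (uint8_t)(declared & 0xff);
    memcpy(mem + HDR, "ping", 4);
    memcpy(mem + SECRET_OFF, "session-key=CONSTRUCTED", 23);
    return HDR + 4 + MIN_PAD;              /* bytes actually received */
}

/* Before: declared length is trusted. The clamp only keeps this demo in-bounds. */
size_t echo_unchecked(const uint8_t *mem, size_t record_len, uint8_t *out)
{
    size_t declared = ((size_t)mem[1] << 8) | mem[2];
    (void)record_len;                      /* never consulted: that is the bug */
    if (declared > ARENA_SIZE - HDR) declared = ARENA_SIZE - HDR;
    memcpy(out, mem + HDR, declared);      /* copies past the real payload */
    return declared;
}

/* After: a request whose declared payload cannot fit in the record is dropped. */
size_t echo_checked(const uint8_t *mem, size_t record_len, uint8_t *out)
{
    if (record_len < HDR + MIN_PAD) return 0;
    size_t declared = ((size_t)mem[1] << 8) | mem[2];
    if (HDR + declared + MIN_PAD > record_len) return 0;   /* silently discard */
    memcpy(out, mem + HDR, declared);
    return declared;
}

int main(void)
{
    uint8_t mem[ARENA_SIZE], out[ARENA_SIZE];  /* out must hold ARENA_SIZE bytes */
    size_t len = build_arena(mem, 61);         /* claims 61 bytes, sent 4 */
    printf("unchecked: %zu bytes, checked: %zu bytes\n",
           echo_unchecked(mem, len, out), echo_checked(mem, len, out));
    return 0;
}
```
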

  20. #20
    Banned.

    Join Date
    Jun 2008
    Posts
    6,514
    BG Level
    8
    FFXI Server
    Phoenix

    900 Social Insurance Numbers stolen from Revenue Canada

    Not sure how they know these were compromised. I thought the exploit didn't leave a trail. Also, I have a feeling this was incompetence, as it sounds like the information was stolen AFTER the exploit was made public, which means someone did it right before they patched it up.
