Heartbleed

Heartbleed April 11, 2014

Warning to All SkepticInk Users:

Heartbleed Bug is a Major Security Breach in OpenSSL Encryption

It is extremely important that everyone be wary of any site that requires you to log in (e.g., social media, email, online banking, etc.) for the next few days, until it is clear that the patches released for a recently exposed vulnerability in the OpenSSL cryptographic library have been applied.

It is possible that any site using OpenSSL is vulnerable to a specific sort of exploitation that may allow malicious users to gather enough information to access your accounts, including your accounts at online banking institutions.

SkepticInk users should know that Disqus is a known user of OpenSSL who has not updated their SSL Certificate in months; they are very likely to be unsafe.

I will continue to update this, but here are the nuts and bolts.

Read more at Heartbleed. And check whether the sites you have accounts with are vulnerable at LastPass.

[Update]

What In the Hell is Going On?

OpenSSL is a security layer used by many websites that store sensitive user information (e.g., username, password, personal identification, banking information, etc.). Its job is to keep that information protected—to keep your private information, well, private.

It was recently discovered that there is a serious vulnerability in the code that makes OpenSSL work. This vulnerability—called the Heartbleed Bug—allows anyone on the Internet to read, straight out of the memory of these “protected” systems, exactly the secret information OpenSSL is designed to hide. This is particularly nefarious because pen-testers have found that they can exploit the bug against their own systems without leaving any trace of the access (YIKES!).

By exploiting this bug a malicious user could do more than just read off cookies, emails, usernames, and passwords; they could potentially collect the encryption keys protecting the HTTPS traffic themselves. With those keys an attacker could impersonate the website or read any information users send to it.
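As an added illustration (not part of the original post, and not OpenSSL's own code), here is a simplified heartbeat handler in C with and without the bounds check the fix introduced: the unpatched version copies as many bytes as the client claims to have sent, the patched one drops any request whose claim does not fit the record. The request layout, the memory "arena", the secret string and all function names are constructed for this demonstration; the real handler also accounts for padding bytes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed slice of server memory: the heartbeat record sits first and a
 * hypothetical secret that must never leave the process sits right after it. */
#define ARENA_SIZE 128
#define CLAIMED_LEN(rec) ((uint16_t)(((rec)[1] << 8) | (rec)[2]))
static const char SECRET[] = "session-cookie=hypothetical-secret";

/* Simplified heartbeat request: type(1) | payload_len(2, big-endian) | payload.
 * The sender chooses claimed_len independently of the real payload size. */
static size_t build_request(unsigned char *out, uint16_t claimed_len,
                            const char *payload) {
    out[0] = 1;                                  /* heartbeat request */
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, strlen(payload));
    return 3 + strlen(payload);                  /* true record length */
}

/* Unpatched behaviour: echoes as many bytes as the peer claimed, so the copy
 * runs past the record into whatever happens to follow it in memory. */
static int heartbeat_unpatched(const unsigned char *rec, size_t rec_len,
                               unsigned char *reply) {
    (void)rec_len;                               /* never consulted: the bug */
    memcpy(reply, rec + 3, CLAIMED_LEN(rec));
    return CLAIMED_LEN(rec);
}

/* Patched behaviour: the bounds check the fix added. A request whose claimed
 * length does not fit inside the record is silently discarded (returns -1). */
static int heartbeat_patched(const unsigned char *rec, size_t rec_len,
                             unsigned char *reply) {
    if (rec_len < 3 || 3 + (size_t)CLAIMED_LEN(rec) > rec_len) return -1;
    memcpy(reply, rec + 3, CLAIMED_LEN(rec));
    return CLAIMED_LEN(rec);
}

/* Feeds one lying request (claims 64 bytes, sends 4) to a handler and reports
 * whether the adjacent secret ended up in the reply: 1 = leaked, 0 = safe. */
static int secret_leaks(int (*handler)(const unsigned char *, size_t,
                                       unsigned char *)) {
    unsigned char arena[ARENA_SIZE] = {0}, reply[ARENA_SIZE] = {0};
    size_t rec_len = build_request(arena, 64, "ping");
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* adjacent memory */
    int n = handler(arena, rec_len, reply);
    for (int i = 0; n > 0 && i + (int)strlen(SECRET) <= n; i++)
        if (memcmp(reply + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}
```

The same length comparison is what a network monitor can apply to heartbeat records to flag a claim larger than the record that carries it.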

Why Does This Matter To Me?

If you’re reading this it’s most likely because you’re on the Internet. If you’re on the Internet you should be concerned, because some estimates place the effect of the Heartbleed Bug at 2 out of 3 web servers on the Internet. That means there’s a chance that at least one online account you access could be compromised. And if you’re like a lot of people who use the same password at multiple sites, you could end up with multiple compromised accounts and important personal information in the wrong hands.

Skeptic Ink Disqus Users

Disqus appears to have applied the patch and finished any necessary key-swapping. Disqus users should therefore change the passwords to their Disqus accounts immediately.

There does appear to be an inherent flaw in this, though. If you’re not sure whether your email service provider has applied the patch, then you will not want to change your passwords just yet, because most websites require authentication for account changes (including changing your password) via email.

Engadget.com is reporting that Gmail is now safe (and this has been validated by Google here). Yahoo users are now safe. I couldn’t find anything from AOL, other than a potentially unsafe warning from LastPass.

What Should I Do To Protect Myself?

  • Keep an eye out for whether the websites and services you use have applied the patch to OpenSSL. If you’re not sure, or you see that the site is still unsafe, it is best not to sign into your account.
  • Major businesses and organizations (e.g., Google and Yahoo) have been much quicker to respond to this vulnerability, but small businesses and organizations that you may have accounts with do not have the resources of a Google or Yahoo—in fact, they may not even know about a bug in their OpenSSL. You should contact them (especially if it’s a small, local, bank you do online business with) to check if they’re aware of the threat and are acting to resolve it.
  • You should begin changing the passwords to sites that are safe. It is also highly recommended that you use a different password for every account, make your passwords long, and use symbols, upper- and lower-case letters, numbers—anything and everything to make a strong password.

Further Resources:

– Heartbleed.com

Official website for the bug that gives a complete overview of the situation, and information on fixing the bug if you are a website administrator currently using OpenSSL.

– LastPass.com/heartbleed

You can use LastPass to check whether a website you have an account with is safe or unsafe. (I recommend doing a little more research, since this may not be completely accurate.)

– EFF.org

The Electronic Frontier Foundation tracks all things related to privacy and security. This article gives further information on the Heartbleed Bug and the reason the web needs to implement Perfect Forward Secrecy as a standard.

– HuffingtonPost.com

Further information and explanation of how the Heartbleed Bug works and can affect yo


  • Good news: Disqus has further verified that they have patched the bug. You may have seen it in your notifications as well. If not, http://engineering.disqus.com/2014/04/10/heartbleed.html

  • Void L. Walker

    Phew….gave me a damn heart attack.

    • I can’t tell, but I’m assuming that’s sarcasm. This is a serious problem, and I find it fascinating that so few people care about their privacy online. I think people assume that, because they can’t see the processing behind what they do online, there really isn’t much to worry about. We hand over loads of information about ourselves–for the most part completely unaware–simply by connecting to someone else’s server (such as by typing in a web address to our favorite website).

      Outside of the Internet we don’t typically announce personal information (such as who we are, where we live, etc) so flippantly; we would be upset were someone to lie to our face in order to extract critical personal information; and even more upset were someone to physically steal such information about us; so why do we not seem to care when it’s happening online?

      • Void L. Walker

        Oh no, no sarcasm intended. I’m very apprehensive about giving *any* info out online, so the thought of someone jacking my info gave me a very real scare. Is the problem fully resolved?

        • Haha, it’s hard to interpret Internet emotions sometimes.

          Is the problem fully resolved?

          The problem has a resolution, but has not necessarily been fully resolved. It’s difficult to say when and if it will be fully resolved. Website administrators need to apply the patch that has been released to their website. Only when the patches are in place is the site secure. Smaller businesses and such using OpenSSL may not even know about the bug, so it’s important to ask them.

          More importantly, is there a potential for recurrence?

          Most definitely. The bug in OpenSSL has been there for over two years (hopefully completely) unnoticed. The problem was a human error: the coding behind the protocol itself. It is certainly possible that future updates or new security protocols will (hopefully accidentally rather than intentionally) lack lines of code or have misplaced lines of code that allow for the same or similar types of bugs.

          What’s ridiculous is that this bug may have been maliciously exploited time and again without anyone ever having known, because this form of data retrieval left no trace of the attacker.

          • Void L. Walker

            This shit scares me. Privacy is a vestige of the past anymore.

          • It’s only getting worse. I ought to write a paper on the Third-Party Doctrine and how it’s completely undermining any reasonable expectation of privacy that is expected when online (in the U.S.A.)–it’s outrageous.

            But what is particularly distressing is even for people who are taking steps to learn about how computers, networks, servers, data, etc., work; and even though they may be taking steps toward improving their online privacy by, for example, using TOR, proxies, or VPN’s, it is bugs like this that can make those efforts completely futile. There are countless individuals lives at stake who could be ousted because of utilizing a tool like TOR that allows Chinese users a route around the Great Firewall of China, or journalists to conduct private communications. These are not necessarily malicious individuals, but they need privacy to keep those with malicious intent away from them. If these communications have been left open to view there is no telling how many lives have been affected without anyone’s knowledge.

          • Void L. Walker

            That’s what alarms me the most, that much of this activity is unknown to the masses.

            I had a friend some years back whose Amazon account was hacked. He didn’t even know that it happened until his credit card bill arrived in the mail: 412 dollars’ worth of merchandise charged in only 3 days’ time.

            In your opinion, is spreading awareness of the issue a cogent solution, or should additional measures be taken? If so, what do you have in mind?

          • I wish there was greater awareness, honestly. But I do think the problem is more fundamental. Firstly, privacy is being violated in a less tangible way–it’s much more difficult to relate to, especially for generations outside of x and y. Discussions of privacy need to start taking place on more open platforms in ways that relate to the everyday person.

            Secondly, computer science is a subject that is completely necessary, but thoroughly lacking. Kids should receive an acquaintance with programming logic and languages, and hopefully, by graduation, have an understanding of databases, debugging, and security. Anything is better than nothing. Teaching a kid a word processor is not teaching her how to use a computer.

          • Void L. Walker

            The manner in which I learned about computers was a slightly less efficient one. I was….(drum roll, please) HOME SCHOOLED….

            I certainly agree with what you said above. Some people seem to think that managing a facebook account or learning how to upload videos to youtube is somehow “education” in any way. Well, it is, to an extent. Just not the kind of awareness that we are in dire need of.

            I’m assuming, based upon your impressive knowledge, that you work with computers?

          • Hey, like I said, anything is better than nothing in this case. And you’re absolutely right about the misconceptions surrounding “knowing how to use a computer.” A great article written by a teacher of Computing explains very well why kids can’t use computers: http://www.coding2learn.org/blog/2013/07/29/kids-cant-use-computers/

            I certainly don’t claim any impressive knowledge on any single subject within this domain, but I do work with computers. After the Snowden revelations I became heavily interested. It started out as hardware repair on computers and phones, and moved to network analysis, security, and programming. I probably know just enough to get me in trouble, but I think these subjects are important if we hope to have control over our experiences online.

          • Void Walker

            Not to divert the discussion, but I’ve been conversing with theists for SO fucking long now I forgot what it feels like to share an intellectually stimulating dialogue with a fellow atheist.

            If you’re game, pick a topic of discussion that interests you and we’ll go from there. Otherwise, no worries.

          • I know what you mean, I have no atheist friends where I live!

            Okay, so from one non-religious thinker to another, what are your thoughts on the whole atheist church movement (if it can be called a movement: http://www.huffingtonpost.com/2013/11/10/atheist-mega-church_n_4252360.html)? Do you think this is the best route for atheism to trend towards?

            I go back and forth with myself on this question. Atheists need to interact in a community setting–it’s healthy; but should it mirror religious services? Maybe. It’s true that people are accustomed to it. Music, inspiring talks, and meeting like-minded people do bring people together.

            What I see myself not liking is how it assumes atheism is a worldview. So maybe my disagreements with it are semantic? I don’t know.

          • Void Walker

            Interesting topic, I’ve never really discussed this with anyone before.

            In my opinion, atheist “churches” are basically painting massive bullseyes on atheists. Christians always try to find *something* wrong with us, often straining to do so, and how much would they love to call atheism a dogma? Well, many of them already do this *face palm*.

            I think the idea is interesting. On the one hand, we are highly social beings (more so, in my opinion, than just about any other animal on the planet). It therefore only makes sense for us to “congregate” and discuss our ideas/philosophies. On the other hand, as noted above, this could conceivably supply fundies with much needed ammunition.

            I also agree with what you said about this act opening the doors to labeling. Atheism is *not* a religious position, but coming together in makeshift churches kinda makes that assertion untenable.

          • Void Walker

            Thanks, Jonathan. Hadn’t realized you made a post about this.

          • Hey, I’ve posted about EVERYTHING….

            Well, quite a bit…

          • Void Walker

            You post about actually interesting topics, unlike Randal Rauser….

          • Andy_Schueler

            Void, a completely unrelated issue – I just saw your motto “Kenntnisse ist Macht” in a pop up, substitute “Kenntnisse” with “Wissen”, that makes more sense ;-).

          • Void Walker

            Oh! Thank you for the correction :)

          • Void Walker

            Oh by the way Andy, how do you pronounce your last name? I like it.

          • Andy_Schueler

            Go to http://www.duden.de/rechtschreibung/Schueler – and click on the loudspeaker. In my experience, Americans cannot pronounce it properly unless you have at least some experience with German Umlaute, if you are a heavy metal fan for example. If you can pronounce “Mötley Crüe” correctly, you can also pronounce my name ;-)

          • Void Walker

            Fascinating :) I’m of German descent, actually. My ancestors on my father’s side relocated to Russia roughly 140 years ago, and to the States within the last 100 years.

            I actually thought you may be German. Thanks again for the correction. I did the typical American move: look up words, disregard grammatical structure :-p

          • Andy_Schueler

            I did the typical American move: look up words, disregard grammatical structure :-p

            It’s a very understandable mistake – the difference between “Kennen” / “Kenntnis” (“Kenntnisse” is plural) and “Wissen” is subtle and doesn’t exist in English – both words are translated to “knowledge” but they mean different kinds of knowing stuff: “wissen” means knowledge of facts and “kennen” means something like “being familiar with”, so you would use “wissen” when you talk about scientific (for example) things you know, and “kennen” for people or locations that you are familiar with.

          • Void Walker

            Ah, interesting. Thanks for the insight. I have actually considered learning German, but I always manage to put it off…

          • Andy_Schueler

            It’s not easy I guess – German has much fewer words than English and the pronunciation of words is generally more consistent and logical in German – but everything else is more complicated than it is in English.

            Mark Twain really nails it IMO:
            http://www.crossmyt.com/hc/linghebr/awfgrmlg.html

            => despite the title of the essay (“The Awful German Language”), it’s obvious that Twain had a love-hate relationship with German ;-)

          • Void Walker

            Ha! I love Mark…so frank. This is fun: http://www.twainweb.net/reviews/bible.html

          • Ich bin ein Mann.

            I’m learning German now. As you can tell, I’m getting pretty freakin advanced :p