Posts Tagged ‘heartbleed’

Heartbleed

April 12, 2014

The heartbleed exploit has been getting a lot of press, but so far it’s only theoretical. The white hats who have tried haven’t yet succeeded in exploiting it.

Correction – according to this link, it has now been successfully exploited.

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Here’s an explanation of heartbleed, courtesy of XKCD:

http://xkcd.com/1354/

 

By all means, do change your password once you know the website in question has fixed the exploit, if they had it.  (Banks for example, typically don’t use openssl, meaning they weren’t vulnerable in the first place)

Use a different password for each account. Use keepass to keep track of your passwords. http://keepass.info/

 

But what about … if you use Amazon in a coffeeshop it’s child’s play for someone to hijack your session and see the last four digits of your credit card. Which are the digits that Apple uses to confirm a remote wipeout of your computer and iPhone. All gone. Not just theoretical (although the attack vector in the below case was slightly different)

http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

a good layperson article on session hijacking:

http://technet.microsoft.com/en-us/magazine/2005.01.sessionhijacking.aspx

If you don’t see https:// in your browser bar, and you’re on a public network, assume that anyone can see what you’re transmitting and receiving on the network. Generally, password entry pages are protected with https:// but subsequent pages may or may not be. This has been an enormous problem with Yahoo mail. There seem to be a number of automated exploit scripts out there that will spam all of your connections on your behalf.  They have switched to using https:// for their mail, after several years of leaving this gaping hole open, but I’m still suspicious of their attitude about security.

Never use Amazon in a coffeeshop.

Gmail is cool.  Facebook CAN be set up to use a secure connection. I can’t find it in the settings anymore, so maybe they’ve made it the default. Anything from Yahoo is bound to be a huge security hole (e.g. Yahoo new, Flickr), though they are getting better. So avoid using Yahoo on a public network, or at least log out before you leave.

 

 

Advertisements