Heartbleed: Please change your passwords of affected sites

the lynx
Governor
Posts: 5281
Joined: Thu, 09 Dec 2010 6:29 pm
Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location:

Post by the lynx » Fri, 11 Apr 2014 10:28 am

http://mashable.com/2014/04/09/heartble ... -affected/

Namely, Facebook, Google, Yahoo!, Dropbox, Soundcloud, Box etc. Other sites are either not affected or their status is not confirmed.

Steve1960
Editor
Posts: 1106
Joined: Mon, 13 Aug 2012 10:58 am
Location: Singapore

Post by Steve1960 » Fri, 11 Apr 2014 10:58 am

So now my long standing decision to avoid using almost all of those services has some benefits :-)

I have a Gmail account which I hardly ever use; that's it :-)

x9200
Moderator
Posts: 10075
Joined: Mon, 07 Sep 2009 4:06 pm
Location: Singapore

Post by x9200 » Fri, 11 Apr 2014 11:54 am

They are just big providers, and I bet you also used dozens of small providers. The problem is on the server side, so whenever you used an SSL (TLS) connection for buying something or handling sensitive data it might have been possible to capture it, be it on the FB giant or a single-person-run online shop using the OpenSSL implementation.

BTW, I wonder how the local banks are doing. IMHO it would be completely devastating for their reputation if they used such an open implementation, but on the other hand I would not be that surprised if some of them did or do.

Steve1960
Editor
Posts: 1106
Joined: Mon, 13 Aug 2012 10:58 am
Location: Singapore

Post by Steve1960 » Fri, 11 Apr 2014 1:53 pm

Yes, I appreciate the impact could be much deeper; just my cheap shot at social web sites :wink:

It's not only here that I could be attacked. I took a look at the document where I store all my account details, be it a bank, Tesco club card or airline loyalty. I have 49 accounts, all with card numbers or user names and passwords. I have to keep a record because I cannot possibly remember them all, even having, as far as possible, replicated the same details across accounts (the worst thing you can do, of course!).

We are so open to attack these days because we can no longer keep the PIN or password or account details in our heads; the number of them to remember has increased exponentially.

sundaymorningstaple
Moderator
Posts: 40545
Joined: Thu, 11 Nov 2004 1:26 pm
Answers: 21
Location: Retired on the Little Red Dot

Post by sundaymorningstaple » Fri, 11 Apr 2014 1:55 pm

Local bank sites DBS, OCBC, StanChart are okay (I've not checked any others). Same for my US bank/CCs. But I've changed them all, and Google Drive, Google+, Dropbox. Will get to the others as they crop up and I see okays posted.

Remember, even if a site is okay, if you happened to use the same password as was used on a susceptible site, you still need to change it on the secure site as well.
SOME PEOPLE TRY TO TURN BACK THEIR ODOMETERS. NOT ME. I WANT PEOPLE TO KNOW WHY I LOOK THIS WAY. I'VE TRAVELED A LONG WAY, AND SOME OF THE ROADS WEREN'T PAVED. ~ Will Rogers

WillF
Newbie
Posts: 3
Joined: Fri, 11 Apr 2014 2:49 pm

Post by WillF » Fri, 11 Apr 2014 3:05 pm

sundaymorningstaple wrote: Local bank sites DBS, OCBC, StanChart are okay (I've not checked any others). Same for my US bank/CCs. But I've changed them all, and Google Drive, Google+, Dropbox. Will get to the others as they crop up and I see okays posted.

Remember, even if a site is okay, if you happened to use the same password as was used on a susceptible site, you still need to change it on the secure site as well.
Thanks. Looks like the internet banking scene here is not using OpenSSL. There are tools in the link below to check specific sites for vulnerability to the bug:

http://sgtechtrooper.blogspot.sg/2014/0 ... apore.html

sundaymorningstaple
Moderator
Posts: 40545
Joined: Thu, 11 Nov 2004 1:26 pm
Answers: 21
Location: Retired on the Little Red Dot

Post by sundaymorningstaple » Fri, 11 Apr 2014 3:44 pm

tic...toc...tic...toc...

x9200
Moderator
Posts: 10075
Joined: Mon, 07 Sep 2009 4:06 pm
Location: Singapore

Post by x9200 » Fri, 11 Apr 2014 5:35 pm

WillF wrote:
sundaymorningstaple wrote: Local bank sites DBS, OCBC, StanChart are okay (I've not checked any others). Same for my US bank/CCs. But I've changed them all, and Google Drive, Google+, Dropbox. Will get to the others as they crop up and I see okays posted.

Remember, even if a site is okay, if you happened to use the same password as was used on a susceptible site, you still need to change it on the secure site as well.
Thanks. Looks like the internet banking scene here is not using OpenSSL. There are tools in the link below to check specific sites for vulnerability to the bug:

http://sgtechtrooper.blogspot.sg/2014/0 ... apore.html
It is pretty useless. It only tells you if it is vulnerable NOW, but even if it is not, it still could have been just a while ago and your password might have been compromised.

...and if you are unlucky you could get accused of an attempt at hacking a site.

zzm9980
Governor
Posts: 6869
Joined: Wed, 06 Jul 2011 1:35 pm
Location: Once more unto the breach

Post by zzm9980 » Fri, 11 Apr 2014 11:33 pm

[image not captured]

Strong Eagle
Moderator
Posts: 11755
Joined: Sat, 10 Jul 2004 12:13 am
Answers: 11
Location: Off The Red Dot

Post by Strong Eagle » Sat, 12 Apr 2014 12:49 am

@zzm - is it really a buffer overrun exploit? I thought these kinds of things would have been patched up years ago.

AngMoG
Reporter
Posts: 609
Joined: Wed, 17 Apr 2013 11:39 am

Post by AngMoG » Sat, 12 Apr 2014 1:33 am

'Tis as good a time as any to switch on two-factor authentication on web services that support it. Google has it, AFAIK. FB notifies you when you're logged in from somewhere else. Not sure about others; outlook.com (formerly Hotmail) has two-factor as well now.

x9200
Moderator
Posts: 10075
Joined: Mon, 07 Sep 2009 4:06 pm
Location: Singapore

Post by x9200 » Sat, 12 Apr 2014 7:08 am

Strong Eagle wrote:@zzm - is it really a buffer overrun exploit? I thought these kinds of things would have been patched up years ago.
Technically it just reads too much without modifying anything in memory. A buffer overflow writes over some data, often to execute specific tasks.

Strong Eagle
Moderator
Posts: 11755
Joined: Sat, 10 Jul 2004 12:13 am
Answers: 11
Location: Off The Red Dot

Post by Strong Eagle » Sat, 12 Apr 2014 7:41 am

x9200 wrote:
Strong Eagle wrote: @zzm - is it really a buffer overrun exploit? I thought these kinds of things would have been patched up years ago.
Technically it just reads too much without modifying anything in memory. A buffer overflow writes over some data, often to execute specific tasks.
It's really the same difference, though, isn't it? Any given data field that has been malloc'ed contains the length of the field. Anything asking for more could, and should, be rejected. Seems like a big coding oversight.

x9200
Moderator
Posts: 10075
Joined: Mon, 07 Sep 2009 4:06 pm
Location: Singapore

Post by x9200 » Sat, 12 Apr 2014 8:10 am

Not malloc, memcpy; but yep, it's the same human type of coding error.
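The distinction drawn in the last few posts (an over-read, where memcpy copies a sender-supplied number of bytes, versus an overflow that writes) is easiest to see in code. The following is an added illustration written for this thread; it is not OpenSSL's source and not code posted by anyone above. It models a heartbeat record in a constructed, simplified form and puts the vulnerable handler beside the checked one. The record layout, the 128-byte "peer memory" buffer, the planted `PASSWORD=hunter2` secret and all function names are assumptions made for the demonstration; the shape of the added check (header plus claimed payload plus padding must fit inside the bytes actually received) follows the published fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified heartbeat record (illustration, not OpenSSL code):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian, as CLAIMED by the sender
 *   bytes 3..  : payload, then at least 16 bytes of padding
 * record_len is how many bytes really arrived on the wire. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3                 /* type byte + 2-byte length */

static uint16_t n2s(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler: the length comes from the packet and is never compared
 * with record_len, so memcpy reads past the bytes that were received. Nothing
 * is written out of bounds; the peer's own memory is copied into the reply. */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *out, size_t out_cap)
{
    (void)record_len;                          /* ignored: this is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;         /* only the output is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* the over-read */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: a record too short for header + padding, or whose claimed
 * payload does not fit inside the bytes received, is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    if (HB_HEADER + (size_t)payload + HB_PADDING > record_len) return -1;
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed peer memory: a request carrying the 3-byte payload "abc" plus
 * 16 bytes of padding (22 bytes on the wire) at offset 0, and an unrelated
 * secret at offset 32 of the same buffer. `claimed` is the payload_length
 * written into the header. Returns the number of bytes that really arrived. */
#define MEM_LEN 128
#define SECRET  "PASSWORD=hunter2"
static size_t build_request(unsigned char *mem, uint16_t claimed)
{
    memset(mem, 0, MEM_LEN);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + HB_HEADER, "abc", 3);
    memcpy(mem + 32, SECRET, sizeof SECRET);   /* never meant to be sent */
    return HB_HEADER + 3 + HB_PADDING;         /* 22 */
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Lying request (64 claimed, 22 received): 1 if the reply leaks the secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[MEM_LEN], out[256];
    size_t n = build_request(mem, 64);
    int r = heartbeat_vulnerable(mem, n, out, sizeof out);
    return r > 0 && contains(out, (size_t)r, "hunter2");
}

/* Same lying request against the fixed handler: -1 (discarded). */
int fixed_result_for_lying_request(void)
{
    unsigned char mem[MEM_LEN], out[256];
    size_t n = build_request(mem, 64);
    return heartbeat_fixed(mem, n, out, sizeof out);
}

/* Honest request (3 claimed, 22 received): 22-byte reply with no secret. */
int fixed_result_for_honest_request(void)
{
    unsigned char mem[MEM_LEN], out[256];
    size_t n = build_request(mem, 3);
    int r = heartbeat_fixed(mem, n, out, sizeof out);
    return (r == 22 && !contains(out, (size_t)r, "hunter2")) ? r : -1;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, lying request:    %d\n", fixed_result_for_lying_request());
    printf("fixed handler, honest request:   %d\n", fixed_result_for_honest_request());
    return 0;
}
```

Note that the vulnerable handler does bound the reply buffer; what it never bounds is the source of the copy, which is why the error goes unnoticed by anything that only watches for writes past the end of a buffer. The secret is read from the same contiguous buffer here so the demonstration stays within defined behaviour; in a real process the bytes after the record are whatever the allocator left there.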

x9200
Moderator
Posts: 10075
Joined: Mon, 07 Sep 2009 4:06 pm
Location: Singapore

Post by x9200 » Sat, 12 Apr 2014 8:20 am

http://www.bloomberg.com/news/2014-04-1 ... umers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
