Singapore Expats Forum

Heartbleed: Please change your passwords of affected sites


Postby the lynx » Fri, 11 Apr 2014 10:28 am

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Namely, Facebook, Google, Yahoo!, Dropbox, Soundcloud, Box etc. Other sites are either not affected or not confirmed of status.

Postby Steve1960 » Fri, 11 Apr 2014 10:58 am

So now my long-standing decision to avoid using almost all of those services has some benefits :-)

I have a gmail account which I hardly ever use, that's it :-)

Postby x9200 » Fri, 11 Apr 2014 11:54 am

They are just big providers and I bet you also used dozens of small providers. The problem is on the server side, so whenever you used an SSL (TLS) connection for buying something or handling sensitive data it might have been possible to capture it, be it on the FB giant or a single-person-run online shop using the OpenSSL implementation.

BTW, I wonder how the local banks are doing. IMHO it would be completely devastating for their reputation if they used such open implementation but on the other hand I would not be that surprised some of them did or do.

Postby Steve1960 » Fri, 11 Apr 2014 1:53 pm

Yes I appreciate the impact could be much deeper, just my cheap shot at social web sites :wink:

It's not only here I could be attacked. I took a look at the document where I store all my account details be it a bank, Tesco club card or airline loyalty. I have 49 accounts all with card numbers or user names and passwords. I have to keep a record because I cannot possibly remember them all even having, as far as possible, replicated the same details across accounts (the worst thing you can do of course!).

We are so open to attack these days because we can no longer keep the PIN or password or account details in our heads; the numbers to remember have increased exponentially.

Postby sundaymorningstaple » Fri, 11 Apr 2014 1:55 pm

Local bank sites DBS, OCBC, StanChart are okay (I've not checked any others). Same for my US bank/CCs. But I've changed them all and Google Drive, Google+, Dropbox. Will get to the others as they crop up and I see okays posted.

Remember, even if a site is okay, if you happened to use the same password as was used on a susceptible site, you still need to change it on the secure site as well.

Postby WillF » Fri, 11 Apr 2014 3:05 pm

sundaymorningstaple wrote:Local banks sites DBS, OCBC, StanChart are okay (I've not checked any others). Same for my US bank/CCs. But I've changed them all and Google Drive, Google+, Dropbox. Will get to the others as they crop up and I see okay's posted.

Remember, even if a site is okay, if you happened to use the same password as was used on a susceptible site. You still need to change it on the secure site as well.


Thanks. Looks like the internet banking scene here is not using OpenSSL. There are tools in the link below to check specific sites for vulnerability to the bug:

http://sgtechtrooper.blogspot.sg/2014/04/heartbleed-in-singapore-are-singapore.html

Postby sundaymorningstaple » Fri, 11 Apr 2014 3:44 pm

tic...toc...tic...toc...

Postby x9200 » Fri, 11 Apr 2014 5:35 pm

WillF wrote:
sundaymorningstaple wrote:Local banks sites DBS, OCBC, StanChart are okay (I've not checked any others). Same for my US bank/CCs. But I've changed them all and Google Drive, Google+, Dropbox. Will get to the others as they crop up and I see okay's posted.

Remember, even if a site is okay, if you happened to use the same password as was used on a susceptible site. You still need to change it on the secure site as well.


Thanks. Looks like the internet banking scene here are not using OpenSSL. There are tools in the below link to check specific sites for vulnerability to the bug:

http://sgtechtrooper.blogspot.sg/2014/04/heartbleed-in-singapore-are-singapore.html


It is pretty useless. It only tells you if it is vulnerable NOW but even if it is not, it still could have been just a while ago and your password might have been compromised.

...and if you are unlucky you could get accused of an attempt at hacking a site.

Postby zzm9980 » Fri, 11 Apr 2014 11:33 pm

Image

Postby Strong Eagle » Sat, 12 Apr 2014 12:49 am

@zzm - is it really a buffer overrun exploit? I thought these kinds of things would have been patched up years ago.

Postby AngMoG » Sat, 12 Apr 2014 1:33 am

'tis as good a time as any to switch on two-factor authentication on web services that support it. Google has it, afaik. FB notifies you when you're logged in from somewhere else. Not sure about others; outlook.com (formerly hotmail) has two-factor as well now.

Postby x9200 » Sat, 12 Apr 2014 7:08 am

Strong Eagle wrote:@zzm - is it really a buffer overrun exploit? I thought these kinds of things would have been patched up years ago.

Technically it just reads too much without modifying anything in memory. Buffer overflow writes over some data often to execute specific tasks.

Postby Strong Eagle » Sat, 12 Apr 2014 7:41 am

x9200 wrote:
Strong Eagle wrote:@zzm - is it really a buffer overrun exploit? I thought these kinds of things would have been patched up years ago.

Technically it just reads too much without modifying anything in memory. Buffer overflow writes over some data often to execute specific tasks.


It's really the same difference, though, isn't it? Any given data field that has been malloc'ed contains the length of the field. Anything asking for more could, and should, be rejected. Seems like a big coding oversight.

Postby x9200 » Sat, 12 Apr 2014 8:10 am

Not malloc, memcpy, but yep, it's the same human type of coding error.
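
The over-read discussed in the posts above, as an added example that is not part of the thread and is not OpenSSL's code: a heartbeat echo that trusts the length claimed in the message, next to one that rejects a claim larger than the record actually received. The message layout follows RFC 6520; the function names and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_HEADER  3
#define HB_PADDING 16

/* Pre-fix pattern: copies as many bytes as the message claims to carry. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                           /* real record size never consulted */
    memcpy(out, rec + HB_HEADER, claimed);   /* reads past the record if claimed is too big */
    return claimed;
}

/* Fixed pattern: discard (return 0) unless the claimed payload fits in the record. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Constructed sample: a 22-byte record sits in one array, directly followed by
 * unrelated data, so the over-read stays inside the array and is well defined. */
#define REC_LEN 22
static const char NEIGHBOUR[] = "constructed-secret";

/* Returns how many neighbouring bytes end up in the reply to a record that
 * carries 3 payload bytes but claims 30. */
size_t demo_leaked_bytes(int use_checked)
{
    uint8_t mem[64] = {0}, out[64] = {0};
    mem[0] = 1; mem[1] = 0; mem[2] = 30;         /* type=request, claimed length=30 */
    memcpy(mem + HB_HEADER, "hat", 3);           /* actual payload */
    memcpy(mem + REC_LEN, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    size_t n = use_checked ? hb_echo_checked(mem, REC_LEN, out)
                           : hb_echo_unchecked(mem, REC_LEN, out);
    size_t own = REC_LEN - HB_HEADER;            /* bytes that belong to the record */
    if (n <= own) return 0;
    return memcmp(out + own, NEIGHBOUR, n - own) == 0 ? n - own : 0;
}
```

Nothing in memory is modified by the unchecked version; the reply simply carries bytes that were never part of the request, which is why a server could leak data without crashing or logging an error.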

Postby x9200 » Sat, 12 Apr 2014 8:20 am

http://www.bloomberg.com/news/2014-04-1 ... umers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

