❤ Heartbleed ❤ anyone?

The Heartbleed Hit List

http://mashable.com/2014/04/09/heartbleed-bug-websites-affec…

I received a call from Citibank credit cards yesterday and they said my card may have been compromised and wanted to issue a new one. The lady on the phone couldn't really provide many details, but she said that it was likely that I dealt with a merchant who was attacked and Visa had instructed them to issue new cards.

Was anyone else affected by the Heartbleed bug?

Comments

  • +6

    All I can say is that there is a lot of media beat-up and misunderstanding here. First of all, IS OZBARGAIN AFFECTED BY THE HEARTBLEED BUG?

    Yes. We migrated from Debian 6 to Debian 7 Wheezy on 17 February. Debian 6 uses openssl 0.9.8o whereas Debian 7 uses openssl 1.0.1e — so in theory we have been vulnerable since mid-February. When I read about Heartbleed yesterday morning the first thing I did was to apply security updates, but that still leaves a window of around 6-7 weeks in which data transmitted between your computer and OzBargain could have been compromised.

    However, are we all safe now? Not so sure. The biggest issue with Heartbleed is not that the attacker is able to obtain the TLS session key to decrypt your data. The attacker is also able to obtain the server's private key and certificates. The attacker can then set up his/her own website with the stolen key/certificate, and can attempt man-in-the-middle attacks even when the website is now fully patched. The proper fix for a website operator is to issue a certificate revocation (saying the old key/cert pair is bad), create a new private key and get a new certificate from the CA. Only after that can you feel safer.

    Not many websites have done it though. You can check the Issue Date of the certificate to see whether a new one is in place. We haven't — I have my fingers crossed that we didn't get targeted :) From the list of providers that said they have patched the software — some have, but not many of them have got new certificates.

    • appreciate you being upfront about it… unlike banks which are all safe

      • Banking security is actually rather insane. Layers upon layers.

        • +2

          I worked previously in the financial software industry, so yeah, I know they do appear to have insane security policies. Every change request has to pass through so many hands, etc. Layers upon layers — yes. Although some layers are a bit like a house of cards…

        • +1

          +1.

          To explain the Heartbleed vulnerability a bit:

          The heartbeat extension is a capability that is something like the "TRACE" HTTP method. It is used to ensure that the server/client/peer is active. So a request is sent with a payload, which is then sent back to the requester in a new response by the server.

          This is exploited by sending a malformed heartbeat message to the server. The malformed payload is a tiny payload that masquerades as a larger payload. When this is sent to the server, the server extracts it and puts it into the response. However, what happens is that since the server expects a big payload, it thinks the payload is the requested payload + some other data resident in memory.

          So as a crude example, if the request has a payload of 100 bytes masquerading as 400 bytes (say), the server will be tricked into sending the payload + 300 bytes of memory contents back to the requester.

          This allows an attacker to retrieve TLS keys, session cookies, configuration info and other sensitive information resident in memory.

          Edit:

          Recommendations to prevent this (aimed at people hosting):

          • Ensure your OpenSSL is patched
          • Potentially purchase a new cert (if you think you may have been compromised)
          • At the perimeter controls, ensure that this is being detected.
          • As always, change static secret information like passwords and the like.
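          An added example, not part of this thread: the "100 bytes masquerading as 400" case above, expressed as the bounds check a perimeter sensor (or the patched OpenSSL) applies to a heartbeat record. It parses a raw TLS record, compares the declared payload length with the bytes actually on the wire, and reports how many bytes of process memory an unpatched server would have echoed back. The record layouts follow RFC 6520; the sample records are constructed here, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for the heartbeat extension (RFC 6520)
HB_TYPES = {1: "request", 2: "response"}
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of random padding


def check_heartbeat_record(record: bytes) -> dict:
    """Judge one raw TLS record: is it a heartbeat, and does its declared length fit?

    Heartbeat body layout: type (1 byte) | payload_length (2 bytes) | payload | padding.
    The bug was trusting payload_length without checking it against the record length;
    the patched OpenSSL check is  1 + 2 + payload_length + 16 <= record_length.
    """
    if len(record) < 5:
        return {"verdict": "truncated"}
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": ctype}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"verdict": "truncated"}           # capture is shorter than the header claims
    if rec_len < 1 + 2 + MIN_PADDING:
        return {"verdict": "malformed", "reason": "too short for length field plus padding"}
    hb_type = HB_TYPES.get(body[0], "unknown")
    declared = struct.unpack("!H", body[1:3])[0]
    available = rec_len - 1 - 2 - MIN_PADDING     # payload bytes actually present on the wire
    result = {"type": hb_type, "declared": declared, "available": available}
    if declared > available:
        # An unpatched server copies `declared` bytes starting at the payload, so the
        # response would carry `excess` bytes of whatever follows it in process memory.
        result.update(verdict="overread", excess=declared - available)
    else:
        result["verdict"] = "ok"
    return result


def _record(body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (constructed test helper)."""
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


# Constructed samples (not real captures): both carry a 100-byte payload and
# 16 bytes of padding; only the declared payload length differs.
PADDING = b"\x00" * MIN_PADDING
BENIGN = _record(b"\x01" + struct.pack("!H", 100) + b"A" * 100 + PADDING)
MALFORMED = _record(b"\x01" + struct.pack("!H", 400) + b"A" * 100 + PADDING)
APP_DATA = struct.pack("!BBBH", 23, 3, 2, 4) + b"\x00" * 4   # ordinary application-data record

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malformed", MALFORMED), ("app-data", APP_DATA)):
        print(name, check_heartbeat_record(rec))
```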
  • If anything it serves as a gentle nudge to change all your passwords - something we all don't do often enough and take for granted.

    • I don't think it is necessary. There are millions of websites out there that still allow you to access them over port 80 unencrypted. OzBargain was like that prior to us going HTTPS-only last December. We didn't ask people to reset their passwords every single day because their credentials could potentially have been captured back then. I don't know why we would do that now simply as a reaction to this newfound issue. Mind you, it is still a lot harder to get someone's password with the Heartbleed bug compared to packet sniffing over port 80.

    • It would only be a problem if you are the type of person who uses the same username and password on every site (which would be nuts in my eyes). If anyone had my OzBargain username/password combo, they wouldn't be getting into any other site I access. Sadly, not everyone follows that practice.
