
Thread: Heartbleed and CPF

  1. #1
    Greta (Administrator)

    Heartbleed and CPF

    Just to let you all know -

    All of the CPF servers have been checked thoroughly and none of them have been infected or affected by the Heartbleed security bug. We're clean.

    So... carry on...

  2. #2
    HKJ

    Re: Heartbleed and CPF

    Heartbleed does not infect servers, but allows hackers to read memory from the server; this may mean they can get passwords.
    But if you do not use the affected libraries (for administrative access), there is no risk.

  3. #3
    Greta (Administrator)

    Re: Heartbleed and CPF

    Quote Originally Posted by HKJ:
    Heartbleed does not infect servers, but allows hackers to read memory from the server; this may mean they can get passwords.
    But if you do not use the affected libraries (for administrative access), there is no risk.
    Po-tae-toe/Po-tah-toe ... ummm... we're good.

  4. #4
    mcnair55

    Re: Heartbleed and CPF

    Good to hear. In the UK many of the tech pundits have advised not changing passwords etc. just yet. The companies who feel they have had issues will suggest directly to their customers if needed.

  5. #5
    robert.t

    Re: Heartbleed and CPF

    Quote Originally Posted by mcnair55:
    Good to hear. In the UK many of the tech pundits have advised not changing passwords etc. just yet. The companies who feel they have had issues will suggest directly to their customers if needed.
    It's actually a bad idea to change your password if the server is vulnerable and hasn't been patched yet, as it makes it more likely your password will be in memory and thus discoverable as a result of the bug.

  6. #6
    mcnair55

    Re: Heartbleed and CPF

    Quote Originally Posted by robert.t:
    It's actually a bad idea to change your password if the server is vulnerable and hasn't been patched yet, as it makes it more likely your password will be in memory and thus discoverable as a result of the bug.
    Yes, that is what the tech gurus said, but I could not find my anorak, so I left the details out.

  7. #7
    Arilou

    Re: Heartbleed and CPF

    CPF doesn't use https, so all passwords are exposed anyway.

  8. #8
    Greta (Administrator)

    Re: Heartbleed and CPF

    Quote Originally Posted by Arilou:
    CPF doesn't use https, so all passwords are exposed anyway.
    Uh... ok... whatever.

  9. #9
    robert.t

    Re: Heartbleed and CPF

    Quote Originally Posted by Greta:
    Quote Originally Posted by Arilou:
    CPF doesn't use https, so all passwords are exposed anyway.
    Uh... ok... whatever.
    Arilou is quite correct. However it's not something I would worry about personally. There's 'exposed' and there's 'exposed'. Lack of SSL is mostly a theoretical issue unless you are connected to a hotel or coffee shop wifi. In that case it's a real problem, because anyone else connected to the same wifi that knows what they are doing could easily steal your password (unless you are using a VPN or something like HTTPS Everywhere, which if you don't already know any of this, you probably are not). It's also a problem if someone is targeting you personally, but in that case you probably have bigger things to worry about as well.

    What I would say is that if you are using the same password for something important like your bank account or email address for something like a forum then that's asking for trouble. Either use unique passwords for everything (best option), or "layer" your passwords, so you have unique, strong passwords for high-value things, and one, or a few, passwords shared between the low value stuff like forums and don't worry about those too much. Then if anyone gets hold of a password from a forum like this, they won't be able to use it for anything important.

    It's generally best to assume that any details you have given to any website (apart from very secure sites like your bank) will, at some point, fall into the hands of a bad actor. So if you are logging in to a site using your email address as your username, then that bad actor can very likely get hold of your real name, your email address and some password. That will allow them to send you phishing emails using your real name (thus making a joke of PayPal security guidelines). If you used the same password for your email address, they can now log in to your account and read all of your emails. This is usually the worst-case scenario, because from there they can pretty much do whatever they want, including finding out what accounts you hold and potentially, change your passwords and steal your identity.

    In fact, so many sites have been hacked and had details stolen that the chances are, your details are already in circulation somewhere. A lot of these have been reported (recently: Yahoo!, LinkedIn, Kickstarter), but it's probably fair to assume roughly 10x as many incidents have happened without ever having been detected.

  10. #10
    PhotonWrangler

    Re: Heartbleed and CPF

    Great news, Greta. Thanks for checking this out.

    It's correct that one of the real dangers is using public wi-fi hotspots. To make a long story short, don't use a public hotspot for anything that really matters (like banking). Save those transactions for a home, wired connection whenever possible. The crappiest wired connection is always more secure than the best wireless one.

  11. #11
    Greta (Administrator)

    Re: Heartbleed and CPF

    I think it is not necessary or productive for someone to come along and make such a blanket statement as "CPF doesn't use https, so all passwords are exposed anyway."

    This would imply that all members of CPF are in danger and their CPF passwords are just out there for anyone to come along and take. This is not true and it is irresponsible to say that.

  12. #12

    Re: Heartbleed and CPF

    Quote Originally Posted by Greta:
    I think it is not necessary or productive for someone to come along and make such a blanket statement as "CPF doesn't use https, so all passwords are exposed anyway."

    This would imply that all members of CPF are in danger and their CPF passwords are just out there for anyone to come along and take. This is not true and it is irresponsible to say that.
    This issue is somewhat technical, but the original statement is quite true. It is, under the right circumstances, very easy to steal passwords from a site like this. Of course, the same is true of the vast majority of websites, and in practice it really doesn't matter that much.

    What really does matter, as explained more thoroughly in my previous post, is to absolutely never share passwords between a low-security site like this one and a high security site like your bank or PayPal.

    Note that calling this site "low security" isn't intended to reflect badly on this site in particular, it's just a fact that banks invest huge amounts of money into security, whereas average websites like this one don't, because they don't need to. That's completely appropriate, because the risk profile is completely different. A bank is a much more valuable target than an email provider, which is a much more valuable target than an e-commerce site, which is a more valuable target than a site like this one.

  13. #13
    Light Sabre

    Re: Heartbleed and CPF

    The problem is that websites store passwords in the first place. If they stored the "message digest" (MD5 or SHA) also known as a hash function of your password then it would be virtually impossible to break. Here is an explanation from Wikipedia:

    Cryptographic hash function - Wikipedia, the free encyclopedia

    Not sure about what they're using now, but PKZIP has always used a CRC32/message digest/hash function to store your password within the ZIP file itself. A hacker could look inside the file and all he would see is the CRC32.

    Going from password to message digest is very simple. Going from message digest to password is nearly impossible.

  14. #14
    Beamhead

    Re: Heartbleed and CPF

    Wait...............my CPF password is "exposed"? I could get arrested for that.....................

  15. #15

    Re: Heartbleed and CPF

    Quote Originally Posted by Light Sabre:
    The problem is that websites store passwords in the first place. If they stored the "message digest" (MD5 or SHA) also known as a hash function of your password then it would be virtually impossible to break. Here is an explanation from Wikipedia:
    Sorry, but you are wrong. Most websites already do store a password hash of some sort. vBulletin, which CPF uses, does this. If the website stores passwords as plaintext, then that website is just implemented very badly. You can usually tell which method is being used by using the "forgot password" link on the website. If it sends you a copy of your password by email, they are doing it wrong.

    In any case, it's easy to get hashing wrong, and many websites do. If you get it wrong, it's actually very easy to recover most passwords, even though a hash is supposed to be guaranteed "one way only" encryption. It's just that most passwords are too short for that to be true. Most website developers don't know enough about cryptography to implement secure hashing correctly.

    As an example, LinkedIn was hacked recently and all the passwords were stolen. The passwords were hashed with SHA-1, but it was still trivial to recover nearly all the original passwords.

    Whether or not a website hashes passwords makes no difference to the HTTP vs HTTPS issue. With HTTP, the password is sent unencrypted every time you log in. That means anyone can intercept passwords "on the wire". They just can't necessarily recover passwords in bulk by hacking into that website and downloading the password database.

    If a site is vulnerable to Heartbleed, none of this matters at all, because Heartbleed causes the contents of memory to be exposed. So even if the server is correctly hashing the passwords, at some point the password will exist in memory, which allows an attacker to get at it. That was never the biggest problem with Heartbleed though, because an attacker could get hold of much more valuable information from an affected server.
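    An added illustration of the "easy to get hashing wrong" point in this post (not code from the thread, from CPF or from vBulletin): an unsalted, single-round SHA-1 table of the kind the post attributes to the LinkedIn breach falls to one wordlist lookup shared across every user, whereas a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 here) forces separate work per user. The wordlist and the "leaked" hashes are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real check would use a far larger list.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "flashlight"]


def weak_store(password: str) -> str:
    """Unsalted, single-round SHA-1: identical passwords give identical hashes,
    so one precomputed table covers every user in the database."""
    return hashlib.sha1(password.encode()).hexdigest()


def recover_weak(leaked_hashes, wordlist):
    """Defender's audit of a leaked unsalted table: how many rows match a
    precomputed wordlist. Each candidate is hashed once, not once per user."""
    table = {weak_store(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Per-user 16-byte random salt + PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac).
    Stored as a self-describing string so the parameters travel with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    # Constructed "leak": two common passwords and one long unique one.
    leaked = [weak_store(p) for p in ["password", "flashlight",
                                      "correct-horse-battery-staple-42"]]
    hits = recover_weak(leaked, COMMON_PASSWORDS)
    # The same password stored twice gets two different salted records,
    # so no shared lookup table applies, and verification still works.
    a, b = strong_store("password"), strong_store("password")
    return len(hits), a != b, verify_strong("password", a), verify_strong("wrong", a)


if __name__ == "__main__":
    print(demo())
```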

  16. #16

    Re: Heartbleed and CPF

    Quote Originally Posted by Greta:
    I think it is not necessary or productive for someone to come along and make such a blanket statement as "CPF doesn't use https, so all passwords are exposed anyway."

    This would imply that all members of CPF are in danger and their CPF passwords are just out there for anyone to come along and take. (...)
    Although it's really no big thing to catch passwords sent over a http connection, it does not have this relevance for me. What could "they" (cyber mafia, NSA, script kiddies) do with my CPF password? One could do some kind of "fun", maybe another one could upload a trojan, but that's it. As long - and that's what really matters - as long as I do not share low-risk website passwords with high-risk websites. As long as I don't use my CPF password for fetching my mails, buying my smartphone apps or doing my paypal transactions...

  17. #17

    Re: Heartbleed and CPF

    I got hacked 2 weeks ago and assumed it was due to the heartbleed bug. After many hours investigating it, I found out I had a trojan installed and a keylogger running.

    Serves me right for not having any antivirus/antispyware/HIPS. I had to install AVG Free, Malwarebytes Free and a personal firewall free edition.

  18. #18

    Re: Heartbleed and CPF

    Folks, quit giving Greta a hard time for informing everyone that CPF is on top of the Heartbleed bug issue.

    Here's an explanation in plain English from Krebs on Security on what's happening with the Heartbleed bug:

    The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

    Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

    That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers.

  19. #19
    127.0.0.1

    Re: Heartbleed and CPF

    Quote Originally Posted by robert.t:
    Arilou is quite correct. However it's not something I would worry about personally. There's 'exposed' and there's 'exposed'. Lack of SSL is mostly a theoretical issue unless you are connected to a hotel or coffee shop wifi. In that case it's a real problem, because anyone else connected to the same wifi that knows what they are doing could easily steal your password (unless you are using a VPN or something like HTTPS Everywhere, which if you don't already know any of this, you probably are not). It's also a problem if someone is targeting you personally, but in that case you probably have bigger things to worry about as well.

    What I would say is that if you are using the same password for something important like your bank account or email address for something like a forum then that's asking for trouble. Either use unique passwords for everything (best option), or "layer" your passwords, so you have unique, strong passwords for high-value things, and one, or a few, passwords shared between the low value stuff like forums and don't worry about those too much. Then if anyone gets hold of a password from a forum like this, they won't be able to use it for anything important.

    It's generally best to assume that any details you have given to any website (apart from very secure sites like your bank) will, at some point, fall into the hands of a bad actor. So if you are logging in to a site using your email address as your username, then that bad actor can very likely get hold of your real name, your email address and some password. That will allow them to send you phishing emails using your real name (thus making a joke of PayPal security guidelines). If you used the same password for your email address, they can now log in to your account and read all of your emails. This is usually the worst-case scenario, because from there they can pretty much do whatever they want, including finding out what accounts you hold and potentially, change your passwords and steal your identity.

    In fact, so many sites have been hacked and had details stolen that the chances are, your details are already in circulation somewhere. A lot of these have been reported (recently: Yahoo!, LinkedIn, Kickstarter), but it's probably fair to assume roughly 10x as many incidents have happened without ever having been detected.
    No, you are both incorrect in ways too numerous to mention. While some stuff here is 'true', it is interlaced with assumptions, not facts.

    Without knowing all the details about how the network is set up, you don't have anything to base your statements on.

    There are hundreds of network and web presences that keep assets valued >1 billion protected that never use SSL or certificates, and they have very accessible sites on good old port 80. Rock solid security. You just don't know how it's done, and it is not public information how it is set up, and never will be.

    You simply cannot be taken seriously if you back up a statement like
    'CPF doesn't use https, so all passwords are exposed anyway.'

    It makes you appear wholly uneducated, especially in IT security matters.

    Please, at least be somewhat factual if you are going to discuss IT security advice or recommendations.

    FYI: about this
    -----------------------
    'but it's probably fair to assume roughly 10x as many incidents have happened without ever having been detected'
    -----------------------
    Try >30,000 times undetected vs detected. It is expensive in material cost and personal time to root out dedicated fraud, and there are literally armies of fraudsters out there... the majority of successful attacks are low-hanging fruit not worth further intrusion past a certain point. The game is to score the big targets (not a pun on Target Corp). Advanced Persistent Attacks go far beyond a simple SSL vulnerability (though that hole helped the crooks a lot).
    Source: I know this, for reasons...
    Last edited by 127.0.0.1; 05-07-2014 at 01:48 PM.

  20. #20

    Re: Heartbleed and CPF

    Quote Originally Posted by 127.0.0.1:
    Without knowing all the details about how the network is set up, you don't have anything to base your statements on.
    In fact I do, since "the network" in question is the Internet. If you mean the hypothetical coffee shop LAN, is it possible that it's set up in such a way that capturing local packets isn't guaranteed to work? Yes. Should you assume that is the case when connected to it? I wouldn't - if you want to because you apparently know so much about infosec, that's up to you.

    I'm not sure if I should even dignify your post with a response, as even in the part where you seem to be agreeing with me, you've provided some figures without any substantiation. At least I made clear that 10x is purely conjecture, but an order of magnitude is often a good estimate of unknowns like this. I don't doubt that it's more likely to be higher than lower, but unless you have some evidence apart from "reasons" then you are the one making baseless claims here.

  21. #21
    Greta (Administrator)

    Re: Heartbleed and CPF

    OMG - really guys? Nerd fight?

    All I wanted to tell you all is that the CPF servers were/are not affected by the Heartbleed virus.

    Good Lord...

    Thread closed.
