Corrine (Administrator, Microsoft MVP, Security Analyst; Staff member), Apr 9, 2014, #1
There is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password. See The Heartbleed Bug, explained - Vox
Corrine (Administrator, Microsoft MVP, Security Analyst; Staff member), Apr 9, 2014, #2
Just found this. Check sites here: LastPass - LastPass Heartbleed checker. Also, if you use LastPass, see The LastPass Blog: LastPass Now Checks If Your Sites Are Affected by Heartbleed
Patrick (Sysnative Staff), Apr 9, 2014, #3
I've been using LastPass Premium for over 2 years, so I just changed any affected sites with their password tool.
jcgriff2 (Co-Founder / Admin, BSOD Instructor/Expert, Microsoft MVP (Ret.); Staff member), Apr 10, 2014, #4
What I don't understand is that the article says the bug opens up system RAM to possible threats of being read. Is the vulnerability ongoing - even when logged off the SSL site? Regardless, it would take a long time to upload 4, 8, 12+ GB RAM.
Corrine (Administrator, Microsoft MVP, Security Analyst; Staff member), Apr 10, 2014, #5 (last edited: Apr 10, 2014)
Aaron posted his understanding of the issue at LzD which you might find helpful: OpenSSL and the Heartbleed issue. My understanding is that if logged into a service while it was vulnerable, then there is a chance that the password has been harvested. Here's what Bruce Schneier explained in Schneier on Security: Heartbleed:

> Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
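The over-read described in the Schneier quote above, reduced to a self-contained C sketch (an added example, not part of the thread and not OpenSSL's code): the reply is sized from the 16-bit length the peer claims, which is why one request returns at most 64K, and the checked variant shows the bounds test a patched server applies. The buffer contents, function names and the constructed "secret" are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_RESPONSE 2
#define HB_HDR      3    /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16   /* minimum padding per RFC 6520 */
#define RECORD_LEN  7    /* bytes the peer actually sent (constructed) */

/* Constructed stand-in for server memory: a 7-byte heartbeat request that
 * claims a 32-byte payload, followed by unrelated data adjacent in memory. */
static const uint8_t server_mem[35] = {
    1, 0x00, 0x20,               /* type = request, claimed length = 32 */
    'p', 'i', 'n', 'g',          /* real payload: 4 bytes */
    'S','E','C','R','E','T','-','K','E','Y','-',
    'M','A','T','E','R','I','A','L','!'   /* rest is zero-filled */
};

/* Vulnerable shape: the reply is sized from the peer's claimed length. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* 16 bits: max 65535 */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed); /* copies past the record */
    return HB_HDR + claimed;
}

/* Hardened shape: claimed length must fit in the bytes actually received. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;       /* too short: discard */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PADDING > rec_len) return 0;  /* lie: discard */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

int main(void) {
    uint8_t out[HB_HDR + 65535];
    size_t n = hb_reply_vulnerable(server_mem, RECORD_LEN, out);
    printf("vulnerable reply: %zu bytes, beyond the payload: %.20s\n", n, (const char *)out + 7);
    printf("checked reply:    %zu bytes\n", hb_reply_checked(server_mem, RECORD_LEN, out));
    return 0;
}
```

The vulnerable handler returns whatever sits next to the request in that buffer at that moment, not the machine's whole RAM, and nothing in the exchange looks abnormal to the server.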
x BlueRobot (Administrator; Staff member), Apr 10, 2014, #6
This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691
niemiro (Senior Administrator, Windows Update Expert; Staff member), Apr 10, 2014, #7
> x BlueRobot said:
> This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

That's definitely not all vulnerable websites though. It's a useful list, just people need to be aware that it doesn't list every vulnerable website.
x BlueRobot (Administrator; Staff member), Apr 10, 2014, #8
> niemiro said:
>> x BlueRobot said:
>> This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691
>
> That's definitely not all vulnerable websites though. It's a useful list, just people need to be aware that it doesn't list every vulnerable website.

The best method is to use the LastPass Checker, or contact the site staff for a particular website.
x BlueRobot (Administrator; Staff member), Apr 12, 2014, #9
A list of the major companies affected has been listed here, with their comments including if you should change your password and if a patch has been released. The Heartbleed Hit List: The Passwords You Need to Change Right Now
jcgriff2 (Co-Founder / Admin, BSOD Instructor/Expert, Microsoft MVP (Ret.); Staff member), Apr 12, 2014, #10
I don't believe that none of the major banks were hit.
x BlueRobot (Administrator; Staff member), Apr 14, 2014, #11
Microsoft and Apple weren't affected either.
Corrine (Administrator, Microsoft MVP, Security Analyst; Staff member), Apr 14, 2014, #12
> jcgriff2 said:
> I don't believe that none of the major banks were hit.

That's because they apparently don't use OpenSSL.