Heartbleed SSL Attack. Important!

Ben Ruset · Apr 9, 2014

So hopefully by now most of you folks will have heard about how SSL (the protocol used when you're signing into secure websites like your bank, Amazon, etc.) has been hacked. If you haven't, take a moment to look at this site, as well as pretty much any newspaper.

Back when I set up NJPineBarrens.com I was lazy and did not use secure sign on for the site. That is going to change when I upgrade to the new forum software this summer. But there's a few things you should do to protect yourself:

1. For your NJPineBarrens.com account, change the password to something you DO NOT USE anywhere else. It's good security practice anywhere, but until I get the SSL certificate bought and installed your password is going back and forth unencrypted.

2. For all of your other accounts (your bank, Amazon, etc.) change your password. This attack has been out there for a while, and it's undetectable. So who knows, hackers might already have your password and there's absolutely no way anybody would know.

3. Use a password manager application. It may be a little bit of a pain to use in the beginning, but you'll get used to it and it will be super easy to generate secure passwords individually for any site you go to. I literally do not know 90% of my passwords. I just copy them in from the password safe.

For Windows:
PWSafe - Free. I use this for work and it's great.
Keepass - Also free. I used this at my last job.

For Mac:
Password Gorilla - Free. Decent.
pwSafe - Not free, but works on both your Mac and your iDevice. It can keep your password safe in iCloud so that any Apple device you have can open the safe.

For Android:
Password Safe

Web Based:
LastPass - There's a free version. I have never used this.

4. Use a different password for every site you go to. If the site offers 2 factor authentication (where it texts you a code to enter when you log in) use that too.

This is probably the worst/potentially most destructive thing that has happened to the web up until now. I can not stress enough how important it is for you to change your passwords just to be safe.

ecampbell · Apr 9, 2014

Thanks Ben. I didn't know what to make of it.
Is a password manager really safe? It seems everything gets hacked.

Teegate · Apr 9, 2014

Remember that changing your password on an SSL site that has not been fixed is useless. They will just get it again. So be careful on which ones you change. Contact the sites you use regularly and ask them if they have fixed their site. If they had not planned on it and get tons of inquiries they may do it more quickly.

But as Ben mentions if your password to this site is different than anything else you use, only we will have to deal with the hack of your password.

ecampbell · Apr 9, 2014

Guy, it sounds unmanageable. I have 7 pages of usernames and passwords. Every time I buy something, they want to marry me. I hate it, but without it I can't function. What does "fixed" mean? Can I someway stop everything and start over?

Teegate · Apr 9, 2014

ecampbell said:
Guy, it sounds unmanageable. I have 7 pages of usernames and passwords. Every time I buy something, they want to marry me. I hate it, but without it I can't function. What does "fixed" mean? Can I someway stop everything and start over?

I meant for example your bank password. If your bank has not fixed their website to secure it and you change your password, the hackers can still hack into it and get it. Once they fix the problem and you change your password, then it is secure. So changing your bank password without finding out if their site is fixed is useless.

Teegate · Apr 9, 2014

I just changed mine to this site. A portion of it I did use on other sites. Now it is completely different than anything I use.

ecampbell · Apr 9, 2014

If the site is fixed will it have something other than HTTPS?

Teegate · Apr 9, 2014

ecampbell said:
If the site is fixed will it have something other than HTTPS?

No. You will not be able to know if the site is fixed. However, I suspect most reputable sites will be working on that quite quickly.

46er · Apr 9, 2014

A pretty good article on the problem. Includes a link to test a site.

http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html

Status

http://mashable.com/2014/04/09/hear...idCIsImkiOiJfeXltYWVteWZ5dXlhOGEycTl2eThiXyJ9

http://www.cnet.com/how-to/which-si...ce=dlvr.it&utm_medium=twitter#ftag=CAD5457c2c

Ben Ruset · Apr 10, 2014

ecampbell said:
Thanks Ben. I didn't know what to make of it.
Is a password manager really safe? It seems everything gets hacked.

Yes. Generally it's an encrypted file that sits on your computer or out in the cloud somewhere. (I used to keep mine on Dropbox before I switched to iCloud.)

Ben Ruset · Apr 10, 2014

Here's a list of major sites that have been patched. As you'd expect, all of the "big" ones have been addressed:

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

You can also use this tool to check if a site is still vulnerable:

https://lastpass.com/heartbleed/

ecampbell · Apr 10, 2014

http://business.financialpost.com/2014/04/09/heartbleed-bug-how-to-protect-yourself/

Resist the urge to change passwords immediately. “Security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem,” continues CNet.

this_is_nascar · Apr 10, 2014

While I agree that all passwords should be changed and each one different than the other, I'd never use a so-called "password manager" to generate or store my passwords. Come up with a scheme for having a unique password for each site. Each password can be similar with a variation. I especially will never use a password manager for site access that involves money, such as bank accounts, e-commerce sites, etc.

Yes, a password manager is "supposed" to be secure. That being said, so was SSL and some 60+million Target users were supposed to be secure and the list goes on and on and on. Allowing some 3rd party application to have any involvement with your online passwords, just sounds like you're asking for trouble down the road.

Just my opinion..........................

Ben Ruset · Apr 11, 2014

this_is_nascar said:
While I agree that all passwords should be changed and each one different than the other, I'd never use a so-called "password manager" to generate or store my passwords. Come up with a scheme for having a unique password for each site. Each password can be similar with a variation. I especially will never use a password manager for site access that involves money, such as bank accounts, e-commerce sites, etc.

Yes, a password manager is "supposed" to be secure. That being said, so was SSL and some 60+million Target users were supposed to be secure and the list goes on and on and on. Allowing some 3rd party application to have any involvement with your online passwords, just sounds like you're asking for trouble down the road.

Just my opinion..........................

Well, in this case most of them are open source (subject to source code review), the data files are encrypted and live locally on your computer, and the programs themselves do not talk to the internet.

You're certainly free to do what you want, but at least for me, I'm 100% comfortable with it.

Pine Baron · Apr 12, 2014

I understand why you need to change your password on financial sites such as banks and such, but why is there a need to change it on a site like this which is more or less "social".

Is it because some people use passwords for more than one site?

Thanx, John-

Teegate · Apr 12, 2014

Pine Baron said:
I understand why you need to change your password on financial sites such as banks and such, but why is there a need to change it on a site like this which is more or less "social".

Is it because some people use passwords for more than one site?

Thanx, John-

Ben has concerns that the password some members use on this site may be the same one or similar that they use on other sites. Since this site does not use SSL the passwords are not encrypted when sent back and forth. If anyone gets the password they can use it to try and access your bank account. For example, if you name on this site is Tom Smith, and your bank account name is also Tom Smith, they can get your password from this site and then try accessing your bank account figuring your name and password there may be the same as here.

So, if the password you use here has any portion of it used elsewhere, change the password of this site to something you have not used before.

Ben Ruset · Apr 12, 2014

Yes.

And I will be setting up SSL here later this summer.

Pine Baron · Apr 12, 2014

Teegate said:
Ben has concerns that the password some members use on this site may be the same one or similar that they use on other sites. Since this site does not use SSL the passwords are not encrypted when sent back and forth. If anyone gets the password they can use it to try and access your bank account. For example, if you name on this site is Tom Smith, and your bank account name is also Tom Smith, they can get your password from this site and then try accessing your bank account figuring your name and password there may be the same as here.

So, if the password you use here has any portion of it used elsewhere, change the password of this site to something you have not used before.

Ben Ruset said:
Yes.

And I will be setting up SSL here later this summer.

Thanx Guy, that clears it up perfectly! And thanx for the new security, Ben!

Search

Search

Heartbleed SSL Attack. Important!

Ben Ruset

Administrator

ecampbell

Piney

Teegate

Administrator

ecampbell

Piney

Teegate

Administrator

Teegate

Administrator

ecampbell

Piney

Teegate

Administrator

46er

Piney

Ben Ruset

Administrator

Ben Ruset

Administrator

ecampbell

Piney

this_is_nascar

Piney

Ben Ruset

Administrator

Pine Baron

Explorer

Teegate

Administrator

Ben Ruset

Administrator

Pine Baron

Explorer