
Major bug called ‘Heartbleed’ exposes Internet data


http://www.bluelight.org/vb/content/116-Major-bug-called-%E2%80%98Heartbleed%E2%80%99-exposes-Internet-data

by bronson, published on 10-04-2014 05:30


April 9 at 12:30 am

By Lindsey Bever / The Washington Post - Morning Mix

Please note: bluelight was not affected by this security breach, as we run on a dedicated server with ssl disabled. Thus there is no need to change your password here, however, our intention in posting is to alert you that other sites you frequent might have been endangered.

A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and, reportedly, credit card numbers, a major problem that hackers could have exploited during the more than two years it went undetected.

That's why some experts were calling Heartbleed the worst bug yet, something that should worry everyone who frequents the Internet or does business on it.


-------------------------------------------------------------------------------------------------------------------


Dr. Flatline - 10-04-2014, 15:52


To check if a site is still vulnerable, you may use the tool at:

http://filippo.io/Heartbleed/


Vaya - 11-04-2014, 11:08

Quote originally posted by Dr. Flatline:

To check if a site is still vulnerable, you may use the tool at:

http://filippo.io/Heartbleed/

Thank you so much for posting this....


rlssux420 - 12-04-2014, 06:17

jeez, can't believe how many sites have been compromised... Heartbleed is an intricate program.


velmwend - 13-04-2014, 01:05


I've changed my banking passwords, ebay, paypal and major social media. I mean, they were due for a good change anyhows. I'm sure most folks are in this position ... this is a shove


Just A Guy - 14-04-2014, 00:31


And where there is one there are ten others.


zouloum - 16-04-2014, 01:05

You DON'T use SSL? Then how are our passwords sent out to the server? In plaintext!? If so, this is far worse than being affected by the Heartbleed bug. It's just an open door.


sinclair1984 - 16-04-2014, 18:00

I have the same concern as zouloum. Especially here.


bmxxx - 20-04-2014, 06:24

Anyone have any insight on whether Heartbleed shares code with 'the Flame' and/or Stuxnet? I heard this recently but was unable to substantiate it.


bmxxx - 20-04-2014, 06:25


sorry for such a dumb post but how do I subscribe to this???

[nm, found proper thread here: http://www.bluelight.org/vb/threads/...-Internet-data ]


tricomb - 23-04-2014, 06:38

Quote originally posted by zouloum:

You DON'T use SSL? Then how are our passwords sent out to the server? In plaintext!? If so, this is far worse than being affected by the Heartbleed bug. It's just an open door.

I'm not posting on behalf of Bluelight or those who run our servers, but I am going to tell you a few things that make internet security in general more of an issue.

As the official release says: "Please note: bluelight was not affected by this security breach, as we run on a dedicated server with ssl disabled. Thus there is no need to change your password here, however, our intention in posting is to alert you that other sites you frequent might have been endangered."

1) The statement that SSL is disabled doesn't mean that there aren't other types of encryption and privacy/secrecy protections out there. OpenSSL, the open source team of just a few dozen people, wrote the algorithms for FREE and MILLIONS of websites took advantage of this. Whose fault is it really here? OpenSSL's? The corporations and consumers and everyone who used their technology without paying a dime while making who knows how many billions or trillions of dollars that OpenSSL never got paid a dime for letting them use their open source code. Whose fault? All of us, in a way, to a certain extent. Had they been compensated better, OpenSSL could have likely caught this bug (alleging that it was not a deliberate backdoor for data mining), been able to pay employees to run quality control and enforce actual regulations on stuff that so many people took for granted as being one of the cheapest ways of keeping companies' private information private. Shit happens.

2) The fact that we weren't using SSL is probably even a better thing than had it been enabled, making the chances of us being victims of this bug much higher. I always wished bluelight would go HTTPS but after this monumentally historic internet security scandal, I don't even know what's the best thing to do anymore besides follow the BLUA and not post incriminating things, remember that the internet is forever and everything you do on it is and will forever be saved somewhere in cyberspace.

3) Internationally, intelligence agencies have freely admitted to having tapped the major intra-continental and deep-sea fiber optic and other such communications channels, so "They" or "big brother" or whoever you want to call it, maybe just some hacker with the right clearance and know-how, are a much bigger issue here considering it doesn't matter what form of encryption or data that is being transmitted around the globe provided that these main channels are tapped by government intelligence agencies and those with access to their databases, which is a surprisingly high number according to everything I've learned over the years. Everything you do on the internet is being monitored, and/or saved somewhere by someone and whoever and wherever this information is kept, is not something that the keepers of that information would readily disclose.

So TL;DR-

Not using SSL possibly was a good thing regarding the heartbleed bug

&

Everything you do online is tapped by the government or other undisclosed "anonymous" parties anyway, so there are much bigger problems than which layers of encryption are employed, since they're going to travel through what the government (at least in the USA and other countries) has freely admitted to be intercepting: the cables, connections, relays, and everything that lets internet traffic go from point A to point B. It's like, say there's only one door/exit in a one-room house with no other exits or alternative ways of entering/leaving the house (illegal pretty much everywhere due to zoning law and fire codes, but back to the point...). The only way for ANYONE or ANYTHING to enter or leave through

And guess what, they probably already have been doing this for YEARS, even pre-dating the Patriot Act and the other laws that destroyed the right to privacy.


bmxxx - 23-04-2014, 19:25

re 'better to have not used SSL wrt Heartbleed': Heartbleed only exploited OpenSSL, so without SSL enabled wouldn't it have been not only 'better' (against Heartbleed), but that Heartbleed would've been 100% ineffective? Follow-up Q: Wouldn't HTTP communication, as opposed to HTTPS, have opened the door for more baddies to get in? (i.e., in the end I wonder if, even with Heartbleed, it was still safer to be using HTTPS? At this point, are people turning off their HTTPS Everywhere extensions? Is the Tor bundle still including that extension by default?)

re 'internet is wide open': You cannot say that enough. Do not type things into your computer (or do things in front of your inactivated webcam/mic) that you're not comfortable being recorded. This does not mean that people are watching you and that you need to whip out your tinfoil hat lol, but if you apply some forward thinking to the consequences of mass data retention, and some years' more advancements in algorithms for really 'nailing down' the entirety of a person's internet history, it's just in poor form to ever do things that you're not comfortable doing in the open, IMO. I'll occasionally use Tor, and I practice basic computer security protocols, but in no way does that affect, in any way whatsoever, the content of what I put out, i.e. I use those to protect my data a smidgen more, but that data is the same regardless of whether I'm using open wifi with HTTP from the coffee shop, or Tor and all that from home or a VPN (I'd note that I almost expect Tor to be as, if not more, easy for the big data companies (i.e. NSA, GCHQ) to monitor, but harder for individual operators to crack).


This has been largely rectified.


The password of one of my Yahoo accounts was hacked last year, but there was nothing there anyone with criminal intent would be interested in, so I didn't bother changing it.


Please note: bluelight was not affected by this security breach, as we run on a dedicated server with ssl disabled.

Secure by being insecure!

It's like "I wasn't affected by the dodgy kevlar vests because I don't wear kevlar vests".

This isn't much of an issue anymore. It was basically a 0-day. Cloudflare (which a lot of sites are behind) was patched a week /before/ it was announced and any sysadmin worth their salt patched their servers in ~24 hours, 48 at a stretch.

Edited by at0m


I thought it was quite funny reading about the guy caught using this exploit to access government data, after news of it went mainstream.
