OpenSSL/Heartbleed Vulnerability - Beyond.ca - Car Forums

Thread: OpenSSL/Heartbleed Vulnerability

  1. #1
    Join Date
    May 2010
    Location
    Calgary
    My Ride
    8P 3.2
    Posts
    50
    Rep Power
    0


    Funny thing is this exploit has been in existence for 2 years. Researchers just found it. Good on the CRA for shutting down their site until they fix it though. They are not alone, almost 2/3rds of https sites use OpenSSL as it's the default encryption method for Apache servers. It's not the default for Windows servers so they are generally safe.

    I know that Royal Bank's site and HRBlock is ok. But do your research for your own sites you use. I know people at work were losing their minds. "OMG I changed all the passwords on all my sites! Phew!" and their faces when I said it's not fixed yet and they would have been better off not logging in at all as the exploit can only grab 64k blocks from memory at a time and memory is overwritten/purged often. So if they just left it alone their info would have been gone within minutes to a day most likely. But now every person on the planet is saturating memory blocks with their passwords...ripe for the picking now that any hackers who did not figure it out themselves now know it's possible....this is what happens when the media grabs a hold of something tech and blows it up.
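
The "64k at a time" figure in post #1 follows from the TLS heartbeat message's 16-bit payload-length field (RFC 6520): the bug was echoing that many bytes without comparing the field to what actually arrived. The C below is an added example, not part of the thread and not OpenSSL's code; the function names and sample records are assumptions constructed for illustration. It shows the bounds check a responder needs and a helper that computes, without reading anything, how far an unchecked echo would have run past the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout per RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * A 16-bit length field tops out at 65535, which is where "64k" comes from. */
#define HB_REQUEST  1u
#define HB_RESPONSE 2u
#define HB_HEADER   3u
#define HB_MIN_PAD  16u

/* Constructed sample records (not captured traffic); unlisted bytes are zero. */
static const uint8_t GOOD_REQ[HB_HEADER + 5 + HB_MIN_PAD] =
    {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t BAD_REQ[HB_HEADER + 1 + HB_MIN_PAD] =
    {HB_REQUEST, 0xFF, 0xFF, 'A'};   /* claims 65535 bytes, carries far fewer */

/* Bytes an unchecked echo would read past the end of the received record.
 * Computed only, never read: a figure suitable for logging or alerting. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened responder: echo the payload only if the claimed length plus the
 * mandatory padding fits inside what actually arrived. Returns the response
 * size, or 0 when the message is silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t need = HB_HEADER + claimed + HB_MIN_PAD;
    if (need > rec_len)      /* the bounds check: length field vs. bytes received */
        return 0;
    if (need > out_cap)      /* never write past the caller's buffer either */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return need;
}

int main(void)
{
    uint8_t out[128];
    printf("good: response=%zu bytes, overread=%zu\n",
           hb_build_response(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out),
           hb_overread_bytes(GOOD_REQ, sizeof GOOD_REQ));
    printf("bad:  response=%zu bytes, overread=%zu\n",
           hb_build_response(BAD_REQ, sizeof BAD_REQ, out, sizeof out),
           hb_overread_bytes(BAD_REQ, sizeof BAD_REQ));
    return 0;
}
```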

  2. #2
    Join Date
    Jul 2008
    Location
    Pallet Town
    Posts
    815
    Rep Power
    0


    This has far reaching implications for banks more than the tax collectors. The only reason the government has put out a warning is because it endangers their ability to collect taxes.

    However, the exploit can be used on any of the https banks (which pretty much all banks in Canada use)

    TDcanadatrust is now requiring at least one extra "question" on login, not like that adds anything more than a sliver of extra security.

    Potential to digitally wipe out all of your assets without you knowing it? Yes. Make sure to get physical printed statements from physical bank branches for a while at least.
    Cocoa $11,000 per tonne.

  3. #3
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49


    Originally posted by frizzlefry
    this is what happens when the media grabs a hold of something tech and blows it up.
    Well, given our digital footprint is so huge now, publicity on this is good.

  4. #4
    Join Date
    May 2010
    Location
    Calgary
    My Ride
    8P 3.2
    Posts
    50
    Rep Power
    0


    Originally posted by ZenOps

    However, the exploit can be used on any of the https banks (which pretty much all banks in Canada use)
    Only if they use OpenSSL. But this is why banks often require a "verification question" or may have added more recently. The bad thing about this is that the memory blocks they rob can contain cookie info. And if you hate answering questions and said "remember me on this computer" they could, in theory, grab your verification answers as well if they grab the cookie required to answer the questions for you.

    Never, ever, tell a site to remember you. Ever. Suck it up and answer one of the same 5 questions every time.

    But as I said, it's only memory blocks they can get at so if you have not used your online account for a day or two don't. Your info is not in memory anymore and any hacker who now knows about the exploit thanks to the media can't grab shit about you because it's not there.

    Of course if you freak out and start accessing every site you frequent you are only making your password freshly available to anyone who now knows about the exploit.
    Last edited by frizzlefry; 04-09-2014 at 08:59 PM.

  5. #5
    Join Date
    May 2010
    Location
    Calgary
    My Ride
    8P 3.2
    Posts
    50
    Rep Power
    0


    Originally posted by Xtrema


    Well, given our digital footprint is so huge now, publicity on this is good.
    Yes but, in this case, recommending that everyone update their password only increases the odds that it will get stolen. The info available for theft is only in a "temp" area (memory) and changing it now only ensures your password is there. And now every hacker knows it's possible to take it and there is no fix for it yet.

  6. #6
    Join Date
    Sep 2006
    Location
    .
    Posts
    4,853
    Rep Power
    22


    Originally posted by frizzlefry
    Never, ever, tell a site to remember you. Ever.
    BMO is hilarious for this. "Don't ask me a verification question" is checked by default, you have to manually tell it not to remember you. Great security, guys.

  7. #7
    Join Date
    Jul 2008
    Location
    Pallet Town
    Posts
    815
    Rep Power
    0


    It's not so much that I'm worried about the security at my end. Many bank tellers and managers also use logins and do of course - have greater power than you do over your own account.

    But: I do like to always have a printed balance and reference codes for each transaction. It's bad enough that not all digital dollars are backed by physical bills, and not all physical bills are backed by metal in coinage form.
    Cocoa $11,000 per tonne.

  8. #8
    Join Date
    May 2010
    Location
    Calgary
    My Ride
    8P 3.2
    Posts
    50
    Rep Power
    0


    Originally posted by Mibz
    BMO is hilarious for this. "Don't ask me a verification question" is checked by default, you have to manually tell it not to remember you. Great security, guys.
    ...aaaannd that's why they added a question. RBC does not make that the default and therefore no added questions. They may have added one if you said to remember you but I don't know...I never tell it to
    Last edited by frizzlefry; 04-09-2014 at 09:27 PM.

  9. #9
    Join Date
    Nov 2007
    Location
    Your Mom's House
    Posts
    287
    Rep Power
    17


    Was sent a threat by our shitty data center today.

    Please note that if your server is hacked, you will be liable for any collateral damage to our other clients.
    #1 - it's not that kind of bug
    #2 - don't threaten your clients, I guarantee my lawyers are better
    #3 - if being inside the data center somehow gives me different access to your other client's racks, you're doing it wrong!

    Thank goodness we're touring Q9 Monday, no more downtime!

  10. #10
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101


    Originally posted by frizzlefry
    It's not the default for Windows servers so they are generally safe.
    Microsoft isn't affected because they don't use OpenSSL code at all, they write their own. The only IIS servers that are vulnerable are the ones that use OpenSSL appliances to offload SSL off the IIS servers.

    Originally posted by ZenOps
    The only reason the government has put out a warning is because it endangers their ability to collect taxes.
    Wut? They disabled efile so it directly impacts their ability to collect taxes. They could've left it running, still collected taxes, and users would have their data stolen which still doesn't endanger their ability to collect taxes.

    Originally posted by frizzlefry
    The bad thing about this is that the memory blocks they rob can contain cookie info. And if you hate answering questions and said "remember me on this computer" they could, in theory, grab your verification answers as well if they grab the cookie required to answer the questions for you.

    Never, ever, tell a site to remember you. Ever. Suck it up and answer one of the same 5 questions every time.
    Makes absolutely zero difference. The remembered data is stored client side, not server side. Both remember me, or answering manually transfers the exact same thing. In cases where the cookies are encrypted client side, you can just pass the encrypted data to the server and is actually MORE secure than entering it manually because there's 2 levels of encryption vs just 1, which became useless. Entering manually exposes your answers in clear text via Heartbleed and can be used elsewhere, encrypted cookie the data can only be used on the site that it's gathered from via Heartbleed.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  11. #11
    Join Date
    Jul 2008
    Location
    Pallet Town
    Posts
    815
    Rep Power
    0


    Tax collection could be altered, just like banking information could be altered.

    One need only have a hacker with a "Donald Trump 25% tax on Chinese" mentality, and you could have every person with a Chan last name owing $20 to $20,000 more on a faked return (requiring them to resubmit a "real" tax return.) Or every Rob Anders owing an extra million. Or have all hacked accounts owing $0.

    Are people malicious enough to alter returns for individuals? I'd say - yes. Which could grind the legit and correct tax collection to a halt.

    Banks and utilities alter the rules all the time on small scale legally: If you have this type of account, we are going to raise your minimum monthly rate by this much with zero recourse. How many people actually know if the extra they are paying is "normal" or just a corrected bill, or a hacked account?
    Last edited by ZenOps; 04-09-2014 at 10:39 PM.
    Cocoa $11,000 per tonne.

  12. #12
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101


    There's easier ways to steal money with stolen identity data than to fuck with tax returns lol.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  13. #13
    Join Date
    May 2010
    Location
    Calgary
    My Ride
    8P 3.2
    Posts
    50
    Rep Power
    0


    Originally posted by rage2

    Microsoft isn't affected because they don't use OpenSSL code at all, they write their own. The only IIS servers that are vulnerable are the ones that use OpenSSL appliances to offload SSL off the IIS servers.
    Correct. But if you wanted you could install it and use it to generate a cert on a Windows server but I don't know who would rather than use native encryption.

    Originally posted by rage2

    Makes absolutely zero difference. The remembered data is stored client side, not server side. Both remember me, or answering manually transfers the exact same thing. In cases where the cookies are encrypted client side, you can just pass the encrypted data to the server and is actually MORE secure than entering it manually because there's 2 levels of encryption vs just 1, which became useless. Entering manually exposes your answers in clear text via Heartbleed and can be used elsewhere, encrypted cookie the data can only be used on the site that it's gathered from via Heartbleed.
    Not exactly Link

    However, Adam Langley, a Google security expert who helped close the OpenSSL hole, said his testing didn't reveal information as sensitive as secret keys. "When testing the OpenSSL heartbeat fix I never got key material from servers, only old connection buffers. (That includes cookies though)," Langley said on Twitter.
    Cookies are actually more vulnerable than the theoretical memory fragment theft everyone is freaking out about. Any security questions you send are not (or should not) be in clear text over an https connection. If someone is using a targeted man in the middle attack in conjunction with heartbleed exploit then yes, that info could be decrypted right then and there. Whether it's a man in middle attack or a memory grab, data entered via a form or via cookie is still readable all the same once decrypted. Except if it's a cookie, and they pull the memory grab method, there is a higher chance your personal info and answers are all stored in adjacent blocks and easier to figure out who what answers belong to as they are all delivered at the same time (depending on how the website works of course). A separate manually filled in form after your initial login would be more unlikely to store your name and answers in adjacent blocks. Making it more difficult for someone who got a raw dump of the data to be sure whose card number is secured by whose mother's maiden name because they are not stored right beside each other because they were sent to the server 1 minute apart. And if you have 50 clients accessing the site every 10 seconds, for example, your security answers will be quite a fair bit away from your card number when someone is reading the raw blocks they stole out of memory. Edit: likely why BMO added an additional question outside of their cookie data.
    Last edited by frizzlefry; 04-09-2014 at 11:33 PM.

  14. #14
    Join Date
    Apr 2006
    Location
    Cowtown
    My Ride
    10' 4Runner SR5
    Posts
    6,373
    Rep Power
    60


    My concern: All of this is literally a foreign language to me. Apparently I'm not tech savvy at all!
    Ultracrepidarian

  15. #15
    Join Date
    Jul 2008
    Location
    Pallet Town
    Posts
    815
    Rep Power
    0


    Well, sure. If you assume that the ultimate goal is to steal money - tax returns isn't the way to do it.

    But people trip other people for different reasons. Some people do it to gain advantage, other people do it for the funnies, and others are just jerks.

    Can't assume that any of this is for financial gain.
    Cocoa $11,000 per tonne.

  16. #16
    Join Date
    Jun 2003
    Location
    YWG
    Posts
    3,119
    Rep Power
    24


    Originally posted by rage2
    Makes absolutely zero difference. The remembered data is stored client side, not server side. Both remember me, or answering manually transfers the exact same thing. In cases where the cookies are encrypted client side, you can just pass the encrypted data to the server and is actually MORE secure than entering it manually because there's 2 levels of encryption vs just 1, which became useless. Entering manually exposes your answers in clear text via Heartbleed and can be used elsewhere, encrypted cookie the data can only be used on the site that it's gathered from via Heartbleed.
    Came here to say this.

  17. #17
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101


    Originally posted by frizzlefry
    Cookies are actually more vulnerable than the theoretical memory fragment theft everyone is freaking out about. Any security questions you send are not (or should not) be in clear text over an https connection.
    Go check on every site out there, all the form data is sent clear text over SSL. There may be some exception here and there where the clientside javascript hashes passwords before transmitting, but that's rare. That's the point of SSL, to encrypt the session data with strong encryption.

    Originally posted by frizzlefry
    Whether it's a man in middle attack or a memory grab, data entered via a form or via cookie is still readable all the same once decrypted.
    This is correct, and what I said earlier.

    Originally posted by frizzlefry
    Except if it's a cookie, and they pull the memory grab method, there is a higher chance your personal info and answers are all stored in adjacent blocks and easier to figure out who what answers belong to as they are all delivered at the same time (depending on how the website works of course). A separate manually filled in form after your initial login would be more unlikely to store your name and answers in adjacent blocks. Making it more difficult for someone who got a raw dump of the data to be sure whose card number is secured by whose mother's maiden name because they are not stored right beside each other because they were sent to the server 1 minute apart.
    The website needs to know whose answers are submitted. How does it do that? Via a session cookie to keep track of your session. It doesn't matter if you answered 1 second apart and the data is sitting on the adjacent block, or 1 minute apart 10000 memory grabs away, the attacker would NEED to tie it back using the identical session cookie from the initial login with your account # and password, to the secondary authentication answer submitted 1 minute or 1 second later. You'd be a pretty terrible hacker to assume and guess which answers in adjacent blocks belongs to which username password.

    Now, let's look at how a "remember me" cookie is slightly more secure than entering it every time. Let's take Beyond for example, where you can remember your info to keep you logged in. Let's assume that all this happens over https that's vulnerable to Heartbleed.

    1. Manual login, you would enter your username and password. Attacker would dump your session, and get your username and password in clear text.

    2. Remember me cookie login. vBulletin stores your username cleartext, but your password as an encrypted hash. You log in to the site, and that data is transmitted and captured. The attacker would now have your username, but an encrypted password. Attacker would need to attack the hash to get your password. Safer via an extra layer of security.

    At the end of the day, this bug has been blown WAY out of proportion. Is it serious? Yes, if your site is slow to patch. Will a stolen private key from a vulnerable site expose you in the future? Technically possible, but quite difficult, and not worth the effort on a mass scale. People aren't going to get hacked from losing their credentials with this bug, they're going to get hacked from phishing scams that's going to go insane in the next few months due to the publicity of this bug. The average Joe is going to click that fake Heartbleed warning from Royal Bank to request a password change, submit their info, and lose their money.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  18. #18
    Join Date
    Jun 2003
    Location
    YWG
    Posts
    3,119
    Rep Power
    24


    Originally posted by rage2
    People aren't going to get hacked from losing their credentials with this bug, they're going to get hacked from phishing scams that's going to go insane in the next few months due to the publicity of this bug. The average Joe is going to click that fake Heartbleed warning from Royal Bank to request a password change, submit their info, and lose their money.
    We are already beginning to see these.

    Just had one hit our mail gateways that was claiming to be the "new" link for the CRA website.

  19. #19
    Join Date
    Mar 2009
    Location
    Calgary
    My Ride
    '18 Murano
    Posts
    676
    Rep Power
    22


    Originally posted by rage2



    At the end of the day, this bug has been blown WAY out of proportion. Is it serious? Yes, if your site is slow to patch. Will a stolen private key from a vulnerable site expose you in the future? Technically possible, but quite difficult, and not worth the effort on a mass scale. People aren't going to get hacked from losing their credentials with this bug, they're going to get hacked from phishing scams that's going to go insane in the next few months due to the publicity of this bug. The average Joe is going to click that fake Heartbleed warning from Royal Bank to request a password change, submit their info, and lose their money.
    Absolutely agree. The Phishing aspect for sure will be way more of a risk.
    Seems I read somewhere that none of the major Canadian banks were using vulnerable ssl code, but people will panic, and jump all over the first fake bank email.

  20. #20
    Join Date
    Mar 2009
    Location
    Calgary
    My Ride
    '18 Murano
    Posts
    676
    Rep Power
    22


    Originally posted by sputnik


    We are already beginning to see these.

    Just had one hit our mail gateways that was claiming to be the "new" link for the CRA website.
    Yeah, I'm watching ours closely, since our anti-spam provider has been asleep at the switch lately.
