Change your passwords

Started by Glenn, Apr 09, 2014, 19:33:39



Glenn

"Catastrophic is the right word. On the scale of one to 10, this is an 11,"

http://www.bbc.co.uk/news/technology-26954540
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Hmmmm... I wonder if I can even remember half of them.
I used to have a signature, then it all changed to chip and pin.

zappaDPJ

Very much related to this: http://www.idnetters.co.uk/forums/index.php/topic,32024.0.html

It's all very well running around changing all your passwords but how do you know that the servers have been adequately patched? In fact, just logging in to change a password might actually reveal both the old and new password to an attacker. In my view this is potentially bad advice being given out by uninformed reporters.


zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

This bug has been around since 2011. Yes, it's bad, but as Zap said, changing all your passwords is a tad over the top; even that sensationalist BBC story at the end quotes another source saying you don't have to, unless told to, really. The BBC likes its headlines to be scary...
Damned, if you do damned if you don't

Steve

The BBC seems to be as useful as the Daily Mail and the Daily Express these days, sensationalistic cr*p.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

"There's been a lot of concern about the OpenSSL Heartbleed bug, which is a vulnerability that allows theft of information that's normally protected by the SSL/TLS encryption used to secure many Internet sites and services. Well, thanks to a tip from former TUAW-er Damien Barrett, those of us who run OS X and OS X Server can breathe a bit easier. No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug." Also: "OpenSSL has never been provided as part of iOS."

http://www.tuaw.com/2014/04/09/why-the-openssl-heartbleed-bug-doesnt-affect-os-x-or-os-x-serve/
Damned, if you do damned if you don't

Gary

Facebook, Google, Dropbox and now Yahoo Mail are safe, although Yahoo was vulnerable for a while. IDNet tests safe too from what I can see, although the encryption says weak :eyebrow: NatWest seems safe too, but whether it was is another thing, as with many of these sites. Running about changing them seems over the top though, and the BBC is just spreading panic for headlines.
Damned, if you do damned if you don't

Technical Ben

Quote: although Yahoo was vulnerable for a while
It's Yahoo... need we say more? (Well, if I do, they've been in lots of trouble, ranging from employees giving out details to make cash, to losing it by mistake)
I used to have a signature, then it all changed to chip and pin.

Gary

Quote from: Technical Ben on Apr 10, 2014, 10:18:04
It's Yahoo... need we say more? (Well, if I do, they've been in lots of trouble, ranging from employees giving out details to make cash, to losing it by mistake)
Well, considering Yahoo is used for BT Mail, I imagine some people were concerned as they just use the default email service. Other firms are just as bad, and since this bug affects maybe 66% of servers worldwide, it's not really Yahoo's fault this time.
Damned, if you do damned if you don't

zappaDPJ

I probably ought to say that although I'd advise you not to change all your passwords, this is a problem that should be taken very seriously now that the knowledge of it is in the public domain. To put some perspective on the matter, here's a list of 10,000 sites that are or were vulnerable: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt This provides a reasonable explanation of how the exploit works: http://heartbleed.com/

The short version is that up until a week ago your stuff was as safe or as unsafe as it's ever been. Now that knowledge of this flaw is in the public domain, your stuff is not safe at all if it's sitting on servers that remain vulnerable. If that is the case, you should wait for the service provider to patch the flaw and then change your password.

On a more positive note this has provided me with more work than I can possibly cope with!
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Christ, that's a hell of a lot to go through checking if they're sites one uses!   :swoon:  What does 'No SSL' mean, against some of them?  I've checked a few and they seem secure in my browser.  :dunno:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Thankfully my stuff is on very few sites and servers, and they are all patched and hunky dory. The internet is getting to be a horrendous pain in the backside. Oh look, I have a garden and it's sunny... ;D
Damned, if you do damned if you don't

Bill

Bill
BQMs-  IPv4  IPv6

Simon

The 'this website' link on there takes me to a Spotify page asking me to login via Facebook.  :eyebrow:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Bill

Don't understand that, works fine for me, straight to the DT page :dunno:
Bill
BQMs-  IPv4  IPv6

Simon

Just cleared iPhone cache and history and it's fine now.  :dunno:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Bill

'Tis a wondrous thing, the internet :P
Bill
BQMs-  IPv4  IPv6

Technical Ben

Quote from: Simon on Apr 10, 2014, 17:30:21
Christ, that's a hell of a lot to go through checking if they're sites one uses!   :swoon:  What does 'No SSL' mean, against some of them?  I've checked a few and they seem secure in my browser.  :dunno:
Most probably that the site does not use SSL so is "safe".
I used to have a signature, then it all changed to chip and pin.

Simon

OK, I'll put my Mr Thick hat on, but that sounds like a contradiction in terms.  I thought SSL meant it IS secure. 

:stars:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Steve

So is a safe, unless you give away the combination. ;)
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Quote from: Simon on Apr 10, 2014, 20:52:10
OK, I'll put my Mr Thick hat on, but that sounds like a contradiction in terms.  I thought SSL meant it IS secure. 

:stars:
It's "safe from the bug" because it does not use SSL. Like saying "safe from lock pickers" because it has no locks...  ;D :laugh:
(Hence me putting safe in quotations. It's not really safe from all things, just this one instance. Or at the least, is not a data collecting site, so has no need for SSL)
I used to have a signature, then it all changed to chip and pin.

Gary

Makes me laugh, oddly. Google said no need to change passwords, then the Telegraph says you have to. Unless Google, Facebook etc. tell me, I'm doing nothing.
Damned, if you do damned if you don't

zappaDPJ

Quote from: Simon on Apr 10, 2014, 20:52:10
OK, I'll put my Mr Thick hat on, but that sounds like a contradiction in terms.  I thought SSL meant it IS secure. 

:stars:

In theory yes, but in reality it turns out running SSL has given attackers an entry point to exploit. Systems running it have been less secure than systems that don't run it at all. However, nobody knows if anyone has actually exploited the entry point, because it would leave no trace if they did. For all we know all our stuff has already been harvested, or more likely (I think) it hasn't been touched at all. It certainly became a thousand times more vulnerable during the window from when this became public knowledge until such time as the servers were patched. I'd like to think anything important has already been patched by now.

zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.