[GPSCC-chat] Heartbleed is real. Do something real.
Spencer Graves
spencer.graves at structuremonitoring.com
Sat Apr 12 09:46:30 PDT 2014
Cameron mentioned routers. I just confirmed that they could be a
problem and added information on what to do about that to the
Wikiversity article on "Managing risk from cyber attacks".
Spencer
On 4/12/2014 8:05 AM, John Thielking wrote:
> Thanks for the web update Spencer. I double checked my Direct Express
> online account and it is possible to send money to another bank
> account after logging in, but there is also what is called "two factor
> security" involved. It seems that I have to enter the code on the back
> of my debit card before I can transfer money and even then the
> transaction might be declined by Comerica Bank. I'm working with the
> account issuer to disable online access and have them send me a paper
> bill in the mail with all of my transactions for the month listed
> instead of having online access, but it is not clear how much trouble
> it will be to do this since the customer service rep said they weren't
> sure if it was possible to do this for an active online account. She
> had the tech support people arrange to call me back sometime next
> week. She also said that it was not possible to only disable the
> online funds transfer feature and online bill pay. Two factor security
> is better than just having a password and login required before you
> can send money from an online bank account. If your bank doesn't have
> at least that level of security, they are fools and you should switch
> banks or at least disable online access for your account. Hopefully my
> security code is secure on the Direct Express web site as I've never
> entered that code when using that site. I'm still going to disable
> online access entirely ASAP if I am allowed to do that.
>
> On a related note, I did a search to find out if the Heartbleed bug
> affects security for credit card numbers and PINs, not just passwords,
> and found at least one article that confirms that it DOES affect other
> data such as CC numbers. That article is located here:
>
> http://www.christianpost.com/news/heart-bleed-virus-update-open-ssl-computer-bug-how-to-protect-your-security-passwords-for-gmail-yahoo-facebook-117732/
>
>
> I also did a search to try to find out if the Heartbleed patch is
> available for Windows XP. I found a bunch of articles that talked
> about the end of XP security support on April 8, 2014 and that talked
> about the Heartbleed bug, but none of the articles raised any alarms
> for XP users trying to patch the Heartbleed bug.
>
> John Thielking
>
>
> On Fri, Apr 11, 2014 at 9:33 PM, Spencer Graves
> <spencer.graves at prodsyse.com> wrote:
>
> Hi, Cameron, et al.:
>
>
> A discussion of how to deal with problems like Heartbleed is
> now available on Wikiversity, "Managing risk from cyber attacks".
>
>
> Please revise this as you see fit or send suggestions to
> me. Cameron has done a great service in providing his expertise
> on this list. The Wikipedia article on Heartbleed received almost
> 47,000 views on April 11 (UTC), and over 39,000 on the three
> previous days combined. If this Wikiversity article gets a small
> portion of that number of views, it will provide a great service to
> humanity.
>
>
> Creating that article helped me think through what seemed
> like a sensible reaction. Alarmists said we should change all our
> passwords. I think that's overkill. Even creating a simple list
> of all the accounts and passwords I've created over the years was
> more work than I felt justified. And creating such a list would
> miss the point. We need to worry about the financial institutions
> that manage savings. If cyber thieves drain those accounts, it
> could create big problems for us. For more, see the Wikiversity
> article
> (https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks).
>
>
> Thanks again, Cameron -- and thanks to John and Drew for
> their additional comments.
>
>
> Spencer
>
>
> On 4/11/2014 3:29 PM, John Thielking wrote:
>> Sorry to keep dragging this out, but I finally decided to search
>> the RT.com web site using the search term "computer hardware" to
>> see if I could find an article or two relating to my previous
>> statement that RT.com broadcast the claim that computer hardware
>> in general has been compromised by the NSA. I did find the
>> following article at
>>
>> http://rt.com/op-edge/nsa-hacking-individual-computers-008/
>>
>>
>> that states that some of the material provided by Snowden does in
>> fact indicate that some people's computers are implanted with
>> special chips to aid the NSA in monitoring them. This may not be
>> widespread just yet, but it does fit with previously broadcast
>> info from RT.com that was saying that certain people's laptops
>> that have been ordered online are sometimes transshipped to
>> special NSA facilities where they have their hardware modified to
>> contain implanted viruses or malware (in the CMOS perhaps?). Of
>> course the article also says that the NSA may choose to bug all
>> computers sold in a specific city, if that city is a region of
>> interest for the NSA. I'll bet that Eugene, Oregon (Berkeley
>> North) could be one of those places. And who knows, they might
>> put radio bugs in all the watches sold there too.
>> More to think about I guess.
>>
>> A more speculative opinion piece is located here:
>>
>> http://rt.com/op-edge/nsa-spying-future-total-952/
>>
>>
>> and a link to the Der Spiegel article that this stuff is based on
>> is contained here:
>>
>> http://rt.com/op-edge/annie-machon-nsa-spying-925/
>> <http://rt.com/op-edge/nsa-spying-future-total-952/>
>>
>>
>> Any further thoughts?
>>
>> John Thielking
>>
>>
>> On Fri, Apr 11, 2014 at 2:19 PM, John Thielking
>> <peacemovies at gmail.com> wrote:
>>
>> Another more specific question for you Cameron:
>>
>> Is the patch for the Heartbleed bug supported for systems
>> running Windows XP, which was just barely out of date as of
>> the time of broad announcement of the Heartbleed bug, or do
>> the people currently running Windows XP also have to upgrade
>> their OS? I know my home computer only has 500 MB of memory
>> so I can't just do an easy upgrade to Win 7. I hope not too
>> many POS terminals are also in the same boat. They should
>> upgrade to a new OS anyway, but this problem may just
>> compound the problem presented by the Heartbleed bug itself.
>>
>> John Thielking
>>
>>
>> On Fri, Apr 11, 2014 at 12:52 PM, John Thielking
>> <peacemovies at gmail.com> wrote:
>>
>> People should also know that there may be additional
>> security gaps in ATMs and Point Of Sale terminals due to
>> their owners' slow response to the need to do away with
>> using Windows XP. For instance, the last time I went to
>> Round Table Pizza a couple of weeks ago, the screen saver
>> on their POS terminal still said "Windows XP". Chase
>> signed a contract for another year of support from MS for
>> Win XP for their ATMs, but I can only assume that
>> everyone else will no longer have support for Win XP
>> after early April 2014. Good luck on that one too.
>>
>> John Thielking
>>
>>
>> On Fri, Apr 11, 2014 at 12:14 PM, John Thielking
>> <peacemovies at gmail.com> wrote:
>>
>> After reading this I'm not likely to trust ATMs for
>> awhile with any of my debit cards or credit cards. At
>> least my latest credit card company and one of my
>> debit cards I'm pretty sure I can just go to the bank
>> teller of any bank and get a "cash advance" from the
>> teller instead of using an ATM. Often times I don't
>> need a PIN when doing that, just a photo ID. I think
>> the fees for that method may even be less than using
>> the ATM anyway. Do you think that the bank tellers'
>> systems are likely to be more secure than their ATMs?
>> Thanks for clarifying the other info Cameron.
>>
>> Sincerely,
>>
>> John Thielking
>>
>>
>> On Fri, Apr 11, 2014 at 8:45 AM, Cameron L. Spitzer
>> <cls at truffula.us> wrote:
>>
>>
>> I may have been unclear.
>>
>> 1. Check your bank (etc.) site for the vulnerability.
>> If it's bad, make a note.
>> 2. Change your password.
>> 3. Go back to the bad ones tomorrow and check
>> them again.
>> 4. If a site has changed from bad to good,
>> change your password there.
>> 5. Repeat again tomorrow until there are no more
>> bad sites on your list.
>>
>> If the first check of a site was good, you'll
>> only change that site's password once.
>> If the first check was bad, you'll have to change
>> your password twice. The first change
>> deactivates the password which was probably
>> stolen over the last two years, replacing it with
>> a temporary password. The second replaces the
>> temporary password, which may also have been stolen.
>>
>>
>> The work your bank (etc.) has to do is more
>> elaborate. They have to replace the trust
>> certificates that SSL protects, because those
>> have secret keys and they also could have been
>> stolen. However, when a site goes from bad to
>> good it's a pretty good indication they're doing
>> all of that. The certs are mainly important for
>> protecting you from impostor web sites. Impostors
>> are mainly a threat to people who follow links
>> received in email, but they can also appear if
>> the DNS is compromised anywhere along the line.
>> That mostly happens to Microsoft Windows users
>> with malware (that's most consumers who use
>> Windows at home) and on corporate intranets.
>> Ironically, even though Microsoft's
>> implementation of SSL was not affected, the
>> prevalence of Windows malware greatly magnifies
>> the vulnerability. One more example of how
>> Windows ruins everything, even for non-Windows users!
>>
>>
>> The OpenSSL source code's history is visible at
>> its Github page. Several security blogs show how
>> you can look up the Dec 31 2011 change that
>> introduced the bug and the April 7 2014 change
>> that fixes it. No stealthy detective work is
>> needed. However, Github is pretty swamped this
>> week with everybody looking at these two changes,
>> so you might get a timeout or a 500 error.
>>
>> It will take years for everybody to fix
>> everything. There are home routers, ATM machines,
>> point of sale terminals (we used to call them
>> "cash registers") and other "appliances" (voting
>> machines?) which use the buggy OpenSSL, and most
>> consumers never update the firmware in those things.
>> Corporate intranets with huge software stacks
>> (internal accounting processes etc) will be the
>> most work.
>> But almost all large consumer-facing commerce sites
>> will have this fixed within a few weeks. The fix
>> isn't difficult for professionally managed web
>> sites, and the urgency is high and unusually well
>> understood.
>>
>>
>>
>>
>> On 04/10/2014 10:07 PM, John Thielking wrote:
>>> KRON4 TV news had an interesting piece on this
>>> bug tonight. Hopefully they rebroadcast it at 11
>>> so you all can see it. They were saying that
>>> they found out who created the bug, that it was
>>> a "mistake" and that it could take years for all
>>> the web sites involved to be fixed. What a headache.
>>>
>>> John Thielking
>>>
>>>
>>> On Thu, Apr 10, 2014 at 12:46 PM, Spencer Graves
>>> <spencer.graves at prodsyse.com> wrote:
>>>
>>> Hi, Cameron, Drew, et al.:
>>>
>>>
>>> 1. Do you have any reactions to the
>>> suggestion that a user could increase rather
>>> than decrease their vulnerability if they
>>> change a password BEFORE a host fixes the
>>> software on their end? The concern is that
>>> some of the information stolen via
>>> Heartbleed may still need more work to
>>> decode than a password change before the
>>> host software is patched. If this is
>>> accurate, we should first check the hosts
>>> for our greatest vulnerabilities to ensure
>>> that they've installed an appropriate patch,
>>> then change our password, log out, then
>>> quickly log back in and change the password
>>> again, as Cameron suggested. If I
>>> understand correctly, the need to change the
>>> password twice is because a data thief may
>>> catch the first password change but is
>>> unlikely to be able to react quickly enough
>>> with that new information to catch your
>>> second password change if you do it quickly
>>> enough.
>>>
>>>
>>> 2. Wikipedia has an article on
>>> "Heartbleed", which has been updated every few
>>> minutes since it was created 2014-04-09
>>> 04:39 UTC. If you have information that you
>>> feel is not properly reflected there, I'd
>>> like to know. I might be able to help update
>>> it, though my schedule today is quite busy.
>>>
>>>
>>> Be safe.
>>> Spencer
>>>
>>>
>>> On 4/10/2014 6:16 AM, Drew wrote:
>>>> Cameron, I and others can help people move
>>>> to a (user-friendly), freedom-respecting
>>>> GNU/Linux computer system such as Puppy
>>>> Linux http://puppylinux.com , or Zorin
>>>> http://www.zorin-os.com/ , or Linux Mint, etc.
>>>>
>>>> Green is Freedom!
>>>>
>>>> Drew
>>>> --
>>>> Sent from my Android device with K-9 Mail.
>>>> Please excuse my brevity.
>>>>
>>>>
>>>
>>> _______________________________________________
>>> sosfbay-discuss mailing list
>>> sosfbay-discuss at cagreens.org
>>> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>>>
>>
>
--
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph: 408-655-4567
web: www.structuremonitoring.com