[GPSCC-chat] Heartbleed is real. Do something real.

Cameron L. Spitzer cls at truffula.us
Sat Apr 12 11:48:43 PDT 2014



> I also did a search to try to find out if the Heartbleed patch is 
> available for Windows XP


It seems you misunderstood what the Heartbleed problem is about. If you 
don't know a term here, please follow its link:

OpenSSL <https://www.openssl.org/> is a popular implementation 
<http://en.wikipedia.org/wiki/Implementation#Computer_science> of the 
Secure Sockets Layer and Transport Layer Security (SSL/TLS 
<http://en.wikipedia.org/wiki/Transport_Layer_Security>) protocols 
<http://searchnetworking.techtarget.com/definition/protocol>. Those 
protocols are a set of rules to encrypt your data so it can be sent 
securely through an insecure medium.

The Common Vulnerabilities and Exposures CVE-2014-0160 (Heartbleed) 
buffer overrun bug <https://www.google.com/search?q=cve-2014-0160> 
compromises systems running certain versions of OpenSSL and products 
which include those versions.  The most visible is the Apache HTTPS web 
server.

*OpenSSL runs on unix*.  Microsoft uses its own implementations of SSL 
and TLS.  MSFT's SSL/TLS may have similar bugs, but it doesn't have this 
one.  (Pedantically, OpenSSL /has/ been ported to Windows.  It runs 
there.  But *Windows doesn't come with OpenSSL*, and Web servers on 
Windows typically use MSFT's software stack.  Web servers running 
OpenSSL on Windows are very rare.  OpenSSL on Windows would most likely 
be found on something like an ATM or voting machine, never on a home PC.)

("unix" in lowercase is a common, convenient nickname for any software 
distribution <http://distrowatch.com/> derived from or mimicking Bell 
Labs' UNIX(TM). That's GNU, Linux, BSD, Solaris, Ubuntu, Android, etc.  
Windows XP steals a bunch of ideas from unix, but it's not a unix.)



On 04/12/2014 08:05 AM, John Thielking wrote:
> Thanks for the web update Spencer. I double checked my Direct Express 
> online account and it is possible to send money to another bank 
> account after logging in, but there is also what is called "two factor 
> security" involved. It seems that I have to enter the code on the back 
> of my debit card before I can transfer money and even then the 
> transaction might be declined by Comerica Bank. I'm working with the 
> account issuer to disable online access and have them send me a paper 
> bill in the mail with all of my transactions for the month listed 
> instead of having online access, but it is not clear how much trouble 
> it will be to do this since the customer service rep said they weren't 
> sure if it was possible to do this for an active online account. She 
> had the tech support people arrange to call me back sometime next 
> week. She also said that it was not possible to only disable the 
> online funds transfer feature and online bill pay. Two factor security 
> is better than just having a password and login required before you 
> can send money from an online bank account. If your bank doesn't have 
> at least that level of security, they are fools and you should switch 
> banks or at least disable online access for your account. Hopefully my 
> security code is secure on the Direct Express web site as I've never 
> entered that code when using that site. I'm still going to disable 
> online access entirely ASAP if I am allowed to do that.
>
> On a related note, I did a search to find out if the Heartbleed bug 
> affects security for credit card numbers and PINs, not just passwords, 
> and found at least one article that confirms that it DOES affect other 
> data such as CC numbers. That article is located here:
>
> http://www.christianpost.com/news/heart-bleed-virus-update-open-ssl-computer-bug-how-to-protect-your-security-passwords-for-gmail-yahoo-facebook-117732/
>
>
> I also did a search to try to find out if the Heartbleed patch is 
> available for Windows XP. I found a bunch of articles that talked 
> about the end of XP security support on April 8, 2014 and that talked 
> about the Heartbleed bug, but none of the articles raised any alarms 
> for XP users trying to patch the Heartbleed bug.
>
> John Thielking
>
>
> On Fri, Apr 11, 2014 at 9:33 PM, Spencer Graves 
> <spencer.graves at prodsyse.com> wrote:
>
>     Hi, Cameron, et al.:
>
>
>           A discussion of how to deal with problems like Heartbleed is
>     now available on Wikiversity, "Managing risk from cyber attacks".
>
>
>           Please revise this as you see fit or send suggestions to
>     me.  Cameron has done a great service in providing his expertise
>     on this list.  The Wikipedia article on Heartbleed received almost
>     47,000 views on April 11 (UTC), and over 39,000 on the three
>     previous days combined.  If this Wikiversity article gets a small
>     portion of that number of views, it will provide a great service
>     to humanity.
>
>
>           Creating that article helped me think through what seemed
>     like a sensible reaction.  Alarmists said we should change all our
>     passwords.  I think that's overkill.  Even creating a simple list
>     of all the accounts and passwords I've created over the years was
>     more work than I felt justified.  And creating such a list would
>     miss the point.  We need to worry about the financial institutions
>     that manage savings.  If cyber thieves drain those accounts, it
>     could create big problems for us.  For more, see the Wikiversity
>     article
>     (https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks).
>
>
>           Thanks again, Cameron -- and thanks to John and Drew for
>     their additional comments.
>
>
>           Spencer
>
>
>     On 4/11/2014 3:29 PM, John Thielking wrote:
>>     Sorry to keep dragging this out, but I finally decided to search
>>     the RT.com web site using the search term "computer hardware" to
>>     see if I could find an article or two relating to my previous
>>     statement that RT.com broadcast the claim that computer hardware
>>     in general has been compromised by the NSA. I did find the
>>     following article at
>>
>>     http://rt.com/op-edge/nsa-hacking-individual-computers-008/
>>
>>
>>     that states that some of the material provided by Snowden does in
>>     fact indicate that some people's computers are implanted with
>>     special chips to aid the NSA in monitoring them. This may not be
>>     widespread just yet, but it does fit with previously broadcast
>>     info from RT.com that was saying that certain people's laptops
>>     that have been ordered online are sometimes transhipped to
>>     special NSA facilities where they have their hardware modified to
>>     contain implanted viruses or malware (in the CMOS perhaps?).  Of
>>     course the article also says that the NSA may choose to bug all
>>     computers sold in a specific city, if that city is a region of
>>     interest for the NSA. I'll bet that Eugene, Oregon (Berkeley
>>     North) could be one of those places. And who knows, they might
>>     put radio bugs in all the watches sold there too.
>>       More to think about I guess.
>>
>>     A more speculative opinion piece is located here:
>>
>>     http://rt.com/op-edge/nsa-spying-future-total-952/
>>
>>
>>     and a link to the Der Spiegel article that this stuff is based on
>>     is contained here:
>>
>>     http://rt.com/op-edge/annie-machon-nsa-spying-925/
>>
>>
>>     Any further thoughts?
>>
>>     John Thielking
>>
>>
>>     On Fri, Apr 11, 2014 at 2:19 PM, John Thielking
>>     <peacemovies at gmail.com> wrote:
>>
>>         Another more specific question for you Cameron:
>>
>>         Is the patch for the Heartbleed bug supported for systems
>>         running Windows XP, which was just barely out of date as of
>>         the time of broad announcement of the Heartbleed bug, or do
>>         the people currently running Windows XP also have to upgrade
>>         their OS?  I know my home computer only has 500 MB of memory
>>         so I can't just do an easy upgrade to Win 7.  I hope not too
>>         many POS terminals are also in the same boat.  They should
>>         upgrade to a new OS anyway, but this problem may just
>>         compound the problem presented by the Heartbleed bug itself.
>>
>>         John Thielking
>>
>>
>>         On Fri, Apr 11, 2014 at 12:52 PM, John Thielking
>>         <peacemovies at gmail.com> wrote:
>>
>>             People should also know that there may be additional
>>             security gaps in ATMs and Point Of Sale terminals due to
>>             their owners' slow response to the need to do away with
>>             using Windows XP. For instance, the last time I went to
>>             Round Table Pizza a couple of weeks ago, the screen saver
>>             on their POS terminal still said "Windows XP". Chase
>>             signed a contract for another year of support from MS for
>>             Win XP for their ATMs, but I can only assume that
>>             everyone else will no longer have support for Win XP
>>             after early April 2014.  Good luck on that one too.
>>
>>             John Thielking
>>
>>
>>             On Fri, Apr 11, 2014 at 12:14 PM, John Thielking
>>             <peacemovies at gmail.com> wrote:
>>
>>                 After reading this I'm not likely to trust ATMs for
>>                 awhile with any of my debit cards or credit cards. At
>>                 least with my latest credit card company and one of my
>>                 debit cards, I'm pretty sure I can just go to the bank
>>                 teller of any bank and get a "cash advance" from the
>>                 teller instead of using an ATM. Oftentimes I don't
>>                 need a PIN when doing that, just a photo ID.  I think
>>                 the fees for that method may even be less than using
>>                 the ATM anyway. Do you think that the bank teller's
>>                 systems are likely to be more secure than their ATM's?
>>                   Thanks for clarifying the other info Cameron.
>>
>>                 Sincerely,
>>
>>                 John Thielking
>>
>>
>>                 On Fri, Apr 11, 2014 at 8:45 AM, Cameron L. Spitzer
>>                 <cls at truffula.us> wrote:
>>
>>
>>                     I may have been unclear.
>>                     1.  Check your bank (etc) site for the vulnerability.
>>                     If it's bad, make a note.
>>                     2.  Change your password.
>>
>>                     3.  Go back to the bad ones tomorrow and check
>>                     them again.
>>                     4.  If a site has changed from bad to good,
>>                     change your password there.
>>
>>                     5.  Repeat again tomorrow until there are no more
>>                     bad sites on your list.
>>
>>                     If the first check of a site was good, you'll
>>                     only change that site's password once.
>>                     If the first check was bad, you'll have to change
>>                     your password twice.  The first change
>>                     deactivates the password which was probably
>>                     stolen over the last two years, replacing it with
>>                     a temporary password.  The second replaces the
>>                     temporary password, which may also have been stolen.
>>
>>
>>                     The work your bank (etc) has to do is more
>>                     elaborate. They have to replace the trust
>>                     certificates that SSL protects, because those
>>                     have secret keys and they also could have been
>>                     stolen. However, when a site goes from bad to
>>                     good it's a pretty good indication they're doing
>>                     all of that. The certs are mainly important for
>>                     protecting you from impostor web sites. Impostors
>>                     are mainly a threat to people who follow links
>>                     received in email, but they can also appear if
>>                     the DNS is compromised anywhere along the line.
>>                     That mostly happens to Microsoft Windows users
>>                     with malware (that's most consumers who use
>>                     Windows at home) and on corporate intranets.
>>                     Ironically, even though Microsoft's
>>                     implementation of SSL was not affected, the
>>                     prevalence of Windows malware greatly magnifies
>>                     the vulnerability. One more example of how
>>                     Windows ruins everything, even for non-Windows users!
>>
>>
>>                     The OpenSSL source code's history is visible at
>>                     its Github page. Several security blogs show how
>>                     you can look up the Dec 31 2011 change that
>>                     introduced the bug and the April 7 2014 change
>>                     that fixes it.  No stealthy detective work is
>>                     needed. However, Github is pretty swamped this
>>                     week with everybody looking at these two changes,
>>                     so you might get a timeout or a 500 error.
>>
>>                     It will take years for everybody to fix
>>                     everything. There are home routers, ATM machines,
>>                     point of sale terminals (we used to call them
>>                     "cash registers") and other "appliances" (voting
>>                     machines?) which use the buggy OpenSSL, and most
>>                     consumers never update the firmware in those things.
>>                     Corporate intranets with huge software stacks
>>                     (internal accounting processes etc) will be the
>>                     most work.
>>                     But almost all large consumer-facing commerce sites
>>                     will have this fixed within a few weeks. The fix
>>                     isn't difficult for professionally managed web
>>                     sites, and the urgency is high and unusually well
>>                     understood.
>>
>>
>>
>>
>>                     On 04/10/2014 10:07 PM, John Thielking wrote:
>>>                     KRON4 TV news had an interesting piece on this
>>>                     bug tonight. Hopefully they rebroadcast it at 11
>>>                     so you all can see it. They were saying that
>>>                     they found out who created the bug, that it was
>>>                     a "mistake" and that it could take years for all
>>>                     the web sites involved to be fixed. What a headache.
>>>
>>>                     John Thielking
>>>
>>>
>>>                     On Thu, Apr 10, 2014 at 12:46 PM, Spencer Graves
>>>                     <spencer.graves at prodsyse.com> wrote:
>>>
>>>                         Hi, Cameron, Drew, et al.:
>>>
>>>
>>>                               1.  Do you have any reactions to the
>>>                         suggestion that a user could increase rather
>>>                         than decrease their vulnerability if they
>>>                         change a password BEFORE a host fixes the
>>>                         software on their end? The concern is that
>>>                         some of the information stolen via
>>>                         Heartbleed may still need more work to
>>>                         decode than a password change before the
>>>                         host software is patched.  If this is
>>>                         accurate, we should first check the hosts
>>>                         for our greatest vulnerabilities to ensure
>>>                         that they've installed an appropriate patch,
>>>                         then change our password, log out, then
>>>                         quickly log back in and change the password
>>>                         again, as Cameron suggested.  If I
>>>                         understand correctly, the need to change the
>>>                         password twice is because a data thief may
>>>                         catch the first password change but is
>>>                         unlikely to be able to react quickly enough
>>>                         with that new information to catch your
>>>                         second password change if you do it quickly
>>>                         enough.
>>>
>>>
>>>                               2. Wikipedia has an article on
>>>                         "Heartbleed", which has been updated every few
>>>                         minutes since it was created 2014-04-09
>>>                         04:39 UTC.  If you have information that you
>>>                         feel is not properly reflected there, I'd
>>>                         like to know. I might be able to help update
>>>                         it, though my schedule today is quite busy.
>>>
>>>
>>>                               Be safe.
>>>                               Spencer
>>>
>>>
>>>                         On 4/10/2014 6:16 AM, Drew wrote:
>>>>                         Cameron, I and others can help people move
>>>>                         to a (user-friendly), freedom-respecting
>>>>                         GNU/Linux computer system such as Puppy
>>>>                         Linux http://puppylinux.com , or Zorin
>>>>                         http://www.zorin-os.com/ , or Linux Mint, etc.
>>>>
>>>>                         Green is Freedom!
>>>>
>>>>                         Drew
>>>>                         -- 
>>>>                         Sent from my Android device with K-9 Mail.
>>>>                         Please excuse my brevity.
>>>>
>>>>
>>>
>>>                         _______________________________________________
>>>                         sosfbay-discuss mailing list
>>>                         sosfbay-discuss at cagreens.org
>>>                         http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>>>
>>
>
>     -- 
>     Spencer Graves, PE, PhD
>     President and Chief Technology Officer
>     Structure Inspection and Monitoring, Inc.
>     751 Emerson Ct.
>     San José, CA 95126
>     ph: 408-655-4567
>     web: www.structuremonitoring.com
>
>
>
>
> _______________________________________________
> sosfbay-discuss mailing list
> sosfbay-discuss at cagreens.org
> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
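The bug the whole thread is about, modelled as an added example. This is
illustrative C written for this page, not OpenSSL's source and not code
from any message above. It follows the shape of the heartbeat handler
in OpenSSL 1.0.1 through 1.0.1f (record = type, two-byte length, payload,
16 bytes of padding, per RFC 6520) and the bounds check the April 7 2014
fix added. The 256-byte arena, the "hi" payload, the claimed length of 64
and the SESSION_KEY string are all constructed for the demonstration;
they stand in for the heap memory that sat next to the record on a real
server.

```c
/* Added example: a model of the OpenSSL 1.0.1 heartbeat bug (CVE-2014-0160).
 * Illustrative code written for this page, not OpenSSL's source. The
 * "adjacent memory" and the secret are constructed so the over-read stays
 * inside an arena we own instead of running off the end of a real heap
 * buffer. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1      /* TLS heartbeat message types (RFC 6520) */
#define HB_RESPONSE 2
#define HB_PADDING  16     /* minimum padding after the payload */

/* One received TLS record plus whatever happened to follow it in memory. */
typedef struct {
    uint8_t mem[256];      /* record bytes, then "neighbouring" heap data */
    size_t  rec_len;       /* how many bytes the record actually has */
} arena_t;

/* Lay out a heartbeat request: type(1) | claimed length(2) | payload | padding.
 * `claimed` is the attacker-controlled length field; `actual` is how many
 * payload bytes were really sent. `neighbour` is the constructed secret
 * that sits just past the end of the record. */
static void build_request(arena_t *a, uint16_t claimed,
                          const uint8_t *payload, size_t actual,
                          const char *neighbour)
{
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed >> 8);
    a->mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(a->mem + 3, payload, actual);
    a->rec_len = 3 + actual + HB_PADDING;            /* padding stays zero */
    strncpy((char *)a->mem + a->rec_len, neighbour,
            sizeof a->mem - a->rec_len - 1);
}

/* Handle one heartbeat record, modelled on tls1_process_heartbeat.
 * Returns the response length written to `out`, or -1 if rejected.
 * `patched` enables the bounds check added by the April 7 2014 fix. */
static int process_heartbeat(const arena_t *a, int patched,
                             uint8_t *out, size_t out_cap)
{
    const uint8_t *p = a->mem;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    const uint8_t *pl = p + 2;                           /* start of payload */

    if (patched) {
        /* The fix: refuse records too short to hold header plus padding,
         * and refuse a claimed payload that does not fit in the record. */
        if (a->rec_len < 1 + 2 + HB_PADDING) return -1;
        if (1 + 2 + (size_t)payload + HB_PADDING > a->rec_len) return -1;
    }
    if (hbtype != HB_REQUEST) return -1;

    /* Keep the model inside the arena; the real code had no such limit
     * and would copy up to 64 KiB of whatever followed the record. */
    size_t resp_len = 3 + payload + HB_PADDING;
    if (3 + (size_t)payload > sizeof a->mem || resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);      /* unpatched: copies past rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Send a 2-byte payload ("hi") with the given claimed length and report:
 *  1 = the response contains the neighbouring secret (memory leaked)
 *  0 = a response came back and nothing leaked
 * -1 = the record was rejected */
static int heartbeat_demo(uint16_t claimed, int patched)
{
    static const char secret[] = "SESSION_KEY=0123456789abcdef";  /* constructed */
    arena_t a;
    uint8_t out[sizeof a.mem];
    size_t n, slen = sizeof secret - 1;

    build_request(&a, claimed, (const uint8_t *)"hi", 2, secret);
    int r = process_heartbeat(&a, patched, out, sizeof out);
    if (r < 0) return -1;
    n = (size_t)r;
    for (size_t i = 3; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unpatched, claimed 64: %d (1 = secret leaked)\n", heartbeat_demo(64, 0));
    printf("patched,   claimed 64: %d (-1 = rejected)\n", heartbeat_demo(64, 1));
    printf("patched,   claimed 2:  %d (0 = normal reply)\n", heartbeat_demo(2, 1));
    return 0;
}
```

The unpatched handler trusts the two-byte length field and copies that
many bytes back, so a request that claims 64 bytes but carries 2 returns
the 2 bytes plus whatever sat after the record. The patched handler
compares the claimed length against the record it actually received and
drops the message. An external check works on the same principle: send
a heartbeat whose claimed length exceeds its payload, and treat a reply
longer than what you sent as a positive result.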
