[GPSCC-chat] Heartbleed is real. Do something real.

Spencer Graves spencer.graves at prodsyse.com
Sat Apr 12 18:15:12 PDT 2014


John:


       Possibly the largest network of Automated Teller Machines (ATMs) 
in the world may be those run by credit unions.  Many if not all credit 
unions world wide honor each other's debit cards. Provident Credit Union 
(providentcu.org) advertises, "Over 28,000 CO-OP Network ATMs worldwide 
(including over 5,500 ATMs in 7-Eleven stores around the country). 
Provident deposits accepted at many of these locations. Over 22,000 
MoneyPass ATMs nationwide (including at US Bank, Dunkin' Donuts, 
Walgreens, and more).  Over 4,900 Alliance One ATMs in 43 states 
nationwide.  Provident members can use any Bank of the West ATM without 
incurring a surcharge. Bank of the West has over 650 branches in 19 
states (including many in San Francisco Bay Area). Provident deposits 
accepted at many of these locations."   I just checked to see what 
Provident Credit Union offered for St. Francis, KS, where I attended 
high school.  They said they had no branches near there. The nearest ATM 
was 25 miles away, and they listed 3 others within 40 miles.  I checked 
Denver, 200 miles from St. Francis:  I got a list of over 50 branches I 
could enter and many more ATMs.


       I rarely enter a Provident CU office;  the closest is 3-4 miles 
away.  I usually get cash back when I use my debit card with major 
retailers.  If I need to make a deposit or I need more cash, I use the 
ATM at a closer credit union that's less than one mile from where we 
live.  If I recall correctly, I had a problem once making a deposit at 
this other credit union.  A few months later, the problem was resolved.


        Spencer


On 4/12/2014 5:23 PM, John Thielking wrote:
>
> I attended a retired union worker's BBQ today where reps from various 
> legislators' offices were available to answer questions. I mentioned 
> the Heartbleed bug a couple of times in my comments (once before and 
> once after the legislators' assistants and some legislators themselves 
> showed up late). I mentioned that the Heartbleed bug affects the 
> security of credit card numbers and PINs as well as the passwords to 
> your favorite web sites. I mentioned that to find out if your favorite 
> web site has been patched to fix the Heartbleed bug, you can simply 
> Google for "Heartbleed" and find an article that has a link to one of 
> the sites that allows you to test the web sites that you use to see if 
> they have fixed the bug. I also urged the legislators to come up with 
> rules requiring banks to take various additional security measures and 
> to allow online account feature choices that would tend to thwart any 
> similar future bug. Such security features and selections include: Any 
> two factor security for transferring funds online should include an 
> offline component such as mailing the customer a new debit card upon 
> their request with new card numbers and a new security code on the 
> back. The new security code should only need to be used if the 
> customer transfers money online or uses the online bill pay features, 
> so that if the customer does not use those features, the new security 
> code would not be entered into the user interface of the bank's web 
> site by the customer. Another user selection would include the ability 
> to let the customer select (through a secure method) to either disable 
> the online money transfer features such as bank account money 
> transfers and online bill pay at some point after the creation of the 
> account or to sign up for a secure online account at the start that 
> has those online features permanently disabled. The "secure method" 
> for changing (enabling or disabling) these features could include, in 
> the case of Direct Express where there are not always Comerica bank 
> branches available in every town, a network of banks such as Chase and 
> Wells Fargo, who do tend to have branches in more places, who could 
> securely transfer such requests to Comerica upon the customer visiting 
> the local branch and presenting a photo ID. It is possible to 
> implement part of these features without making any changes to 
> existing procedures by simply using an online bank account that 
> requires you to enter your current 3 or 4 digit security code on the 
> back of your debit card before making any online money transfers or 
> before using online bill pay features. Then if you want to be secure 
> in this way, order a new debit or credit card with all new numbers and 
> simply never use those online money transfer features so that you 
> never enter the new security code into your bank's web site user 
> interface. If you really want to be secure, you can tell your bank to 
> disable online access to your account(s). That way if someone hacks 
> your security code when you use it on a third party web site, they 
> won't be able to use your bank's web site to steal any funds from you 
> (especially from your other accounts such as your savings accounts), 
> at least not through the front door anyhow. As for legislation or not, 
> it may be best to simply present these ideas to the experts and 
> legislators and have them lobby the banks, rather than casting new 
> sections of law into stone, as the banks may need to adapt quickly to 
> future security threats that may circumvent these new ideas and 
> because of that they should not have their hands tied by legislation. 
> The next opportunity to do this type of lobbying in the San Jose area 
> will be at the Senior Scam Stopper Seminar, Friday, April 18th, 2014 
> from 2PM-4PM at the Campbell Community Center Orchard City Banquet 
> Hall, 1 W Campbell Avenue, Campbell, CA 95008. CA State Assembly 
> member Paul Fong is putting on this event in conjunction with the 
> Contractors State License Board. The event will include a panel of 
> experts on preventing seniors from being scammed. It is recommended to 
> RSVP for this event as seating will be limited. To RSVP, call 
> 408-371-2802 or visit http://www.asmdc.org/yh. Thanks.
>
>
> Sincerely,
>
>
> John Thielking
>
>
>
> On Sat, Apr 12, 2014 at 12:58 PM, Spencer Graves 
> <spencer.graves at prodsyse.com> wrote:
>
>     Hi, Cameron:
>
>
>           Thanks very much for all you've written on this.
>
>
>           Do you think the Wikipedia article on "Heartbleed" could be
>     improved, e.g., by adding a section on "Gravity" (or some similar
>     title), explaining what you just said?  If you don't feel
>     comfortable with the Mediawiki markup language and the Wikipedia
>     culture, I can help with the implementation. 
>     Additions without appropriate citations may be quickly reverted,
>     but balanced comments with reasonable citations will likely be
>     retained.  I think it's worth doing, because (as I previously
>     noted) this "Heartbleed" article received almost 47,000 views on
>     April 11 (UTC), and over 39,000 on the three previous days combined.
>
>
>           Example:  17:12 today (5:12 PM, UTC), an anonymous user
>     added a comment that, "It is believed that Heartbleed originates
>     from the same organisation as stuxnet and duqu."  This comment
>     included a reference to an article that mentioned neither stuxnet
>     nor duqu.  It was undone 49 minutes later.  The article also
>     includes comments that, "According to two insider sources speaking
>     to Bloomberg.com, the United States National Security Agency was
>     aware of the flaw since shortly after its introduction, but chose
>     to keep it secret, instead of reporting it, in order to exploit it
>     for their own purposes."  These comments cite 3 sources and are
>     likely to remain in the article unless none of the 3 actually
>     mention the NSA.
>
>
>           Best Wishes,
>           Spencer
>
>
>     On 4/12/2014 11:10 AM, Cameron L. Spitzer wrote:
>>
>>     >Alarmists said we should change all our passwords.  I think
>>     that's overkill.
>>
>>     I disagree.
>>     Bruce Schneier is no "alarmist."  He's the author of the standard
>>     textbook Applied Cryptography, and a member of the Electronic
>>     Frontier Foundation's advisory board.  And he's the best tech
>>     writer to general audiences since Carl Sagan.  If you're having
>>     trouble with rational risk assessment (a widespread problem among
>>     activists), you should read his book /Beyond Fear/
>>     <https://www.schneier.com/book-beyondfear.html>.
>>
>>     This is the worst Internet security problem due to a single
>>     programming error that I can remember, ever, because of the
>>     circumstances of its deployment and the nature of the exploit.
>>     When a vulnerability like this one is discovered, you /must/
>>     assume the bad guys have had the use of it since it was deployed.
>>     It allows not just stealing your password, but stealing the
>>     secrets that would make it impossible for your browser to detect
>>     an impostor HTTPS site.
>>     And in the standard deployment, exploiting the bug leaves no trace.
>>     In this case, the window was wide open for roughly two years. 
>>     Your passwords have /probably/ been stolen from affected sites.
>>     Whether you have been managing them well is irrelevant.  Take all
>>     the needless risks you like, but don't lead others to take risks
>>     by denying them.
>>
>>     Throwaway passwords used only for commenting on newspaper
>>     articles (etc) need not be replaced, unless they share recovery
>>     secrets with more sensitive accounts.  But /anything/ useful for
>>     identity theft poses a risk.
>>     For example, the attacker might use your account at some ancestry
>>     site to discover some non-secret "secret" (e.g., street you lived
>>     on as a child, mother's maiden name) to accomplish a password
>>     reset on your bank site.  (Next time, /lie/ about your mother's
>>     maiden name, and keep the lie someplace safe.)  Identity thieves
>>     work on thousands of identities at a time, filling in a jigsaw
>>     puzzle on each potential victim.  They use efficient, automated,
>>     mass production techniques. They rattle /every/ doorknob.  You
>>     never know which pieces they already have or still need.
>>
>>     I've been following my employer's well organized response to this
>>     problem.  One takeaway is our local experts are not at all
>>     concerned about Secure Shell V2.  A long obsolete implementation
>>     used SSL, but the one we've been using doesn't.  I had been
>>     mistaken about that.  They're also pretty confident about
>>     password managers that do client side encryption.  E.g., LastPass
>>     <https://lastpass.com/> and Kwallet
>>     <http://userbase.kde.org/KDE_Wallet_Manager>.  These tools make
>>     it practical to maintain distinct, strong passwords for each web
>>     site and hosted application, so you can stop using "log in with
>>     Facebook" type shortcuts.  Of course, LastPass on an unmaintained
>>     Windows XP host is only as secure as that host.  If it's full of
>>     memory-scraping malware, you've got a local version of Heartbleed.
>>
>>     Rational risk assessment means ignoring irrelevant factors.  Mass
>>     production identity thieves don't care about your politics. 
>>     (Spearphishers do.  They use everything they know about you to
>>     compile a word list for guessing passwords and recovery secrets.) 
>>     They don't care how paranoid you are about mass surveillance.
>>
>>     Forward this message as you see fit.
>>     -/Cameron/
>>
>>
>>
>>     On 04/11/2014 09:33 PM, Spencer Graves wrote:
>>>     Hi, Cameron, et al.:
>>>
>>>
>>>           A discussion of how to deal with problems like Heartbleed
>>>     is now available on Wikiversity, "Managing risk from cyber
>>>     attacks".
>>>
>>>
>>>           Please revise this as you see fit or send suggestions to
>>>     me.  Cameron has done a great service in providing his expertise
>>>     on this list.  The Wikipedia article on Heartbleed received
>>>     almost 47,000 views on April 11 (UTC), and over 39,000 on the
>>>     three previous days combined.  If this Wikiversity article gets
>>>     a small portion of that number of views, it will provide a great
>>>     service to humanity.
>>>
>>>
>>>           Creating that article helped me think through what seemed
>>>     like a sensible reaction. Alarmists said we should change all
>>>     our passwords.  I think that's overkill.  Even creating a simple
>>>     list of all the accounts and passwords I've created over the
>>>     years was more work than I felt justified.  And creating such a
>>>     list would miss the point.  We need to worry about the financial
>>>     institutions that manage savings.  If cyber thieves drain those
>>>     accounts, it could create big problems for us.  For more, see
>>>     the Wikiversity article
>>>     (https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks).
>>>
>>>
>>>           Thanks again, Cameron -- and thanks to John and Drew for
>>>     their additional comments.
>>>
>>>
>>>           Spencer
>>>
>>>
>>>     On 4/11/2014 3:29 PM, John Thielking wrote:
>>>>     Sorry to keep dragging this out, but I finally decided to
>>>>     search the RT.com web site using the search term "computer
>>>>     hardware" to see if I could find an article or two relating to
>>>>     my previous statement that RT.com broadcast the claim that
>>>>     computer hardware in general has been compromised by the NSA. I
>>>>     did find the following article at
>>>>
>>>>     http://rt.com/op-edge/nsa-hacking-individual-computers-008/
>>>>
>>>>
>>>>     that states that some of the material provided by Snowden does
>>>>     in fact indicate that some people's computers are implanted
>>>>     with special chips to aid the NSA in monitoring them. This may
>>>>     not be widespread just yet, but it does fit with previously
>>>>     broadcast info from RT.com that was saying that certain
>>>>     people's laptops that have been ordered online are sometimes
>>>>     transhipped to special NSA facilities where they have their
>>>>     hardware modified to contain implanted viruses or malware (in
>>>>     the CMOS perhaps?).  Of course the article also says that the
>>>>     NSA may choose to bug all computers sold in a specific city, if
>>>>     that city is a region of interest for the NSA. I'll bet that
>>>>     Eugene, Oregon (Berkeley North) could be one of those places.
>>>>     And who knows, they might put radio bugs in all the watches
>>>>     sold there too.
>>>>       More to think about I guess.
>>>>
>>>>     A more speculative opinion piece is located here:
>>>>
>>>>     http://rt.com/op-edge/nsa-spying-future-total-952/
>>>>
>>>>
>>>>     and a link to the Der Spiegel article that this stuff is based
>>>>     on is contained here:
>>>>
>>>>     http://rt.com/op-edge/annie-machon-nsa-spying-925/
>>>>     <http://rt.com/op-edge/nsa-spying-future-total-952/>
>>>>
>>>>
>>>>     Any further thoughts?
>>>>
>>>>     John Thielking
>>>>
>>>>
>>>>     On Fri, Apr 11, 2014 at 2:19 PM, John Thielking
>>>>     <peacemovies at gmail.com> wrote:
>>>>
>>>>         Another more specific question for you Cameron:
>>>>
>>>>         Is the patch for the Heartbleed bug supported for systems
>>>>         running Windows XP, which was just barely out of date as of
>>>>         the time of broad announcement of the Heartbleed bug, or do
>>>>         the people currently running Windows XP also have to
>>>>         upgrade their OS?  I know my home computer only has 500 MB
>>>>         of memory so I can't just do an easy upgrade to Win 7.  I
>>>>         hope not too many POS terminals are also in the same boat. 
>>>>         They should upgrade to a new OS anyway, but this problem
>>>>         may just compound the problem presented by the Heartbleed
>>>>         bug itself.
>>>>
>>>>         John Thielking
>>>>
>>     ...
>>
>>
>>     _______________________________________________
>>     sosfbay-discuss mailing list
>>     sosfbay-discuss at cagreens.org
>>     http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>

-- 
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph:  408-655-4567
web:  www.structuremonitoring.com
