Critical crypto bug exposes Yahoo Mail passwords Russian-roulette style

OpenSSL defect still exposing sensitive data even after patch is released.

Read the whole story

 

[Killer Orca]

I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.

 

[issor]

Probably TLS-supporting mail servers and OpenVPN clients as well. Atlassian JIRA is having issues as well, and they don't seem to be dynamically linked, either, so we have to wait on them.

Gmail had TLS heartbeat enabled as of an hour ago.

This is quite the nightmare.

Edit: I'm actually seeing conflicting reports, some places report TLS heartbeat support, but exploit scripts don't seem to recognize or be able to use it.

 

[Eva01]

WTF? How do you even stay away from your mail? Your phone alone checks it every 2-5 minutes. What disable email on every device you have now?

Eva01

 

[usmanismail]

I often get ignored or ridiculed at my current organization when I try to push static analysis tools but this bug and the apple bug illustrates how important it is to be able to check for common bugs.

Unit tests are not the answer as they only test what you remember to check.

'If' without braces and range checks are the first thing any static analysis tool should be setup to fail.

Java PMD even has the braces check in its standard rule set.

 

[snowcat-il]

Whelp this is going to very ugly very quickly..... I bet a lot of private keys are about to get changed...

Edit: Spelling

 

[Vigilante1024]

Killer Orca[/url]":3hz1rn7x]I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.

Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...

 

[cscade]

snowcat-il[/url]":2edxxzi6]Welp this is going to very ugly very quickly..... I bet a lot of privet keys are about to get changed

Gotta keep folks out of your bushes!

 

[hangfirew8]

Nagant Model 1895 revolver... from Russia... nice touch.

 

[karinto]

Vigilante1024[/url]":2c222sv7]

Killer Orca[/url]":2c222sv7]I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.

Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...

This is their response:

One of the companies affected by the vulnerability was password manager LastPass, but the company upgraded its servers as of 5:47 a.m. PT Tuesday, spokesman Joe Siegrist said. "LastPass is quite unique in that nearly all your data is also encrypted with a key that LastPass servers never get -- so this bug could not have exposed customer's encrypted data," Siegrist added.

http://www.cnet.com/news/heartbleed-bug ... passwords/

and http://blog.lastpass.com/2014/04/lastpa ... d-bug.html

 

[RRob]

You could have used Yahoo as an example without making the article title suggest it's an issue particular to them.

 

[Marc Aurel]

hangfirew8[/url]":3s81li12]Nagant Model 1895 revolver... from Russia... nice touch.

It gives you better chances at Russian roulette than most revolvers...

 

[Solomonoff's Secret]

Bugs like this don't happen in memory-managed languages like Java. If we insist on writing our security software in C, perhaps it should be written in a variant that enforces the validity of memory accesses at runtime. Performance would suffer negligibly compared to the security benefit. Unfortunately certain operations would have to be disallowed but the resulting inconvenience is a small price to pay.

 

[ThomBat]

Good to see some actual rubber-on-the-road proof of the vulnerability, since in the earlier thread people were quite sensibly asking how often something interesting does churn through the 64kB window.

Is there an up-to-date summary page of the state of major services like Gmail, Yahoo, etc, showing whether they've patched and re-issued keys? I don't want to go updating passwords on each until I know they've shut their peephole.

 

[ThomBat]

SuperJB[/url]":6hc5b81y]I'm sorry ... but this was no accident. Security conscious programmers know better. Someone got a nice phat check.

I wish I got a big payout every time I fucked up my logic - I'd surely have enough money to slow down and do it properly the first time!

(just kidding - I'd still fuck up. It's a variant of Hofstadter's Law: tomorrow you will see something in your code so bone-headed that you pretend for a second it suffered bitrot overnight - and this will surprise you even though you already adjusted your expectations downwards.

 

[robert.walter]

ThomBat[/url]":21l75ip5]Good to see some actual rubber-on-the-road proof of the vulnerability, since in the earlier thread people were quite sensibly asking how often something interesting does churn through the 64kB window.

Is there an up-to-date summary page of the state of major services like Gmail, Yahoo, etc, showing whether they've patched and re-issued keys? I don't want to go updating passwords on each until I know they've shut their peephole.

This**10!

The guy running the 2 factor implementation summary page could just add an additional column to his matrix!

 

[GreenMeters]

Has any credible website posted a definitive "what Internet users need to do" guide for what needs to be done in the aftermath of this vulnerability? Do all passwords need to be changed? Stop logging in to all services for some period of time? Are there tools to test whether the websites we use are still vulnerable?

 

[Solidstate89]

Vigilante1024[/url]":kul4trh8]

Killer Orca[/url]":kul4trh8]I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.

Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...

LastPass' own blog said there is no breech because all of the transmitted data is already in an encrypted state on the client's machine before it ever gets sent.

http://blog.lastpass.com/2014/04/lastpa ... d-bug.html

They also use Perfect Forward Secrecy.

 

[robert.walter]

RRob[/url]":1t12omue]You could have used Yahoo as an example without making the article title suggest it's an issue particular to them.

As a yahoo subscriber, I'm glad they did. If more pressure causes the purple Y! to move its ass I'm all for it.

Other sites will have to follow suit as soon as the topic slips into the mainstream on the back of Yahoo as whipping boy.

 

[tiagojn]

You can check whether a particular website is vulnerable using this link:
http://filippo.io/Heartbleed/

It looks like yahoo.com is still vulnerable

 

[RRob]

robert.walter[/url]":20ayn2u8]

RRob[/url]":20ayn2u8]You could have used Yahoo as an example without making the article title suggest it's an issue particular to them.

As a yahoo subscriber, I'm glad they did. If more pressure causes the purple Y! to move its ass I'm all for it.

Other sites will have to follow suit as soon as the topic slips into the mainstream on the back of Yahoo as whipping boy.

When I scanned Yahoo a few minutes ago they weren't vulnerable. But I'm starting to wonder if that python script has issues.

 

[willdude]

Website operators should strongly consider replacing their X.509 certificates after applying the update...

As mentioned in the prior article, the key is getting the old certificate revoked too, or else it can still be used in a MITM attack where the client never sees the new cert.

 

[Nijyo]

Vigilante1024[/url]":1bh12vgv]

Killer Orca[/url]":1bh12vgv]I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.

Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...

http://blog.lastpass.com/2014/04/lastpa ... d-bug.html

 

[conan77]

equote="Vigilante1024"]

Killer Orca[/url]":1ew1tlol]I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.

Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...[/quote]
Or the shared secret happens to be memory too ( thinking of Google authenticator).

Edit: given that a Google engineer was one of the people finding the bug, I'm guessing google is patched.

 

[bthylafh]

My router firmware (Tomato/Shibby v1.16) is vulnerable. I've shut off remote access to the web console until this gets resolved.

 

[Fblue]

You know, you should post an article about how Ars Tech was vulnerable with user accounts compromised.

 

[TemporaryAftermatch]

In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL. The login credential you save may be your own.

That's exactly why I created this throwaway account to log in on Ars Technica. This website is extremely vulnerable. Just check the comments under http://meincmagazine.com/security/2014/04 ... 1&start=40 (look at the end of the page).

 

[longhairedboy]

its tempting to fire up my own mail server again.

 

[sryan2k1]

bthylafh[/url]":25n46tqi]My router firmware (Tomato/Shibby v1.16) is vulnerable. I've shut off remote access to the web console until this gets resolved.

You shouldn't have remote access to your router enabled in the first place.

 

[Solidstate89]

TemporaryAftermatch[/url]":16e8npnm]

In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL. The login credential you save may be your own.

That's exactly why I created this throwaway account to log in on Ars Technica. This website is extremely vulnerable. Just check the comments under http://meincmagazine.com/security/2014/04 ... 1&start=40 (look at the end of the page).

You don't have to keep logging in under the throwaway account. They updated OpenSSL this morning.

 

[longhairedboy]

bthylafh[/url]":v9ddaaql]

sryan2k1[/url]":v9ddaaql]

bthylafh[/url]":v9ddaaql]My router firmware (Tomato/Shibby v1.16) is vulnerable. I've shut off remote access to the web console until this gets resolved.

You shouldn't have remote access to your router enabled in the first place.

I don't care. It's all over HTTPS and it's a good password, and it lets me remotely wake a computer if it's nodded off.

maybe adjust some power management settings? if you have to wake up your machines over the lan to do their jobs, then it seems like they aren't really doing what they're supposed to be doing anyway.

 

[SunnyD]

... The entire Android ecosystem relies on OpenSSL if I am not mistaken, probably iOS too ...

Imagine how many "outdated" phones that are still in use will never get firmware update to fix this issue.

 

[armwt]

TemporaryAftermatch[/url]":vi47fkdu]

In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL. The login credential you save may be your own.

That's exactly why I created this throwaway account to log in on Ars Technica. This website is extremely vulnerable. Just check the comments under http://meincmagazine.com/security/2014/04 ... 1&start=40 (look at the end of the page).

If you actually read the thread, you'd see that Ars updated their servers this morning within hours of the news breaking. AKA - as soon as the admins became aware, and as soon as the OpenSSL patch was available.

Nice try.

Don't know that I'd call that "extremely vulnerable"

 

[daneren2005]

Was gmail at any point vulnerable? I tried checking about a hour ago and it wasn't at that point.

 

[Jousle]

I think that is time for large companies that make use of this library and can afford it to contribute more with man power and financially to the openssl project .

Meanwhile, just grab your guns and everything will be OK....

 

[Fblue]

Solidstate89[/url]":3c1a0oja]
You don't have to keep logging in under the throwaway account. They updated OpenSSL this morning.

I saw this. I wonder if they have swapped there SSL Cert yet? I would imagine Ars public key was compromised, everything else appeared to be.

 

[Aurich]

Fblue[/url]":3heu0ql4]

Solidstate89[/url]":3heu0ql4]
You don't have to keep logging in under the throwaway account. They updated OpenSSL this morning.

I saw this. I wonder if they have swapped there SSL Cert yet? I would imagine Ars public key was compromised, everything else appeared to be.

Yes, we've updated all our certs.