The Heart Bleed Bug

[***Flawless]

So what are people's opinions on this? If you didn't know, this is a summary of what it is:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

http://heartbleed.com

The NSA is having to deny that they had any knowledge of it even though they've apparently known about this weakness since 2012 and have used it to their own advantage.

Here's a list of what websites you'll most probably want to change your password for: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Another tip is to enable 2-step verification on any website you can.

Edited April 12, 2014 by ***Flawless

[OmarBradley]

Hard to say, NSA's denying they knew about it, but sources seem to say they did. I'm generally a defender of our government's defense practices, but if this is true, I could not defend this. I'm curious as to the exact code that allowed for the bug. I doubt I'll change any of my passwords, there's too many across different websites - I know that's the wrong attitude, but I'm just gonna hope for the best.

Probably shouldn't post that, if any unsavory types are reading it that's like a "come hack me" advert.

[Ketan]

Hard to say, NSA's denying they knew about it, but sources seem to say they did. I'm generally a defender of our government's defense practices, but if this is true, I could not defend this. I'm curious as to the exact code that allowed for the bug. I doubt I'll change any of my passwords, there's too many across different websites - I know that's the wrong attitude, but I'm just gonna hope for the best.

Probably shouldn't post that, if any unsavory types are reading it that's like a "come hack me" advert.

Apparently the culprit is this line :

buffer = OPENSSL_malloc(1 + 2 + payload + padding);

in the openssl program. The problem is that there is no bound or length check to ensure that the allocated memory does not exceed beyond allowed length and as "payload" and "padding" are user control values, a client can use this buffer allocation function to read up to 64kb of data off the server's RAM.

Anyone who might had stumbled upon this bug would have made a program to keep on reading 64 kbs of data from the target server. This exploit has been there for the last two years so its anyone's guess as to how much information has been stolen from the target servers.

Popular websites such as google and facebook have put in a bound check and they are now safe so changing your password would mean your new password wont be compromised via this exploit.

Personally though, i realize its crazy how insecure our data is even with the most trusted of services but i don't think it would have been that easy to steal any relevant data from the web servers and most of us should be pretty safe. But just to think that our password (or session id) could have been read by someone and used to read our mails etc is frightening,