Arrkham 291 Posted April 10, 2014 (edited) If you haven't heard, there was a huge security hole found for a lot of websites. You may want to change all your internet passwords in a week or so. Check out the list of compromised sites (just the tip of the iceberg): http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ Edited April 10, 2014 by The Dλrk Knight Rises
Kung? 173 Posted April 10, 2014 The Today Show covered this topic this morning I think. The bug is known as "Heart-bleed," from all that I can remember.
Swed 2651 Posted April 10, 2014

The Heartbleed flaw in OpenSSL

The fatal flaw (that has been named Heartbleed) is that the OpenSSL library never checked that the Heartbeat payload size corresponds with the actual length of the payload being sent. A user is allowed to input any number up to 65535 (64 kilobytes) regardless of the true size of the payload. If an attacker sends a Heartbeat request saying the size is 65535, but a payload that's only 18 bytes long, the vulnerable server will store only 18 bytes in memory. However, the response will start with those stored 18 bytes, but continue sending data from the next 64KB of memory back to the client. This data could be usernames and passwords, private keys, username, HTML pages, random junk, or even the private secret that the webserver uses to establish its identity. (The fix to OpenSSL implemented in 1.0.1g and later versions is essentially to perform sanity checks on the payload size as told by the client).

The attack can be repeated many times and in general will reveal different parts of the webserver's memory each time. The attack can be performed anonymously in an undetectable manner for typical webserver configurations. Typically, you only log IP addresses when you serve a web page, but this attack can happen early in the negotiation process in vulnerable versions, before any webpage is served.

Source: http://security.stackexchange.com/questions/55343/how-to-explain-heartbleed-without-technical-terms

The actuality of a hacker grabbing your password is little to none. If a hacker was able to grab the private key the website uses for encryption, that would be a problem as they can now perform MITM attacks and grab whatever they want.
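The payload-size sanity check described in the post above, as an added example that is not part of the thread and is not OpenSSL's code. The function names and the record layout constants are assumptions for illustration (1-byte type, 2-byte claimed size, payload, at least 16 bytes of padding), and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1u
#define HB_RESPONSE 2u
#define HB_HDR      3u   /* 1-byte type + 2-byte claimed payload size */
#define HB_PAD      16u  /* minimum padding after the payload */

/* Bytes beyond the received record that an unchecked echo of the claimed
 * size would send back. Arithmetic only; nothing is read out of bounds. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t received = rec_len - HB_HDR;
    return claimed > received ? claimed - received : 0;
}

/* Hardened handler: writes the response to out and returns its length,
 * or returns 0 when the request must be silently dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The sanity check: the claimed size must fit in what actually arrived. */
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0;
    size_t resp_len = HB_HDR + claimed + HB_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* bounded by the check above */
    memset(out + HB_HDR + claimed, 0, HB_PAD);    /* real stacks use random padding */
    return resp_len;
}

/* Constructed sample: an 18-byte payload whose size field says `claimed`,
 * followed by `pad` bytes of padding (pad <= HB_PAD). Returns the would-be
 * over-read when want_overread is set, else the hardened response length. */
size_t hb_demo(uint16_t claimed, size_t pad, int want_overread)
{
    uint8_t rec[HB_HDR + 18 + HB_PAD] = { HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed };
    uint8_t out[128];
    size_t rec_len = HB_HDR + 18 + pad;
    memset(rec + HB_HDR, 'A', 18);
    if (want_overread) return hb_overread_if_unchecked(rec, rec_len);
    return hb_build_response(rec, rec_len, out, sizeof out);
}
```

`hb_demo(65535, 0, ...)` models the mismatched request from the post (size field 65535, 18 bytes sent); `hb_demo(18, 16, ...)` is a well-formed request.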
Ryziou 538 Posted April 10, 2014 2lazy2changepasswords. Koopa
ElectronicDrug 7496 Posted April 10, 2014 Same^
Piero 2272 Posted April 10, 2014 2lazy2changepasswords. :mario:FTFY*
centran 4457 Posted April 10, 2014 now everyone knows my super secret password of hunter2
Ichalvl 1752 Posted April 10, 2014 "now everyone knows my super secret password of hunter2" don't you mean *******?
Necrophenia 435 Posted April 10, 2014 If anyone likes the boring details this video is pretty good http://vimeo.com/91425662
ElectronicDrug 7496 Posted April 11, 2014
Pebbz. 953 Posted April 11, 2014 Facebook, Tumblr, Pinterest And Instagram. Fuck, That's Like Every Girl On The Planet. What An Elaborate Plan.
GaryTheSnail 220 Posted April 11, 2014 ********** is my new password. Thanks for the heads up
MrCoolness 547 Posted April 12, 2014 "********** is my new password. Thanks for the heads up" only 10 characters? Brute force through numerous IP addresses will get your password in 15 minutes
BLiNDBoi 930 Posted April 12, 2014 brute force on a time delay will always be the best password...
driz 2626 Posted April 18, 2014 remember to NOT change your passwords until the site in question has 1) fixed the bug 2) generated a new key
Ryziou 538 Posted April 18, 2014 "only 10 characters? Brute force through numerous IP addresses will get your password in 15 minutes" Only noobs use 10 charactered passwords. You gotta go with *****************************
Saint Paul 4 Posted April 19, 2014 Lol I have too many accounts to give a shit