DPChallenge Forums >> General Discussion >> Heartbleed bug
04/11/2014 10:46:19 AM · #1
I'm not sure if the recently reported OpenSSL security failure (the Heartbleed bug) is something to really worry about or not, but this little site can be used to check whether the sites you visit were/are vulnerable, and whether you should reset your password or not.

(If you need more info about the Heartbleed bug, it can be found on that site, or just use that Google thing.)

If you're like me, and access your millions in Switzerland and the Caymans mostly through online services, perhaps it's worth some investigation.
04/11/2014 11:49:01 AM · #2
Thank you very much.
04/11/2014 12:07:35 PM · #3
Thanks bohemka. This has been a troubling development since, like many, I use the internet for LOTS of my financial transactions.
04/11/2014 01:05:53 PM · #4
dpchallenge.com is listed as possibly unsafe
04/11/2014 01:18:27 PM · #5
LastPass password manager warns you too about sites that have the issue.
04/11/2014 02:00:08 PM · #6
Originally posted by Mike:

LastPass password manager warns you too about sites that have the issue.


How safe and secure is the LastPass password manager? I hate to have my most sensitive passwords in some service/system that can be hacked.
04/11/2014 02:27:50 PM · #7
Originally posted by jab119:

Originally posted by Mike:

LastPass password manager warns you too about sites that have the issue.


How safe and secure is the LastPass password manager? I hate to have my most sensitive passwords in some service/system that can be hacked.


Very safe. Look them up and read reviews of them; they've taken security seriously and put safeguards into place. They've been hacked, but they don't store passwords on their site. I'll look up the article on how it works, but it's really secure.

Message edited by author 2014-04-11 14:28:55.
04/11/2014 02:58:20 PM · #8
Thanks Mike, I did a quick look on them before I posted, but it's always good to hear from real users.

I will give it a try with some non-essential logons first.
04/11/2014 03:48:58 PM · #9
This is a confusing issue. I stopped in at my "neighborhood" bank to ask them what they were doing about it and they are clueless. Nothing about it on their site, can't get in touch with an IT person. They'll check into it, they said.

In the meantime their site is listed as vulnerable and my account is just sitting there. I can't deactivate it or (better) temporarily block access. I can change the password but if the OpenSSL encryption remains compromised it does me no good.

This is a weird event. It's not even known if anything has been hacked, but now that the info about this issue is out it's only a matter of time, and those that are slow to fix it are risking the security of their customers.
04/11/2014 04:49:39 PM · #10
Well, gee, this is a surprise:

//www.buzzfeed.com/charliewarzel/report-nsa-used-heartbleed-security-flaw-to-spy-on-citizens
04/11/2014 05:39:01 PM · #11
Originally posted by bohemka:

This is a confusing issue. I stopped in at my "neighborhood" bank to ask them what they were doing about it and they are clueless. Nothing about it on their site, can't get in touch with an IT person. They'll check into it, they said.

In the meantime their site is listed as vulnerable and my account is just sitting there. I can't deactivate it or (better) temporarily block access. I can change the password but if the OpenSSL encryption remains compromised it does me no good.

This is a weird event. It's not even known if anything has been hacked, but now that the info about this issue is out it's only a matter of time, and those that are slow to fix it are risking the security of their customers.


Just your data being there isn't a problem*. If you access your data, that is a problem. The attack happens to other data in memory, which is to say, recently active data.

In short, normally you ask for 100 of something, you give 100, and you get 100 in return. But in this case, a malicious user asks for 100, only gives 1, and still gets 100 in return. Those other 99 things are pieces of data from other users who are currently using the website.

* The exception is if your login data is compromised elsewhere, and you use that same login data here too. In that case, your data sitting there would be in jeopardy. In that case, change your passwords. I like to use 1password to help manage this.
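As an added illustration of the length check giantmike describes above (this is example code written for this thread, not code from OpenSSL or from any poster): a small C simulation in which `build_request`, `handle_heartbeat` and `leaked_bytes` are constructed names, the record layout follows the TLS heartbeat format (type byte, 2-byte length, payload, 16 bytes of padding), and the "other users' data" is a constructed buffer of 'S' bytes. The only difference between the unsafe and the safe handler is the one check that the advertised payload length actually fits inside the record that was received.

```c
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1 type byte, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of padding. */
#define HB_HEADER   3
#define HB_PADDING  16

/* Build a heartbeat request into `buf` that carries `real_len` payload bytes
 * but advertises `claimed_len` in its header. Returns the record length. */
size_t build_request(unsigned char *buf, size_t claimed_len,
                     const unsigned char *payload, size_t real_len)
{
    buf[0] = 1;                                  /* heartbeat_request */
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER, payload, real_len);
    memset(buf + HB_HEADER + real_len, 0, HB_PADDING);
    return HB_HEADER + real_len + HB_PADDING;
}

/* Echo the request payload into `out`. Returns bytes echoed, or -1 if the
 * request is dropped. With check_bounds == 0 the handler trusts the
 * advertised length (the pre-fix behaviour); with 1 it applies the fix. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap, int check_bounds)
{
    if (rec_len < HB_HEADER) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */
    if (check_bounds && HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;   /* the fix: advertised payload must fit the record */
    if (claimed > out_cap) return -1;    /* keeps this simulation in bounds */
    /* Without the check, this copies past the real request into whatever
     * sits next to it: the "ask for 100, give 1, get 100" case. */
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Simulation: a 1-byte request claiming 100 bytes, placed in front of
 * constructed "other users' data" (all 'S'). Returns how many of the echoed
 * bytes came from that neighbouring data (0 when the request is dropped). */
int leaked_bytes(int check_bounds)
{
    unsigned char region[256], out[256];
    memset(region, 'S', sizeof region);           /* neighbouring memory */
    size_t rec_len = build_request(region, 100, (const unsigned char *)"x", 1);
    int n = handle_heartbeat(region, rec_len, out, sizeof out, check_bounds);
    int leaked = 0;
    for (int i = 0; i < n; i++) if (out[i] == 'S') leaked++;
    return n < 0 ? 0 : leaked;
}
```

With the check disabled the 100-byte echo contains 83 bytes of neighbouring data (the rest is the real 1-byte payload and 16 bytes of padding); with the check enabled the request is dropped and nothing is echoed.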
04/11/2014 07:15:04 PM · #12
I spent most of this past week dealing with this from the other side. giantmike is correct. Your data sitting on their server isn't in danger from this. Where you're in danger is if you logged onto a site and did stuff while it wasn't protected. The main risk is that bad guys could have snarfed up your username and password when you were logging in. So...

Change your passwords. All of them, or at least all of the ones that are protecting things you care about. Your best defense is to change each of them to something different. That's where something like LastPass comes in handy. I personally use KeePass. My spouse uses her iPhone's notepad app, which is a perfectly valid solution as long as you're not syncing it with iCloud.

If the site has 2 factor authentication, use it. It's a small amount of pain for a lot of peace of mind. If you're using 2 factor authentication, then even if the bad guy has your password, he can't log into your account.

Beyond that, for sites like some banking sites that still appear to be unprotected, if you don't need to login, don't login until they're protected. Once they're protected, change your password again.

04/11/2014 09:24:42 PM · #13
Thank you, Mike and Ann, for the info.

My concern is that I don't know when the vulnerability actually began. I've logged into everything important within the past few weeks, being tax time and all. Seems like this has been a vulnerability for years, so there's nothing I haven't logged into in that span. It's a real mixed bag of those who are providing reassurance that they have addressed the situation and those who seemingly have absolutely no idea about it. Not to mention it would take a greater amount of thought than I have the capability for to track down all the random sites for which I have a login and password. The important sites have unique passwords, but what if someone nicks my DPChallenge password and then logs into Facebook and "likes" Nickelback? How do I recover from something like that?

I assume 2 factor authentication is the process when you log in and then recognize a photo before you enter your password? That is some comfort.
04/12/2014 04:01:12 AM · #14
Originally posted by bohemka:

I assume 2 factor authentication is the process when you log in and then recognize a photo before you enter your password?

Two factor is two of three:

Something you know (Password)
Something you have (for instance, Smartcard)
Something you are (Biometrics)

Some bank transactions are two factor, you have to log in with a password, and then enter a code you received via your mobile phone (that is the thing you need to have).

I wouldn't count recognizing a photo as a second factor.
04/12/2014 04:11:05 AM · #15
I just realized that all my sub-6 challenge entries over the past two years were posted by someone hacking my account due to this Heartbleed bug. How do I begin the process of expunging those? ...also any jokes I made in the forums in the past two years that were not funny were obviously posted by the hacker - those should be removed as well.
04/12/2014 03:09:44 PM · #16
Answering bohemka's concerns as a computer security insider... To get hacked, you need two things:

* A vulnerability
* An attacker who knows how to use it

The press has made a big, big deal about this vulnerability, which has indeed existed for a while, but there's no evidence in the industry that there have been any actual attacks that used the vulnerability. Now that it's public knowledge, anything that isn't patched yet is fair game, but I personally wouldn't spend a lot of time worrying about what sites you might have logged into in the past.

My approach is to check each site that I log into over the next few weeks. If the various Heartbleed checkers say it's still vulnerable, I'll decide how important the data stored on that site is. For example, I don't particularly care whether dpchallenge is patched or not. I'll log in anyway, and when it is patched, I'll change my password. My bank, however, I won't log into until it's patched. Regardless, anytime I log into a new site over the next few weeks, I'll change my password. It's been a year or more since I last changed my password on some sites, so it's time to do that anyway.

Bjoern is correct about what two factor authentication is. In the context of websites, it's usually something you know (your password) plus something you have, usually a mobile phone. Some websites will send you a text when you log in, and you enter the code from the text message. No code, no login. Others use the Google Authenticator app, which is basically the same thing. You enter your password, then a code from the app. Most of the bigger websites, like Google, Twitter, Facebook, etc., have this. You might have to do some digging through the settings to find and enable it. Some banking and financial services sites have this, but many do not. I find it really odd that retailers and social sites are ahead of most financial service companies as far as website security, but I don't work in the finance sector, so maybe I'm missing something.