Hack the Planet!

Heads up folks, the entire Internet basically got hacked today.  Without going into details that will make your brain hurt, all you need to do is turn this setting on in Chrome:



Websites are scrambling to revoke their hacked certificates and issue new ones, but we won't get any of the new ones unless we check that box.

If you don't check that box, your browser will be trusting the old, compromised certificate.  This is bad and means people can steal your passwords very easily, if they haven't already.

Thanks for the heads up wonkman. I hadn't actually heard anything about this until now.

It it's a big deal and is worse than I thought.  We're all going to have to change passwords for anything we care about in a week or so, after all the sites we use have updated to fix the exploit.  It's been out there since 2011 but was only just discovered.  This picture shows someone running a simple python script on yahoo.com and getting usernames and passwords, among other things, back in plain text:



The reason we have to change our passwords is because we've all been using a broken version of OpenSSL on these various sites since 2011, meaning our usernames and passwords are likely out there somewhere up for grabs.  Definitely change passwords for your banking and any other sensitive sites next week or so, then wait to see what other sites send you an email saying they were vulnerable and to change your password.

I had some fun today running that same python script against various websites.  It basically dumps the remote server's memory for you, which can include all kinds of sensitive information that's supposed to be encrypted.  I saw registration info for people including their phone numbers and addresses and all kinds of info.

The Great Password Reset of 2014 is upon us.

Use this tool to test whether a website is patched and, therefore, safe to change your password on.  Do not change your password until the website has patched otherwise even your new password will be out there.
http://filippo.io/Heartbleed/
http://watchtower.agilebits.com/


Unfortunately many programs and apps are also vulnerable.  If you use any twitter clients or instant messaging apps.. basically any program or app that logs you into a service of one kind or another.. you're going to need to update those as well.

Wow so this basically the same thing that happened to psn back in 2011. Everyone's personal info wasn't encrypted, therefore hackers could easily obtain the info. So I just wonder if they will be forced to shut down the internet to protect peoples info too? :p

About that heartbleed tool you posted, if a site is verified to be fixed or unaffected does that mean it's safe to change our passwords?

Even if they shut the Internet down, it wouldn't matter. All the leaked unencrypted data is already out there. That's why this is such a big deal. It's not like they can just fix it and you're safe... the damage has been continuously done every day you've logged into something since 2011.

So yeah, if the tool says a site is fixed then it is safe to change your password. Your new password won't be leaked out anymore.

We have no real way of knowing which sites were affected at any point between 2011 and now, so I plan to change basically all my passwords this weekend. This is probably a good point to remind everyone that a good password manager is pretty invaluable. KeePass or LastPass are free, but I personally love 1Password.

Mashable recently posted a list of sites with a checkbox for whether or not you need to change your password.  They compiled this list based on emails they sent out to the websites asking if they were vulnerable.  The responses are also listed and most of them sound like the sites had their marketing firms spin some BS about how everything is fine.  So for that reason I'm not posting that list because I don't think we can rely on these companies to tell us the truth.  They're more worried about saving face at this point.

One example, Fidelity said:

"We have multiple layers of security in place to protect our customer sites and services."

What does that even mean???  That tells us nothing useful.


Edit:  These are the sites that admitted to Mashable that they were vulnerable though:

• Facebook
  
• Instagram
  
• Pinterest
  
• Tumblr
  
• Twitter (spun some marketing BS about how their servers were not affected but they did apply a patch.  I saw many reports that Twitter was affected two days ago so they go in this list)
  
• Google (ie:  gmail, youtube, etc)
  
• Yahoo
  
• Amazon
  
• GoDaddy
  
• Intuit
  
• Dropbox
  
• Minecraft
  
• OKCupid
  
• SoundCloud
  
• Wunderlist
  

Keep in mind this is just the ones Mashable reached out to.  Hundreds of thousands of sites across the internet were affected.  But pay special attention to those.

I went through and changed my passwords today. I didn't run into any sites that hadn't fixed the exploit so it should be safe for everyone to change passwords now. But remember to double check using the tool I posted up there just in case.

All kinds of fun little tools popping up around the interwebs.  This one checks whether your browser is honoring certificate revocation, an important part of making sure you're secure after the heartbleed attack.  If you followed the instructions in my very first post, Chrome should block this page from even loading and tell you "Cannot connect to the real revoked.grc.com":

https://revoked.grc.com/

Unfortunately, all our mobile devices appear to be vulnerable to compromised certificates.  There's not much we can do about this now except avoid entering any kind of sensitive information into websites on a mobile device until some OS updates start coming down.

This xkcd comic explains the exploit pretty well:

And another heads up... our routers may be affected to and might need to have their firmware updated. There's not much more info out there about this just yet. If your router has an update function it might be a good idea to check that in a week or two.

So people literally can hack the planet?

Looks like.

So I have some more info on our routers:

Blekin and Linksys routers are safe. A lot of Cisco and Juniper routers are affected. Netgear is conspicuously silent on the matter, so who knows.

This site has links to lists of affected Cisco and Juniper routers:
http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/


Most websites seem to have pushed out patches by now, so if any of you have yet to change your passwords, it's probably safe to do so for most major sites now.

Hmm... hasn't been much activity around here lately. I just presumed everyone got hacked.

I've changed my passwords anyway. So I guess I'm safe for now until they figure out another way to hack my shit!

Maybe everyone turned off the Internet to avoid being hacked. I hear the withdrawal is the most horrible thing ever.

Here's a good example of how NOT to react to Heartbleed.

Also, here's a better checker tool for websites that actually interprets the results and tells you what you should do about it:
http://watchtower.agilebits.com/

For example, here's what it says about amazon:

Status

Not Vulnerable - Not vulnerable to Heartbleed, but certificates have not been updated.

Recommended Action

Although amazon.com is not vulnerable to Heartbleed, their certificates may not have been updated.

Old certificates make things complicated because an attacker could have stolen the private key from the server before Heartbleed was fixed (assuming it was originally susceptible).

In some cases sites may have fully updated certificates, but because of the dates associated with their certificates we report them as "old".

Because of this, it is recommended that you change your password for this site twice. Change the password now so any old data theft become useless to the attacker. Then wait until this website shows as fully fixed before changing your password a second time.