You should expect your personal data to be hacked or stolen

[Zombie]

Heartbleed flaw

The Heartbleed "bug" was made public a week ago by Google and Codenomicon, a small Finnish security firm, which independently identified the problem.

OpenSSL is used to digitally scramble data as it passes between a user's device and an online service in order to prevent others eavesdropping on the information.

It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".

The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.

Although that is a relatively small amount, the attackers can repeat the process to increase their haul.

UK site Mumsnet has been breached. It has been criticised for how it handled the breach - its email to members contains an inline link that it suggests they click to reset their passwords.

UK police have previously warned members of the public to beware of unsolicited email asking them to click links "even if they are from companies you are familiar with".

This is because fraudsters are taking advantage of Heartbleed to mount phishing attacks in which users are directed to spoof sites designed to steal their credentials.

"It is dangerous," Dr Steven Murdoch, a computer security researcher at the University of Cambridge told the BBC.

"Probably what [Mumsnet] should have done is sent out an email saying 'go to our website using the normal address [to reset the password]'.

"If people receive an email they have not asked for they should be suspicious."

 

Canada's tax agency has also been breached but it said it would not call or email the individuals it believed to be affected by its breach in order to avoid giving criminals a chance to exploit the situation.

Instead it said it would send out registered letters.

"I believe we'll see many more of these announcements over the coming days," Keith Bird, UK managing director of internet security firm Check Point said.

"However, people should double-check that the website or service they use is actually advising them to choose a new password before making any changes to their settings.

"This way, they can be sure the website has updated its security, and that they're not running the risk of exposing a new password. And if a service does recommend changing passwords, don't choose one that you already use for other websites."
 

http://www.bbc.co.uk/news/technology-27028101

Edited April 14, 2014 by Zombie

[Trebs]

I just finished changing most of my passwords.  It's also important to find out if the websites you use have upgraded to be protected against Heartbleed.  If you google Heartbleed, there are good articles that show a few websites that you can go to, enter in the name of say your banking website, and it will analyze the site and tell you if it is protected or not.  It doesn't make any sense to change a password if the site is still bad although most of the better sites have gone and made the necessary changes.

[Suvitar]

I changed a lot of passwords during the weekend. Most were sites where I usually change the password regularly anyway, like google and facebook.

[Sasha Distan]

Remember that passwords are only good if they are long, complex and difficult.

 

Passwords can be brute forced by those people who write code and know what they are doing, justy making your password hard to guess is not enough.

 

This website How Secure Is My Password will tell you approx how long it will take code to brute force it's way through your password. Mine takes 13 thousand years. Before i changed it, it took 0.77 seconds.

[Suvitar]

Remember that passwords are only good if they are long, complex and difficult.

 

Passwords can be brute forced by those people who write code and know what they are doing, justy making your password hard to guess is not enough.

 

This website How Secure Is My Password will tell you approx how long it will take code to brute force it's way through your password. Mine takes 13 thousand years. Before i changed it, it took 0.77 seconds.

 

I checked few passwords, all of them took many years and the best one 25 000 years to crack.

[Ron]

This website How Secure Is My Password will tell you approx how long it will take code to brute force it's way through your password. Mine takes 13 thousand years. Before i changed it, it took 0.77 seconds.

According to the site, my internet router's password will take 32 sextillion years to crack. No one is leeching off my wifi.  Now to work on the others.

[Kitt]

Ummm - silly question.  If you go to a website, they now have your IP address.  Now you type in your password to "see how secure it is".  Do they now not have everything they need to hack into your computer with no effort what so ever?

Edited April 15, 2014 by Kitt

[Graeme]

Ummm - silly question.  If you go to a website, they now have you IP address.  Now you type in your password to "see how secure it is".  Do they now not have everything they need to hack into your computer with no effort what so ever?

My son suggested using a website to check on password strength. My wife and I told him that we're not doing that for exactly the reason given by Kitt. I don't intend to give my password to anyone. I could, I suppose, use a similar password (eg. same structure, but change some letters/numbers), but I don't see the point. I work in IT and I have a good understanding of what makes a password strong or weak.

[Phantom]

I use a random password generator with Norton and save them so that when I show up on a website, it automatically populates the passwords based on what the site requires and lets you store them automatically as a login that populates on the site your logging into. Now for it to populate, you have to have the toolbar running and type in the password for the 'password vault'. Also if I'm on the go, I have a norton app that saves the passwords and lets me type them in without having to memorize them. Finally, if all else fails, I write down all my logins and passwords on paper and keep it in a safe place so if Norton or something were to go down, I still have access to it. While it's not foolproof (see Heartbleed) It's a pretty safe and secure method.

 

Just remember when someone tells you it's impossible with not just only computer security but anything in general, Nothing is impossible, just highly improbable.

[Ron]

My son suggested using a website to check on password strength. My wife and I told him that we're not doing that for exactly the reason given by Kitt. I don't intend to give my password to anyone. I could, I suppose, use a similar password (eg. same structure, but change some letters/numbers), but I don't see the point. I work in IT and I have a good understanding of what makes a password strong or weak.

Wouldn't they have to know what the password was for in order to use it?

[Kitt]

Wouldn't they have to know what the password was for in order to use it?

How many people use the same password for everything?

[Ron]

Yes, people do that, but it seems to me they're just asking for trouble if they do. I run an antivirus software and a malware software, delete my internet history, cache and download history, and I do it everyday. Like Phantom says, nothing is impossible but it's improbable that my computer will be taken over. Of course the crossed fingers and the knocking on wood are an improbable help ... but impossibile? To answer--more than likely, but I still find myself doing it now and then.

[Graeme]

How many people use the same password for everything?

Humans are not usually capable of remembering too many different passwords. You either use a small set (often one) of passwords, or you use one 'master' password that accesses a password vault (as described above by Phantom). Either way, you're not using lots of different passwords.

 

The advantage of the password vault is that the password shouldn't leave your computer, but it's not impossible. It also means that you've got all your eggs in one basket and if something happens to that basket (stolen, breaks down unexpectedly, or gets swept away in the great coffee flood of '14) then you've just lost access to all your accounts. If you back up the passwords in the vault, then it's no longer secure, and you've got the problem that there's multiple places from where the passwords could be stolen.

 

I know people who keep their set of passwords small. They'll have a unique password for each critical system, and a common password for non-critical accounts. That's a compromise position between the same password for everything and a password vault, with a known risk for the accounts that the person doesn't consider to be critical.

 

There's no perfect solution. There are, however, some solutions that are better than others (and solutions which are really poor...)

[Phantom]

Thinking about this topic about getting personal data hacked or stolen online I realized that we kinda skipped over another area of security that some people don't realize, your garbage can. There's been stories in the news of people's who's identities have been stolen from bills, credit card offerings, Medical Bills and other sensitive stuff that they either didn't shred, just ripped in half and at times even after shredding.

 

Seeing these stories got me to thinking and I made myself what I call a burn pile where any document that has sensitive material on it that I don't need or expired or what have you, get thrown into that pile. Once it builds up I make myself a nice little bonfire in my fireplace or firepit, depending on the season.

 

For example tonight was the night I got my fireplace going and was able to destroy things down to ash. Literally there is no way to recover any information when it's nothing but blacked cinder. I even got a picture of it at work.

[JamesSavik]

I have been involved in technology security for a very long time. As far back as the mid-nineties, my contemporaries have been privately speculating that nation-states¹ have been involved on the black hat side of things.

 

Quite a lot of things just don't make sense. The numbers and sophistication of viruses and worms, the timing of zero-day attacks and the publication of China's asymmetric warfare plan called the Dragon's Spear².

 

Recently- there have been a number of revelations about the US National Security Agency. Specifically their involvement in the Stuxnet worm³ and allegations that they knew about the Heartbleed flaw as far back as two years ago⁴.

 

Sadly- NSA and others within our goverenment have proven to be above the law and have cost the people billions in fraud, identity thief and various cyber-crimes.

 

I hope that I haven't drifted to close to the politics thing- I didn't point fingers at guilty parties.

 

________________________________________

 

1- Nation-States have economic, personnel and technical resources that just aren't available to individuals, groups or private companies.

 

2- Information Warfare: China has a Scary Plan  http://www.strategypage.com/htmw/htiw/articles/20120301.aspx

 

3- Stuxnet  http://en.wikipedia.org/wiki/Stuxnet

 

4- NSA Knew About Heartbleed for 2 Years https://www.yahoo.com/tech/report-nsa-knew-about-heartbleed-vulnerability-for-82407088205.html

Edited April 16, 2014 by jamessavik

[Trebs]

Thinking about this topic about getting personal data hacked or stolen online I realized that we kinda skipped over another area of security that some people don't realize, your garbage can. There's been stories in the news of people's who's identities have been stolen from bills, credit card offerings, Medical Bills and other sensitive stuff that they either didn't shred, just ripped in half and at times even after shredding.

 

Seeing these stories got me to thinking and I made myself what I call a burn pile where any document that has sensitive material on it that I don't need or expired or what have you, get thrown into that pile. Once it builds up I make myself a nice little bonfire in my fireplace or firepit, depending on the season.

 

For example tonight was the night I got my fireplace going and was able to destroy things down to ash. Literally there is no way to recover any information when it's nothing but blacked cinder. I even got a picture of it at work.

 

Cross-cut shreaders are pretty cheap these days...  I have one that can handle 10 sheets at a time with no problem

[Kitt]

The contents of my cross cut shredder get mixed with melted parafin to make my fire starters for camping so I think I am pretty well protected there. If someone manages to reassemble an account number from all that they deserve to make a little profit!

 

As for the password vault thing - some of us are just not that swift with computers. I refer to myself as functionally illiterate when it comes to computer operation. My passwords are individualized - and kept on an index card in with my important papers in the fire safe in case i cant remember which goes with which account or get the characters mixed up.

[Trebs]

The fire safe idea is good and one I use as well, but with additional information for my will's executor (my brother).  He then also has the combo and 2nd key to the safe and if it ever comes to it, can access all of my accounts: financial, email, social, etc.  I plan on being around for a long time to come, but you never know what tomorrow may bring.

[Suvitar]

I never use the same password on different sites, I always create a new one. I write my passwords and usernames on little book and keep that in a safe place. I´d never be able to remember them all.

[wildone]

So they say the Mounties always get there man.

 

In this case, the RCMP arrested a 19 year old 'genius' computer science student and the University of Western Ontario in London, Ontario.

 

https://ca.finance.yahoo.com/news/police-charge-man-19-heartbleed-privacy-breach-canada-183231634.html

 

On the news they said his dad is a computer science professor that works as a 'professional hacker', one who works to find vulnerabilities in security systems on the web.

 

What they don't know is if either the son or father actually designed the code that makes the security vulnerable. It is mentioned that the son did little to cover his tracks and that is why the Mounties found him so quickly.

 

In a way, it would be nice if this is the origin and if there isn't others, but sadly I don't think this will be the case