
HeartBleed Bug

post #1 of 13
Thread Starter 

Hey guys and gals,

Not sure if you saw the news about the Heart Bleed bug for website security, but it's pretty bad considering it was/is useful for data mining.

That includes things like passwords.

http://heartbleed.com/ For info

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt 

http://www.bbc.com/news/technology-26954540

A list of affected sites, and we're one, so you might want to change your password.


Edited by GasMaskMan - 4/10/14 at 5:47am
post #2 of 13

Prudent advice.  However, I'd suggest waiting until after the admins apply the patch that addresses this vulnerability, before changing your password.

 

As a courtesy, many sites have released public notifications to their members that actions have been taken to address this problem.  I'd like to see an official announcement from the Head-Fi admin team that the vulnerability has been addressed on this site as well.

 

This is a serious issue.  I hope the admin team resolves the issue quickly.

post #3 of 13
Thread Starter 
Quote:
Originally Posted by jazzfan

This is a serious issue.  I hope the admin team resolves the issue quickly.

As do I.

post #4 of 13
It's not just the web servers, there are *many* network/storage/server devices that use firmware versions of OpenSSL. So does much of the SW running on the network infrastructure. This hits a lot of the biggest names in technology:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29004&actp=RSS
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
https://library.netapp.com/ecm/ecm_get_file/ECMP1516404
http://supportkb.riverbed.com/support/index?page=content&id=S23635

You can't just patch the web server and call it a day - this could affect a significant portion of the hops a data packet travels all around the world.

I imagine the big hosting centers where sites like huddler are hosted are all frantically scrambling (or they should be!). I happen to know that Rackspace jumped on this almost immediately for their hosting customers.
post #5 of 13

The Heartbleed bug has been in the headlines this week.  This is a serious problem.


What actions have been, or are being, taken by Head-Fi to address Heartbleed vulnerability?


What should Head-Fi members do to mitigate this vulnerability?

post #6 of 13

Just posted this question over in Feedback & Bug Reports to see if this gets more visibility.  We may want to continue the discussion over there if there is a response.


http://www.head-fi.org/t/714524/is-head-fi-susceptible-to-the-heartbleed-vulnerability

post #7 of 13
Thread Starter 

I PM'd it to Jude (only easy admin I could figure out on here), no response.

post #8 of 13

I merged the threads. The servers are run by Huddler. The active admins have nothing to do with either the back-end (nor the management of sponsors btw.) so we can't answer that because we don't know. 

 

However, while I have no doubt that Huddler are well aware of security issues, since large sites are often the target of intrusions where databases are stolen, I would follow the advice of numerous security professionals and simply NOT use the same password on any two sites. Even if passwords are one-way encrypted (like they are on your computer) it is easy to get enough computing power these days that 90% of them can be cracked through brute force (guessing billions of possible passwords).  As such I recommend using iPassword (50% off I heard because of Heartbleed) or Lastpass and having them generate 20-30 character random passwords for sites (or as long as is allowed by each site).
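The advice above turns on two numbers: how many guesses an attacker can make per second against a stolen password database, and how many candidates a password has. The following Python, added here as an illustration and not part of the post or the thread, generates per-site random passwords with the CSPRNG in `secrets`, clips them to a site's length limit (the "as long as is allowed by each site" caveat), and works out the entropy gap between a short human-chosen password and a generated one. The alphabet, the 1e10 guesses-per-second rate and the site names are constructed assumptions for the comparison, not measurements.

```python
import math
import secrets
import string
from typing import Dict, Optional

# Constructed alphabet: upper, lower, digits and a symbol set most sites accept.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

# Assumed attacker speed for the worked comparison: 1e10 guesses per second is
# a round figure for an offline attack on a fast hash, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e10


def generate_password(length: int = 24, alphabet: str = DEFAULT_ALPHABET,
                      site_max_length: Optional[int] = None) -> str:
    """Return a random password drawn with a CSPRNG (secrets, never random).

    site_max_length models the "or as long as the site allows" caveat: the
    requested length is clipped to what the site accepts.
    """
    if site_max_length is not None:
        length = min(length, site_max_length)
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of the given entropy at the given rate."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(short_len: int = 8, long_len: int = 24) -> Dict[str, float]:
    """Contrast an 8-character lowercase-only password (26 symbols) with a
    24-character password drawn from DEFAULT_ALPHABET (76 symbols)."""
    short_bits = entropy_bits(short_len, 26)
    long_bits = entropy_bits(long_len, len(DEFAULT_ALPHABET))
    return {
        "short_bits": short_bits,
        "short_years": years_to_exhaust(short_bits),
        "long_bits": long_bits,
        "long_years": years_to_exhaust(long_bits),
    }


if __name__ == "__main__":
    # Two different sites get two independent passwords; nothing is reused,
    # so a database stolen from one site says nothing about the other.
    for site in ("site-a.example", "site-b.example"):  # constructed names
        print(site, generate_password(24))
    print(generate_password(30, site_max_length=20))  # clipped to the site's limit
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

The short password exhausts in well under a minute at the assumed rate; the generated one is far beyond any brute-force budget. The per-site loop is the point of the "never reuse" advice: the manager remembers the strings, so there is no reason for two sites to share one.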

post #9 of 13

FYI, Keepass is a great open source and free alternative cross-platform password manager:

http://keepass.info/index.html

 

I have no affiliation. Just a happy user.

post #10 of 13
I use Keepass as well - it is an excellent product for storing/managing passwords.
post #11 of 13
Quote:
Originally Posted by Currawong

I merged the threads. The servers are run by Huddler. The active admins have nothing to do with either the back-end (nor the management of sponsors btw.) so we can't answer that because we don't know. 

However, while I have no doubt that Huddler are well aware of security issues, since large sites are often the target of intrusions where databases are stolen, I would follow the advice of numerous security professionals and simply NOT use the same password on any two sites. Even if passwords are one-way encrypted (like they are on your computer) it is easy to get enough computing power these days that 90% of them can be cracked through brute force (guessing billions of possible passwords).  As such I recommend using iPassword (50% off I heard because of Heartbleed) or Lastpass and having them generate 20-30 character random passwords for sites (or as long as is allowed by each site).

 

Thank you for responding to the concern.  I think it's important for everyone to realize that changing passwords alone in no way guarantees your information is now safe from being compromised.  All systems identified as being exposed to this vulnerability must first be patched, or reconfigured to mitigate the vulnerability.  Only after those actions have been taken can one be assured that personal data passing through those systems are safe from being compromised by the Heartbleed bug.

Note the following warning from a recent Forbes article - http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/

Internet providers and hosts:

You should be making a statement about when you’ve successfully patched and mitigated the issues. Proactive customer notification would be logical, but at least a banner on your site would help. Forcing customers to guess or test themselves is just negligent.

 

With that in mind, please request a formal statement from Huddler detailing what actions have been taken, or are being taken, and ask that they officially acknowledge when their systems are secure.

I look forward to an update from Huddler on the status of their systems.  Thank you for taking action to keep Head-Fi a safe and secure community.
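Posts #2 and #11 both make the same point: changing a password before the site is fixed just hands the new one to the same leak. When an operator will not publish a statement, one observable signal a member can check is the certificate: Heartbleed could expose the server's private key, so a full fix means reissuing the certificate, and the new certificate's validity start (its `notBefore`) will be after the public disclosure on 7 April 2014. The Python below is an added example, not code from the thread or from Huddler; it works on the dict shape that the standard library's `ssl.SSLSocket.getpeercert()` returns, and the two sample certificates are constructed for the test. The live `fetch_peer_cert` helper simply retrieves that dict from a host you choose.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Tuple

# Heartbleed was publicly disclosed on 7 April 2014. A certificate whose
# validity began before that date was (potentially) served by a vulnerable
# process whose private key could have leaked, so it should have been reissued.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_reissued_after_disclosure(cert: Dict) -> Tuple[bool, str]:
    """Given a dict in the shape getpeercert() returns, report whether the
    certificate's validity started after the disclosure date.

    Returns (ok, reason). A False result is a reason to wait, not proof of a
    leak; a True result shows the key was rotated, not that every host in the
    path was patched.
    """
    not_before = cert.get("notBefore")
    if not_before is None:
        return False, "certificate has no notBefore field"
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used by
    # getpeercert() and returns seconds since the epoch.
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before),
                                    tz=timezone.utc)
    if issued < DISCLOSURE:
        return False, f"validity began {issued:%Y-%m-%d}, before disclosure"
    return True, f"validity began {issued:%Y-%m-%d}, after disclosure"


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Live helper (needs network): fetch the peer certificate as getpeercert()
    exposes it, with normal hostname and chain verification left on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real sites).
OLD_CERT = {
    "subject": ((("commonName", "forum.example"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "forum.example"),),),
    "notBefore": "Apr 12 09:30:00 2014 GMT",
    "notAfter": "Apr 12 09:30:00 2015 GMT",
}


if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        ok, why = cert_reissued_after_disclosure(cert)
        print(f"{label}: {'ok' if ok else 'wait'} ({why})")
```

Read the result the way the thread reads the patch status: an old certificate date means the operator has not finished, so hold the password change; a new date is necessary but not sufficient, since the load balancers and other devices post #4 lists sit in front of the same traffic and show no certificate of their own.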

post #12 of 13


To all concerned, today I received confirmation from Huddler that the vulnerability on Head-Fi's site was addressed shortly after the bug was made public.  As was previously mentioned, it would be wise to change your password now, if you haven't already done so.

post #13 of 13
Thread Starter 

Thanks, man.
