38 replies to this topic

#16 COKid

COKid

    Neowinian Senior

  • 3,155 posts
  • Joined: 07-April 10
  • Location: Loveland, CO

Posted 09 April 2014 - 15:15

Changed to "qwerty". Thanks! ;)

 

Seriously, what's the point of rushing to change my passwords if the sites I deal with haven't updated their security procedures? The new passwords will be just as vulnerable, won't they?

 

I'm not trying to be snarky. Just wondering. TIA.




#17 greenwizard88

greenwizard88

    Neowinian Senior

  • 1,856 posts
  • Joined: 28-November 04

Posted 09 April 2014 - 15:24

Wouldn't it only affect people if they tried to log in while someone was looking? I'm going to change my password, but just to understand how this worked...



#18 Krome

Krome

    Neowinian God!

  • 4,547 posts
  • Joined: 29-August 01

Posted 09 April 2014 - 15:41

Password is changed to 123

 

[EDIT]

Ok, after I changed my password, I posted this and then I went to the www.neowin.net front page. I was not logged in, and when I attempted to log in, I got this:

Why.PNG



#19 +Brando212

Brando212

    Neowinian Senior

  • 6,871 posts
  • Joined: 15-April 10
  • Location: Omaha, NE
  • OS: Windows 8.1
  • Phone: Sony Xperia ZL, Nokia Lumia 925

Posted 09 April 2014 - 16:04

Password is changed to 123

 

[EDIT]

Ok, after I changed my password, I posted this and then I went to the www.neowin.net front page. I was not logged in, and when I attempted to log in, I got this:

Why.PNG

i refer you to my previous post

 

log out and then back in. a new password cookie needs to be created for the front page



#20 este

este

    Neowinian Senior

  • 2,249 posts
  • Joined: 20-July 07

Posted 09 April 2014 - 16:11

I thought this (Heartbleed) issue was known about for a while now. But they only just issued a fix for it, correct?



#21 +LimeMaster

LimeMaster

    LippyZillaD Council ( ͡° ͜ʖ ͡°)

  • 11,104 posts
  • Joined: 28-August 10
  • OS: Windows 8
  • Phone: Nokia Lumia 920

Posted 09 April 2014 - 20:40

Changed it now!



#22 Turk.

Turk.

    Neowinian

  • 581 posts
  • Joined: 28-February 14

Posted 09 April 2014 - 23:03

new password: Neo-bring-babes-back



#23 +theblazingangel

theblazingangel

    Software Engineer

  • 3,490 posts
  • Joined: 25-March 04
  • Location: England, UK

Posted 09 April 2014 - 23:10

Regarding this news post http://www.neowin.ne...y-vulnerability

 

We were affected too, someone registered on Neowin to let us know we were vulnerable, so thanks for that.

 

We have since patched our web servers (yesterday) and we're no longer vulnerable to the Heartbleed vulnerability, but since we use SSL to log you in it's a good idea to update your password.

 

I have changed mine.

 

Edit: This affects everyone, because everyone is logged in securely.

 

While the Neowin servers may be patched, the certificate is dated July 2013. To properly address this extremely critical vulnerability, patching by itself isn't enough; certificates also need to be revoked and replaced just in case their private keys have been compromised. It is pointless for us to change our passwords until this is addressed...



#24 +warwagon

warwagon

    Only you can prevent forest fires.

  • 27,244 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 09 April 2014 - 23:14

While the Neowin servers may be patched, the certificate is dated July 2013. To properly address this extremely critical vulnerability, patching by itself isn't enough; certificates also need to be revoked and replaced just in case their private keys have been compromised. It is pointless for us to change our passwords until this is addressed...

 

Isn't that only if you google or somehow get duped into clicking on a fake Neowin link? If you bookmark Neowin and use that, we should be ok.

 

Also you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the heartbleed vulnerability.



#25 Praetor

Praetor

    ASCii / ANSi Designer

  • 3,536 posts
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 09 April 2014 - 23:54

Neobond, I've been using the same password on this site since I registered on it! Do you really think I'm going to change it?

 

Also you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the heartbleed vulnerability.

 

good call.



#26 Krome

Krome

    Neowinian God!

  • 4,547 posts
  • Joined: 29-August 01

Posted 10 April 2014 - 00:15

Thanks.. it's fixed... cookie removed and it worked

i refer you to my previous post

 

log out and then back in. a new password cookie needs to be created for the front page



#27 Raa

Raa

    Resident president

  • 12,986 posts
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 10 April 2014 - 00:27

Considering I forgot my password and had it generated and emailed to me, I'm not worried... :laugh:



#28 Boo Berry

Boo Berry

    Neowinian Ghost

  • 4,240 posts
  • Joined: 26-March 05
  • Location: United States
  • OS: Windows 8.1 Pro 64-bit Mac OS X Yosemite 10.10.1 Ubuntu 14.10 64-bit

Posted 10 April 2014 - 00:37

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!



#29 +theblazingangel

theblazingangel

    Software Engineer

  • 3,490 posts
  • Joined: 25-March 04
  • Location: England, UK

Posted 10 April 2014 - 02:22

Isn't that only if you google or somehow get duped into clicking on a fake Neowin link? If you bookmark Neowin and use that, we should be ok.

 

Also you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the heartbleed vulnerability.

 

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of users logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage; however, there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless as to whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers having been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.
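The post above turns on two checks a defender can automate: was the server's certificate issued before the Heartbleed fix (so its private key lived on a vulnerable server and should be reissued), and does the negotiated cipher suite use an ephemeral key exchange (PFS), which limits a leaked RSA key to active MITM rather than passive decryption of recorded sessions. The script below is an added example written for this thread, not code from Neowin or from the poster. It assumes the fix date is 7 April 2014 (the OpenSSL 1.0.1g release), classifies forward secrecy by the OpenSSL cipher-name prefix, and uses hypothetical function names (`cert_predates_fix`, `cipher_has_pfs`, `assess`, `check_server`). The sample inputs at the bottom are constructed; only `check_server` touches the network.

```python
"""Post-Heartbleed triage: does a certificate predate the fix, and does the
cipher suite give forward secrecy? Added example, not from the original thread."""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: OpenSSL 1.0.1g (the Heartbleed fix) was released on 7 April 2014.
HEARTBLEED_FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# OpenSSL cipher-name prefixes that denote an ephemeral (forward-secret) key exchange.
PFS_KEY_EXCHANGE = ("ECDHE", "DHE", "EDH")


def cipher_has_pfs(cipher_name: str) -> bool:
    """True if the OpenSSL-style cipher suite name uses ephemeral Diffie-Hellman.
    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always forward-secret;
    plain RSA key exchange ('AES128-SHA') and static ECDH ('ECDH-RSA-...') are not."""
    name = cipher_name.upper()
    if name.startswith("TLS_"):
        return True
    return any(name.startswith(prefix + "-") for prefix in PFS_KEY_EXCHANGE)


def cert_predates_fix(not_before: str, fix_date: datetime = HEARTBLEED_FIX_DATE) -> bool:
    """not_before uses the format ssl.SSLSocket.getpeercert() returns,
    e.g. 'Jul 15 12:00:00 2013 GMT'. True means the certificate (and so its
    private key) existed while servers could still have been vulnerable."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued < fix_date


def assess(not_before: str, cipher_name: str) -> dict:
    """Combine both checks into the exposure categories the thread describes."""
    stale = cert_predates_fix(not_before)
    pfs = cipher_has_pfs(cipher_name)
    if not stale:
        exposure = "certificate issued after the fix; a leaked old key is irrelevant"
        advice = "password change is meaningful"
    elif pfs:
        exposure = "leaked key enables active MITM, but recorded sessions need per-session keys"
        advice = "reissue and revoke the certificate, then change passwords"
    else:
        exposure = "leaked key decrypts recorded past sessions and future ones without PFS"
        advice = "reissue and revoke the certificate, then change passwords"
    return {
        "cert_predates_fix": stale,
        "forward_secrecy": pfs,
        "exposure": exposure,
        "advice": advice,
    }


def check_server(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): fetch the peer certificate and negotiated cipher."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            cipher_name = tls.cipher()[0]
    return assess(cert["notBefore"], cipher_name)


if __name__ == "__main__":
    # Constructed sample inputs: a July 2013 certificate like the one discussed,
    # once with an RSA key exchange and once with ECDHE.
    for cipher in ("AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"):
        print(cipher, assess("Jul 15 12:00:00 2013 GMT", cipher))
    print("post-fix cert", assess("Apr 10 00:00:00 2014 GMT", "AES128-SHA"))
```

Run it as a script to see the three constructed cases, or call `check_server("example.com")` from a shell to triage a real host. The `notBefore` date is only a proxy: an operator may have reissued a certificate with the same old key, so the real question is whether the key pair was regenerated, which is why the thread's advice is to revoke and replace rather than inspect dates.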



#30 Praetor

Praetor

    ASCii / ANSi Designer

  • 3,536 posts
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 10 April 2014 - 02:35

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of users logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage; however, there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless as to whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers having been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.

 

yeah, it's the best and the fastest scenario. Yahoo changed their certificate some hours ago, for example.