Security announcement: the Heartbleed vulnerability
bmn posted a topic in Site Updates & Announcements
So, you may or may not have seen mutterings about Heartbleed around the Interweb. It's a bug that's caused major security worries since it was discovered a few days ago (I've heard it called the biggest issue since the discovery of SQL injection around '98). There are some nice roundups around, but I thought I'd provide a little info and advice about it for you guys here.

What it is and how it works

Heartbleed is a bug in some versions of OpenSSL, the software that most servers use to provide secure connections to websites (where you see "https://" instead of "http://", and all the data sent between you and the server is encrypted). By sending a bad request to a vulnerable server, an attacker can receive back 64KB of random data from the server's current memory. This random data could include sensitive data that has already been decrypted (passwords sent when you log in, bank details when paying for stuff), or even the server's master encryption key. The latter would allow the attacker to much more easily eavesdrop on or modify data sent over the Internet using a man-in-the-middle attack, or potentially masquerade as another site as part of a separate attack.

The risk

The bug was present in OpenSSL for about 2 years, and was only recently fixed. Because of the way software is handled on many servers, many will be "up to date" but still have a vulnerable version. Also, to be considered safe, all fixed servers will need to generate a new master encryption key (in case the existing one was found out through the vulnerability). That's a hassle that some may not bother, or be able, to take. About 17% of secure servers are thought to have been affected by Heartbleed, and it's thought that hackers were exploiting it for about 5 months. If you logged into Yahoo!, Imgur, Flickr, Steam's website, or any number of other sites in that time, some of your data may have been taken without your knowledge.

What it means for you and us

None of our services use secure connections, so this specific issue does not affect your visits to TSS or SSMB. You're still vulnerable to man-in-the-middle attacks, but, well, that's the case for every non-secure connection on the Internet, and has been for a very long time. If you have the same username and password here as anywhere that has been affected, there's a chance that someone could get into your SSMB account as a result. More importantly, if you use the same password on multiple sites, such as your email account or other sensitive accounts, those accounts could be at risk. If an attacker has found out your password for one of them in the last 5 months, they could potentially have access to all of them. It's recommended that you change your password for any account you're concerned about, and try not to use the same password for all of them. You may find a password manager useful for keeping track of different passwords.

The recommendations for website users like yourselves are more precautionary than anything else. There's no directed threat towards individual people, but there is a chance of you essentially getting caught in the crossfire. So, I wouldn't go into a panic, but at the same time it's a very good excuse to take a look at your security. If there are any questions or anything you're unsure about, you can post them here, and I'm sure I or other tech-savvy people will try to help.
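As an added illustration of the kind of length-handling flaw the post describes (example code written for this page, not OpenSSL's own source): the unchecked handler echoes back as many bytes as the request claims to contain, so it reads past the real payload into neighbouring memory, while the checked handler refuses any record whose claimed length exceeds what was actually received. The struct, function names and the sample buffer are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated heartbeat record. The request carries a 16-bit length field
 * (hence the 64KB ceiling the post mentions), but the bytes actually
 * received for the record may be far fewer than it claims. */
typedef struct {
    uint16_t claimed_len;   /* length field copied from the request */
    const uint8_t *payload; /* first payload byte inside the record */
    size_t record_len;      /* payload bytes actually received */
} heartbeat_t;

/* Vulnerable shape: trusts claimed_len and never compares it with
 * record_len, so the copy runs past the payload into whatever happens
 * to sit after it in memory. Returns the number of bytes echoed. */
size_t echo_unchecked(const heartbeat_t *hb, uint8_t *out, size_t out_cap) {
    size_t n = hb->claimed_len < out_cap ? hb->claimed_len : out_cap;
    memcpy(out, hb->payload, n);  /* over-read when claimed_len > record_len */
    return n;
}

/* Hardened shape, the same idea as the published fix: a record whose
 * claimed payload length exceeds the received length is dropped and
 * nothing is echoed (returns 0). */
size_t echo_checked(const heartbeat_t *hb, uint8_t *out, size_t out_cap) {
    if (hb->claimed_len > hb->record_len || hb->claimed_len > out_cap)
        return 0;
    memcpy(out, hb->payload, hb->claimed_len);
    return hb->claimed_len;
}

/* Constructed memory layout: a 2-byte payload ("hi") followed, in the
 * same buffer, by data the peer should never see. Keeping the "adjacent
 * memory" inside one array keeps the demo itself well-defined C. */
static const uint8_t arena[] = "hi" "NEXT-RECORD-PLAINTEXT";

/* Returns 1 if the unchecked handler leaked bytes past the real payload. */
int demo_leak(void) {
    heartbeat_t hb = { .claimed_len = 20, .payload = arena, .record_len = 2 };
    uint8_t out[64];
    size_t n = echo_unchecked(&hb, out, sizeof out);
    return n == 20 && memcmp(out + 2, "NEXT-RECORD", 11) == 0;
}

/* Returns 1 if the checked handler rejected the same malformed record. */
int demo_fixed(void) {
    heartbeat_t hb = { .claimed_len = 20, .payload = arena, .record_len = 2 };
    uint8_t out[64];
    return echo_checked(&hb, out, sizeof out) == 0;
}
```

A well-formed record (claimed_len equal to record_len) passes the check unchanged, which is why the fix could ship without breaking legitimate heartbeats.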