Important message for website administrators

[ElSecundo]

This warning is for HRW and any HRW vendors:

I don't know how much publicity this has gotten outside of tech circles, but there is a very significant bug that was announced Monday. The bug affects about 2/3 of all websites worldwide. It's a vulnerability in OpenSSL, and allows a hacker to obtain encryption keys, passwords, etc -- essentially the keys to the kingdom.

Any website that is taking credit card information has a 2/3 probability that they are using OpenSSL, and need to patch their site immediately, then reissue all new security certificates.

As it stands, any unpatched site is subject to man-in-the-middle attacks, and a hacker can intercept any traffic flowing in and out of the site, and easily decrypt it. Because it was announced publicly on Monday, it's open season for any would-be hackers to find and exploit unpatched websites, especially ones that are involved in financial transactions.

If the site is behind a firewall, the firewall is also subject to this attack, and will need its firmware patched.

For more information, look up the 'Heart Bleed bug'.

[HomeRacingWorld]

This is one of the many reasons why I do not allow the open scripts like Facebook "Like" or Twitter feeds. So those who keep asking for them, stop please. If you like a link or post so much then copy it and paste it in your status.

The extra firewall we pay for detected activity, but was not confirmed to be this bug. It deleted it and there is no way to track it. Regardless, it was stopped what ever it was.

Our site was patched 2 days ago. And again this morning with a small update. A scan this morning reveals all is well.

[SRQSloter]

[DAVE]

What is really scary is what the news reported about this. Apparently this bug allows hackers to get into the E-file IRS sites,
and file bogus tax returns for the refunds. As well as getting all your personal info. And the IRS didn't even know this. Glad
I don't E-file, and send my tax return by mail. Easier to trace if someone steals your tax return, plus very serious jail time
for anyone who does.

[ElSecundo]

What's really scary is that nobody knows if serious hackers have been using this exploit. It's been out there for two years, with no real way to identify it. A good hacker could have quietly collected data for two years from any of 2/3 of the world's web servers, including the supposedly 'secure' servers. And with encryption keys, they can even go back and unlock these servers again after they are patched (if the administrators fail to re-issue security certificates after patching).

[DAVE]

From what I have seen, hackers have been using it and it was a hacker who spilled the beans. They also say that
even if you change you passwords it only takes a millisecond to break in again. I just wish there was more reliable
info on this. Banks and credit card companies are telling all sorts of stories on how secure their sites are, and it
all may or may not be true.

[Jesla]

This issue will be with us for weeks if not months before being resolved.....Even
if a particular vender, bank or credit card service announces they are patched does
not make it safe. Your data makes many hops on it's way to it's destination, any one
of which could be an affected server. You have a 2 in 3 chance of passing through an
affected server.

[ElSecundo]

[goosenapper]

As with all things sciency, xkcd.com broke it down for non-tech folks:

[ElSecundo]

xkcd nailed it. That rocks. :)

[Ember]

That's a great illustration of the problem.

I am not looking to belittle the import of this at all. But....

The only difference between this week and last week is that now every amateur mischief maker knows about this weakness and will be pushing against it.

In the billions of lines of code that makes the world turn these days there be an unknown number of lines with unknown errors in them. Many will be benign. But some will not be. They will not have an effect on the apparent running of the world and we will remain ignorant of them. They will only be identified when someone pushes up against them and finds that they allow them to do something they should not be able to do. They will let someone else in on the secret (it is human nature to brag) and eventually we will find out about it. The steps can be taken to fix it. But by then another will be discovered.

The nature of the internet and the haphazard way in which it has grown means we will always be discovering these things. 99% of the systems affected by Heart Bleed will be taken care of. But there will always be that 1% that is forgotten.

The only difference between this week and last week is that we know.

[ElSecundo]

And that's a major difference -- everybody in the world who has an interest in taking advantage of this exploit now knows. Yes, of course there are always bugs, exploits will always be out there. The difference between being smart and being stupid, though, is knowing when your odds are good, and when they're bad. This is one of those times when the odds are at their worst. Before this bug was known, the number of people capable of doing you extreme financial harm was very small. Today, the number of people capable of causing you extreme financial harm is extremely high, the number of internet devices that they can use to do so is extremely high, the effort needed to do so is extremely low, and the odds of a hacker being detected are extremely low (so there is low deterrence).

Your odds of being hit are still fairly low -- but the odds of being hit have never been this high in the history of the internet. Taking advice on this topic from non-IT professionals is like asking Jenny McCarthy for vaccine information. :lol:

[Ember]

Not arguing with you.

This type of situation is going to get more common, not less. But creating blind panic, which is what media coverage tends to do, achieves nothing.

[Jesla]

There some that are in-the-know more than most and what is scary is how the media is reacting.
The media has not gotten the word out loud enough as to just how serious the situation is. Kurt I
have given facts for you to consider, whether or not you take these facts to heart is out of our
control. So really there is no more to be said. Individuals will take what actions they choose.

[ElSecundo]

Not blind panic, but downplaying this one is a serious mistake and a disservice. Typically, when there is a bug or a virus in the wild, there are normal and easy steps one can take to significantly reduce their risk. With this one, the risk is severely elevated, and the proper steps don't actually reduce your individual risk by much.

There are always sharks in the water. Most of the time, you might as well just keep swimming. Other times, sensible people realize that it's time to get out of the water for a while. This is the time for sensible people to get out of the water. There are a lot of fins in the water, there's a lot of splashing, and your bathing suit is made of bloody meat. There's no need to panic -- you can go swimming, or stay on the beach for a while. :banana-dance: