
Heartbleed

Created by nebbian > 9 months ago, 9 Apr 2014
nebbian
WA, 6277 posts
9 Apr 2014 2:30PM

It has come to light over the last few days that for the past two years (!), a bug has existed in the way that many web servers handle secure connections. This means that it is easy for an attacker to go to any server and sniff things like:
Usernames, passwords, credit card numbers, secure encryption keys...

Non-techy explanation here:
www.smh.com.au/technology/web-security-in-doubt-after-discovery-of-heartbleed-flaw-20140409-zqsif.html

More in depth info here:
heartbleed.com/

This is the most serious vulnerability I've seen, pretty much ever. Our sysadmin spent the night sorting out all our systems.

It pretty much means that if you put a credit card number into a secure website (that uses ) then that info might have found its way into the hands of hackers.

Many people are suggesting that the NSA knew about this backdoor a while ago, and might even be responsible for getting the 'bug' into the source code.

Gosh.

Mobydisc
NSW, 9029 posts
9 Apr 2014 4:41PM

Good thing Seabreeze doesn't use https......

Mark _australia
WA, 23581 posts
9 Apr 2014 3:35PM

Who woulda thunk it.

Interwebs are not safe?

laurie
WA, 3873 posts
9 Apr 2014 6:33PM

Freaky .. an amazing hole that has existed for almost two years!

Seabreeze does use "https", but we don't/haven't used the library that has the flaw..

From what I've read, a hacker can send a simple 1 byte request to any Linux-based server (which hasn't been patched), and the server will send back a random 64,000 bytes of its internal memory.

Lots of requests = lots of data, and at some point the hacker will glean something, such as passwords, credit cards, etc...

Sigh ...

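Worked example added by the editor (not from any poster in this thread, and not OpenSSL's own code): a C simulation of the bug laurie describes above. A TLS heartbeat message carries a length field that the client fills in; an unpatched server copied that many bytes out of its own buffer into the reply, whether or not that many bytes had actually arrived, which is how a request carrying a single payload byte could pull back up to 64 KB of whatever else was in memory. The fix is one comparison of the claimed length against the record actually received. The fake heap layout, the secret string planted in it, and the function names are all constructed for this illustration.

```c
/* Added example: simulated heartbeat handling on a fake server heap, showing the
 * Heartbleed bug (a length field trusted without checking it against the record
 * actually received) next to the check that fixes it. Constructed for this page;
 * it is not OpenSSL code. Build with: cc -std=c99 -Wall heartbleed_sim.c */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat body (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Stand-in for the server's heap. The received record is copied to the front; whatever
 * already sits in the bytes after it plays the part of neighbouring heap data. */
#define HEAP_SIZE 70000
static unsigned char g_heap[HEAP_SIZE];

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Handles one heartbeat request. check_bounds == 0 reproduces the unpatched logic,
 * check_bounds == 1 adds the length check from the fix. Returns the response length,
 * 0 if the message was silently discarded (patched behaviour), or -1 on a usage error. */
int hb_respond(const unsigned char *record, size_t record_len, int check_bounds,
               unsigned char *out, size_t out_cap)
{
    if (record_len == 0 || record_len > HEAP_SIZE) return -1;
    memcpy(g_heap, record, record_len);          /* record now lies in front of other heap data */

    if (check_bounds && record_len < (size_t)(1 + 2 + HB_PADDING))
        return 0;                                /* too short to carry a type, length and padding */
    const unsigned char *p = g_heap;
    unsigned char hbtype = *p++;
    uint16_t payload_len = be16(p);              /* client-controlled: the "claimed" payload size */
    p += 2;
    if (check_bounds && (size_t)(1 + 2 + payload_len + HB_PADDING) > record_len)
        return 0;                                /* the fix: the claimed length must fit the record */

    if (hbtype != HB_REQUEST) return -1;
    size_t resp_len = (size_t)(1 + 2 + payload_len + HB_PADDING);
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);             /* unpatched: copies payload_len bytes whether or not they were received */
    memset(out + 3 + payload_len, 0, HB_PADDING);/* OpenSSL fills the padding randomly; zeros here */
    return (int)resp_len;
}

/* Sends a request carrying one payload byte but claiming `claimed_len`, with a constructed
 * secret left further along the fake heap. Returns 1 if that secret came back, else 0. */
int heartbeat_leaks_secret(int check_bounds, uint16_t claimed_len)
{
    static const char secret[] = "session-cookie=CONSTRUCTED_SECRET_1234"; /* constructed value */
    memset(g_heap, 0, sizeof g_heap);
    memcpy(g_heap + 4096, secret, sizeof secret); /* "leftover" from an earlier request */

    unsigned char req[1 + 2 + 1 + HB_PADDING];   /* the "1 byte request": one payload byte + padding */
    req[0] = HB_REQUEST;
    req[1] = (unsigned char)(claimed_len >> 8);
    req[2] = (unsigned char)(claimed_len & 0xff);
    req[3] = 'X';
    memset(req + 4, 0, HB_PADDING);

    static unsigned char resp[1 + 2 + 65535 + HB_PADDING]; /* largest possible response */
    int n = hb_respond(req, sizeof req, check_bounds, resp, sizeof resp);
    if (n <= 0) return 0;
    for (size_t i = 0; i + sizeof secret <= (size_t)n; i++)   /* scan the reply for the secret */
        if (memcmp(resp + i, secret, sizeof secret) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unpatched, claims 64000 bytes:    %s\n", heartbeat_leaks_secret(0, 64000) ? "secret leaked" : "no leak");
    printf("patched,   claims 64000 bytes:    %s\n", heartbeat_leaks_secret(1, 64000) ? "secret leaked" : "no leak");
    printf("patched,   honest 1-byte request: %s\n", heartbeat_leaks_secret(1, 1) ? "secret leaked" : "no leak");
    return 0;
}
```

The 64,000 figure matches the post; the field is 16 bits, so the largest claim is 65,535 bytes per request, and nothing stops an attacker repeating it, which is the "lots of requests = lots of data" point. The only thing the patched path adds is the comparison of `payload_len` against `record_len`; everything the attacker gets from the unpatched path is whatever happened to follow the request in the server's buffer, which is why it is random from the attacker's side and why the example can only show a leak by planting a known value.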

Mark _australia
WA, 23581 posts
9 Apr 2014 6:51PM

laurie said..
a hacker can send a simple 1 byte request to any Linux-based server (which hasn't been patched), and the server will send back a random 64,000 bytes of its internal memory.

...


Well that's why it is called random access memory

Geez, basic computer stuff guys




Speaking of heartbleed, Nebbs' article just about gave me nosebleed as I tried to understand it

GalahOnTheBay
NSW, 4188 posts
9 Apr 2014 9:01PM

laurie said..
Freaky .. an amazing hole that has existed for almost two years!


If you are the NSA (or any other three letter agency) maybe it's more of a feature...

Aww shucks - now I have to move this thread to heavy weather. lol

Mark _australia
WA, 23581 posts
9 Apr 2014 7:14PM

OMG only me and now THREE nerds here. I feel like Penny in Big Bang Theory. Actually, no....
nevermind.


jbshack
WA, 6913 posts
9 Apr 2014 7:20PM

So if we've bought anything via CC on SB, do we need to worry? Just looking for the short answer.

Carantoc
WA, 7235 posts
9 Apr 2014 8:04PM

laurie said..

..... a hacker can send a simple 1 byte request to any Linux-based server (which hasn't been patched), and the server will send back a random 64,000 bytes of its internal memory.....



Sounds a bit like reading a thread started by PM33.

A simple 1 byte copy and paste generates 64,000 pages of random replies.

And then both your heart and your head start to bleed.

myusernam
QLD, 6155 posts
9 Apr 2014 11:02PM

Mark _australia said..

OMG only me and now THREE nerds here. I feel like Penny in Big Bang Theory. Actually, no....
nevermind.




I feel like Penny in Big Bang Theory also. Got her number?

GalahOnTheBay
NSW, 4188 posts
10 Apr 2014 8:16AM

Short answer re credit cards: no need to worry, but as always you should carefully check each and every item on your statements to make sure they are yours. Of course you do that anyway right?

myusernam said...
Mark _australia said..

OMG only me and now THREE nerds here. I feel like Penny in Big Bang Theory. Actually, no....
nevermind.




I feel like Penny in Big Bang Theory also. Got her number?


kiteboy dave
QLD, 6525 posts
10 Apr 2014 9:15AM

I'm not sure that this really changes anything.

There are any number of credit card number generators out there.

The reality is that you need to read your credit card statements every single month and account for every line item, particularly in the $20-$99 range, as this is often targeted to avoid arousing suspicion.

Visa / Mastercard repay any and every fraudulent transaction - it's the cheapest option for them.
Sometimes it takes time but you can always recover the money eventually.


FormulaNova
WA, 15093 posts
10 Apr 2014 6:26PM

laurie said..

Freaky .. an amazing hole that has existed for almost two years!

Seabreeze does use "https", but we don't/haven't used the library that has the flaw..

From what I've read, a hacker can send a simple 1 byte request to any Linux-based server (which hasn't been patched), and the server will send back a random 64,000 bytes of its internal memory.

Lots of requests = lots of data, and at some point the hacker will glean something, such as passwords, credit cards, etc...

Sigh ...





Nah, that'd be awesome. All you'd need to do is set up some server to impersonate this flaw and start sending out fake 'random data'. You could seed usernames and passwords that would have the hackers trying these and wasting their time.

laurie
WA, 3873 posts
11 Apr 2014 4:03PM

jbshack said..

So if we've bought anything via CC on SB, do we need to worry? Just looking for the short answer.




No. Seabreeze was NOT affected by it.

And.. NO credit card numbers are stored on our servers.



stamp
QLD, 2797 posts
11 Apr 2014 6:41PM

laurie said..

jbshack said..

So if we've bought anything via CC on SB, do we need to worry? Just looking for the short answer.




No. Seabreeze was NOT affected by it.

And.. NO credit card numbers are stored on our servers.





Just to be on the safe side, can you just check that my card details are not on the server please laurie?

It's a Visa: card number 4518 8655 9432 1136, expiry 08/15, CCV is 582.

SpaceCoyote
VIC, 147 posts
11 Apr 2014 9:20PM

Throw that card out. Just tried to get a new kite, it declined.

Stuthepirate
SA, 3591 posts
11 Apr 2014 9:28PM

That was just the card's security system preventing you from buying a kite.

stamp
QLD, 2797 posts
11 Apr 2014 10:20PM

SpaceCoyote said..

Throw that card out. Just tried to get a new kite, it declined.


That can't be right. The Royal Nigerian Credit Card Inspection Company checked it for me only this afternoon (I was lucky enough to be selected for a special online discount - it only cost me $50 to have it checked).

jn1
SA, 2718 posts
13 Apr 2014 1:58AM

laurie said..
From what I've read, a hacker can send a simple 1 byte request to any Linux-based server (which hasn't been patched), and the server will send back a random 64,000 bytes of its internal memory.


This type of thing used to be my business before I left the industry 10 years ago, but I still have a passing interest. The last serious open source exploit that I can recall was a fairly dangerous Apache (web server) bug about 10 years ago, which got fixed within 24 hours of the announcement. There was also an OpenSSH bug that researchers discovered and that got fixed quickly (I think around about 2005). Before that, a heap bug in one of the early 2.x.x Linux kernels created chaos for a few days in the late '90s. Not a bad track record for free-to-use operating systems and software :). Compare that to Microsoft.

J

Mastbender
1972 posts
13 Apr 2014 1:29AM

Something that got emailed to me:

From McAfee Security systems

Consumer Threat Alerts:

Recently, a major security vulnerability named "Heartbleed" has made headlines around the world. This is a severe vulnerability stemming from a coding mistake in a widely-used security utility called OpenSSL.

The bug affects the encryption technology designed to protect your sensitive data on the Internet, like usernames, passwords and emails.

This is a flaw in the OpenSSL encryption code, not a virus that can be stopped by McAfee or other consumer security software. Because this vulnerability takes advantage of servers, and not consumer devices, businesses need to update to the latest version of OpenSSL to mitigate and address the dangers posed.

McAfee is currently in the process of auditing all of our services, and the services provided by our partners, for any dangers posed by Heartbleed. If there is any instance that the vulnerable version of OpenSSL is in use we will remediate with the utmost urgency.

The severity of the Heartbleed vulnerability cannot be overstated: several major enterprises use OpenSSL, and are likely affected by this vulnerability as well. The dangers posed by this vulnerability are very real and could affect you if exploited.

So what do you need to do?
- Right now, the best thing you can do is wait to be notified about affected services and patches, or you can investigate this list provided by Mashable that has some well known brands listed.
- If you'd like to investigate whether or not a website you frequent has been affected, you can use this tool.
- Reset your password for every online service affected by Heartbleed. But beware: you should only change your password after the afflicted business has fixed its servers to remove the Heartbleed vulnerability. Changing your passwords before a company's servers are updated will not protect your credentials from being leaked.
- For additional details, please click here.
We at McAfee apologize for any inconvenience this may cause you. We will be contacting you again as we update our services that use OpenSSL.

Thank you for your time, and safe surfing.

Sincerely,

Gary Davis


