    Welcome to Sky User - The Unofficial Support Forum for everything Sky! - Proudly helping over 65k members.


    Serious Security threat

    This is a discussion on Serious Security threat within the General Computing and Internet forums, part of the Community channel category.

    1. #1
      dms05

      Serious Security threat

      A very dangerous security threat called Heartbleed has been detected in Internet security where the website uses OpenSSL encryption (the majority do). It's a simple fault that allows instant access to secure data. Some have suggested the fault is so serious that it might be wise to turn off the whole Internet until it's fixed. The recommendations are (a) change all your passwords (b) check each site you use. This affects every user and is independent of your OS.

      Google have issued a statement about the status of their services http://googleonlinesecurity.blogspot...o-address.html

      You can check each site with Test your server for Heartbleed (CVE-2014-0160) which will return a result. SkyUser isn't listed as safe, neither is Digital Spy. Sky's official site is OK. Take care.
      Last edited by dms05; 10-04-14 at 11:42 AM.

    4. #2
      Isitme

      Re: Serious Security threat

      Thanks DMS05, as this is very important I have stickied it for a while.

      Further advice and checker-
      The LastPass Blog: LastPass and the Heartbleed Bug

      TomD


      Please note the views and recommendations in my posts are my own and in no way reflect the views of SkyUser.


      Useful Utilities

      http://www.nirsoft.net/utils/wifi_information_view.html/ TCPOptimiser /Test Socket

      Note - When downloading always select the Custom install or you will end up with stuff you don't want.





    5. #3
      Jaheira

      Re: Serious Security threat

      I'd take down both those links immediately as concerns have been raised about the legality of probing for the Heartbleed vulnerability as explained in this thread.

      I'd also advise people only to change passwords for sites that have identified that they were using the buggy version of OpenSSL (1.0.1) and then only after they've patched. Doing so before the patch is applied would be worse than useless.

      Let's not get too alarmist here. All the sites you hand personal information to will be big name sites. If they're vulnerable they'll force a password change once they've patched. Changing every one of your passwords would therefore be pointless, not to mention laborious. There again, if you're the type of person who uses the same password for multiple sites, maybe now would be an appropriate time to rectify that risky practice!
      Last edited by Jaheira; 12-04-14 at 03:20 AM.

    6. #4
      dms05

      Re: Serious Security threat

      What it actually says is:

      "Testing to see what version of OpenSSL a site is running, and whether it is also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law."

      So keep checking the safety of the sites you use. I don't think anyone on this site has the knowledge and ability to go any further!

    7. #5
      Isitme

      Re: Serious Security threat

      It's a bit ironic that this vulnerability only affects Linux servers; any server running the much maligned Windows is unaffected.

      Although there is no way to detect if a server has been compromised it is unlikely that any have been. As this vulnerability has been there for 2 years, undetected by security experts, any intrusions would have surfaced by now. It is now that there is more risk as the hackers know what to look for. Be careful out there and change your security details as soon as it is confirmed that the server has been patched.

      TomD







    8. #6
      Annie UK

      Re: Serious Security threat

      Quote: Originally posted by Isitme
      It's a bit ironic that this vulnerability only affects Linux servers; any server running the much maligned Windows is unaffected.

      Although there is no way to detect if a server has been compromised it is unlikely that any have been. As this vulnerability has been there for 2 years, undetected by security experts, any intrusions would have surfaced by now. It is now that there is more risk as the hackers know what to look for. Be careful out there and change your security details as soon as it is confirmed that the server has been patched.
      Hacker successfully uses Heartbleed to retrieve private security keys | The Verge
      Annie 🦋..........



    9. #7
      Jaheira

      Re: Serious Security threat

      Quote: Originally posted by dms05
      So keep checking the safety of the sites you use. I don't think anyone on this site has the knowledge and ability to go any further!
      What it says, regardless of the nuances of a poorly thought out law, is that "Unauthorised security probing is illegal under section 3 of the UK's Computer Misuse Act 1990, whatever the intent, as case law has established." If you incite others to break the law, then you yourself are liable, dms05. And if it is a US site, then you fancy the risk of 99,105 years in a US pen, however small the risk (and the fact you're a Brit means special 'treatment')!?

      Quote: Originally posted by Isitme
      Although there is no way to detect if a server has been compromised it is unlikely that any have been. As this vulnerability has been there for 2 years, undetected by security experts, any intrusions would have surfaced by now. It is now that there is more risk as the hackers know what to look for. Be careful out there and change your security details as soon as it is confirmed that the server has been patched.
      The NSA has probably known about this hole for 2 years. And it is under active attack. I wonder if our Sky Routers use an implementation of OpenSSL? Even my network key would fit in a 64k munch. Make sure you DON'T have remote management enabled or respond to pings on the WAN to show you're alive!

      Affected sites so far:- https://www.ivpn.net/blog/heartbleed-passwords-change
      Last edited by Jaheira; 13-04-14 at 02:23 AM.

    10. #8
      Isitme

      Re: Serious Security threat

      Make sure you DON'T have remote management enabled or respond to pings on the WAN to show you're alive!
      Good advice, although these are useful for various checks they should only be enabled when required. The Thinkbroadband BQM requires Respond to Ping to be enabled, so I don't think it is a good thing to run this Monitor on a permanent basis. Some will argue that allowing WAN Pings is a good thing, I don't. It should only be enabled when required.

      Hacker successfully uses Heartbleed to retrieve private security keys | The Verge
      As I said 'It is now that there is more risk as the hackers know what to look for'

      TomD

