Net Citizen
join:2009-01-22
Schenectady, NY
Member

Which major Canadian sites are affected by the Heartbleed bug?

I called BMO with whom I have an account and the rep didn't even know what the Heartbleed bug was much less tell me if they were affected.

Is there a comprehensive list out there pertaining to Canadian sites that have been affected?

For those unaware: »mashable.com/2014/04/09/ ··· ffected/

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

of course the rep wouldn't know, it's not on the script.

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to Net Citizen

You can use this to check. I checked BMO the day it was announced before logging in and it wasn't vulnerable.

»www.ssllabs.com/ssltest/

Other simpler tests out there too.

Banks are more conservative than most and aren't as likely to have been running bleeding-edge OpenSSL. Most banks had announced that they weren't vulnerable.

Hydraglass
Premium Member
join:2002-05-08

said by Ian1:

Can use this to check. I checked BMO the day it was announced before logging in and it wasn't vulnerable.

»www.ssllabs.com/ssltest/

Other simpler tests out there too.

Banks are more conservative than most and aren't as likely to have been running bleeding-edge OpenSSL. Most banks had announced that they weren't vulnerable.

All of the "Big 5" Canadian banks announced when this came out that their online banking portals were not affected and none of them used the OpenSSL modules. They were all using commercial SSL encryption toolkits that did not have the Heartbleed memory leak.

As for sites that are affected - Facebook, Google+, Yahoo, Hotmail (or whatever MS mail is called these days), eBay, most message boards that used SSL (few and far between), Government portals (I know CRA, not sure about Service Canada, Service Ontario, etc.) - and some various other stuff... most have now patched their servers and the issue is closed -- what isn't known is how long people were taking advantage of this memory leak for the last 2 years while it existed. Could this have been the back-door that let people break into and steal credit card / identity info off some major online e-tailers over the years? Who knows...

PX Eliezer1
Premium Member
join:2013-03-10
Zubrowka USA

said by Hydraglass:

I know CRA

CRA said that despite their efforts, 900 social insurance numbers were hacked.

»business.financialpost.c ··· rtbleed/

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to Hydraglass

said by Hydraglass:

most have now patched their servers and the issue is closed

Sort of.... Not all have revoked and replaced possibly compromised certificates.
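Two checks a defender would actually run on the points made above, added here as an example and not code from this thread or from any of the posters: a parser that decides whether an upstream OpenSSL version banner falls in the Heartbleed (CVE-2014-0160) range, which is what Ian1's "bleeding-edge OpenSSL" and Hydraglass's toolkit remark come down to, and a test of whether a server certificate was issued before the 7 April 2014 disclosure, which is the "revoked and replaced" question Ian1 raises. The certificates are constructed sample dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the function names are my own.

```python
import datetime
import re
import ssl

# Heartbleed (CVE-2014-0160) was disclosed on 7 April 2014. Upstream OpenSSL
# 1.0.1 through 1.0.1f and 1.0.2-beta1 carried the bug; 1.0.1g and 1.0.2-beta2
# fixed it, and the 0.9.8 / 1.0.0 branches never had the heartbeat code.
DISCLOSURE = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1".
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def version_has_heartbleed(banner):
    """True if the upstream OpenSSL release named in `banner` is an affected one.

    Caveat: distributions backport fixes without bumping the version string,
    so True means "check the package changelog", not "this host is exploitable".
    """
    m = _VERSION_RE.match(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"   # plain 1.0.1 ('') and 1.0.1a..1.0.1f are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"    # only 1.0.2-beta1 shipped the bug
    return False


def cert_predates_disclosure(cert):
    """cert is a dict in the shape ssl.SSLSocket.getpeercert() returns.

    A certificate whose notBefore is earlier than the disclosure date was in
    use while the private key could have been read out of server memory, so
    patching alone does not clear it: the key must be rotated and the old
    certificate revoked.
    """
    issued = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=datetime.timezone.utc
    )
    return issued < DISCLOSURE


def review(banner, cert):
    """Combine both checks and return the list of findings (empty means clean)."""
    findings = []
    if version_has_heartbleed(banner):
        findings.append("affected upstream OpenSSL release: " + banner)
    if cert_predates_disclosure(cert):
        findings.append(
            "certificate issued before disclosure (%s): rotate the key and revoke"
            % cert["notBefore"]
        )
    return findings


# Constructed sample data (not real certificates), in getpeercert() shape.
OLD_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2016 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "notBefore": "Apr 10 00:00:00 2014 GMT",
    "notAfter": "Apr 10 23:59:59 2016 GMT",
}

if __name__ == "__main__":
    for banner, cert in (("OpenSSL 1.0.1f 6 Jan 2014", OLD_CERT),
                         ("OpenSSL 1.0.1g 7 Apr 2014", NEW_CERT)):
        print(banner, "->", review(banner, cert) or "no findings")
```

The version check is a screening aid only: Debian and Red Hat, among others, shipped patched builds that still reported 1.0.1e, so a hit here means reading the package changelog, not declaring the host vulnerable. The certificate check has the opposite blind spot: a certificate reissued after disclosure but signed for the same, never-rotated private key will pass it, and only the operator can confirm the key was actually regenerated.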

corster
Premium Member
join:2002-02-23
Oshawa, ON

corster to PX Eliezer1

said by PX Eliezer1:

said by Hydraglass:

I know CRA

CRA said that despite their efforts, 900 social insurance numbers were hacked.

»business.financialpost.c ··· rtbleed/

RCMP has already made an arrest: »www.rcmp-grc.gc.ca/ottaw ··· -eng.htm

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

1 recommendation

He's a moron, doing it from his home, go to the Library, or an Internet cafe for crying out loud.

Jackorama
I Am Woman
Premium Member
join:2008-05-23
Kingston, ON

Have to throw some morons into the mix or we would never have anyone to make fun of.

Hydraglass
Premium Member
join:2002-05-08

Hydraglass to elwoodblues

said by elwoodblues:

He's a moron, doing it from his home, go to the Library, or an Internet cafe for crying out loud.

Just a script kiddie... saw the bug existed, probably downloaded one of the scripts for sucking data off some site posted on 4chan or reddit, and thought "hey it's tax time let's run it against the CRA website - they can't be that stupid can they?" and he gets a dump of social insurance numbers... probably freaks out... "oh noes what do i do"... tries to delete the evidence but has never heard of and has no idea how to use anti-forensics... they trace his IP... come to his house.. grab his computer.. find plenty of evidence (probably still has the scripts he used even...)... nailed.

15 years ago - probably just would have had his hand slapped for playing in the cookie jar... 25 years ago they would have hired him to do intrusion and penetration testing on their systems... today... lock 'im up he's just another prick messing with our economy (surprised they didn't call him a terrorist for trying to cause economic chaos within our country)..

Spike5
Premium Member
join:2008-05-16
Toronto, ON

Spike5 to Net Citizen

Does that mean all the people who ran heartbleed test sites are liable? Maybe he ran such a site? There are absolutely no details at all, just hyperbole. Hacker this, criminal that.

As for the 900 SINs, likely not his sole responsibility, despite being painted as such, as the heartbleed test sites also copied out memory segments from the CRA's servers. More like he's being singled out to have someone to blame and make an example out of, to take the heat off the CRA for leaving their servers vulnerable for over 24 hours after the disclosure.... despite it being well known they were vulnerable and the severity of the exploit proven.

Also, I think it's disgusting that if the CRA had such capability to monitor and playback logs of their unencrypted SSL traffic, be it DPI boxes or whatever, that they still left their systems vulnerable for so long after the fact. Or maybe they kept things running while sniffing traffic/memory for active exploitation of the vulnerability, like a sting operation, with absolutely no regard for taxpayers' privacy... nobody will ever know the truth.

ZZZZZZZ
Premium Member
join:2001-05-27
PARADISE

ZZZZZZZ to Net Citizen

What a dumb shit..........throw the key away.

»feeds.reuters.com/~r/reu ··· ry01.htm

WhaleOilBee
What a long strange trip it's been
join:2011-08-02
Manotick, ON

WhaleOilBee to corster

said by corster:

RCMP has already made an arrest: »www.rcmp-grc.gc.ca/ottaw ··· -eng.htm

I hope they bashed in the door brandishing assault weapons, and this little puke shit his pants!

graniterock
Premium Member
join:2003-03-14
London, ON

They politely informed him to turn himself in to save the embarrassment of being arrested in class. *sigh*

rogersmogers
@start.ca

rogersmogers to elwoodblues
Anon

said by elwoodblues:

of course the rep wouldn't know, it's not on the script.

I know you are like living in the 70's and such but there are no scripts in inbound calling.

PX Eliezer1
Premium Member
join:2013-03-10
Zubrowka USA

said by rogersmogers:

said by elwoodblues:

of course the rep wouldn't know, it's not on the script.

I know you are like living in the 70's and such but there are no scripts in inbound calling.

Of course there are. What are you talking about?!

capdjq
Be Kind, Be Calm & Be Safe
Premium Member
join:2000-11-01
Vancouver

capdjq to ZZZZZZZ

I say hire him to give advice on how to hack-proof your outdated Government site.

corster
Premium Member
join:2002-02-23
Oshawa, ON

1 recommendation

said by capdjq:

I say hire him to give advice on how to hack proof your outdated Government site.

Nah, this kid didn't discover anything. He came across the exploit that someone else identified and released into public domain that morning, and thought nobody would notice if he played around with it.

Your suggestion would be akin to hiring me to give advice on how to construct furniture because I once successfully followed IKEA instructions, as opposed to hiring the guy who wrote the instructions in the first place.