Which major Canadian sites are affected by the Heartbleed bug?

I called BMO with whom I have an account and the rep didn't even know what the Heartbleed bug was much less tell me if they were affected. Is there a comprehensive list out there pertaining to Canadian sites that have been affected? For those unaware: » mashable.com/2014/04/09/ ··· ffected/

elwoodblues (Elwood Blues) Premium Member join:2006-08-30 Somewhere in
of course the rep wouldn't know, it's not on the script.

Ian1 Premium Member join:2002-06-18 ON
to Net Citizen
Can use this to check. I checked BMO the day it was announced before logging in and it wasn't vulnerable.
» www.ssllabs.com/ssltest/
Other simpler tests out there too.
Banks are more conservative than most and aren't as likely to have been running bleeding-edge OpenSSL. Most banks had announced that they weren't vulnerable.

said by Ian1: Can use this to check. I checked BMO the day it was announced before logging in and it wasn't vulnerable.
» www.ssllabs.com/ssltest/
Other simpler tests out there too.
Banks are more conservative than most and aren't as likely to have been running bleeding-edge OpenSSL. Most banks had announced that they weren't vulnerable.

All of the "Big 5" Canadian banks announced when this came out that their online banking portals were not affected and none of them used the OpenSSL modules. They were all using commercial SSL encryption toolkits that did not have the HeartBleed memory leak. As for sites that are affected - Facebook, Google+, Yahoo, Hotmail (or whatever MS mail is called these days), E-Bay, most message boards that used SSL (few and far between), Government portals (I know CRA, not sure about Service Canada, Service Ontario, etc.) - and some various other stuff... most have now patched their servers and the issue is closed -- what isn't known is how long people were taking advantage of this memory leak for the last 2 years while it existed. Could this have been the back-door that let people break into and steal credit card / identity info off some major online e-tailers over the years? Who knows...

CRA said that despite their efforts, 900 social insurance numbers were hacked. » business.financialpost.c ··· rtbleed/

Ian1 Premium Member join:2002-06-18 ON
to Hydraglass
said by Hydraglass: most have now patched their servers and the issue is closed

Sort of.... Not all have revoked and replaced possibly compromised certificates.

corster Premium Member join:2002-02-23 Oshawa, ON
to PX Eliezer1

elwoodblues (Elwood Blues) Premium Member join:2006-08-30 Somewhere in
1 recommendation
He's a moron, doing it from his home, go to the Library, or an Internet cafe for crying out loud.

Jackorama (I Am Woman) Premium Member join:2008-05-23 Kingston, ON
Have to throw some morons into the mix or we would never have anyone to make fun of.

to elwoodblues
said by elwoodblues: He's a moron, doing it from his home, go to the Library, or an Internet cafe for crying out loud.

Just a script kiddie... saw the bug existed, probably downloaded one of the scripts for sucking data off some site posted on 4chan or reddit, and thought "hey it's tax time let's run it against the cra website - they can't be that stupid can they?" and he gets a dump of social insurance numbers... probably freaks out... "oh noes what do i do"... tries to delete the evidence but has never heard of and has no idea how to use anti-forensics... they trace his ip... come to his house.. grab his computer.. find plenty of evidence (probably still has the scripts he used even...)... nailed. 15 years ago - probably just would have had his hand slapped for playing in the cookie jar... 25 years ago they would have hired him to do intrusion and penetration testing on their systems... today... lock 'im up he's just another prick messing with our economy (surprised they didn't call him a terrorist for trying to cause economic chaos within our country)..

Spike5 Premium Member join:2008-05-16 Toronto, ON 4 edits
to Net Citizen
Does that mean all the people who ran heartbleed test sites are liable? Maybe he ran such a site? There are absolutely no details at all, just hyperbole. Hacker this, criminal that.
As for the 900 SINs, likely not his sole responsibility, despite being painted as such, as the heartbleed test sites also copied out memory segments from the CRA's servers. More like he's being singled out to have someone to blame and make an example out of, to take the heat off the CRA for leaving their servers vulnerable for over 24 hours after the disclosure.... despite it being well known they were vulnerable and the severity of the exploit proven.
Also, I think it's disgusting that if the CRA had such capability to monitor and playback logs of their unencrypted SSL traffic, be it DPI boxes or whatever, that they still left their systems vulnerable for so long after the fact. Or maybe they kept things running while sniffing traffic/memory for active exploitation of the vulnerability, like a sting operation, with absolutely no regard for taxpayers' privacy... nobody will ever know the truth.

ZZZZZZZ Premium Member join:2001-05-27 PARADISE
to Net Citizen
What a dumb shit..........throw the key away.

WhaleOilBee (What a long strange trip it's been) join:2011-08-02 Manotick, ON
to corster
Re: Which major Canadian sites are affected by the Heartbleed bug?
I hope they bashed in the door brandishing assault weapons, and this little puke shit his pants!

They politely informed him to turn himself in to save the embarrassment of being arrested in class. *sigh*

to elwoodblues
said by elwoodblues: of course the rep wouldn't know, it's not on the script.

I know you are like living in the 70's and such but there are no scripts in inbound calling.

said by rogersmogers:
said by elwoodblues: of course the rep wouldn't know, it's not on the script.
I know you are like living in the 70's and such but there are no scripts in inbound calling.

Of course there are. What are you talking about?!

capdjq (Be Kind, Be Calm & Be Safe) Premium Member join:2000-11-01 Vancouver
to ZZZZZZZ
Re: What a dumb shit..........throw the key away.
I say hire him to give advice on how to hack proof your outdated Government site.

corster Premium Member join:2002-02-23 Oshawa, ON
1 recommendation
corster
Premium Member
2014-Apr-17 10:54 am
said by capdjq: I say hire him to give advice on how to hack proof your outdated Government site.

Nah, this kid didn't discover anything. He came across the exploit that someone else identified and released into public domain that morning, and thought nobody would notice if he played around with it. Your suggestion would be akin to hiring me to give advice on how to construct furniture because I once successfully followed IKEA instructions, as opposed to hiring the guy who wrote the instructions in the first place.