LastPass now includes recommendations for Heartbleed

Himanshu Arora


This week, security researchers discovered a major bug called Heartbleed that affects almost two-thirds of the Internet, potentially exposing millions of passwords, credit card numbers, and other valuable information. Many popular websites like Yahoo, OkCupid, Github, and more were vulnerable.

The bad news is that you can't do much about it yourself: it's up to each company to update OpenSSL on their servers and obtain new certificates to deal with the bug. Only after that should you update your passwords.

To ease some of the pain and guesswork, LastPass has added a new feature to their Security Check tool, which highlights websites affected by the bug and whether they've taken the necessary steps to mitigate the risk, suggesting that you either go ahead and update your passwords or wait.


"To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool", LastPass said in a blog post yesterday.

To run the security check, existing users need to click on the LastPass extension, and go to Tools->Security Check. A new browser window or tab will open asking you to take the LastPass security challenge. Just click the Start the challenge button, and a list of impacted sites will show up.

If you aren't a LastPass user it's still possible to access their Heartbleed Checker tool and enter the URL of any website individually to check whether it is vulnerable to the bug, and if the site has issued a patch. To download the latest version of LastPass just click here.


 
So, what about Techspot?
Heartbleed only affects SSL enabled websites (https) which Techspot has so far never been...
I must also say that the article is extremely sensationalist, they say two thirds of the internet's web facing servers.
I beg to differ, most sites are not even SSL enabled and of those who are only a specific version of OpenSSL is vulnerable.
Netcraft has real statistics in case you are interested: http://news.netcraft.com/archives/2...ed-websites-vulnerable-to-heartbleed-bug.html
 
@wastedkill it's a HEARTBEAT type protocol and was munged for the disclosure into a BLEED, due to bleeding private data

To test the website you are accessing for this issue, see this website.

and don't waste your time on HTTP links as @Per Hansson has noted :)
 
Actually, to my dismay, Revenue Canada, the tax department for Canada has had to suspend online filing of income taxes until they fix this. They are even extending the deadline for filing your taxes. When the government is willing to delay taking your money, you know something is really wrong.
 
> Actually, to my dismay, Revenue Canada, the tax department for Canada has had to suspend online filing of income taxes until they fix this. They are even extending the deadline for filing your taxes. When the government is willing to delay taking your money, you know something is really wrong.

This is relevant to my interests.
 
> So, what about Techspot?
> Heartbleed only affects SSL enabled websites (https) which Techspot has so far never been...
> I must also say that the article is extremely sensationalist, they say two thirds of the internet's web facing servers.
> I beg to differ, most sites are not even SSL enabled and of those who are only a specific version of OpenSSL is vulnerable.
> Netcraft has real statistics in case you are interested: http://news.netcraft.com/archives/2...ed-websites-vulnerable-to-heartbleed-bug.html
Well, for starters, Yahoo, Google, Microsoft are affected, which affects practically everyone. Netflix is a massive one. Many Government websites. Banks have to check their sites as well. Credit/debit card terminals may be affected as well.

To say it is sensationalistic is to understate the stakes here. Any service you use regularly that is susceptible (which any site you really care about should be using SSL anyway) should be at the very least checked. In plain text I could have your logins and I don't even need to intercept your comms on the wire. *That* is what we are talking about here. Every single login to a susceptible site in PLAIN TEXT just by sending some queries to the server.

Edit: What's more you don't know WHO has the logon details. It could be the NSA, some high school geek, Russian crackers, Chinese crackers, the list goes on. Do *you* care about someone having unfettered access to those accounts? Sure for some sites you won't care...

Also, it is an interesting point you make about Techspot. Not using HTTPS? Does that mean our logons are currently being sent in plain text over the web? If so are there plans to update this?
 
Actually this is an interesting exercise. Maybe we should have a checklist of services you should look at and decide if you care about what they protect and have to do something about this?

  • Banks, credit institutions in general
  • Government logins (general govt ID sites, public healthcare services, voting enrollments)
  • Internet service provider account
  • Company payroll services
  • Email sites (Outlook, Yahoo, GMail, etc)
  • Private health sites
  • Insurance websites (car, personal medical, home & contents etc)
  • Other bill provider sites (your account being compromised might expose payment details to a hacker)
  • VPNs (your VPN service might be compromised and all your data and logins viewable by Govt, hackers etc). Corporate highly sensitive VPNs included. If they have random sequence tokens, sessions could still be viewed decrypted and possibly sessions stolen.
  • Online media services (Netflix, iTunes if affected, Samsung, Sony, Foxtel, Google)
  • Open source projects (GitHub, CollabNet etc)
  • Forums (probably low priority but can be used to harvest information)
  • (Edit) Games services such as Steam, EA, Battlenet
  • (Edit) Online website hosts, including cloud services like Azure.
That's 5 minutes of me thinking out loud. Question is which services would you care about if they were compromised? The ones you want secure, I'd highly recommend you check if they are affected and when you can update your passwords.
 
> To say it is sensationalistic is to understate the stakes here. Any service you use regularly that is susceptible (which any site you really care about should be using SSL anyway) should be at the very least checked.
I did not mean to say that the issue is not serious, it most certainly is.
But it just irks me when someone puts up a number like that which is blatantly incorrect.
It's not "two thirds of the Internet"
There are almost one billion websites on the Internet, and of those ca. half a million have been vulnerable. While that is certainly a big number it is also only 0.5% of "the Internet".
Quite far from the 66.6% claimed by the article!
> Also, it is an interesting point you make about Techspot. Not using HTTPS? Does that mean our logons are currently being sent in plain text over the web? If so are there plans to update this?
The majority of online forums are running in plain text http only.
I have been looking at switching to https but not for reasons of security, but speed.
Google's SPDY protocol requires https...
However after researching it things are not so simple, for example all content needs to be served via https, so all advertisements must support it. (Only a subset does, very hard to get an accurate number)

Then there is also the problem that if someone would post an inline image for example in the forums linking to a regular http website that would throw up a warning about "insecure content" when you visit such a post, because as I mentioned _all_ content must be sent via https...
So we would need to implement something to get around that as well.
All in all it's a very difficult change with questionable benefits for the end-users.

But rest assured we are looking into it, however not because of Heartbleed or any such vulnerability.
Truth be told if you look at the latest high-profile vulnerabilities they have all required https enabled websites, take a look at the security changelog on nginx.org for example...
So one could argue that yes, passwords are sent in plain text but then again you should probably not use the same password for Techspot as you do for your online banking ;)
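The mixed-content problem described above (an http:// image embedded in a post breaks an otherwise all-https page) can be caught and handled server-side. The following is an added example, not TechSpot's or any forum software's own code: it scans post HTML for sub-resources fetched over plain http and rewrites image sources through an HTTPS fetching proxy, the same idea as "implement something to get around that". The proxy host `img-proxy.example.invalid` and the sample post are constructed placeholders.

```python
"""Detect and repair mixed content in user-posted HTML before serving it over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# (tag, attribute) pairs that make a browser fetch a sub-resource for the page.
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                  ("source", "src"), ("video", "src"), ("audio", "src")}

# Hypothetical HTTPS image proxy (placeholder); the proxy fetches the http:// original.
PROXY_BASE = "https://img-proxy.example.invalid/fetch?url="


class MixedContentScanner(HTMLParser):
    """Collects (tag, url) pairs whose URL scheme is plain http."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value and urlsplit(value).scheme == "http":
                self.insecure.append((tag, value))


def find_mixed_content(html):
    """Return every sub-resource reference that would trigger an insecure-content warning."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


def rewrite_images(html):
    """Route http:// images through the HTTPS proxy; other resource types are
    left untouched so a moderator can review them (scripts should not be proxied)."""
    urls = {url for tag, url in find_mixed_content(html) if tag == "img"}
    # Longest URLs first so a URL that is a prefix of another is never mangled.
    for url in sorted(urls, key=len, reverse=True):
        html = html.replace(url, PROXY_BASE + quote(url, safe=""))
    return html


# Constructed sample post: one insecure image, one secure image, one insecure script.
SAMPLE_POST = ('<p>look at this</p><img src="http://pics.example/a.png">'
               '<img src="https://ok.example/b.png"><script src="http://cdn.example/x.js"></script>')

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_POST):
        print(f"insecure {tag}: {url}")
    print(rewrite_images(SAMPLE_POST))
```

Modern browsers also honour the Content-Security-Policy directive `upgrade-insecure-requests`, which upgrades such fetches client-side, but a server-side scan like this still tells you which posts will break when the origin host has no HTTPS endpoint.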
 
Thank you for the info!!! Also a good point on passwords. If you don't have one for social media, one for your primary email, and one for banking then you are not doing the bare minimum.
 