Heartbleed Vulnerability


Some of you may have noticed recent news about the Heartbleed vulnerability. While we have been silent until now about the issue, it does not mean in any way that we don't take your privacy or security seriously. In fact it means quite the opposite.

When news of Heartbleed first hit the public wires, we rushed to check all our servers and services to discover that only our newest servers were vulnerable. The older servers were always using an older version of SSL that never had the Heartbleed Vulnerability. As many of you know, BigCloset was only on the new servers for a matter of days before Heartbleed was announced, and they were patched almost immediately, just as soon as our upstream OS vendor made a patch available.

On the flip side of the coin, I should mention that when you connect to BigCloset using SSL you aren't actually connecting to our SSL server, you are connecting to Cloudflare, our CDN service. Cloudflare patched their servers before Heartbleed was made public, and has since revoked all their SSL Certificates and Key Pairs.

On the other flip side, after everything was patched, we tested ALL our services known to use SSL (web servers, mail servers [inbound and outbound], file transfer servers, etc.) and found them ALL to be patched or not affected by Heartbleed. We also tested several tools that go out and "request" information from other servers, to see if they were vulnerable to the less talked about but just as malicious "Reverse Heartbleed", only to get the same result: the absence of any vulnerability.

While we feel we have done EVERYTHING possible to protect your data and privacy, it might be best if you went ahead and changed your password, just in case.

Changing your Password is as simple as clicking on "My Account" in the menu on the Right Hand column, then clicking the "Edit" tab at the top, filling out the "Password" and "Confirm Password" boxes and then scrolling to the bottom and clicking "Save".

Please remember, not everyone on the internet is as diligent with your privacy and data as we are, so be careful with your passwords, and try to NOT use the same password on every site!

-Piper, Erin, Cat and the BigCloset Elves.
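The announcement above says the servers and the outbound "requesting" tools were tested for Heartbleed and Reverse Heartbleed but does not show what such a test looks at. The following is an added example, not code from the BigCloset post or from OpenSSL: it implements the length check that the OpenSSL fix (and the IDS signatures of the time) use, namely a TLS heartbeat whose declared payload_length cannot fit inside the record that carried it. All records are constructed inline; nothing is sent over the network, so it can run against captured traffic offline.

```python
"""Detection logic for Heartbleed (CVE-2014-0160) heartbeat records.

Added example, not code from the BigCloset post. All records below are
constructed inline for the demonstration.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("TLS record header truncated")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("TLS record body truncated")
    return ctype, version, fragment


def classify_heartbeat(record):
    """Return 'ok', 'malformed' (a Heartbleed trigger) or 'not-heartbeat'.

    Direction-agnostic: a server sending such a request to a client is the
    "Reverse Heartbleed" case and fails exactly the same check.
    """
    ctype, _version, fragment = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(fragment) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # The check the fixed OpenSSL performs before echoing: type byte,
    # two length bytes, payload and minimum padding must all fit.
    if 1 + 2 + payload_len + MIN_PADDING > len(fragment):
        return "malformed"
    return "ok"


def build_heartbeat(hb_type, declared_len, payload, version=0x0302):
    """Construct a heartbeat record; declared_len may lie about len(payload)."""
    fragment = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(fragment)) + fragment


def leak_size(request, response):
    """Bytes echoed back beyond what the request actually carried.

    A patched peer silently drops a malformed request, so this is 0 unless
    the peer copied memory it was never sent.
    """
    _, _, req_frag = parse_tls_record(request)
    _, _, resp_frag = parse_tls_record(response)
    sent = len(req_frag) - 3 - MIN_PADDING        # real payload bytes in the request
    _, echoed = struct.unpack("!BH", resp_frag[:3])
    return max(0, echoed - sent)


def demo():
    """Constructed traffic: one honest heartbeat exchange, one Heartbleed probe
    and the oversized answer a vulnerable OpenSSL 1.0.1 build would have produced."""
    honest = build_heartbeat(HB_REQUEST, 4, b"ping")
    honest_reply = build_heartbeat(HB_RESPONSE, 4, b"ping")
    probe = build_heartbeat(HB_REQUEST, 0x4000, b"\x01")           # claims 16384 bytes, carries 1
    leaky_reply = build_heartbeat(HB_RESPONSE, 0x4000, b"\x01" + b"\x41" * 0x3FFF)
    return {
        "honest": classify_heartbeat(honest),
        "probe": classify_heartbeat(probe),
        "honest_leak": leak_size(honest, honest_reply),
        "probe_leak": leak_size(probe, leaky_reply),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone repeating the site's check: a version string alone (`openssl version`) is not a reliable verdict, because distributions backport the fix without bumping 1.0.1e, and the server-side test says nothing about client-side tools, which need the same check applied to heartbeat requests they receive.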


Comments

It's Only Going To Get Worse

Is there anything you can do, or anywhere you can go, without someone trying to fuck you?

Bill Hicks was right, we're a virus with shoes.

Ban nothing. Question everything.

Maybe so, but...

> Bill Hicks was right, we're a virus with shoes.

Nonsense. A few hundred years back, the Problem of the Homeless was the squishy mess they made on your carriage wheels when you ran over them; we really are getting better. Consider that the OpenSSL library with the Heartbleed bug everybody's scrambling to patch was all unpaid volunteer work in the first place; so is a good deal of the Drupal/LAMP stack BCTS runs on. Some people are rotten no matter what, but enough people are good when they're allowed to be that I have confidence that the human race is eminently worthwhile.

Hmmm

Is BC member login via SSL? I do not recall it being tied to an https page.

HTTPS / SSL Available


Login is not via SSL but for those that want to surf the site securely we offer a full SSL encrypted version of the site at https://bigclosetr.us/topshelf/


"She was like a butterfly, full of color and vibrancy when she chose to open her wings, yet hardly visible when she closed them."
— Geraldine Brooks


As a ... retired...


As a ... retired... consumer-grade computer security expert, I'm going to remind people that it's a good idea to regularly change passwords anyway.

Heartbleed just serves as a reminder of this.

Also, a bit of basic info on making passwords more secure, as an example:

All lowercase letter password: max 26 possible options, an 8 character password = 208,827,064,576 combinations, pure bruteforce as a salted SHA-1 hash, to decrypt: about 11 hours.

Upper and lowercase: max 52 options, 8 character password: 54,507,958,502,660 combinations, same salted SHA-1, about 122 days.

Upper and lowercase + numbers: 221,919,451,578,090, or 1 year, 131 days.

Upper and lowercase + numbers + symbols + space: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= - 1,251,995,979,594,360, or almost 8 years.

These are just an example, based on a single form of encryption and its known vulnerabilities.

So, noticeably, kittenss is far less secure than Kitten$2

I also know that remembering all sorts of different passwords can be annoying, so I offer this advice: Keep the most secure passwords for things which have access to any personal or credit data. For most other things, easier to remember passwords will suffice, but it is still recommended to change the password regularly.

If you would like to use a password manager, such as LastPass, I will say that they are very useful, but be warned that unless you keep your own records, it's a single source of failure if the service is offline.

I'll point out, however, that

I'll point out, however, that a password such as ButtM0nk3y!, despite fitting what most banks will insist on, is a less secure password than fourscoreandsevenyearsagoapicklerodeabicycle

What so-called security experts keep forgetting is that it's not what characters you use to make up the password that is important. It's degrees of entropy.

I'll tell you right now - that second password? It's in the trillions of centuries for a brute force cracking attempt. The first one? 1.8 years. (according to one of the online testers)

Which one is easier to remember?

I'd rather have the option to have a 22 character lower case password than to be forced to have an 8 character password with an upper case, lower case, numeric, and non-alphanumeric character.


I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Yes and no

Rainbow tables make familiar quotations as part of a password more 'guessable'. Length matters but weird combos help a lot too. Me, I keep my serious passwords if allowed in the mid 20s length, with lots of non letters/non numbers thrown in for fun.
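The three comments above (the 26^8 brute-force figures, the "ButtM0nk3y!" versus long-passphrase comparison, and the point that a familiar quotation is more guessable than its length suggests) are all arguing about the same arithmetic under different attacker models. The following is an added example, not code from any commenter: it computes the keyspace under a pure character-set brute force and under a dictionary/phrase model, so the two sides can be put on the same footing. The guess rate and the list sizes are assumptions (chosen to land near the thread's "11 hours" figure), not measurements.

```python
"""Search-space arithmetic for the passwords argued over in this thread.

Added example, not from any of the commenters. Two attacker models are
compared: brute force over the character classes present (the model behind
the 26^8 figure above) and a dictionary/phrase model in which the attacker
guesses whole words or known quotations.
"""
import math
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")               # 26 + 26 + 10 + 33 characters
ASSUMED_RATE = 5_000_000        # salted SHA-1 guesses/second on one 2014 CPU (assumption)
QUOTE_LIST = 100_000            # assumed size of an attacker's famous-quotation list
WORD_LIST = 2048                # assumed size of a common-word list


def charset_size(password):
    """Alphabet a brute-forcer must assume, given the classes present."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password):
    """Number of candidates under the character-set brute-force model."""
    return charset_size(password) ** len(password)


def phrase_keyspace(words, list_size):
    """Number of candidates for `words` items drawn from a `list_size`-entry list."""
    return list_size ** words


def bits(space):
    """Entropy in bits of a keyspace of the given size."""
    return math.log2(space)


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def time_to_exhaust(space, rate=ASSUMED_RATE):
    """Wall-clock time to try every candidate at `rate` guesses per second."""
    return human(space / rate)


def compare():
    """(bits, time to exhaust) for each password from the thread under each model."""
    passphrase = "fourscoreandsevenyearsagoapicklerodeabicycle"
    # Phrase model: one famous quotation followed by five common words
    # ("a pickle rode a bicycle"); this is the attack the rainbow-table remark alludes to.
    phrase_space = phrase_keyspace(1, QUOTE_LIST) * phrase_keyspace(5, WORD_LIST)
    results = {}
    for label, space in (
        ("kittenss (charset)", keyspace("kittenss")),
        ("Kitten$2 (charset)", keyspace("Kitten$2")),
        ("ButtM0nk3y! (charset)", keyspace("ButtM0nk3y!")),
        ("passphrase (charset)", keyspace(passphrase)),
        ("passphrase (quote + 5 words)", phrase_space),
        ("4 random words (2048-word list)", phrase_keyspace(4, WORD_LIST)),
    ):
        results[label] = (round(bits(space), 1), time_to_exhaust(space))
    return results


if __name__ == "__main__":
    for label, (b, t) in compare().items():
        print(f"{label:34s} {b:6.1f} bits  {t}")
```

The point the numbers make is that the answer depends on which search the attacker actually runs: the passphrase is enormous under a character brute force and only comparable to ButtM0nk3y! once the attacker guesses it as a quotation plus words. Padding or composition rules do not change the model; a list of the words or quotations people actually use does.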

Okay -

Okay - horsepicklebatterychecksluaghdubh

It's still easier to remember :)


I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

it's very true that the


it's very true that the longer password is far more secure, however, the reason we suggest alternatives is that many systems are not designed to handle passwords greater than 16-20 characters, some not even that much. Some systems will reject excessive length passwords, and some will silently cut them, reducing overall security.

Also, there is a relevant xkcd to your suggestion Correct Horse Battery Staple.

Yup, I know the XKCD strip in

Yup, I know the XKCD strip in question. I actually have a copy saved.

Note that I was talking about being given an _option_. It's not like it's a hardship to have a string variable of 150 characters. (that's assuming at least a fourfold increase in length after hashing)


I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Changing passwords...


Although BC now appears to be "safe," that doesn't mean that there aren't exploits available that could potentially exploit either the site itself or the traffic to and from the site, most of which travels over diverse paths to waft along the electronic highway. The act of initiating a password change is itself a vulnerability, unless one is using SSL or other "secure" technology in the first place.

The safest method of accessing sensitive data is by using a professional password manager such as LastPass or 1Password or... whatever one chooses from the utilities on offer.

This tool will more-or-less guarantee that strong passwords are available to you, but the overall strategy fails to take into account that many people use their passwords in many different contexts, including one or more computers at work, in the home, and mediated through mobile devices.

Most people will find that compromises have to be made, since they find it difficult to remember serious passwords like: 5}%1B[<8vqV:bFs or 8r{aQ }6qF]$X3Q

In fact, some sites limit the characters which one can use in a password through misguided assumptions by their designers about what sort of passwords their users actually use. Banks are notorious, since most of them allow access through "teller machines" whose only keyboard input is a numeric keypad, and many of these even restrict the number of figures one can use, so one has four digit passwords through compulsion. It doesn't take a genius to figure out that there are only ten thousand passwords available in such schemes, which is laughably insecure by any modern standard, but that's pretty much all that stands between some sorts of criminals and your money.

I personally don't worry very much about this site, or most sites whose content is largely public, other than the very small probability that a "hacker" might be motivated to delete or change a story. So what? I keep backups, so my story can be replaced with a few moment's effort, although it might be annoying. More than that, other than malice, what's the point? Is my story going to be held hostage for ransom? Where's the threat, really? "Put ten thousand dollars in a duffle bag and drop it in the trash can at the corner of Hollywood and Vine or we're going to incorporate stupid misspellings and grammar mistakes into the text! We're going to make your story bleed!"

Yeah, right...

The serious security exploits usually go after either money (the assault direct) or access to one's computer so the hacker can use your computer's processing power as a "zombie" to generate spam or other annoyance (the assault indirect), which translates to money through third-party payments to the hacker's account.

http://www.techrepublic.com/blog/tech-sanity-check/lastpass-vs-1password-which-is-better-post-your-perspective/#.

Lastpass versus 1Password discussion

http://lifehacker.com/can-anyone-explain-how-1password-beats-lastpass-i-use-510298032

Similar discussion

http://www.imore.com/best-password-manager-apps-mac-1password-onesafe-lastpass-more

Review

-

Cheers,

Puddin'

A tender heart is an asset to an editor: it helps us be ruthless in a tactful way.
--- The Chicago Manual of Style

Adding entropy

Password padding is an easy way to add security to a password if the site allows long strings.

Mypassword000000000000000000000000000000000000000

Is much more secure than

^7}hQ!jk

and a hella lot easier to remember

Even a dedicated attack using cracking tools takes years to guess a long padded string, as opposed to minutes on an 8-character password no matter what rules are used to generate it.

Not allowed on many sites

Many sites won't let you have more than TWO characters the same in succession.

Using MyPasswordstring1000 is not allowed but MyPasswordstring1001 would be allowed.
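The last two comments, together with the earlier warning that some systems silently cut long passwords, describe rules a site might actually enforce. The following is an added example, not code from any commenter or from the site: it implements the "no more than two identical characters in a row" rule exactly as described, and a small salted PBKDF2 store with a length cap that either rejects or silently truncates, so the truncation hazard can be seen as a concrete collision. The 16-character cap, the toy store and the low iteration count are choices made for the demonstration.

```python
"""Policy checks mentioned in the thread, and why length limits must reject
rather than truncate.

Added example, not from any commenter. The password store is a toy (PBKDF2
with a low iteration count for speed) used only to show the collision.
"""
import hashlib
import hmac
import os

MAX_RUN = 2          # "no more than TWO characters the same in succession"


def longest_run(text):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def policy_violations(password, min_len=12, max_len=128, max_run=MAX_RUN):
    """Return the rules a password breaks (empty list means accepted).

    An over-long password is reported, never cut: the caller must tell the user.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len}")
    if len(password) > max_len:
        problems.append(f"longer than {max_len}")
    if longest_run(password) > max_run:
        problems.append(f"more than {max_run} identical characters in a row")
    return problems


class PasswordStore:
    """Per-user salted PBKDF2 store. truncate=True reproduces the silent-cut hazard."""

    def __init__(self, max_len=16, truncate=False):
        self.max_len, self.truncate, self.records = max_len, truncate, {}

    def _fit(self, password):
        if len(password) <= self.max_len:
            return password
        if self.truncate:
            return password[:self.max_len]      # the bug: extra characters vanish silently
        raise ValueError(f"password longer than {self.max_len} characters")

    def _digest(self, password, salt):
        # 10_000 iterations keeps the demo fast; production uses far more, or Argon2/scrypt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, self._digest(self._fit(password), salt))

    def verify(self, user, password):
        try:
            candidate = self._fit(password)
        except ValueError:
            return False
        salt, digest = self.records[user]
        return hmac.compare_digest(digest, self._digest(candidate, salt))


def truncation_collision(registered="MyPasswordstring1001", attempt="MyPasswordstring9999"):
    """True when a store that cuts at 16 characters accepts a different password.

    Both strings share the first 16 characters, so everything the user added
    beyond "MyPasswordstring" contributed nothing to the stored secret.
    """
    store = PasswordStore(max_len=16, truncate=True)
    store.register("erin", registered)
    return store.verify("erin", attempt)


if __name__ == "__main__":
    for pw in ("MyPasswordstring1000", "MyPasswordstring1001", "Mypassword" + "0" * 39):
        print(pw, policy_violations(pw) or "accepted")
    print("truncating store accepts the wrong password:", truncation_collision())
```

Note that the run rule rejects the padded password from the earlier comment, so padding and this policy cannot coexist. If a cap is unavoidable, state it on the form and reject over-length input; the classic instance of silent truncation is bcrypt's 72-byte input limit, which is why it matters to check what the hashing layer does with the bytes past the limit.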