Pursuant to the recent libtech discussion about whether resources should be 
invested in plugging a hole if there’s no known compromise/cost, see this 
sentence in the below: "several readers reported their Ars accounts were 
hijacked by people who exploited the bug and obtained other readers' account 
passwords."

Anyone else know of successful heartbleed exploitation?

Best, Eric

Ars Technica
The Art of Technology 
Dear readers, please change your Ars account passwords ASAP 
Apr 9th 2014, 00:49, by Dan Goodin 
For more than two years, the Internet's most popular implementation of the 
Transport Layer Security (TLS) protocol has contained a critical defect that 
allowed attackers to pluck passwords, authentication cookies, and other 
sensitive data out of the private server memory of websites. Ars was among the 
millions of sites using the OpenSSL library, and that means we too were bitten 
by this extraordinarily nasty bug.
By mid morning Tuesday, Ars engineers had already updated OpenSSL and revoked and 
replaced our site's old TLS certificate. That effectively plugged the hole 
created by the vulnerability. With the OpenSSL update installed, attackers could 
no longer siphon sensitive data out of our server memory. And although there's 
no evidence the private encryption key for Ars' previous TLS certificate was 
compromised, the replacement ensured no one could impersonate the site in the 
event hackers obtained the key.
With Ars servers fully updated, it's time to turn our attention to the next 
phase of recovery. In the hours immediately following the public disclosure of 
the so-called Heartbleed vulnerability, several readers reported their Ars 
accounts were hijacked by people who exploited the bug and obtained other 
readers' account passwords. There's no way of knowing if compromises happened 
earlier than that. Ars has no evidence such hacks did occur, but two years is a 
long time. There's simply no way of ruling out the possibility.
It's for this reason that Ars strongly recommends all readers change their 
account passwords. A password change is especially urgent for people who logged 
in between Monday evening and mid morning on Tuesday. It's also particularly 
important for anyone who used their Ars password to protect accounts on other 
sites or anyone whose Ars accounts contained private messages of a sensitive 
nature. But again, out of an abundance of caution, Ars strongly urges all users 
to reset their pass codes.
As always, security-conscious readers should choose unique, randomly generated 
passwords at least nine characters long that contain upper- and lower-case 
letters, numbers, and symbols. For a refresher on good password hygiene, see 
Ars senior IT reporter Jon Brodkin's The secret to online safety: Lies, random 
characters, and a password manager.

http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/



-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
[email protected].
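Added example, not from the article, the list or OpenSSL's own source: a small C model of the defect the article describes and Eric asks about. The article only says the bug let attackers pull data out of server memory; the mechanism modelled here (a TLS heartbeat request whose attacker-supplied 16-bit payload length is trusted, and the bounds check the OpenSSL 1.0.1g fix added, with its 16-byte minimum padding) comes from the public CVE-2014-0160 fix, not from the page. Function and type names are hypothetical, and the "secret" placed next to the record is constructed so the over-read stays inside one array rather than invoking undefined behaviour.

```c
/*
 * Added example: vulnerable versus fixed handling of a TLS heartbeat request,
 * modelled on the Heartbleed (CVE-2014-0160) defect and its fix. Not the
 * article's or OpenSSL's code; names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16   /* minimum padding a heartbeat message must carry */

/* A decrypted TLS record as the handler sees it: body pointer and real length. */
typedef struct {
    const uint8_t *data;
    size_t len;
} tls_record;

/* Vulnerable handler: trusts the payload length inside the message and echoes
 * that many bytes back, regardless of how long the record actually is.
 * Copies into out (caller supplies >= 65535 bytes); returns bytes copied. */
size_t heartbeat_vulnerable(const tls_record *rec, uint8_t *out)
{
    const uint8_t *p = rec->data;
    uint8_t type = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    /* No comparison against rec->len: memcpy reads past the record's end. */
    memcpy(out, p, payload_len);
    return payload_len;
}

/* Fixed handler: same logic plus the bounds check the patch added. The record
 * must be long enough to hold type + length + claimed payload + padding. */
size_t heartbeat_fixed(const tls_record *rec, uint8_t *out)
{
    if (rec->len < 1 + 2 + HB_PADDING)
        return 0;                         /* too short to be a heartbeat */
    const uint8_t *p = rec->data;
    uint8_t type = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->len)
        return 0;                         /* claimed payload exceeds record */
    memcpy(out, p, payload_len);
    return payload_len;
}

/* Constructed fixture: a 23-byte request carrying 4 payload bytes but claiming
 * claimed_len, placed in one arena directly ahead of a constructed secret so
 * the over-read lands on it (in a real process it reads whatever neighbours
 * the record on the heap). */
static const char SECRET[] = "session=DEADBEEF; user=eric";

static void build_fixture(uint8_t *arena, size_t arena_len,
                          uint16_t claimed_len, tls_record *rec)
{
    const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = 1 + 2 + sizeof payload + HB_PADDING;   /* 23 bytes */
    memset(arena, 0, arena_len);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, sizeof payload);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);          /* adjacent memory */
    rec->data = arena;
    rec->len = rec_len;
}

/* Portable search for the secret inside the echoed bytes. */
static int contains_secret(const uint8_t *buf, size_t n)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

/* 1 when the vulnerable handler's echo includes the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t arena[256];
    static uint8_t out[65536];
    tls_record rec;
    build_fixture(arena, sizeof arena, 60, &rec);   /* claims 60, has 4 */
    size_t n = heartbeat_vulnerable(&rec, out);
    return n == 60 && contains_secret(out, n);
}

/* 1 when the fixed handler refuses the same over-long claim. */
int fixed_rejects_overlong(void)
{
    uint8_t arena[256];
    static uint8_t out[65536];
    tls_record rec;
    build_fixture(arena, sizeof arena, 60, &rec);
    return heartbeat_fixed(&rec, out) == 0;
}

/* Bytes echoed by the fixed handler for an honest 4-byte claim (expect 4). */
size_t fixed_accepts_valid(void)
{
    uint8_t arena[256];
    static uint8_t out[65536];
    tls_record rec;
    build_fixture(arena, sizeof arena, 4, &rec);
    return heartbeat_fixed(&rec, out);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects over-long claim: %d\n", fixed_rejects_overlong());
    printf("fixed echoes honest request: %zu bytes\n", fixed_accepts_valid());
    return 0;
}
```

The point for the thread's question: the vulnerable path never touches the record's real length, so whatever sits after the record in memory (here a constructed session cookie, on a real server whatever the heap held) is echoed back to the client. That is why the article's remediation is three-fold: patch the check, replace the key that may have been read, and reset the credentials that may have been read.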
