P2P Sites and HeartBleed Bug

angrysaveruk Member of DD Central Say No To T.D.S Posts: 1,338 Likes: 790 Member is Online	P2P Sites and HeartBleed Bug Apr 10, 2014 16:03:00 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by angrysaveruk on Apr 10, 2014 16:03:00 GMT Does anyone know if there has been any announcements about the HeartBleed bug from P2P sites. Looks like a very serious security flaw

oldgrumpy
Member of DD Central

Posts: 5,087

Likes: 3,233

P2P Sites and HeartBleed Bug Apr 10, 2014 16:27:52 GMT

Quote

Post by oldgrumpy on Apr 10, 2014 16:27:52 GMT

Apr 10, 2014 16:03:00 GMT angrysaveruk said:

Does anyone know if there has been any announcements about the HeartBleed bug from P2P sites. Looks like a very serious security flaw

Hard to tell whether it is a real problem or a "panic" bandwagon (like the millennium bug). The daily Express made the most of it!!

As my banks and building societies and P2Ps have not mailed us and suggested we all change our passwords (to cover their backs), I have only changed one so far.

badger

Posts: 99

Likes: 29

P2P Sites and HeartBleed Bug Apr 10, 2014 16:29:00 GMT

Quote

Post by badger on Apr 10, 2014 16:29:00 GMT

Thincats have issued the following statement (by email to lenders)

"Password Security: The Heartbleed Bug
You may be aware that a serious vulnerability has just been discovered in the immensely popular OpenSSL cryptographic software library. OpenSSL is the most widely used implementation of a suite of security protocols that help encrypt traffic while surfing the web. This vulnerability (called the Heartbleed Bug) is worrying as it allows anyone to read the memory of systems protected by vulnerable versions of the OpenSSL software. Someone with malicious intent could read this memory, grab the secret keys the service uses to encrypt the traffic, names and passwords of the users and then retrieve all sorts of private data.

How does this affect ThinCats?
Fortunately the ThinCats platform was unaffected because it uses a version of the software that is not as risk from the Heartbleed bug. However if you use the same password on multiple websites it is possible that your ThinCats account may still be vulnerable. As a security precaution we recommend that any member who uses the same password on several different websites changes their ThinCats password immediately."

angrysaveruk
Member of DD Central

Say No To T.D.S

Posts: 1,338

Likes: 790

Member is Online

P2P Sites and HeartBleed Bug Apr 10, 2014 16:57:33 GMT

Quote

Post by angrysaveruk on Apr 10, 2014 16:57:33 GMT

Apr 10, 2014 16:27:52 GMT oldgrumpy said:

Apr 10, 2014 16:03:00 GMT angrysaveruk said:

Does anyone know if there has been any announcements about the HeartBleed bug from P2P sites. Looks like a very serious security flaw

Hard to tell whether it is a real problem or a "panic" bandwagon (like the millennium bug). The daily Express made the most of it!!

As my banks and building societies and P2Ps have not mailed us and suggested we all change our passwords (to cover their backs), I have only changed one so far.

It is a real problem and a very serious one. I am sure there are a number of hackers trying to exploit it this very second and clear out peoples bank accounts. Basically compromises alot of servers and allows people to steal confidential information. Alot of bank websites are probably effected. I have contacted all my banks and told them to put locks on my accounts so no money can be taken out.

Last Edit: Apr 10, 2014 17:01:12 GMT by angrysaveruk

davee39

Posts: 1,010

Likes: 987

P2P Sites and HeartBleed Bug Apr 10, 2014 17:12:36 GMT

Quote

Post by davee39 on Apr 10, 2014 17:12:36 GMT

Apr 10, 2014 16:57:33 GMT angrysaveruk said:

Apr 10, 2014 16:27:52 GMT oldgrumpy said:

Hard to tell whether it is a real problem or a "panic" bandwagon (like the millennium bug). The daily Express made the most of it!!

As my banks and building societies and P2Ps have not mailed us and suggested we all change our passwords (to cover their backs), I have only changed one so far.

It is a real problem and a very serious one. I am sure there are a number of hackers trying to exploit it this very second and clear out peoples bank accounts. Basically compromises alot of servers and allows people to steal confidential information. Alot of bank websites are probably effected. I have contacted all my banks and told them to put locks on my accounts so no money can be taken out.

Possibly a slight over-reaction. Banks are required to protect you from online fraud provide you have taken basic security measures (Eg not publishing passwords on facebook). Most Banks will have added a second data input screen for access as additional protection. Any passwords which involve selected letters or dropdown boxes are likely to be fairly safe. P2P sites, unfortunately are less secure, the worst offenders are those which make it easy to enter any bank details for withdrawal and have only a single stage user/password entry page.

valerieb

Posts: 252

Likes: 130

P2P Sites and HeartBleed Bug Apr 10, 2014 17:31:20 GMT

Quote

Post by valerieb on Apr 10, 2014 17:31:20 GMT

GSV3MIaC alerted me to this yesterday (FC website thread) and recommended changing all passwords; I've changed all the p2p ones on the 'better safe than sorry' principle but thought the more complex bank ones were ok, probably, possibly ......?

james

Posts: 2,205
Likes: 955

P2P Sites and HeartBleed Bug Apr 10, 2014 17:31:49 GMT wiseclerk and Ton ⓉⓞⓃ like this

Quote

Post by james on Apr 10, 2014 17:31:49 GMT

Bondora was affected and fixed it and replaced their server SSL certificate on Wednesday night. They revoked their old certificate so that anyone who was able to use the vulnerability to steal Bondora's private key could not use the old certificate to impersonate them. It's now prudent to change passwords there.

Now is a bad time to be going and logging in to lots of places that have not been fixed because that just puts you at higher risk by putting your login information into RAM where it could be taken. Best to give it a week or so before mass password updating.

You can click on the names to check each one in this list, here's the decoding key for what the descriptions mean:

A/B/C/F etc is the overall SSl security rating from the checking service and any other comments it has to explain the rating. F means using known insecure things, roughly, even if not vulnerable to heartbleed.
not currently vulnerable: not vulnerable at the time I checked, says nothing about whether it was vulnerable in the past.
old certificate: either never vulnerable or not yet fully completed the work of fixing.
new certificate: certificate from after the fix became known. Probably used to be vulnerable but only probably.

assetzcapital.co.uk: B not currently vulnerable, old certificate
auxmoney.com@ A- not currently vulnerable, old certificate
Bondora.com: A+ not vulnerable any more, was vulnerable before Wednesday, new certificate
communitae.com: A not currently vulnerable, new certificate
finansowo.pl: A- not currently vulnerable, old certificate
fixura.com: A- not currently vulnerable, old certificate
fixura.co.uk: A- not currently vulnerable, old certificate
folk-folk.com: F certificate mismatch with domain, certificate issued to secure33.prositehosting.co.uk. not currently vulnerable, old certificate
fundingcircle.com: B not currently vulnerable, old certificate
fundingknight.com: B not currently vulnerable, old certificate
fundingsecure.com: A- not currently vulnerable, old certificate
geldvoorelkaar.nl: F, uses obsolete and insecure SSL2, not currently vulnerable, old certificate
Kokos.pl: B, not currently vulnerable, old certificate
lendingclub.com: A-, not currently vulnerable, old certificate
myc4.com: F, uses obsolete and insecure SSL2, not currently vulnerable, old certificate
pret-dunion.fr: B, uses only older protocols, not currently vulnerable, old certificate
prosper.com: B, not currently vulnerable, old certificate
ratesetter.com: F but probably not relevant, see next entry
members.ratesetter.com: F, uses obsolete and insecure SSL2, not currently vulnerable, old certificate
rebuildingsociety.com: B, not currently vulnerable, old certificate
smartika.it: F, APPEARS VULNERABLE TO HEARTBLEED TODAY, old certificate
smava.de: A-, not currently vulnerable, old certificate
thincats.com: C, vulnerable to CRIME attack, only older protocols, no secure negotiation support, not currently vulnerable, old certificate
wellesley.co.uk: F, supports anonymous suites, not currently vulnerable, old certificate
Zopa: B, not currently vulnerable, old certificate.

Note that the test result descriptions come from the testing service, not me except to summarise them.

It's also worth noting that except in a few cases the test uses the obvious server name and they might use more secure versions for logins and member sessions than for the main site. Ratesetter did this sort of thing, not having SSL for the main site but for logins and presumably other things. Where I did followup tests I left just the main link so you can see what I did to get to a testable server.

Last Edit: Apr 10, 2014 18:02:26 GMT by james

angrysaveruk
Member of DD Central

Say No To T.D.S

Posts: 1,338

Likes: 790

Member is Online

P2P Sites and HeartBleed Bug Apr 10, 2014 17:36:56 GMT

Quote

Post by angrysaveruk on Apr 10, 2014 17:36:56 GMT

Apr 10, 2014 17:12:36 GMT davee39 said:

Apr 10, 2014 16:57:33 GMT angrysaveruk said:

It is a real problem and a very serious one. I am sure there are a number of hackers trying to exploit it this very second and clear out peoples bank accounts. Basically compromises alot of servers and allows people to steal confidential information. Alot of bank websites are probably effected. I have contacted all my banks and told them to put locks on my accounts so no money can be taken out.

Possibly a slight over-reaction. Banks are required to protect you from online fraud provide you have taken basic security measures (Eg not publishing passwords on facebook). Most Banks will have added a second data input screen for access as additional protection. Any passwords which involve selected letters or dropdown boxes are likely to be fairly safe. P2P sites, unfortunately are less secure, the worst offenders are those which make it easy to enter any bank details for withdrawal and have only a single stage user/password entry page.

Possibly not a slight over reaction. This bug allows them to dumpthe memory of the server which is alot more danergous than just listening in on your communications. It could be used to totally compromise security even if they have secondary passwords or partial passwords. If the server knows what you are meant to type in then the hacker will know.

Last Edit: Apr 10, 2014 17:41:49 GMT by angrysaveruk

james

Posts: 2,205
Likes: 955

P2P Sites and HeartBleed Bug Apr 10, 2014 17:44:33 GMT

Quote

Post by james on Apr 10, 2014 17:44:33 GMT

Apr 10, 2014 16:29:00 GMT badger said:

Thincats have issued the following statement (by email to lenders)

...

"How does this affect ThinCats?
Fortunately the ThinCats platform was unaffected because it uses a version of the software that is not as risk from the Heartbleed bug. However if you use the same password on multiple websites it is possible that your ThinCats account may still be vulnerable. As a security precaution we recommend that any member who uses the same password on several different websites changes their ThinCats password immediately."

According to the test report they are still vulnerable to other attacks like CRIME. Using old stuff means that they didn't have the update from two years ago that introduced the heartbleed vulnerability, or were using something other than OpenSSL that has the problems described in the report.

I assume that they will fix this given all of the current attention so I suggest that you do no more for a week or so than asking them to look at the test result and fix the issues reported compared to say Bondora that does a lot of things right even if it was affected, and received the best rating of all I checked.

Don't over-react to the test results. While they are significantly less good than for many others things could be far worse.

Last Edit: Apr 10, 2014 17:50:39 GMT by james

angrysaveruk Member of DD Central Say No To T.D.S Posts: 1,338 Likes: 790 Member is Online	P2P Sites and HeartBleed Bug Apr 10, 2014 17:48:14 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by angrysaveruk on Apr 10, 2014 17:48:14 GMT Thanks for the info on that james.

JamesFrance Member of DD Central Port Grimaud 1974 Posts: 1,323 Likes: 897	P2P Sites and HeartBleed Bug Apr 10, 2014 18:44:22 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by JamesFrance on Apr 10, 2014 18:44:22 GMT If you are using LastPass to manage your passwords, you can run their security check to see if any of your sites are a problem.
	James

james Posts: 2,205 Likes: 955	P2P Sites and HeartBleed Bug Apr 10, 2014 18:55:47 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by james on Apr 10, 2014 18:55:47 GMT Zopa have blogged that they "were not running the vulnerable version of OpenSSL". From the test results it appears that if they were using OpenSSL they were using a version before 1.0.0.

pikestaff
Member of DD Central

Posts: 2,189

Likes: 1,546

P2P Sites and HeartBleed Bug Apr 15, 2014 6:22:46 GMT james likes this

Quote

Post by pikestaff on Apr 15, 2014 6:22:46 GMT

Apr 10, 2014 17:44:33 GMT james said:

Apr 10, 2014 16:29:00 GMT badger said:

Thincats have issued the following statement (by email to lenders)

...

"How does this affect ThinCats?
Fortunately the ThinCats platform was unaffected because it uses a version of the software that is not as risk from the Heartbleed bug. However if you use the same password on multiple websites it is possible that your ThinCats account may still be vulnerable. As a security precaution we recommend that any member who uses the same password on several different websites changes their ThinCats password immediately."

According to the test report they are still vulnerable to other attacks like CRIME. Using old stuff means that they didn't have the update from two years ago that introduced the heartbleed vulnerability, or were using something other than OpenSSL that has the problems described in the report.

I assume that they will fix this given all of the current attention so I suggest that you do no more for a week or so than asking them to look at the test result and fix the issues reported compared to say Bondora that does a lot of things right even if it was affected, and received the best rating of all I checked.

Don't over-react to the test results. While they are significantly less good than for many others things could be far worse.

This question has been raised and responded to on one of the TC fora. Extract from response:

... The person who made the original post did point out that the tests were done on the most obvious server (this case the one used by http://www.thincats.com). It should be noted that the actual ThinCats platform is hosted at app.thincats.com and uses a different server...
(Original post includes link to test results, omitted here because it was published on a private forum)
There are of course still areas that we can improve on, but it is important to note that the main platform is not vulnerable to CRIME attacks.

Last Edit: Apr 15, 2014 6:27:32 GMT by pikestaff

yorkshireman

Posts: 1,531

Likes: 660

P2P Sites and HeartBleed Bug Apr 15, 2014 10:24:53 GMT

Quote

Post by yorkshireman on Apr 15, 2014 10:24:53 GMT

Apr 10, 2014 17:44:33 GMT james said:

Apr 10, 2014 16:29:00 GMT badger said:

Don't over-react to the test results. While they are significantly less good than for many others things could be far worse.

So why post the results?

Sure, HeartBleed is potentially a serious problem and we all need to be on our guard but posting such info is nothing more than gossip which may panic some people.

As you say, don’t over react.

james

Posts: 2,205
Likes: 955

P2P Sites and HeartBleed Bug Apr 15, 2014 12:05:02 GMT

Quote

Post by james on Apr 15, 2014 12:05:02 GMT

Apr 15, 2014 10:24:53 GMT yorkshireman said:

Apr 10, 2014 17:44:33 GMT james said:

So why post the results?

Sure, HeartBleed is potentially a serious problem and we all need to be on our guard but posting such info is nothing more than gossip which may panic some people.

As you say, don’t over react.

Because HeartBleed is a massive problem with major fraud and other nastiness potential and people are right to worry about it, as the original poster who asked about it in this topic did. While the checks I did at 24 different P2x sites showed that all but one appeared to either not be vulnerable to it or to have dealt with the problem and that people should be reassured about P2x sites.

For ThinCats, the result was as reassuring as for others but did indicate - as it did for most - that there was room for improvement on the main site. It's worthwhile for customers to know that there is such room for improvement and for the P2x firms to do that while there is still a keen and necessary interest in improving SSL security internet-wide. app.thincats.com has signifiantly better results but still gets a C score so there's room for improvement there but as ThinCats indicated, it shows as not vulnerable to the CRIME attack. In the fullness of time I assume that they will take care of those things. So some prudent security work to do but nothing that's a really big deal for their customers to be worried about in the near future.

It is also a good thing that ThinCats uses a different server for the main and secured sites.

However, one thing HeartBleed will have done is focus a lot of attention on SSL-related issues so it is an effective certainty that attempts to exploit other weaknesses in SSL setups will increase. So it is something that ThinCats and other places should act on, lest their customers become victims of those instead.

Beyond that, there's more to security than just SSL. If a place uses only SSL they have just one layer that needs to be compromised and logins are vulnerable. There are other ways to secure logins so that they are not vulnerable to a single failure. Challenge-response in ways other than a password is one of those. In such ways the server does something like sending a test challenge encoded via the password and the client browser responds in a way that proves that it had the password so it could give the correct response to the challenge without ever sending the password itself. While this doesn't protect the rest of the data transfer, it would protect the login details and potential for fraud using stolen credentials.

I don't know whether ThinCats already does something like that. They might. Kudos to them if they have.

That reliance on just a single layer of login protection is one of the big lessons that needs to be learned from HeartBleed and dealt with industry-wide.

For most P2x customers there's no big deal now but for the professionals running the sites, most still do have more work that they could usefully do. That won't surprise anyone with any security-related experience.

Last Edit: Apr 15, 2014 12:14:54 GMT by james

Post by angrysaveruk on Apr 10, 2014 16:03:00 GMT

Post by oldgrumpy on Apr 10, 2014 16:27:52 GMT

Post by badger on Apr 10, 2014 16:29:00 GMT

Post by angrysaveruk on Apr 10, 2014 16:57:33 GMT

Post by davee39 on Apr 10, 2014 17:12:36 GMT

Post by valerieb on Apr 10, 2014 17:31:20 GMT

Post by james on Apr 10, 2014 17:31:49 GMT

Post by angrysaveruk on Apr 10, 2014 17:36:56 GMT

Post by james on Apr 10, 2014 17:44:33 GMT

Post by angrysaveruk on Apr 10, 2014 17:48:14 GMT

Post by JamesFrance on Apr 10, 2014 18:44:22 GMT

Post by james on Apr 10, 2014 18:55:47 GMT

Post by pikestaff on Apr 15, 2014 6:22:46 GMT

Post by yorkshireman on Apr 15, 2014 10:24:53 GMT

Post by james on Apr 15, 2014 12:05:02 GMT