Origin Site, EA/Mythic Account Site, and Heartbleed

Discussion in 'UHall' started by GalenKnighthawke, Apr 10, 2014.

  1. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    Does anyone happen to know if the Origin site and/or the EA/Mythic account site or both were vulnerable to the "Heartbleed" security issue?

    If they were, does anyone happen to know if they have plugged the hole?

    -Galen's player
     
  2. DJAd

    DJAd Stratics Legend
    Stratics Veteran

    Good luck anyone trying to change their password on the EA/Mythic/Origin website. Maybe now is the ideal time to change that utter **** billing system to something new.
     
  3. The Zog historian

    The Zog historian Babbling Loonie
    Stratics Veteran

  4. Spiritless

    Spiritless Seasoned Veteran
    Stratics Veteran

    That tool is using a really poor detection method for this vulnerability. Just because a server is using Apache and OpenSSL certainly doesn't make it automatically vulnerable to this problem.

    I've tested origin.com and it is reporting as not vulnerable. It may have been in the past, though, as they could have recently patched it. Or, it may never have been. They'd have to answer that directly. It doesn't appear as though they've regenerated their certificates though, so if the site was vulnerable then the private keys could be compromised.
     
  5. kRUXCg7

    kRUXCg7 Sage

    Tried that not long ago and it did not work. A friend of mine had troubles, too. Also tried the "I forgot my password" option, did not work either. Some useless error message when trying to save a new password from the link in the email.
     
  6. The Zog historian

    The Zog historian Babbling Loonie
    Stratics Veteran

    Actually, running OpenSSL is the highest risk factor. That's why the test's point, the only point, is to see if a site has been/still is vulnerable based on what's running on the server. There is no test, apart from what a website's own admins can do, that can tell if any given site has been exploited against. A corollary is determining someone's risk for HIV: "Are you promiscuous?" or "Do you share needles?" do not test for the actual guarantee infection, but it can give someone an idea if he should get tested.

    This is why Microsoft's statement said: "Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability."

    The next paragraph explains that one might be vulnerable, however, if "running Linux images in Azure Virtual Machines, or software which uses OpenSSL..."
     
  7. Spiritless

    Spiritless Seasoned Veteran
    Stratics Veteran

    You are incorrect on almost everything you've said.

    1) Only specific versions of OpenSSL are affected by this vulnerability. They are 1.0.1, 1.0.1a through to 1.0.1f inclusive. 1.0.2-beta is also affected but this isn't a stable release. 1.0.1g is the fixed version. Many sites running OpenSSL are absolutely fine by virtue of the fact they are not, and never were, using a vulnerable version.

    2) There is a very specific test which can be performed that shows precisely whether a web server using OpenSSL is vulnerable to this. That is, quite simply, trying to send a malformed SSL heartbeat packet and observing the server's response.
     
  8. The Zog historian

    The Zog historian Babbling Loonie
    Stratics Veteran

    I'm hardly "incorrect," whether "almost everything" or not. I was speaking in a very broad sense about "running OpenSSL," because most on this forum don't need or don't care about the particulars. Do you note the original question? It wasn't about whether Origin or EA are running vulnerable versions of OpenSSL, but the broad question that 99.9% of users are asking. It's a rare home user who will ask, "Hey, has the admin patched the latest fixed version of OpenSSL?"

    That web-based test, and any others, merely look for, ahem, if a server is running potentially affected software. Which do you think a home user is going to do, run a script (David Grant from the EFF has one to test multiple servers), or do a relatively simple web-based test? If a site has been "possibly" affected, then someone can go through the routine of changing passwords, checking any statements, and so on. Similarly, only high risk factors for HIV warrant the expense of a genuine test.

    But in the end, the only way to determine if a site has indeed been compromised, not just has been vulnerable, is by its admins themselves. I seem to remember saying something about that.
     
  9. Winter

    Winter Lore Keeper

    Lastpass reports accounts.eamythic.com as Now Safe

    So, the accounts server has been updated. Was it safe (and our passwords) before? Not sure.

    On a related note - no site or server has been reported attacked via this vulnerability.
     
  10. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    I am glad for both but I am sure you will appreciate the importance of a sense of caution.

    -Galen's player
     
  11. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    Origin.com still shows as possibly vulnerable, however.

    -Galen's player
     
  12. Spiritless

    Spiritless Seasoned Veteran
    Stratics Veteran

    Err, actually the original question was precisely whether EA/Origin were vulnerable and whether the admin had patched it...

    As I said, the tool you linked identified them as vulnerable. This isn't accurate. Neither are leaking data which shows the presence of the heartbleed vulnerability. As I also said though, whether they were vulnerable previously is another matter. The origin.com SSL certificate was generated prior to the release of this bug so if it was vulnerable, those private keys could now be exposed. Interestingly, it appears as though the cert attached to accounts.eamythic.com was generated yesterday which indicates an attempt at mitigating the exploit after patching (which may suggest it was previously vulnerable.)

    Actually, there are now web-based tests which are specifically aimed at checking for this vulnerability. No scripts needed:

    http://filippo.io/Heartbleed
    https://www.ssllabs.com/ssltest/analyze.html

    Unfortunately, since this exploit leaves no trace of its operation on the server, even administrators cannot tell if they have been compromised by this issue. From a security perspective, it is always best to assume the worst case, and if a vulnerable version was known to be used then users should change their passwords and admins should patch and regenerate their SSL certificates accordingly (which appears to have been precisely what they have done for the accounts.eamythic.com domain.)

    Of course, that advice applies to users too. Changing your passwords and assuming the current passwords you're using are compromised won't do you any harm. :)

    There are probably thousands of them being attacked by it right now after its public disclosure. The Yahoo servers were used in one of the initial tests to retrieve passwords.
     
    #12 Spiritless, Apr 10, 2014
    Last edited: Apr 10, 2014
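    Two checks from this thread can be automated on the defender's side: the affected-version range listed in post 7 (1.0.1 through 1.0.1f and 1.0.2-beta affected, 1.0.1g fixed) and the certificate-date point made above (a cert issued before disclosure should be reissued if the host was ever vulnerable, and password changes are wasted until the server is patched). The script below is an added example, not code from any poster or from EA; the host names, version strings and certificate dates in it are constructed, and the "still vulnerable" flag stands in for the result of one of the web scanners linked above.

```python
import re
import ssl

# Affected OpenSSL releases as stated in the thread: 1.0.1 and 1.0.1a..1.0.1f,
# plus the 1.0.2-beta line; 1.0.1g is the fixed release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?$")

# Public disclosure date of the bug (7 April 2014), in ssl.getpeercert() time format.
HEARTBLEED_DISCLOSURE = "Apr  7 00:00:00 2014 GMT"


def openssl_version_affected(version):
    """True when an OpenSSL release string falls inside the affected range.

    Caveat: distributions backport fixes without bumping the letter, so a
    vendor-patched '1.0.1e' may already be fixed. Treat this as a risk
    signal, not proof; only a live test settles the current state.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter == "" or letter <= "f"
    if release == (1, 0, 2):
        return beta is not None
    return False


def cert_needs_reissue(not_before):
    """True when the certificate's notBefore predates disclosure: a host that ever
    ran an affected build may have leaked that private key from memory, so
    patching alone is not enough and the key pair and cert must be regenerated."""
    return ssl.cert_time_to_seconds(not_before) < ssl.cert_time_to_seconds(HEARTBLEED_DISCLOSURE)


def assess_host(openssl_version, cert_not_before, still_vulnerable):
    """Combine the three signals discussed in the thread into one verdict."""
    if still_vulnerable:
        return "unpatched: patch first; password changes before that are wasted"
    if not openssl_version_affected(openssl_version):
        return "never ran an affected release: no action needed"
    if cert_needs_reissue(cert_not_before):
        return "patched, but cert predates disclosure: reissue cert, then rotate passwords"
    return "patched and cert reissued: rotate passwords"


if __name__ == "__main__":
    # Constructed sample hosts (illustrative values, not real scan results).
    for host, ver, nb, vuln in [("accounts.example", "1.0.1e", "Apr  9 00:00:00 2014 GMT", False),
                                ("shop.example", "1.0.1e", "Jun 12 00:00:00 2013 GMT", False)]:
        print(host, "->", assess_host(ver, nb, vuln))
```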
  13. Winter

    Winter Lore Keeper

    It does no good to change passwords before the servers are patched. If you are worried about this vulnerability, anything you type to a vulnerable server can be intercepted.
     
  14. Spiritless

    Spiritless Seasoned Veteran
    Stratics Veteran

    That is true. But, as I've said, the account management domain is not presently vulnerable and had its certificate regenerated yesterday.

    EA should probably clarify this themselves to all of its users, beyond UO really, since it looks very likely they have at minimum taken preventative measures by regenerating that cert. The status of origin.com, since it has an old cert, is a relevant point of interest especially.
     
  15. The Zog historian

    The Zog historian Babbling Loonie
    Stratics Veteran

    My point was that the original question was very general, not asking about any OpenSSL versions. Most home users don't care what particularly needs fixing or what needs to be, just that it is.

    You realize, don't you, that you just implied origin.com may have been vulnerable? I myself wasn't paying attention to the dates of EA's certificates, but that's interesting. At least it appears someone heard early enough for them to check.

    That's now (in fact I had been checking out the latter link a while ago). But when someone asked in the early morning, I was giving an answer that was valid as an assessment of general risk. That's hardly "incorrect" in "almost everything," don't you think?

    I was again talking in a general sense about "only admins can know." Sometimes they can't, of course. It's this kind of exploit that makes an admin's hair fall out, but the regular home user still had tests early on for determining if a specific site could have been compromised.
     
  16. Spiritless

    Spiritless Seasoned Veteran
    Stratics Veteran

    Putting aside the issue of who/what was correct or incorrect, I believe and hope the discussion that followed has clarified some things to everyone both about the vulnerability and the status of EA's servers. :)

    Again, I reiterate, EA should really be making a statement themselves about this issue and informing their customers as many companies who hold sensitive data have already done.
     
  17. Sauteed Onion

  18. The Zog historian

    The Zog historian Babbling Loonie
    Stratics Veteran

    I'll just say that I never go into a thread thinking "who" is correct, just "what" is correct. And I never make it personal unless the other does. ;D
     
  19. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    Sex references and egos aside....I think we really should know about this stuff. I mean this isn't the usual "this is my priority and I think everyone should care as much as me." This is something that has the internet security crowd really creeped out. With excellent reason.

    -Galen's player
     
  20. Sauteed Onion

    I'm not sure about who is making sex references but if my video leads somebody to believe that nope.
    In reality this has been going on for years, and the people who decide what stories to run and when in the A.P. knew about it, and very unfortunate people knew about it, but the information at least by the press (not to mention companies with their future to consider) is held until the breaking point where either enough people know enough to let everybody else know and cause a panic or two it would be a ratings success and advertisers would pay out precious $$ to get eyes on their Rosland Capital commercials and political campaign shorts.

    Yeah it is creepy though. But it's not like something that just happened one night and now we're all being exploited like never before. It's been going on.
     
  21. Promathia

    Promathia EM Bennu Fanclub
    Premium Stratics Veteran

    It would be really nice to get an answer about this.

    Blizzard has informed its players that they are fine. Arenanet has posted about it to their Guild Wars 2 players. Minecraft has let people know it was at risk... etc., etc.
     
  22. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    Good news is that another site, SSLLabs.com or something, gave Origin.com a pass for Heartbleed (said was not vulnerable).

    Bad news is that SSLLabs gave Origin.com an F overall for other reasons.

    *chuckles and sighs*

    We're doomed. Oh well.

    -Galen's player
     
  23. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    2 of the 3 places I know of that check for this say that origin.com either is clear or never was vulnerable. The third says it isn't sure and that its security certificate was dated from before the discovery of the vulnerability.

    Sadly I think that's about as good as we're likely to get with EA being EA.

    It's really pretty sad what a war zone the Internet is these days. And pretty sad how EA is most of the time.

    -Galen's player
     
  24. GalenKnighthawke

    GalenKnighthawke Grand Poobah
    Stratics Veteran

    When you type in EA heartbleed into Google, the first hit is this thread.

    I'm famous! For a pretty ****ed up reason though.

    The 2nd hit is about the same thread on the SW:TOR boards.

    Eventually you get an announcement from Pogo (that's EA too, right?) that says Pogo's secure.

    -Galen's player
     
  25. G.v.P

    G.v.P Stratics Legend
    Stratics Veteran Stratics Legend

    Here's another good resource:
    http://www.extremetech.com/computing/180261-heartbleed-which-passwords-you-should-change-right-now

    Pinterest (yes, I use Pinterest ;P) sent users a direct E-Mail asking for users to change their password. What a **** storm. I guess we have to pretty much change all our passwords lol.

    I recently lost all of my AIM accounts and my old AOL E-Mail account due to what most people believe is an AOL-based reset, but now I wonder if it has to do with Heartbleed. Meh.

    Anyway, happy birthday :). :p.