It’s been a few months since the Heartbleed bug was announced to the world, and we continue to see the lingering effects, both from Heartbleed itself and from OpenSSL security more broadly.
Symantec has reported a spam campaign making the rounds that claims to offer a tool to remove Heartbleed from your computer but instead installs malware. As eSecurity Planet pointed out:
As the researchers note, the email targets victims who don't have enough technical knowledge to understand that the Heartbleed bug isn't malware and can't infect computers.
The article goes on to state that the malware appears to give the computer a “clean bill of health,” but in reality it is a keylogger that records everything typed and takes screenshots of the computer. The malware may be more dangerous to individuals than Heartbleed itself, so employees should be warned not to fall for the spam message at work or on their personal computers.
Symantec has also warned that OpenSSL continues to have security problems. OpenSSL recently released a security advisory that includes patches for two critical vulnerabilities. The Symantec blog described the issue:
One of the critical vulnerabilities, OpenSSL CVE-2014-0224 Man in the Middle Security Bypass Vulnerability (CVE-2014-0224), could let an attacker carry out a man-in-the-middle attack, allowing them to intercept traffic between a vulnerable client and a vulnerable server. One way that attackers could exploit this flaw is by setting up a rogue Wi-Fi hotspot in a public area. If a user connects to this rogue access point, the attackers controlling the hotspot could steal their data, even though the traffic is encrypted.
According to an Ars Technica article, this vulnerability is not as severe as Heartbleed because the attacks are more difficult to conduct:
Whereas Heartbleed allowed anyone to send malicious packets that would force a vulnerable machine to divulge passwords, cryptographic keys, and other highly sensitive data, the latest attacks can only bypass encryption for a single targeted connection. And they can only be executed by people with some degree of control over the connection. Without doubt, that's serious, but not the catastrophe visited by Heartbleed.
The other critical vulnerability affects the secure network communications protocol.
Unfortunately, this news is another hit against open source security, and as Andy Rolfe, CTO at Authentify, told me in an email:
This vulnerability shines a light on the increasing need for financial institutions (FI) to involve account holders in the “backend” protection of their own accounts. A “deputized” customer base can help protect an FI and themselves. Out-of-band transaction verification processes that display transaction or account change details for approval before final execution (post-login) effectively accomplish that “deputization.” Many FIs use multi-factor login, but once the login is successfully completed, the MITM vulnerability still exists. Post-login verification is the key.
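To make the post-login verification idea concrete, here is an added example (not Authentify’s product and not code from the article) that models one way such a scheme can work. It assumes a hypothetical enrollment step in which the account holder’s second-channel device and the bank share a key, and it simulates the second channel in-process: the bank shows the account holder the transaction details it actually received, the holder compares them with what they intended, and an approval is an HMAC bound to a one-time reference plus those exact details. A man in the middle who rewrites the in-band request therefore produces a prompt the holder does not recognise, and a captured approval cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount_cents: int


def _canonical(nonce: str, tx: Transaction) -> bytes:
    # Fixed field order so bank and device MAC exactly the same bytes.
    return f"{nonce}|{tx.account}|{tx.payee}|{tx.amount_cents}".encode()


class VerificationServer:
    """Bank side. Holds a pending transaction until an out-of-band approval
    bound to that exact transaction arrives."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key  # shared with the enrolled device (hypothetical enrollment)
        self._pending = {}             # nonce -> Transaction awaiting approval
        self.executed = []

    def submit(self, tx: Transaction):
        """In-band request after login. Nothing executes yet; returns the
        one-time reference and the details to show on the second channel."""
        nonce = secrets.token_hex(8)
        self._pending[nonce] = tx
        return nonce, tx

    def approve(self, nonce: str, tag: str) -> bool:
        """Out-of-band approval. Executes only if the tag matches the pending
        details for this reference; each reference is single-use."""
        tx = self._pending.get(nonce)
        if tx is None:
            return False
        expected = hmac.new(self._device_key, _canonical(nonce, tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        del self._pending[nonce]       # consume the reference so the approval cannot be replayed
        self.executed.append(tx)
        return True


class UserDevice:
    """Account holder's enrolled second-channel device (e.g. a phone app)."""

    def __init__(self, device_key: bytes, intended: Transaction):
        self._device_key = device_key
        self.intended = intended       # what the person actually meant to send

    def review(self, nonce: str, shown: Transaction):
        # The "deputized" step: compare what the bank received with what was intended.
        if shown != self.intended:
            return None                # decline; nothing is signed
        return hmac.new(self._device_key, _canonical(nonce, shown), hashlib.sha256).hexdigest()


def run_scenario(tampered: bool):
    """Returns (approved, executed transactions). When tampered is True, a
    constructed in-path attacker rewrites the payee on the in-band channel."""
    key = secrets.token_bytes(32)
    intended = Transaction("ACC-1001", "Electric Co", 12500)
    server = VerificationServer(key)
    device = UserDevice(key, intended)
    submitted = Transaction("ACC-1001", "Mule Account", 12500) if tampered else intended
    nonce, shown = server.submit(submitted)
    tag = device.review(nonce, shown)
    approved = tag is not None and server.approve(nonce, tag)
    return approved, list(server.executed)


def replay_is_rejected() -> bool:
    """A captured approval cannot be reused: the reference is consumed on first use."""
    key = secrets.token_bytes(32)
    tx = Transaction("ACC-1001", "Electric Co", 12500)
    server = VerificationServer(key)
    device = UserDevice(key, tx)
    nonce, shown = server.submit(tx)
    tag = device.review(nonce, shown)
    first = server.approve(nonce, tag)
    second = server.approve(nonce, tag)
    return first and not second


if __name__ == "__main__":
    print(run_scenario(tampered=False))   # (True, [intended transaction])
    print(run_scenario(tampered=True))    # (False, [])
    print(replay_is_rejected())           # True
```

The point of binding the HMAC to the nonce and the full details, rather than issuing a bare yes/no code, is that an approval is only ever valid for the one transaction the account holder actually looked at; a multi-factor login alone gives no such guarantee once the session is established.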