Heartbleed Links June 6, 2014

Heartbleed

New Heartbleed Attack Vectors Impact Enterprise Wireless, Android Devices - Eduard Kovacs - Security Week

Nearly two months after the Heartbleed bug was discovered, new attack vectors are still being found. The vectors in this article involve wireless networks and Android smartphones. It's a very technical article and not for the uninitiated.

Beware Of Fake 'HeartBleed Bug Remover Tool,' Hijacks System with Malware - Wang Wei - The Hacker News

Repeat after me. "Heartbleed is a bug, not a virus, trojan or any other form of malicious software." A bug is code in a piece of software or application that, when exploited, gives an unexpected, unintended result. Viruses, trojans and keyloggers all fall under the malicious software (or malware) category. They are programs designed to perform malicious acts on your computer for nefarious gains. Now that we've established that, don't fall for any scams that say you need to remove Heartbleed from your computer, because Heartbleed is a bug, not a piece of malware. The Heartbleed bug is located in a critical piece of infrastructure on the internet called OpenSSL, and there is no removing it. The entities that use OpenSSL have to patch the bug for you to be safe. Again, Heartbleed is not something on your computer that can be removed.

The Human Side of Heartbleed - Bruce Schneier - Schneier on Security

This Schneier special dives into some of the nuances involved in reporting the Heartbleed bug, which was discovered by two separate researchers several days before the rest of us heard about it:

One of the biggest problems we face in the security community is how to communicate these sorts of vulnerabilities. The story is technical, and people often don't know how to react to the risk. In this case, the Codenomicon researchers did well. They created a public website explaining (in simple terms) the vulnerability and how to fix it, and they created a logo -- a red bleeding heart -- that every news outlet used for coverage of the story.

As bad as Heartbleed was, the InfoSec community handled it really well.


This post first appeared on Exploring Information Security.

InfoSec Links May 2, 2014

Skimmers put inside Pearland gas pumps to steal credit, debit card info - Jeff Ehling - ABC 13 Houston

Skimmers are actually being found inside of pumps instead of on the outside, which almost sounds like something out of the movies. Bad guy walks up to the pump in a maintenance uniform, inserts the device, walks away. Movie or not, the best course of action here is to make sure you're using your credit card, not your debit card, to pay for gas or anything else for that matter.

Heartbleed Over-Hype - Tyler Reguly - The State of Security

One of the challenges of the information security community is educating users on what vulnerability, virus, trojan, etc. mean to them. This article brings up some good points on the Heartbleed bug and educating users overall.

Heartburn from heartbleed forces wide-ranging rethink in open source world - Seth Rosenblatt - CNet

This article discusses how we could do a better job in open source of vetting the tools that we use on the internet. The Heartbleed bug resulted from a vulnerability in OpenSSL, which is maintained by volunteers. If that sounds weird, it should. Major corporations and websites are relying on a volunteer open source project to secure their transmissions on the internet. It's a good technical read for those of you interested.
