AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.
By now, you have probably heard about the Heartbleed bug—a serious vulnerability in recent versions of OpenSSL, software that millions of websites use to encrypt communications with users. Making matters worse is the fact that an easy-to-use exploit that allows criminals to abuse the vulnerability is being widely traded online.
What is Heartbleed?
Information protected by SSL/TLS encryption, which provides communication security and privacy to more than half a million websites and to applications like email, instant messaging and some virtual private networks, is now up for grabs thanks to Heartbleed. The bug “allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to Heartbleed.com. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Carnegie Mellon University’s CERT learned that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f, noted Brian Krebs of Krebs on Security. More than half a million websites comprise this group.
CERT also found that a tool is being traded online that allows attackers to intercept up to 64 kilobytes of memory processed by vulnerable website servers. Although attackers can only recover small chunks of data at a time, they can launch as many attacks as they want until they retrieve all the information they need. “I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug,” Krebs wrote.
In addition to websites, mobile devices are also vulnerable to Heartbleed. Google revealed that the majority of its Android products are immune to Heartbleed, with the exception of Android 4.1.1. Patching information for that version has been sent out to Android partners. Google said that less than 10 percent of Android devices run 4.1.1; however, that number is still very high, as nearly 1 billion people use Android.
BlackBerry has also found that users of its Secure Work Space corporate email and its BBM messaging program for Android and Apple iOS are susceptible to Heartbleed. Scott Totzke, senior vice president of BlackBerry, told Reuters that the level of risk is “extremely small” because hackers would have to launch a “very complex” attack in a “very small window.” Nevertheless, BlackBerry plans to release security updates for the messaging service by Friday.
Moreover, smartphone and tablet users who have downloaded applications from commercial app stores are at risk due to apps connecting to vulnerable servers, Forbes noted. At least 66 percent of servers connected to the internet have been exposed to this bug for the past two years. Trend Micro scanned 390,000 apps in Google Play and found 1,300 of them were connected to vulnerable servers, including 15 bank-related apps, 39 online payment-related apps and 10 online shopping-related apps.
How should treasurers respond?
What should treasury and finance professionals do in response? Krebs recommends that companies using the vulnerable version upgrade to the latest version of OpenSSL as soon as possible. This page allows people to test web pages to see if they are vulnerable.
Recognizing that the bug has the potential to seriously impact businesses, BAE Systems Applied Intelligence has released an infographic to provide organizations with a better understanding of Heartbleed.
“A successful attack can extract information from the memory of web servers and other applications which could contain private keys, usernames, passwords and other sensitive information,” said Dr. David Bailey, CTO, cyber security, at BAE. “This specific issue will pass but it does highlight an important feature of the connected world and illustrates the need for businesses and security providers to both be agile in how they address issues such as these and adopt intelligence-led techniques that improve defenses before weak spots are attacked.”
Joram Borenstein, vice president at NICE Actimize, insists that the Heartbleed vulnerability will be utilized in account takeover fraud schemes. “This reinforces the need for systems that monitor activity for changes in behavior,” he said. “Fraud management in layers is robust even in the face of failures in one layer. The fact that the flaw is in newer versions of the SSL software also indicates a lack of robust software testing in the software development lifecycle used. Functionality testing has to be augmented with vulnerability testing in the SDLC.”
Borenstein acknowledged that there have not yet been any confirmed reports of account takeover fraud occurring as a direct result of Heartbleed. However, he believes this may be because cybercriminals are purloining as much information as possible from vulnerable systems right now, knowing that it is taking some financial institutions longer than others to get all of their systems patched and reconstructed. “In such scenarios, fraudsters can at a later point in time analyze what it is precisely they have stolen and then determine how to use it, whether it be for an account takeover scheme or something else,” he told AFP Fraudwatch.
Borenstein advises corporate banking clients to receive confirmation from their financial institutions that all appropriate steps are being taken. Many banks are already stating this explicitly and publicly smack on their homepages. “Also, remember two additional points. Not all servers and sites in all institutions are impacted, so if a bank attests to the fact that certain systems remain unconnected from the Heartbleed vulnerability, this is probably a truthful statement. And alternatives to OpenSSL do exist and are in use. While perhaps not as widespread or ubiquitous as OpenSSL, Network Security Services from Mozilla and other alternatives may have been employed pre-Heartbleed by your financial institution,” he said.
The Federal Financial Institutions Examination Council (FFIEC) sent a letter to U.S. banks last week, requesting that they apply patches to systems and services, applications, and appliances using OpenSSL and upgrade their systems as soon as possible. After applying the patch, the regulator also recommended that banks replace private keys and X.509 certificates and require customers and administrators to change passwords. The FFIEC also recommended that banks using third-party service providers ensure those providers are aware of the bug and take appropriate action.
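The FFIEC sequence above (patch OpenSSL, then reissue private keys and certificates that were in use on an unpatched host, then reset passwords) as an added triage script; this is not code from the column, and the host names, version banners and dates in it are constructed. It flags the 1.0.1 through 1.0.1f builds CERT named as affected and treats 1.0.1g or later as patched.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not code from the AFP column: it applies the FFIEC sequence
# above (patch, reissue keys/certs used on an unpatched host, reset passwords).

# Affected builds per the CERT note quoted above: 1.0.1 through 1.0.1f.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
_AFFECTED_LETTERS = set("abcdef")

def is_heartbleed_vulnerable(banner: str) -> bool:
    """True if an `openssl version` banner names an affected 1.0.1 build.
    Other series (0.9.8, 1.0.0) and 1.0.1g or later count as unaffected."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    if (int(major), int(minor), int(fix)) != (1, 0, 1):
        return False
    return letter == "" or letter in _AFFECTED_LETTERS

def key_needs_rotation(cert_not_before: date, patched_on: date) -> bool:
    """A key that sat in process memory while the host was unpatched may have
    been read out, so a certificate issued before the patch date is reissued."""
    return cert_not_before < patched_on

# Inventory rows: (name, `openssl version` banner, cert notBefore, patched_on);
# patched_on is None for hosts never patched (still vulnerable, or never affected).
Host = Tuple[str, str, date, Optional[date]]

def triage(hosts: List[Host]) -> Dict[str, str]:
    """Map each host that still needs work to its next remediation step."""
    actions: Dict[str, str] = {}
    for name, banner, not_before, patched_on in hosts:
        if is_heartbleed_vulnerable(banner):
            actions[name] = "patch OpenSSL, then reissue key/cert and reset passwords"
        elif patched_on is not None and key_needs_rotation(not_before, patched_on):
            actions[name] = "reissue private key and X.509 certificate, reset passwords"
    return actions

# Constructed inventory: unpatched host, patched host still on its old key,
# patched host with a fresh key, and a never-affected legacy build.
SAMPLE_HOSTS: List[Host] = [
    ("web-1", "OpenSSL 1.0.1e 11 Feb 2013", date(2013, 6, 1), None),
    ("web-2", "OpenSSL 1.0.1g 7 Apr 2014", date(2013, 6, 1), date(2014, 4, 9)),
    ("web-3", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 10), date(2014, 4, 9)),
    ("legacy", "OpenSSL 0.9.8y 5 Feb 2013", date(2013, 1, 1), None),
]
```

Running `triage(SAMPLE_HOSTS)` reports web-1 as still needing the patch and web-2 as patched but still serving a key that was in memory while the host was exposed; web-3 and legacy need nothing.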
Canada Revenue Agency attacked
The effects of the bug are already being felt. The Canada Revenue Agency (CRA) said Monday that 900 Canadian taxpayers have had their social insurance numbers (SIN) stolen from its website due to Heartbleed. The agency discovered the breach on April 8 while it was attempting to patch the bug.
“The CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said in a statement. “Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
The agency added that it was able to contain the infiltration and has found no evidence that any other breaches occurred before or after this one. The CRA said it would inform any individuals affected by the breach and provide them with credit protection services at no cost.