The Heartbleed that can sap an advisory dry

A major new vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of websites.

The recently discovered software flaw has the potential to leave millions of servers on the Internet open to an attack which allows sensitive data to be stolen.
Michael Kinens, a senior business development executive at Australian company IRESS, which supplies share market and wealth management systems internationally, told Wealth Professional that advisers should contact their providers to check their system is secure.
“I don't think advisers should be looking to physically undertake the checks themselves, it's just not feasible. I would suggest that advisers should be focused on those providers who haven't already reported their position,” he said.
Kinens is one of many in the industry who say the problem shouldn’t be ignored.
Anu Nayer, Deloitte’s head of security, privacy and resilience, said the issue has been around for over two years but has only recently been discovered.

“This is a major issue and it appears a significant portion of the Internet has been affected. Because this exploit leaves no trace in almost any system it is very difficult to determine the extent to which anyone has been compromised through this,” he said.

The heart of the problem lies in open-source software called OpenSSL that's widely used to encrypt Web communications. Nayer explained that a flaw in the programming on some versions (OpenSSL 1.0.1-1.0.1f) means attackers can view small portions of what is being stored in the server’s memory which includes data such as usernames, passwords, credit card numbers and any other sensitive information.

Grayson Milbourne, director of security intelligence at Webroot, emphasised that this problem is a software vulnerability and not an infection.
“A vulnerability is a flaw in the code of an application which allows it to be exploited. In the case of the OpenSSL Heartbleed vulnerability, researchers found a flaw in how the data was being encrypted and transmitted,” he said.

Deloitte’s Nayer said it is vital that any company’s technical team know all the websites and web services the organisation has so they can check the necessary sites. He recommends asking the IT department the following questions in addressing the issue:
  • How have you determined whether each of our websites and web services has the OpenSSL service enabled?
  • What type of sensitive information do we have that is accessible from the internet? What type of information would have been at risk?
  • Have we looked at our logs to determine if there have been any successful or unsuccessful attempts to exploit this issue? What did we find? Are we monitoring our network to look for indications of attacks?
  • What steps have we taken to mitigate the issue?
  • How have you confirmed that the fixes have been applied successfully?
  • Have you gotten assurances from our vendors, external hosting providers and application cloud services that they have fixed any vulnerable systems?
Nayer said that if the company’s website is internally hosted, the organisation can run the command ‘openssl version’ on the server to discover whether an affected version is in use. If it is hosted externally, it is necessary to contact the hosting provider for more information.
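As an added illustration of that check (example script written for this page, not supplied by Nayer, Deloitte or the OpenSSL project), the following shell function takes the text printed by ‘openssl version’ and classifies it against the range the article names as affected, OpenSSL 1.0.1 through 1.0.1f. It assumes only the upstream version token is examined; some Linux distributions shipped the fix as a patch while keeping the old version number, so a result of "affected" is a prompt to check the build date shown by ‘openssl version -a’ or the package changelog, not proof on its own.

```shell
#!/bin/sh
# Added example, not from the article: classify an `openssl version` string
# against the affected range the article gives (1.0.1 up to and including 1.0.1f).
# Assumption: only the upstream version token is inspected. Distributions that
# backported the fix keep the old version number, so "affected" means
# "check further" (build date via `openssl version -a`, package changelog).

# heartbleed_affected "OpenSSL 1.0.1e 11 Feb 2013"
#   Prints one of: affected | fixed | other
#   Returns 0 when the version falls inside the affected range, 1 otherwise.
heartbleed_affected() {
    # The version token is the second word, e.g. "1.0.1e".
    set -- $1
    ver=$2
    case "$ver" in
        1.0.1|1.0.1[a-f]*)
            # 1.0.1 through 1.0.1f: the range the article identifies.
            echo affected
            return 0 ;;
        1.0.1[g-z]*)
            # 1.0.1g and later releases on the same branch carry the fix.
            echo fixed
            return 1 ;;
        *)
            # 0.9.8, 1.0.0 and anything else: outside the branch the article
            # discusses; consult the vendor advisory for those builds.
            echo other
            return 1 ;;
    esac
}

# check_local_openssl
#   Runs the check against the OpenSSL binary on this host, as the article
#   suggests for internally hosted servers. Missing binary -> "other".
check_local_openssl() {
    heartbleed_affected "$(openssl version 2>/dev/null)"
}

# Run directly: report the local status and exit 0 only when affected,
# which makes the script usable from a fleet-wide inventory job.
if [ "${0##*/}" != "sh" ] && [ -n "$RUN_LOCAL_CHECK" ]; then
    check_local_openssl
fi
```

Set RUN_LOCAL_CHECK=1 to have the script report on the host it runs on; left unset, it only defines the functions so they can be sourced into a larger inventory script.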

He recommends increasing monitoring for unexpected activity in any systems, and training call centre and client facing staff on how to respond to inquiries on the topic.

For more information on how the Heartbleed software flaw works see this infographic courtesy of BAE Systems Applied Intelligence.
