APRIL 25, 2014
Your regular source of security updates from TrendLabs
In This Issue

Security Spotlight
Heartbroken by Heartbleed

Security for Home Users
Spring Cleaning on Social Media

Security for Business
Why You Need Application Control



Security Spotlight

Heartbroken by Heartbleed

“What really makes the Heartbleed bug dangerous is that exploitation is untraceable. This means vulnerable sites could already have been mined for information long before the bug was discovered.”



The OpenSSL Heartbleed bug made waves when it was unveiled to the public early this month, taking both the Internet public and the online security industry by storm. Find out just what it does and how it can affect you.

An Exploit Can Make Hearts Bleed

What exactly is the OpenSSL Heartbleed bug? It’s a vulnerability in the Heartbeat extension of OpenSSL, an open-source toolkit that helps webmasters and developers make transactions like online shopping payments safer and more secure. The Heartbeat extension makes sure that Secure Sockets Layer (SSL) connections between a user and a site’s server remain active for as long as required, saving time and resources.

The vulnerability exists in all OpenSSL implementations that use the Heartbeat extension. Exploitation on a vulnerable server allows a cybercriminal to ask the server to hand over up to 64KB of the data held in its memory. This can be anything from garbage data to important information like credit card credentials in the case of online shopping sites’ servers. Even worse, the bug can be exploited again and again, effectively turning a vulnerable server into a data mine.

But what really makes the Heartbleed bug dangerous is that exploitation is untraceable. This means vulnerable sites could already have been mined for information long before the bug was discovered.
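The paragraphs above describe the bug in outline: the server trusts the length that the client claims for the heartbeat payload and copies that many bytes back, so a small request can pull adjacent memory contents into the reply. The following is an added example, written for this page and not code from OpenSSL or from Trend Micro, that models the defect and its fix in miniature. It keeps a heartbeat record inside a constructed array standing in for server memory, places a constructed, clearly fake session secret right after the record, and runs the same message through a handler that skips the length check and one that performs the check OpenSSL added (the claimed payload plus header and padding must fit inside the record actually received). All names, buffer sizes and the secret string are assumptions for the demonstration.

```c
/* Miniature model of the TLS Heartbeat handling defect (Heartbleed) and its fix.
 * Added example; not OpenSSL's code. Everything here is simulated in one array. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                 /* Heartbeat messages carry 16 bytes of padding */
#define MEM_SIZE    256                /* size of the simulated server memory (assumption) */

/* Constructed stand-in for server process memory: the received heartbeat record
 * sits at offset 0; unrelated data that merely happens to be adjacent follows it. */
static unsigned char process_memory[MEM_SIZE];
static const char SECRET_MARKER[] = "SESSION-KEY";   /* constructed, not a real secret */

/* Lay out a heartbeat request: type(1) | payload length(2) | payload | padding(16).
 * claimed_len is what the client SAYS the payload length is; the payload actually
 * sent is the 2-byte string "hi". Returns the number of bytes really received. */
static size_t build_request(uint16_t claimed_len) {
    const char payload[] = "hi";
    const size_t actual_payload = sizeof payload - 1;
    const char secret[] = "SESSION-KEY-0xDEADBEEF";   /* constructed value */
    unsigned char *p = process_memory;

    memset(process_memory, 0, sizeof process_memory);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, payload, actual_payload);
    memset(p + 3 + actual_payload, 0, HB_PADDING);
    size_t record_len = 1 + 2 + actual_payload + HB_PADDING;
    /* The "secret" lives just past the end of the record in simulated memory. */
    memcpy(p + record_len, secret, sizeof secret);
    return record_len;
}

/* Pre-fix behaviour: the claimed length is used as-is; rec_len is never consulted.
 * The only guard is that the reply fits its buffer, which mirrors the original
 * code (the response buffer was sized from the claimed length, so the defect was
 * an over-READ of adjacent memory, not a write overflow). */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                                      /* <-- the bug: ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > out_cap) return -1;   /* keeps the model in bounds */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);              /* reads past the real payload */
    return 3 + (int)payload_len;
}

/* Post-fix behaviour: the claimed payload must fit inside what was received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* too short to be a heartbeat */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1;  /* discard */
    if ((size_t)3 + payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + (int)payload_len;
}

/* Does the reply contain the constructed secret marker? 1 = yes, 0 = no. */
static int response_leaks_secret(const unsigned char *out, int out_len) {
    size_t m = sizeof SECRET_MARKER - 1;
    if (out_len < 0 || (size_t)out_len < m) return 0;
    for (size_t i = 0; i + m <= (size_t)out_len; i++)
        if (memcmp(out + i, SECRET_MARKER, m) == 0) return 1;
    return 0;
}

/* Run one request through the chosen handler; returns the reply length or -1. */
static int demo_response_len(uint16_t claimed_len, int use_fix) {
    unsigned char reply[MEM_SIZE];
    size_t rec_len = build_request(claimed_len);
    return use_fix ? heartbeat_fixed(process_memory, rec_len, reply, sizeof reply)
                   : heartbeat_vulnerable(process_memory, rec_len, reply, sizeof reply);
}

/* Same run, but report whether the reply carried the adjacent secret. */
static int demo_leaks(uint16_t claimed_len, int use_fix) {
    unsigned char reply[MEM_SIZE];
    size_t rec_len = build_request(claimed_len);
    int n = use_fix ? heartbeat_fixed(process_memory, rec_len, reply, sizeof reply)
                    : heartbeat_vulnerable(process_memory, rec_len, reply, sizeof reply);
    return response_leaks_secret(reply, n);
}

int main(void) {
    printf("honest request (claims 2):  vulnerable leak=%d  fixed leak=%d\n",
           demo_leaks(2, 0), demo_leaks(2, 1));
    printf("oversized claim (claims 40): vulnerable leak=%d  fixed leak=%d (reply len %d)\n",
           demo_leaks(40, 0), demo_leaks(40, 1), demo_response_len(40, 1));
    return 0;
}
```

The honest request behaves identically under both handlers, which is why the check costs nothing for legitimate traffic. The oversized claim is the whole story: the unchecked handler copies whatever follows the two real payload bytes, and the checked handler discards the message because 1 + 2 + 40 + 16 is larger than the 21 bytes actually received. Auditing for this class of defect means looking for any length field taken from the peer that is used to size a copy without being compared against the bytes actually on hand.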

Can Your Heart Bleed?

All sites, apps, and servers that use the beta releases of versions 1.0.1 and 1.0.2 of OpenSSL with the Heartbeat extension are vulnerable to the Heartbleed bug.

GitHub recently tested sites to see which were vulnerable to the bug and its findings were quite disturbing. Testing Alexa’s top 10,000 sites revealed that more than 600 were vulnerable, including Yahoo!, Flickr, OkCupid, Rolling Stone, and Ars Technica.

Mobile apps that access HTTP servers when loaded, especially when conducting in-app transactions, were vulnerable, too. Further investigation revealed that the Web services accessed by some of the apps available in Google Play were vulnerable. These apps include instant-messaging (IM), health care, keyboard-input, gaming, and mobile payment apps. To date, around 6,000 apps have been found vulnerable.

The Trend Micro Heartbleed Detector app on Google Play may be downloaded free of charge so you can check if:

  • Your mobile device is vulnerable
  • Your installed apps are vulnerable
  • Your installed apps access vulnerable servers

Should any of your apps prove vulnerable, Heartbleed Detector will ask you to uninstall them.

We also released the Trend Micro Heartbleed Detector app for Chrome™ users. It allows you to check if specific sites are vulnerable. It may be downloaded and installed from the Chrome Web Store for free.

You can also go to the Trend Micro Heartbleed Detector site to check if a site you wish to visit is vulnerable. Simply key in the URL in the input box then hit the Check Now button.

We will continue to monitor and report developments on the Heartbleed bug as they unfold. The Heartbleed bug may have broken many hearts but it won’t break our resolve to make the Internet a safe place for everyone.

Copyright ©2014 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com