Heartbleed Links June 6, 2014

Hearbleed

New Heartbleed Attack Vectors Impact Enterprise Wireless, Android Devices - Eduard Kovacs - Security Week

Nearly two months after the Heartbleed bug was discovered, new attack vectors are being discovered. The vectors in this article involve wireless and Android smart phones. It's a very technical article and not for the uninitiated.

Beware Of Fake 'HeartBleed Bug Remover Tool,' Hijacks System with Malware - Wang Wei - The Hacker News

Repeat after me. "Heartbleed is a bug, not a virus, trojan or any other form of malicious software." A bug is code in a piece of software or application that when exploited gives an unexpected, unattended result. A virus, trojan and keylogger all fall under the malicious software (or malware) category. They are software or a program designed to perform malicious acts on your computer for nefarious gains. Now that we've established that, don't fall for any scams that say you need to remove Heartbleed from your computer, because Heartbleed is a bug, not a piece of malware. The Hearbleed bug is located in a critical piece of infrastructure on the internet called OpenSSL, and there is no removing it. The entities that use OpenSSL have to patch the bug for you to be safe. Again, Heartbleed is not something on your computer that can be removed.

The Human Side of Heartbleed - Bruce Schneier - Schneier on Security

This Schneier special dives into some of the nuances involved in reporting the Heartbleed bug. Which was discovered several days before the rest of us heard about it, by two separate researchers:

One of the biggest problems we face in the security community is how to communicate these sorts of vulnerabilities. The story is technical, and people often don't know how to react to the risk. In this case, the Codenomicon researchers did well. They created a public website explaining (in simple terms) the vulnerability and how to fix it, and they created a logo -- a red bleeding heart -- that every news outlet used for coverage of the story.

As bad as Heartbleed was, the InfoSec community handled it really well.