Is any bank system affected by heartbleed?

Javan

Yesterday we learned of a critical defect in an implementation of SSL. 
SSL is essential is providing secure communication of data to websites and also to services like mobile banking.

Has Bank of Ireland done any assessment of our vulnerability as customers to this flaw that may be on bank systems now?
If the bank has any servers that use an affected version of OpenSSL then private keys could already be in the hands of attackers and these private keys could be used to read all traffic to and from the bank from now until the flaw is fixed and the bank changes the keys.

Tow

What... They cant even fix a basic invalid certificate on their main IE site and you expect them to do something about an obscure vulnerability : https://www.boi.ie

Javan

Certainly the response so far is underwhelming.

At this point the prudent thing to do is assume that attackers (anyone from script kiddies to the mafia) already have private keys to any system that uses OpenSSL; that traffic to those systems is being decrypted in real time; and that anyone who has logged in to online or mobile banking (where OpenSSL was deployed) has already had their account details compromised.

Start with those assumptions, then audit systems to disprove the assumptions.

In the meantime inform customers of the risks.

Tow

There is no such thing as a secure IT system, and that has been my starting point for many years.

Javan

Fair enough.

Unfortunately today we have a real and specific threat that is being active exploited using code readily available to script kiddies.
Banks are an obvious and easy target and until the bank takes effective action to mitigate the risk using online or mobile banking is an exceptionally high-risk activity.

Bank of Ireland: Billy

Hi Folks, 

Thanks for your posts. 

We're aware of the conversations about this matter. We're not technical experts here however we've passed your queries on to our technical departments and will let you know when we hear back. 

Thanks

Billy

Bank of Ireland: Billy

[font=Arial, sans-serif]Hi Folks, [/font]
[font=Arial, sans-serif] [/font]
[font=Arial, sans-serif]We've received the following update from our technical teams:[/font]
[font=Arial, sans-serif] [/font]
[font=Arial, sans-serif]We can confirm that this vulnerability does not exist on the Bank’s core systems and we will continue to be vigilant in this regard. The security of our systems are maintained to the highest standards.[/font]
[font=Arial, sans-serif] [/font]
[font=Arial, sans-serif]Thanks[/font]
[font=Arial, sans-serif] [/font]

[font=Arial, sans-serif]Billy[/font]

Javan

Bank of Ireland: Billy wrote: »

[font=Arial, sans-serif]Hi Folks, [/font]
[font=Arial, sans-serif] [/font]
[font=Arial, sans-serif]We've received the following update from our technical teams:[/font]
[font=Arial, sans-serif] [/font]
[font=Arial, sans-serif]We can confirm that this vulnerability does not exist on the Bank’s core systems and we will continue to be vigilant in this regard. The security of our systems are maintained to the highest standards.[/font]
[font=Arial, sans-serif] [/font]
[font=Arial, sans-serif]Thanks[/font]
[font=Arial, sans-serif] [/font]

[font=Arial, sans-serif]Billy[/font]

Thanks Billy.

Hopefully 'core systems' here is some sort of marketechture phrase, since this problem exists specifically at the edge (the interface between bank systems and the customers) not at the core.

Impetus

You can test any server for this vulnerability by entering the https:// url address in the box on this site

https://www.ssllabs.com/ssltest/

It does not affect Microsoft servers.

SniperPaddy

Highest standards? Experts?
DON'T MAKE ME LAUGH !! :eek:



"We can confirm that this vulnerability does not exist on the Bank’s core systems and we will continue to be vigilant in this regard. The security of our systems are maintained to the highest standards."

• For a start, BOI don't implement the SSL extension "Forward Secrecy" in your 365 domain so that's your "highest standards" down the drain. :eek:
• A direct statement that (1) you have no vulnerable systems anywhere OR (2) that you have patched all vulnerable systems, would be a "highest standards" response. :rolleyes:
• The disingenuous answer about "core systems" doesn't exactly help your credibility since 365 is an "edge" interface and you avoided the question.
• I'd like to deal directly with one of your "qualified experts" since most of those I dealt with are clock punching script kiddies.
  

[*]


The least I should expect is transparency. If I do not hear a comprehensive and clear announcement by the end of the week, I am shutting our BOI accounts and would recommend anyone else to, at the very least, keep a close eye on their credit card statements.

Impetus

Unfortunately Ireland has an incompetent banking system which is run and regulated by morons – viz the Irish banking crisis and bailout etc.


The least one should expect is effective dual mode multi-factor authentication (ie a login factor that changes every time you log in), and once you have logged in, a digital signature on  every payment – again which varies each time it is performed, linked perhaps to the last n digits of the IBAN receiving the money.   Making replay attacks from anyone able to crack the encryption or who has installed malware on the client PC impossible.


And yes, perfect forward secrecy please, to prevent long term keys from being compromised into the future.

northwestramble

Just did a quick check of how well BOI websites are rated from a security point of view. I understand that this is a very crude test, but it does show a few interesting things. All tests were done on this website. https://www.ssllabs.com/ssltest/

356online.com gets a B rating
bankofireland.com B rating
bankofirelandlife.ie gets a B rating. 
bankofireland.ie Certificate name mismatch
365online.ie Assessment failed: No secure protocols supported 


In fairness, the last two, do a redirect to the .com addresses, but still looks a little unprofessional not to have the Irish domains correctly set up.  

The comment that no core systems were affected by heartbleed, would tend to suggest that some systems were affected (but may not be the case)

I think it would have being more reassuring if the statement had said something like
"Having carried out an investigation into all of our online services we offer to our customers, we can report and reassure you our customers, that no online services provided by BOI, that you may be using, were affected in any way by heartbleed"
We work hard to constantly protect and secure our online services and endeavor to provide the highest level of security for our customers"

Am sure there is a way to make it sound even better and still contain the key points . I am more a techie so market speak not the best   

I think any good statement should answer and reassure especially when security is at risk, instead we are left to guess  what might be a core system, is it core to me as a customer and my security, or core system to the bank, such as key servers that run all of the operations, or simply a spreadsheet that stores a lot of key information into how the bank runs  

Javan

I've also run a very crude test of my own. From that it appears that the servers supporting 365 online and mobile banking are running IIS. IIS is not susceptible to this bug.
This test was limited to a couple of minutes looking at the headers returned by the server, so it is not fully reliable. It is possible there is a transparent proxy inserted for load balancing purposes that runs a different server and is responsible for the SSL termination. It is also possible there are other systems that might be running affected server software. I made no attempt to look at BOI-BOL, or interfaces for credit card processing, direct debit processing, ATMs, SWIFT, other inter-bank interfaces, etc.

It would be nice to get a stronger statement from the bank that they have audited all these systems to ensure there is no detail of the infrastructure running the affected software.

There is now definitive evidence that it is possible to get the private keys for a site using this exploit. A challenge website was created and within a day three people had obtained the private key using only heartbleed.
http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
There is also some limited evidence that the bug was being exploited last November.
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

Put those two facts together and you should consider that any system that was vulnerable at any time should be considered insecure until the software patch is applied AND all relevant certificates are revoked AND new certificates are issued from a NEW private key.