'Heartbleed' Patches Could Make Things Worse

Stealing new security certificates could be hackers' end game.

The Heartbleed flaw should serve as a case study for developers and system administrators alike. Multiple mistakes were made that could have been avoided. And the damage is spreading, as patches could actually make things worse in the short term.

According to Kurt Baumgartner, principal security researcher for Kaspersky's Global Research & Analysis team, IT's urgent attempts to patch OpenSSL software, strengthen encryption software and reissue digital certificates could result in a lax focus on making sure networks are secure and that the fixes being issued are legitimate.

"This was all urgent, this is all unexpected, and what happens when people are in a situation where things are unexpected and urgent? Well, they break rules," Baumgartner told PCWorld.

Baumgartner continued by saying the situation created by Heartbleed is the optimal chance to strike for attackers specializing in advanced persistent threats, and that their top method will involve the theft of the newly issued security certificates. Once stolen, the certificates could be used to break into networks later down the road.

"I would expect to see the results of some of this theft in the next six months to a year," said Baumgartner.

Private OpenVPN Keys At Risk of Heartbleed Bug
A security expert at the Sweden-based OpenVPN service provider Mullvad said that his security team was able to extract private keys multiple times from an OpenVPN server by exploiting the Heartbleed bug.

In a post to the Hacker News message board on Wednesday, Fredrik Strömberg said his team is the first to provide concrete evidence that keys could be stolen from OpenVPN networks -- networks based on open source software that allows for secure point-to-point connections.

"As you may know, OpenVPN has an SSL/TLS mode where certificates are used for authentication," wrote Strömberg. "OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. The default TLS library for OpenVPN is OpenSSL. Since OpenVPN uses the OpenSSL library but merely passes through the TLS traffic to OpenSSL, this means that OpenVPN is exploitable using Heartbleed, in theory."

However, Strömberg pointed out that, with multiple successful tests, the vulnerability is no longer just a theory. While his team won't be releasing the exploit code used as proof of concept, he said that everyone should assume attackers have already come up with their own weaponized OpenVPN attacks, and should get their servers patched as soon as possible.

First Heartbleed-Related Arrest Made
The Royal Canadian Mounted Police (RCMP) arrested 19-year-old Stephen Arthuro Solis-Reyes in connection with stealing data of more than 900 taxpayers from the Canada Revenue Agency (CRA).

According to the Canadian law enforcement agency, the suspect allegedly took advantage of the Heartbleed bug to steal the data from the government Web site. This is the first publicly disclosed incident of an individual being connected with exploiting the Heartbleed bug.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," said RCMP Assistant Commissioner Gilles Michaud in a released statement. "Investigators from National Division, along with our counterparts in 'O' Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."

According to the CRA, public access to the Web site was pulled last Tuesday after the Heartbleed bug was widely disclosed on Monday evening. However, the suspect was allegedly able to steal six hours of data before the CRA pulled the plug.

Solis-Reyes was charged on Tuesday with Mischief in Relation to Data and Unauthorized Use of a Computer after authorities arrested him and seized computers from his Ontario home.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
