News

'Heartbleed' Patches Could Make Things Worse

Stealing new security certificates could be hackers' end game.

The Heartbleed flaw should serve as a case study for developers and system administrators alike. Multiple mistakes were made, and could have been avoided. And the damage is spreading, as patches could actually make things worse in the short term.

According to Kurt Baumgartner, principal security researcher for Kaspersky's Global Research & Analysis team, IT's urgent attempts to patching their OpenSSL software, strengthening encryption software and reissuing new digital certificates could result in a lax focus on making sure their networks are secure and the fixes being issued are legitimate.

"This was all urgent, this is all unexpected, and what happens when people are in a situation where things are unexpected and urgent? Well, they break rules," said Baumgartner to PCWorld.

Baumgartner continued by saying the situation created by Heartbleed is the optimal chance to strike for those attackers specializing in advanced persistent threats. And their top method will be connected with the theft of the newly-issued security certificates. Once stolen, the certificates could be used to break into networks later down the road.

"I would expect to see the results of some of this theft in the next six months to a year," said Baumgartner.

Private OpenVPN Keys At Risk of Heartbleed Bug
A security expert at the Sweden-based OpenVPN service provider Mullvad said that his security team was able to extract private keys multiple times from an OpenVPN server by exploiting the Heartbleed bug.

In a post to the Hacker News message board on Wednesday, Fredrik Strömberg said his team is the first to provide concrete evidence that keys could be stolen from OpenVPN  networks -- networks based off  open source software that allows for secure point-to-point connections.

"As you may know, OpenVPN has an SSL/TLS mode where certificates are used for authentication," wrote Strömberg. "OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. The default TLS library for OpenVPN is OpenSSL. Since OpenVPN uses the OpenSSL library but merely passes through the TLS traffic to OpenSSL, this means that OpenVPN is exploitable using Heartbleed, in theory."

However, Strömberg pointed out that with the multiple successful tests,  the vulnerability is no longer just a theory and that while his team won't be releasing the exploit code used to show proof of concept, he said that everyone should assume that attackers have already come up with their own weaponized OpenVPN attacks and get their servers patched as soon as possible.  

First Heartbleed-Related Arrest Made
The Royal Canadian Mounted Police (RCMP) arrested 19-year-old Stephen Arthuro Solis-Reye in connection with stealing data of more than 900 taxpayers from the Canada Revenue Agency (CRA).

According to the Canadian law enforcement agency, the suspect allegedly took advantage of the Heartbleed bug to steal the data from the government Web site and is the first publicly disclosed incident of an individual being connected with exploiting the Heartbleed bug.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," said RCMP said Assistant Commissioner Gilles Michaud in a released statement.  "Investigators from National Division, along with our counterparts in 'O' Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.".

According to the CRA, public access to the Web site was pulled last Tuesday after the Heartbleed bug was widely disclosed on Monday evening. However, the suspect was allegedly able to steal six hours of data before the CRA pulled the plug.

Solis-Reyes was charged on Tuesday of Mischief in Relation to Data and Unauthorized Use of a Computer after authorities arrested him and seized computers from his Ontario home.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube