'Heartbleed' Patches Could Make Things Worse

Stealing new security certificates could be hackers' end game.

The Heartbleed flaw should serve as a case study for developers and system administrators alike. Multiple mistakes were made, and could have been avoided. And the damage is spreading, as patches could actually make things worse in the short term.

According to Kurt Baumgartner, principal security researcher for Kaspersky's Global Research & Analysis team, IT's urgent attempts to patch OpenSSL software, strengthen encryption software and reissue digital certificates could result in a lax focus on making sure their networks are secure and that the fixes being issued are legitimate.

"This was all urgent, this is all unexpected, and what happens when people are in a situation where things are unexpected and urgent? Well, they break rules," said Baumgartner to PCWorld.

Baumgartner continued by saying the situation created by Heartbleed is the optimal chance to strike for those attackers specializing in advanced persistent threats. And their top method will be connected with the theft of the newly-issued security certificates. Once stolen, the certificates could be used to break into networks later down the road.

"I would expect to see the results of some of this theft in the next six months to a year," said Baumgartner.

Private OpenVPN Keys At Risk of Heartbleed Bug
A security expert at the Sweden-based OpenVPN service provider Mullvad said that his security team was able to extract private keys multiple times from an OpenVPN server by exploiting the Heartbleed bug.

In a post to the Hacker News message board on Wednesday, Fredrik Strömberg said his team is the first to provide concrete evidence that keys could be stolen from OpenVPN networks -- networks based on open source software that allows for secure point-to-point connections.

"As you may know, OpenVPN has an SSL/TLS mode where certificates are used for authentication," wrote Strömberg. "OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. The default TLS library for OpenVPN is OpenSSL. Since OpenVPN uses the OpenSSL library but merely passes through the TLS traffic to OpenSSL, this means that OpenVPN is exploitable using Heartbleed, in theory."

However, Strömberg pointed out that, with multiple successful tests, the vulnerability is no longer just a theory. While his team won't be releasing the exploit code used to show proof of concept, he said that everyone should assume that attackers have already come up with their own weaponized OpenVPN attacks and should get their servers patched as soon as possible.

First Heartbleed-Related Arrest Made
The Royal Canadian Mounted Police (RCMP) arrested 19-year-old Stephen Arthuro Solis-Reyes in connection with stealing the data of more than 900 taxpayers from the Canada Revenue Agency (CRA).

According to the Canadian law enforcement agency, the suspect allegedly took advantage of the Heartbleed bug to steal the data from the government Web site. It is the first publicly disclosed incident of an individual being connected with exploiting the Heartbleed bug.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," said RCMP Assistant Commissioner Gilles Michaud in a released statement. "Investigators from National Division, along with our counterparts in 'O' Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."

According to the CRA, public access to the Web site was pulled last Tuesday after the Heartbleed bug was widely disclosed on Monday evening. However, the suspect was allegedly able to steal six hours of data before the CRA pulled the plug.

Solis-Reyes was charged on Tuesday with Mischief in Relation to Data and Unauthorized Use of a Computer after authorities arrested him and seized computers from his Ontario home.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
