Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization’s virtual private network (VPN), security researchers said.
When the critical flaw in the OpenSSL cryptographic library came to light 11 days ago, it was best known as a dangerous hole that allowed attackers to siphon out user names, passwords, and even private encryption keys processed by vulnerable Web servers. More recently, researchers confirmed that Heartbleed could be exploited to steal the private keys underpinning the widely used OpenVPN application and likely software for other VPNs that rely on a vulnerable version of OpenSSL.
On Friday, researchers with network security firm Mandiant said Heartbleed had been used to subvert a customer’s VPN concentrator, an appliance that typically provides a secure way for people to access a network from outside the organization. The devices frequently require multiple forms of authentication before granting access to an end user. Passwords, previously set authentication cookies, and other types of security tokens are frequently used. That’s where Heartbleed came in handy for the hackers, who went to work exploiting the bug less than a day after it became public knowledge. A separate researcher theorized such an attack was possible the same day.
Active user sessions hijacked
Instead of probing the client’s VPN for passwords or encryption keys, the attackers looked for session tokens set by the targeted concentrator, which relied on a vulnerable version of OpenSSL. In a blog post, Mandiant researchers Christopher Glyer and Chris DiGiamo explain further:
Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions. Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users. With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
The exploit method was identified and confirmed by analyzing two sources of information, IDS signatures and VPN logs. The victim organization implemented a set of signatures to identify Heartbleed network activity. The IDS signature “SERVER-OTHER TLSv1.1 large heartbeat response – possible ssl heartbleed attempt”, depicted in figure 1, alerted over 17,000 times during the intrusion. The source of the heartbeat response was the organization’s internal SSL VPN device.
Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN application with a vulnerable version of OpenSSL, adding yet more urgency to the call for operators to fully protect their systems against the catastrophic Heartbleed bug.
Developers who maintain the open source OpenVPN package previously warned that private keys underpinning VPN sessions were vulnerable to Heartbleed. But until Wednesday, there was no public confirmation such a devastating theft was feasible in real-world settings, said Fredrik Strömberg, the operator of a Sweden-based VPN service who carried out the attacks on a test server. An attacker carrying out a malicious attack could use the same exploit to impersonate a target’s VPN server and, in some cases, decrypt traffic passing between an end user and the real VPN server.
Wednesday’s confirmation means any OpenVPN server—and likely servers using any other VPN application that may rely on OpenSSL—should follow the multistep path for recovering from Heartbleed, which is among the most serious bugs ever to hit the Internet. The first step is to update the OpenSSL library to the latest version. That step is crucial but by no means sufficient. Because Heartbleed may have leaked the private key that undergirds all VPN sessions, updated users may still be susceptible to attacks by anyone who may have exploited the vulnerability and made off with the key. To fully recover from Heartbleed, administrators should also revoke their old key certificates, ensure all end user applications are updated with a current certificate revocation list, and reissue new keys.
Strömberg reported on Hacker News, and reiterated to Ars, that exploits stealing keys from vulnerable OpenVPN servers aren’t as easy to develop as attacks against Web servers. That’s because OpenVPN traffic wraps encrypted HTTPS traffic inside of an OpenVPN-specific container. His exploit first had to isolate the transport layer security data contained in the OpenVPN packets. With that done, attackers could borrow liberally from one of the many exploit packages that have become publicly available in the nine days since the Heartbleed vulnerability was disclosed.
To fully recreate a private key, Strömberg had to use the exploit code to query the vulnerable server over and over and collect an extremely large amount of leaked memory data that he declined to specify, except to say it was more than one gigabyte and less than 10 gigabytes. He was then able to comb through the data and reconstruct the key. In his Hacker News post, Strömberg, who is co-founder of a consumer VPN service called Mullvad, added:
Our exploit is decently weaponized, and while the code is an abomination that even Eris would be embarrassed to present, we believe it may severely impact those who have not already upgraded. Therefore, we will not be publishing the code. Nevertheless, you should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN. Just to be clear, we don’t intend to use this exploit ourselves. We merely developed it to examine the practical impact on OpenVPN as part of our incident investigation.
The test server was running Ubuntu 12.04 that was virtualized using the KVM application, OpenVPN 2.2.1, and OpenSSL 1.0.1-4ubuntu5.11. He said he suspects just about any version of OpenVPN that relies on a vulnerable version of OpenSSL is similarly susceptible.
One bright spot for some smaller organizations using OpenVPN is that the exploit won’t work against systems that have TLS authentication enabled as long as all the end users connecting are trusted. That’s because TLS authentication uses a separate private key to encrypt and authenticate the TLS traffic. He said the authentication is less of a protection on services with large numbers of users since each one has access to the private key used in the separate authentication step. Strömberg also reiterated assurances provided last week by OpenVPN officials that the risk to users of the OpenVPN Connect Clients is minimal.
Researchers at Sucuri reported Friday that just 2 percent of the top 1 million websites on the Internet remain vulnerable and all of the top 1,000 sites have been patched against the OpenSSL vulnerability.
But also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker “leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment,” culminating in the hijacking of “multiple active user sessions.”
So in short, the good news is that the vast majority of websites, and all of the most heavily trafficked sites on the Web, have fixed this vulnerability, a bug in the OpenSSL code responsible for sending “Heartbeat” messages between servers and clients, including PCs and mobile devices.
The not-so-good news is that there may have been more folks out there using the Heartbleed exploit to steal private data and take over user sessions than we previously thought. There’s been one notable arrest of a Heartbleed attacker to date, a Canadian teen alleged to have exploited the bug to pilfer taxpayer data from the Canada Revenue Agency.
Since we haven’t heard much about any other specific attacks using Heartbleed, and given the fairly rapid movement by prominent websites to fix the problem as documented by Sucuri, there’s a feeling we all may have dodged a bullet here.
Not so fast, say Mandiant researchers Christopher Glyer and Chris DiGiamo. Their research has led them to believe that too much Heartbleed discussion on the Internet “has focused on an attacker using the vulnerability to steal private keys from a Web server, and less on the potential for session hijacking” like the attack Mandiant tracked.
The researchers offered evidence for their belief that the attacker they tracked had “stolen legitimate user session tokens”:
- A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
- The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.
- The timestamps associated with the IP address changes were often within one to two seconds of each other.
- The legitimate IP addresses accessing the VPN were geographically distant from the malicious IP address and belonged to different service providers.
- The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
The Mandiant researchers recommended that all organizations running remote access software and appliances determined to be vulnerable to the Heartbleed exploit both upgrade with available patches immediately and review their VPN logs to see if an attack had occurred in the past.
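As an added example (not code from Mandiant or any of the sources above), the following Python script applies the indicators listed above to constructed VPN and IDS log lines: it flags sessions whose source IP “flip flops” within seconds and correlates the flipping IP with Heartbleed IDS alerts. The log line formats, thresholds, and sample addresses are assumptions.

```python
"""Hunt for Heartbleed-style VPN session hijacking by correlating VPN logs with IDS alerts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEARTBLEED_SIG = "possible ssl heartbleed attempt"   # substring of the IDS signature name
FLIP_WINDOW = timedelta(seconds=5)                   # IP changes this close together are "flip flopping"
MIN_FLIPS = 2                                        # at least A -> B and back to A
CORRELATION_WINDOW = timedelta(hours=1)              # IDS alerts this close to a flip count as related

# Constructed sample logs (not from the Mandiant report); the line formats are assumptions.
# VPN log: "<timestamp> user=<name> session=<id> src=<ip>", one line per connection event.
VPN_LOG = """\
2014-04-08T09:00:00 user=alice session=s1 src=203.0.113.10
2014-04-08T09:05:12 user=alice session=s1 src=198.51.100.7
2014-04-08T09:05:13 user=alice session=s1 src=203.0.113.10
2014-04-08T09:05:15 user=alice session=s1 src=198.51.100.7
2014-04-08T09:05:16 user=alice session=s1 src=203.0.113.10
2014-04-08T09:30:00 user=bob session=s2 src=192.0.2.44
2014-04-08T11:00:00 user=bob session=s2 src=192.0.2.45
"""
# IDS log: "<timestamp> src=<remote ip> sig=<signature name>"; bob's single change is a normal roam.
IDS_LOG = """\
2014-04-08T09:04:50 src=198.51.100.7 sig=SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
2014-04-08T09:04:51 src=198.51.100.7 sig=SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
2014-04-08T10:59:00 src=192.0.2.45 sig=SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt
"""

VPN_RE = re.compile(r"(\S+) user=(\S+) session=(\S+) src=(\S+)$")
IDS_RE = re.compile(r"(\S+) src=(\S+) sig=(.+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def heartbleed_alerts(ids_log):
    """Map remote IP -> timestamps of Heartbleed IDS alerts it triggered."""
    alerts = defaultdict(list)
    for line in ids_log.splitlines():
        m = IDS_RE.match(line)
        if m and HEARTBLEED_SIG in m.group(3).lower():
            alerts[m.group(2)].append(parse_ts(m.group(1)))
    return alerts


def session_flips(vpn_log):
    """Map (user, session) -> list of (time, old_ip, new_ip, gap) for every source-IP change."""
    last, flips = {}, defaultdict(list)
    for line in vpn_log.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts, user, sess, ip = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        key = (user, sess)
        if key in last and last[key][1] != ip:
            prev_ts, prev_ip = last[key]
            flips[key].append((ts, prev_ip, ip, ts - prev_ts))
        last[key] = (ts, ip)
    return flips


def find_hijacked_sessions(vpn_log, ids_log):
    """Sessions that flip-flop rapidly between IPs, one of which also triggered Heartbleed alerts."""
    alerts = heartbleed_alerts(ids_log)
    findings = []
    for (user, sess), changes in session_flips(vpn_log).items():
        rapid = [c for c in changes if c[3] <= FLIP_WINDOW]
        if len(rapid) < MIN_FLIPS:
            continue                      # a single roam or slow change is not flip flopping
        ips = {c[1] for c in rapid} | {c[2] for c in rapid}
        for ip in sorted(ips & set(alerts)):
            related = [t for t in alerts[ip]
                       if any(abs(t - c[0]) <= CORRELATION_WINDOW for c in rapid)]
            if related:
                findings.append({"user": user, "session": sess, "suspect_ip": ip,
                                 "rapid_flips": len(rapid),
                                 "min_gap_s": min(c[3].total_seconds() for c in rapid),
                                 "ids_alerts": len(related)})
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_sessions(VPN_LOG, IDS_LOG):
        print(finding)
```

Only alice’s session is reported: her IP alternates within seconds with an address that triggered the Heartbleed signature minutes earlier, while bob’s single address change is left alone.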
The Heartbleed saga has just begun, and the problems may not yet be over even if most of the big sites have already gone through the necessary steps to patch up the security bug.
Despite this, there’s more bad news on the horizon: the mass effort to protect users from data breaches may lead to slow web performance.
According to Johannes Ullrich from the SANS Internet Storm Center, web browsers may be overloaded by the moves performed by sites and the changes in security certificates. This can lead to error messages, which can ultimately impact web performance, AFP reports.
The security certificates in question are reissued to website operators after the patch is installed, and they demonstrate to web browsers that the site can be trusted. In turn, browsers must update their lists of which certificates can and cannot be trusted, and certificates on the revoked list are rejected.
It’s not unusual for browsers to update dozens of keys each day, but due to Heartbleed, the number has skyrocketed into the tens of thousands.
This leads to a significant slowdown of the browsing process, which you may have noticed already with sites that take a long time to load or don’t load at all, giving an error.
This could, indeed, get frustrating, but you shouldn’t make the mistake of disabling these browser lists, because an attacker could take advantage of that, putting everyone in a difficult situation.
Last week, Google, along with security firm Cloudflare, revealed Heartbleed, the biggest security bug in recent years. Heartbleed affects OpenSSL by creating a way for hackers to snatch packets of data from servers. This creates the possibility of hackers stealing passwords, personal data and encryption keys which are normally used to protect entire sites and servers.
The bug is extremely widespread, affecting a range of OpenSSL versions released over the past two years. These versions were used by about two thirds of the world’s secure websites, including by those owned by companies such as Google, Yahoo and Facebook.
Furthermore, government sites were also affected, including some belonging to the Canadian authorities. In fact, last Friday, some 900 social insurance numbers were stolen in a breach that used the Heartbleed bug.
Mobile apps aren’t safe either, so users should be careful about the ones they install on their phones so that their details don’t get hacked.
Perhaps the worst part about Heartbleed is that attacks exploiting it don’t leave any traces behind, making it impossible to know how many attacks have taken place or how much data was stolen.
Revoking all the SSL certificates leaked by the Heartbleed bug will cost millions of dollars, according to Cloudflare, which provides services to website hosts.
SSL, the technology used to secure much of the internet, relies on private keys that must be kept hidden, but the Heartbleed flaw allows an attacker to steal them by pummelling a server with carefully crafted requests.
Cloudflare initially speculated that such an attack was impossible on the type of web server they use, but after opening it up to the public to test, the firm was soon proved wrong. As a result, it has decided to revoke and reissue all SSL certificates for its customers – well over 100,000 of them.
The company also responded to queries as to why it had not done so earlier, as a preventative measure. “The answer,” cofounder Matthew Prince writes, “is that the revocation process for SSL certificates is far from perfect and imposes a significant cost on the internet’s infrastructure.”
In revoking their customers’ SSL certificates, CloudFlare caused the size of the file which contains a list of all revoked certificates to grow by more than 200 times, from 22KB to 4.7MB, still held by CloudFlare’s certificate authority Globalsign, which issues the certificates. That list has to be served to every single internet user, to ensure that their browsers know to reject stolen certificates.
As a result, Prince writes, “if you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign’s monthly bandwidth bill … The total cost to Globalsign if they were using [Amazon’s] infrastructure, would be at least $952,992.40/month”
Cloudflare had an extra reason to hesitate, because the firm was one of the few given forewarning about Heartbleed. The company was told about the flaw a week before researchers from Codenomicon disclosed it publicly – even before it was given a name, which is why CloudFlare’s initial release on the matter just refers to “a new vulnerability … in OpenSSL”. Since no patch was available, it fixed it by simply turning off the affected functionality altogether.
But even with that early warning, the company still had to act. The Heartbleed flaw has been in OpenSSL for two years, and with no way of telling whether it had been hit, the safest option was to replace all the certificates.
The Heartbleed vulnerability is so widespread that the Australian Privacy Commissioner Timothy Pilgrim has admitted that there’s no way for his office to investigate organizations vulnerable to the bug, unless there are allegations that private information has been stolen.
Hundreds of thousands of sites, if not more, have been forced to patch up their systems following last week’s revelations. Not only did they have to update, but they had to reissue SSL certificates in order to make sure that sensitive data couldn’t be extracted from the servers, something that has messed up browser speeds.
Some of the companies and organizations that had to go through this are Australian, and delaying the patching process only puts them at risk, since customer information can be stolen. One example is Canada, which lost 900 social insurance numbers in a recent hack because it did not move fast enough to fix the Heartbleed bug.
During an event that took place in Sydney, Tim Pilgrim admitted that due to the extent of the vulnerability, his office had no intention of starting to investigate random sites.
“The Heartbleed issue is obviously an extraordinarily complex one for all of us to be dealing with,” he said. “At this point in time we won’t be going out and undertaking an assessment or an investigation at the moment randomly of any particular organisation because of the sheer volume of organisations that have been impacted by this particular issue,” Pilgrim explained.
It will, however, look into the issue if something comes up, or if there’s an allegation that data has been lost from either an organization or a government agency. In that case, the Information Commissioner would look into what steps were taken by the affected entities to patch Heartbleed.
Heartbleed was revealed last week as OpenSSL issued a patch that fixed the vulnerability. The bug had been affecting several OpenSSL versions that had been around for a couple of years.
Since the error went unnoticed for so long, any amount of data could have been stolen, especially since attacks taking advantage of this vulnerability leave no traces on the affected servers.
These two combined provide a frightening situation in which no one has any idea if the vulnerability was exploited and if so, how much information has been stolen in the past two years.
Secure networking service Tor isn’t faring very well after the Heartbleed encryption disaster. The service may, in fact, be forced to shut down an eighth of its capacity.
Tor helps people browse the Internet without leaving any traces and without having to worry about security. It runs on a network of donated servers that bounce encrypted data between them before returning them back to the open web.
This makes it impossible for anyone to track down which traffic is coming from which computers, and that’s how the anonymity element that Tor promises is delivered.
Unfortunately, however, some of those particular servers that people have donated are running OpenSSL versions affected by Heartbleed, which makes them vulnerable to attacks. This means that hackers could exploit said servers and find information that Tor promised would be impossible to find.
One of the initial developers of Tor, Roger Dingledine, has suggested that perhaps it’s a good idea to kick off the network nodes running the faulty OpenSSL versions.
“I also thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they’ve upgraded their OpenSSL), but on the other hand, if they were still vulnerable as of yesterday, I really don’t want this identity key on the Tor network even after they’ve upgraded their OpenSSL. If the other directory authority operators follow suit, we’ll lose about 12% of the exit capacity and 12% of the guard capacity,” he said.
Heartbleed is an OpenSSL vulnerability that was exposed last week after affecting various versions of the software over the past two years. A patch has already been issued, as well as ways to fix the bug manually, but there are still sites and servers affected by it, which makes the Internet less safe.
Attackers could exploit the vulnerability quite easily, asking the server to reveal more information than it should, which undermines the encryption meant to protect the data. Basically, data passing through the server is not safe during an attack, even though it is supposedly protected by encryption.
The worst part is that exploiting Heartbleed leaves no traces behind, which means that there is no way to tell whether hackers or spy agencies knew about the vulnerability before or not, if there have been any attacks or what data could have been stolen.
For this reason, users have been advised to change their passwords even for services run by companies such as Google, Facebook or Yahoo.
People who have accounts on the enrollment website for President Barack Obama’s signature health care law are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed Internet security flaw.
Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page.
The Heartbleed programming flaw has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the problem and are also recommending that users change their website passwords.
Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that will be posted on the health care website starting Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”
The health care website became a prime target for critics of the Obamacare law last fall when the opening of the insurance enrollment period revealed widespread flaws in the online system. Critics have also raised concerns about potential security vulnerabilities on a site where users input large amounts of personal data.
The website troubles were largely fixed during the second month of enrollment and sign-ups ultimately surpassed initial expectations. Obama announced this week that about 8 million people had enrolled in the insurance plans.
The full extent of the damage caused by Heartbleed is unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. Although it’s conceivable that the flaw was never discovered by hackers, it’s difficult to tell.
The White House has said the federal government was not aware of the Heartbleed vulnerability until it was made public in a private sector cybersecurity report earlier this month. The federal government relies on the encryption technology that is impacted — OpenSSL — to protect the privacy of users of government websites and other online services.
The Homeland Security Department has been leading the review of the government’s potential vulnerabilities. The Internal Revenue Service, a widely used website with massive amounts of personal data on Americans, has already said it was not impacted by Heartbleed.
“We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems,” Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, wrote in a blog post on the agency’s website. “And we will continue to adapt our response if we learn about additional issues created by the vulnerability.”
Officials wouldn’t say how many government websites they expect to flag as part of the Heartbleed security review, but said it’s likely to be a limited number. The officials insisted on anonymity because they were not authorized to discuss the security review by name.
The entire Internet was set on fire. Millions upon millions of sites were affected and they’ve all been scrambling to patch up Heartbleed ever since.
While most of them have already managed to fix things, there are still sites out there that are not safe to use or that could be exploited by hackers.
There are ways, however, to find out whether you’re on such a dangerous website or whether everything is fine. Last week, Chromebleed was released – a Chrome extension that displays a pop-up each time you visit a website that could still be affected by the most dangerous vulnerability in a long time.
Now, there’s another way to make sure you’re navigating safe seas – the Netcraft toolbar.
The toolbar can be installed on a number of browsers – Chrome, Firefox and Opera. Normally, it gives information about websites to show you their attributes during your visits. The list includes the site’s hosting location, country, longevity and even popularity.
What steps should you take?
Heartbleed needs to be taken VERY seriously, and as a result the steps to start solidifying your internet security again are going to be cumbersome.
“Due to the complex nature of this vulnerability, changing your passwords before sites update their version of OpenSSL won’t fully protect you.
Here are some simple steps you can take as a precaution:
- Change your passwords on any website that contains sensitive information about you. You should first confirm that the site does not contain the Heartbleed vulnerability by using this tool HERE.
- If you’ve reused passwords on multiple sites, it’s especially important to change them. To change your Norton Account password, visit manage.norton.com and click Account Information.
- Beware of phishing emails and type website addresses directly in your browser instead of clicking on a link through an email.
- Monitor your bank and credit card accounts for unusual activity.
We recommend you only exchange personal or sensitive information such as your credit card number if the site is not affected by Heartbleed.” – Norton Antivirus
Sources: http://news.softpedia.com/news/Tor-Could-Lose-Part-of-Its-Network-Because-of-Heartbleed-438478.shtml , http://news.softpedia.com/news/Heartbleed-Install-Netcraft-Browser-Toolbar-to-Detect-Dangerous-Sites-438284.shtml , http://news.softpedia.com/news/Australian-Privacy-Watchdog-Heartbleed-Is-Too-Big-to-Investigate-438221.shtml , http://news.softpedia.com/news/Heartbleed-May-Be-the-Cause-of-Your-Browser-s-Slow-Performance-438046.shtml , http://arstechnica.com/security/2014/04/heartbleed-exploited-to-hack-network-with-multifactor-authentication/ , http://www.theguardian.com/technology/2014/apr/18/heartbleed-bug-will-cost-millions , http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/ , http://www.startribune.com/politics/national/255847961.html , http://www.pcmag.com/article2/0,2817,2456805,00.asp , http://helpinghandpc.wordpress.com/2014/04/18/more-on-heartbleed-and-the-steps-you-need-to-take/