Security Advisor

Attackers Could Use Heartbleed Chaos To Steal Enterprise Data

Plus: OpenVPN keys are also at risk of theft due to bug; first Heartbleed-connected arrest made.

The frantic environment created by trying to patch the OpenSSL flaw known as Heartbleed could provide hackers with the ideal opportunity to leverage data-stealing attacks against a network.

According to Kurt Baumgartner, principal security researcher for Kaspersky's Global Research & Analysis team, IT's urgent attempts to patching their OpenSSL software, strengthening encryption software and reissuing new digital certificates could result in a lax focus on making sure their networks are secure and the fixes being issued are legitimate.

"This was all urgent, this is all unexpected, and what happens when people are in a situation where things are unexpected and urgent? Well, they break rules," said Baumgartner to PCWorld.

Baumgartner continued by saying the situation created by Heartbleed is the optimal chance to strike for those attackers specializing in advanced persistent threats. And their top method will be connected with the theft of the newly issued security certificates. Once stolen, the certificates could be used to break into networks later down the road.

"I would expect to see the results of some of this theft in the next six months to a year," said Baumgartner.

Private OpenVPN Keys At Risk of Heartbleed Bug
A security expert at the Sweden-based OpenVPN service provider Mullvad said that his security team was able to extract private keys multiple times from an OpenVPN server by exploiting the Heartbleed bug.

In a post to the Hacker News message board on Wednesday, Fredrik Strömberg said his team is the first to provide concrete evidence that keys could be stolen from OpenVPN  networks -- networks based off  open source software that allows for secure point-to-point connections.

"As you may know, OpenVPN has an SSL/TLS mode where certificates are used for authentication," wrote Strömberg. "OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. The default TLS library for OpenVPN is OpenSSL. Since OpenVPN uses the OpenSSL library but merely passes through the TLS traffic to OpenSSL, this means that OpenVPN is exploitable using Heartbleed, in theory."

However, Strömberg pointed out that with the multiple successful tests,  the vulnerability is no longer just a theory and that while his team won't be releasing the exploit code used to show proof of concept, he said that everyone should assume that attackers have already come up with their own weaponized OpenVPN attacks and get their servers patched as soon as possible.  

First Heartbleed-Related Arrest Mad
e The Royal Canadian Mounted Police (RCMP) arrested 19-year-old Stephen Arthuro Solis-Reye in connection with stealing data of more than 900 taxpayers from the Canada Revenue Agency (CRA).

According to the Canadian law enforcement agency, the suspect allegedly took advantage of the Heartbleed bug to steal the data from the government Web site and is the first publicly disclosed incident of an individual being connected with exploiting the Heartbleed bug.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," said RCMP said Assistant Commissioner Gilles Michaud in a released statement.  "Investigators from National Division, along with our counterparts in 'O' Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.".

According to the CRA, public access to the Web site was pulled last Tuesday after the Heartbleed bug was widely disclosed on Monday evening. However, the suspect was allegedly able to steal six hours of data before the CRA pulled the plug.

Solis-Reyes was charged on Tuesday of Mischief in Relation to Data and Unauthorized Use of a Computer after authorities arrested him and seized computers from his Ontario home.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube