Huge OpenSSL Bug - Heartbleed

[Osem]

Quote:

Originally Posted by Qtx

The information like credit card details which are already stored on a website should be safe (famous last words?). Simply put, it never enters the region of memory on the server that can be read by this attack.

If someone did get your login details through the flaw, they could login to a site and look at the account page but these often hold back enough details to stop criminals making use of it.

A nasty person hanging out on your wifi (or someone running a naughty coffee shop type hotspot with their laptop, which happens more than you think) who managed to get the encryption keys to a site you visit, could log your traffic to that site and decrypt it. So if you brought something on that site by entering your credit card details, they could decrypt it and see your card details that way. Slim chance but possible. The server changing the keys after patching fixes this for future attacks of this kind but traffic logged previous to this can still be decrypted.

TVM for clarifying.

---------- Post added at 09:26 ---------- Previous post was at 09:25 ----------

Quote:

Originally Posted by Matt D

Not necessarily...

Of all the sites and services I've registered with, only three have contacted me about Heartbleed: Tumblr and IFTTT emailed me to admit they were vulnerable and warn me to change me password, while 1Password emailed me to reassure me that it didn't use OpenSSL and there was nothing to worry about regarding 1P.

Yahoo was probably the highest profile site to suffer from Heartbleed, because unlike Google and various others it was not patched until *after* the vulnerability was made public (seems it wasn't warned in advance!)...From reading Twitter and other sites, many people apparently had a field day with Yahoo last Tuesday...

But, despite that, I've had no contact from Yahoo saying I should change my password.

Most "big sites" have relied upon statements to the media, and/or posts buried on their own sites... Some of which gave a lot of detail, others of which have been very vague... I would not take lack of contact as being equivalent to lack of vulnerability or risk.

Cheers.

[joglynne]

The Register has released a further article this morning. Not sure how much of the content has already been discussed but just in case there is something new covered here is the link.

Quote:

Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy. <snip>

http://www.theregister.co.uk/2014/04...tion_glitches/

[Qtx]

Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs

Quote:

Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions. Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users. With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

Lots of companies run VPN's so that employees can access network resources while at home or out of the office so worth remembering that this bug doesn't just affect websites. As well as VPN's other services like email, FTP servers etc are also vulnerable.

[Ignitionnet]

Quote:

Originally Posted by Qtx

Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs



Lots of companies run VPN's so that employees can access network resources while at home or out of the office so worth remembering that this bug doesn't just affect websites. As well as VPN's other services like email, FTP servers etc are also vulnerable.

If a company has the management of their VPN appliances exposed to the internet at large they are in real trouble generally and need to fire their security guy.

There are tons of different devices all over the place whose GUIs are vulnerable to this kind of attack, none of which should be exposed to the internet.

[Qtx]

Ignition, they don't need to have any gui running to exploit this on a VPN. The exploit works over multiple services, not just webservers/http servers. So the attack described above happened by attacking the OpenVPN service on port 1194, not port 80. You can attack mail/ftp servers on their standard ports. The same SSL libraries are used across all these different protocols.

[Tezcatlipoca]

The "Not valid before" date for Google's certificate has changed again, from 2nd April to 9th April.

[Tezcatlipoca]

Heartbleed disclosure timeline

So is there any news of anyone being 'hacked'?

[Qtx]

Quote:

Originally Posted by Maggy J

So is there any news of anyone being 'hacked'?

Yahoo mail accounts, ars technica, Mumsnet and the Canadian tax office are the ones the media got hold of. Some companies have had their networks broken in to with this but they probably wont admit it as no customer type information was at risk. Amazon web services (AWS) which is their webserver hosting side of the business was vulnerable and many companies that used them were vulnerable, such as Logitech who still havn't muttered a word.

Probably a lot more to come but most wont even know they were hacked. The Internet Storm Centre at Sans has a nice writeup on how they spotted one of the attacks. Finding the bleeders

[Stuart]

Quote:

Originally Posted by qasdfdsaq

While I agree it can be done over WiFi the effort required makes it unlikely unless someone is specifically targeting you.

This is actually an example of one important thing we were taught when I learned software engineering in my degree. You cannot design a totally infallible security system. The best you can hope for is to make it unfeasible for anyone to successfully attack you, or at least not worth the attackers while. For an example of this, look at viruses. Arguably, even Windows is a lot more secure than some OSes from the 90s and before, but no one writes viruses for them as it's not worth anyone's while.

[qasdfdsaq]

Quote:

Originally Posted by Ignitionnet

If a company has the management of their VPN appliances exposed to the internet at large they are in real trouble generally and need to fire their security guy.

There are tons of different devices all over the place whose GUIs are vulnerable to this kind of attack, none of which should be exposed to the internet.

You forget the widespread proliferation of SSL VPNs that seem to be getting everywhere these days.

---------- Post added at 19:00 ---------- Previous post was at 18:59 ----------

Quote:

Originally Posted by Stuart

This is actually an example of one important thing we were taught when I learned software engineering in my degree. You cannot design a totally infallible security system. The best you can hope for is to make it unfeasible for anyone to successfully attack you, or at least not worth the attackers while. For an example of this, look at viruses. Arguably, even Windows is a lot more secure than some OSes from the 90s and before, but no one writes viruses for them as it's not worth anyone's while.

Quantum cryptography? Not read about it in a while but last I heard there was a form of it which is "uncrackable", at least without detection.

[Ignitionnet]

Quote:

Originally Posted by Qtx

Ignition, they don't need to have any gui running to exploit this on a VPN. The exploit works over multiple services, not just webservers/http servers. So the attack described above happened by attacking the OpenVPN service on port 1194, not port 80. You can attack mail/ftp servers on their standard ports. The same SSL libraries are used across all these different protocols.

I see what you are saying but was referring to your quote where the guy was attacking the appliance's GUI.

Quote:

Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users.

Obviously anything compiled with the OpenSSL libraries and exposed to the internet is problematic.

---------- Post added at 10:30 ---------- Previous post was at 10:21 ----------

Quote:

Originally Posted by qasdfdsaq

You forget the widespread proliferation of SSL VPNs that seem to be getting everywhere these days.

Absolutely, I remember their starting to get popular in my formative years in IT. Which was over a decade ago. Ugh. I'm old.

Quote:

Originally Posted by qasdfdsaq

Quantum cryptography? Not read about it in a while but last I heard there was a form of it which is "uncrackable", at least without detection.

Indeed, you're probably thinking of quantum key distribution. Due to quantum indeterminacy bits encoded as quantum data become mangled as soon as they are measured, hence intercepted en route.

It should be remembered that the actual encryption here is robust and remains strong. The issue is with one part of the standard not related in any way to the maths, the TLS heartbeat extension, and a badly written implementation of it. This isn't actually related to encryption at all, it's a plain, simple software bug. It just happens to be a bug on a bit of software attached to a socket that an awful lot of servers have exposed to the internet.

---------- Post added at 10:33 ---------- Previous post was at 10:30 ----------

Quote:

Originally Posted by thenry

Police have charged a 19-year-old man from London, Ont., in connection with the loss of taxpayer data from the Canada Revenue Agency website.

http://www.calgaryherald.com/news/na...952/story.html

What a noob.

Quote:

Solis-Reyes is a computer science student at Western University, a spokesman for the university said.

He'd have failed the degree anyway if he seriously thought he could exploit such a high profile bug without in any way covering his tracks.

[Qtx]

Quote:

Originally Posted by Ignitionnet

I see what you are saying but was referring to your quote where the guy was attacking the appliance's GUI.

So it does!

[Stuart]

Quote:

Originally Posted by Ignitionnet

There are tons of different devices all over the place whose GUIs are vulnerable to this kind of attack, none of which should be exposed to the internet.

Unfortunately, that is a massive problem. Bit like an article I read a couple of years ago where someone demonstrated how to use Google to search for HP printers.

I think the reasons behind this are twofold:

1. A lot of these appliances are installed by someone with little or no knowledge of network security.
2. "Ease of Maintenance". Exposing the admin tools of any network connected device (be it a VPN, printer or even power station control system) to the internet is obviously a stupid thing, but it also seems to be seen as a good way to save money. After all, one technician can sit at his or her desk and diagnose or fix problems with multiple systems, some of which may be thousands of miles away. Unfortunately, when presented with that kind of "saving", a lot of managers will not think about it any further, and a lot won't think of the security implications. They certainly won't think that they may be saving the salary of four or five technicians, but may have to pay out hundreds of thousands of pounds to fix the problems caused when their system is hacked.

[Ignitionnet]

Quote:

Originally Posted by Stuart

Unfortunately, that is a massive problem. Bit like an article I read a couple of years ago where someone demonstrated how to use Google to search for HP printers.

I think the reasons behind this are twofold:

1. A lot of these appliances are installed by someone with little or no knowledge of network security.
2. "Ease of Maintenance". Exposing the admin tools of any network connected device (be it a VPN, printer or even power station control system) to the internet is obviously a stupid thing, but it also seems to be seen as a good way to save money. After all, one technician can sit at his or her desk and diagnose or fix problems with multiple systems, some of which may be thousands of miles away. Unfortunately, when presented with that kind of "saving", a lot of managers will not think about it any further, and a lot won't think of the security implications. They certainly won't think that they may be saving the salary of four or five technicians, but may have to pay out hundreds of thousands of pounds to fix the problems caused when their system is hacked.

The first of the two shouldn't be an issue. An appliance like this should be privately addressed and using a mapped IP on the firewall for access for access to the services it provides only, not its management interface.

The second isn't saving money so much as lazy. If you want to manage a VPN appliance from outside of your network why not VPN into the appliance to manage it?

If access from the Internet is required in case of VPN failure simply ensure that the guy managing devices has a static IP address on the interwebs and permit them access, only, to the management interfaces.

Zero excuse for a leaky perimeter. Internal security is problematic, holes are punched in firewalls to allow services to work, but perimeter should really have a single management point, the big scary security/network guy.