This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness
Image via snoopsmaus

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it is has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

Jump to top

Create a PageThis is the LGF Pages posting bookmarklet. To use it, drag this button to your browser's bookmark bar, and title it 'LGF Pages' (or whatever you like). Then browse to a site you want to post, select some text on the page to use for a quote, click the bookmarklet, and the Pages posting window will appear with the title, text, and any embedded video or audio files already filled in, ready to go.
Or... you can just click this button to open the Pages posting window right away.
Last updated: 2016-01-01 10:29 am PST
LGF User's Guide RSS Feeds Tweet

Help support Little Green Footballs!

Subscribe now for ad-free access!Register and sign in to a free LGF account before subscribing, and your ad-free access will be automatically enabled.

Donate with
PayPal
Square Cash Shop at amazon
as an LGF Associate!
Recent PagesClick to refresh
The New Respects - Come as You AreMusic video by The New Respects performing Come As You Are. (C) 2017 Credential Recordings vevo.ly
Thanos
16 hours, 14 minutes ago
Views: 305 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
The Isley Brothers, Santana - I Remember (Audio)Music video by The Isley Brothers, Santana performing I Remember (Audio). (P)(C) 2017 Starfaith, LLC and RI Top Ten, LLC, under exclusive license to Sony Music Entertainment vevo.ly
Thanos
16 hours, 16 minutes ago
Views: 170 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
They Kept Us as Slaves: AP Reveals Claims Against ChurchThey kept us as slaves: AP reveals claims against church SPINDALE, N.C. (AP) -- When Andre Oliveira answered the call to leave his Word of Faith Fellowship congregation in Brazil to move to the mother church in North Carolina at ...
Shiplord Kirel, live from behind wingnut lines
21 hours, 51 minutes ago
Views: 175 • Comments: 1 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Stranger Things Season II Trailer The first trailer for Stranger Things 2 is here. It’s 1984 and the citizens of Hawkins, Indiana are still reeling from the horrors of the demogorgon and the secrets of Hawkins Lab. Will Byers has been rescued from the ...
Thanos
2 days, 18 hours ago
Views: 372 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
‘Silent Coup’: Limbaugh Says ?!?! In an impassioned commentary, Rush Limbaugh said he believes the Washington establishment - both Democrats and Republicans - are involved in a "silent coup" against President Trump. Silent coup? Wrong and wrong. As silent as Rachael Maddow, Keith Olberman ...
Unshaken Defiance
5 days, 23 hours ago
Views: 725 • Comments: 0 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Immigration: Focus LocallyIn these days of Trump and the Republicans attacking everything decent about America, it's too easy to focus on the immediate threat. Trump's Muslim band is back, but everyone is paying attention to the Republicans trying to steal our healthcare. ...
jhncsy
6 days, 21 hours ago
Views: 504 • Comments: 0 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
‘Submit to Your Husbands’: Women Told to Endure Domestic Violence in the Name of God (Australian Broadcasting Corporation) The culprits were obvious: it was the menopause or the devil. Who else could be blamed, Peter screamed at his wife in nightly tirades, for her alleged insubordination, for her stupidity, her lack of sexual pliability, her refusal to ...
Birth Control Works
1 week ago
Views: 962 • Comments: 0 • Rating: 2
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
West Virginia Families, Just Learning About Health-Care Access, Fear It Will Be Taken Away - Rewire In Vienna, West Virginia—just north of Parkersburg, along the Ohio River separating the two states—the only Planned Parenthood health center in the state sits among a scattering of gray and tan buildings beside the main road. A few days ...
Birth Control Works
1 week ago
Views: 970 • Comments: 0 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Trump Election Commissioner Used Dubious Data to Allege an “Alien Invasion” - Mother Jones Election officials and experts say there’s plenty of reason to doubt those claims.But they could still provide a blueprint for Trump’s commission, which has so far hinted at tighter restrictions on voting in the name of cracking down on ...
Thanos
1 week, 1 day ago
Views: 977 • Comments: 0 • Rating: 1
Tweets: 2 • Share to Facebook
Shares: 0
Comments: 0
: 0
Inside the Middle East’s First Rape & Domestic Violence Crisis Program For the last year and a half, there’s been a new sight in the Kingdom of Bahrain. Lodged into stacks of newspapers, stuck to mirrors in restaurant bathrooms, and pinned to grocery store notice boards are small, blue-and-white fliers ...
Birth Control Works
1 week, 2 days ago
Views: 927 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0