This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness
Image via snoopsmaus

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it is has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

Jump to top

Create a PageThis is the LGF Pages posting bookmarklet. To use it, drag this button to your browser's bookmark bar, and title it 'LGF Pages' (or whatever you like). Then browse to a site you want to post, select some text on the page to use for a quote, click the bookmarklet, and the Pages posting window will appear with the title, text, and any embedded video or audio files already filled in, ready to go.
Or... you can just click this button to open the Pages posting window right away.
Last updated: 2016-01-01 10:29 am PST
LGF User's Guide RSS Feeds Tweet

Help support Little Green Footballs!

Subscribe now for ad-free access!Register and sign in to a free LGF account before subscribing, and your ad-free access will be automatically enabled.

Recent PagesClick to refresh
Letters From Women Pleading for Abortion, Sent in 1917, Mirror Emails Sent Today In the early 1900s, desperate American women wrote letters to the founder of Planned Parenthood begging for help with unwanted pregnancies. A century later, they're sending eerily similar messages to an international abortion-by-mail service. "I'm in the family way ...
Birth Control Works
1 hour, 44 minutes ago
Views: 137 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 1
Comments: 0
: 1
Pregnant Women Are Being Arrested for Crimes They Didn’t Know They Committed Laurie was five months pregnant when she used methamphetamine. She'd previously been on anxiety medication, but her doctor switched her to an opiate when she told him she had history for drug addiction. She said the opiate made her ...
Birth Control Works
1 hour, 46 minutes ago
Views: 200 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 1
Comments: 0
: 1
Manchester: Defiant and Proud Everybody reading this will have some connection to Manchester. Whether it's music you love (*waves at Charles*), football you enjoy, science you respect or that radical tradition you've read of, Manchester is a World City we all have some ...
Paul Canning
5 hours, 15 minutes ago
Views: 310 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Inclusive Approaches to Preventing Violent Extremism - Carter Center Violent extremism fractures communities, fosters division, and exacerbates political conflicts. It knows no religious, national, or ethnic boundaries. Violent extremist movements continue to fuel the world’s most violent wars in Africa and the Middle East, and right-wing ethno-nationalist extremism ...
Birth Control Works
6 hours, 35 minutes ago
Views: 176 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 1
Comments: 0
: 1
Love It or Hate It-What Saudi Arabia Is Buying in Its $110 Billion Arms Deal Huge deals with israel, and Saudi Arabia. Our industrial war machine grows apace. TanksSaudi Arabia is expecting 153 M1A1/A2 tank structures, which will be turned into 133 Saudi-specification M1A2S main battle tanks. Twenty additional tanks will replace those from ...
Unshaken Defiance
7 hours, 28 minutes ago
Views: 219 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 1
Comments: 0
: 1
On Trump and RussiaPresident Trump’s remarks regarding Russia as a candidate for President of the United States should have alarmed Americans regardless of party. Candidate Trump went out of his way to praise Vladimir Putin’s Russia, while simultaneously belittling the President of the ...
HappyWarrior
1 day ago
Views: 201 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Work, Not Sex? the Real Reason Chinese Women Bound Their Feet Girls who had their feet bound didn't lead a life of idle beauty but rather served a crucial economic purpose, especially in the countryside, where girls as young as 7 weaved, spun and did work by hand, Bossen said.Read ...
Birth Control Works
1 day, 8 hours ago
Views: 308 • Comments: 2 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Why Are All the Anti-Abortion Democrats Men? A troubling pattern emerges if you start looking at who in the Democratic Party supports women's reproductive rights and who doesn't. Though disappointing, it's far from surprising that all of the anti-abortion Democrats are men. Let me put that ...
Birth Control Works
1 day, 8 hours ago
Views: 395 • Comments: 1 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Virtual Reality Can Help You Feel More Empathy for Women Harassed at Abortion Clinics It's hard to understand what it feels like to be confronted or bullied outside a women's health center — until it happens to you. I'd never had that experience until last year, while reporting on the Supreme Court case ...
Birth Control Works
1 day, 8 hours ago
Views: 403 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Families of Chechen Gay Men Pressured to Sign ‘No Complaint’ Documents, Org Says The existence of anti-gay pogroms in Chechnya first surfaced in the independent Russian newspaper Novaya Gazet in April, reporting that hundreds of people had been detained and at least three are now thought to have died. Since then, police ...
Birth Control Works
1 day, 9 hours ago
Views: 296 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0