TwitterFacebook

This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness
Technology • Views: 15,610
Image via snoopsmaus

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it is has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

^ back to top ^

TwitterFacebook

Turn off all ads for a full year by subscribing!
For about 33 cents a day (per month) or 22 cents a day (per year), our subscription option turns off all advertisements at LGF!
Read more...

► LGF Headlines

  • Loading...

► Tweeted Articles

  • Loading...

► Tweeted Pages

  • Loading...

► Top 10 Comments

  • Loading...

► Bottom Comments

  • Loading...

► Recent Comments

  • Loading...

► Tools/Info

► Tag Cloud

► Contact

You must have Javascript enabled to use the contact form.
Your email:

Subject:

Message:


Messages may be published unless you request otherwise.
Tech Note:
Using the Contact Form
LGF Pages

This button leads to the main index of LGF Pages, our user-submitted articles. You can post your own LGF Pages simply by registering a free account with us.

Create a Page

This is the LGF Pages posting bookmarklet. To use it, drag this button to your browser's bookmark bar, and title it 'LGF Pages' (or whatever you like). Then browse to a site you want to post, select some text on the page to use for a quote, click the bookmarklet, and the Pages posting window will appear with the title, text, and any embedded video or audio files already filled in, ready to go.

Or... you can just click this button to open the Pages posting window right away.

Last updated: 2014-03-07 2:19 pm PST

LGF User's Guide
Recent Pages
Randall Gross
Merrill Shapiro Joins Lawsuit Against Rick Scott
A Flagler County resident who heads the local branch of the State Democratic Progressive Caucus of Florida and the board of trustees of Americans United for Separation of Church and State has joined a lawsuit against Governor Rick Scott ...

21 minutes ago
Views: 38 • Comments: 0
Tweets: 1 • Rating: 0
Dr. Matt
Angry Ram Takes Down a Drone…and its Owner
From the youtube page of Buddhanz1: I was looking for the angry ram with my fpv quadcopter, I got a bit close & he managed to hit it knocking it into a bush, luckily no harm done. When I went ...

2 hours, 59 minutes ago
Views: 137 • Comments: 0
Tweets: 1 • Rating: 1
Hyped Up On Ganja
Lindsay Lohan reveals she’s voting for Mitt Romney because ‘employment is really important’
Asked to expound on her comment, Miss Lohan giggled, and replied "Wingnut Mormons are so $$#@#$ hawt and junk" / But this was not the first time the fledgling political pundit has jumped into the presidential twitter fray. In early ...

1 day, 6 hours ago
Views: 245 • Comments: 0
Tweets: 0 • Rating: 0
Souliren
Natalie MacMaster
2 days, 4 hours ago
Views: 149 • Comments: 1
Tweets: 0 • Rating: 1
The War TARDIS
Doctor Who “Into the Dalek” Open Thread
This episode will echo old Dalek episodes, both with a bit of a twist. Also, Clara will be finding someone, as she seems to be moving from her feelings of the 11th. But, this for talking.

3 days, 5 hours ago
Views: 312 • Comments: 42
Tweets: 0 • Rating: 5
FemNaziBitch
Roger Goodell: ‘I Didn’t Get It Right.’ -NFL TAKES A NEW STANCE DOMESTIC VIOLENCE
NFL commissioner Roger Goodell admits he was wrong on the Ray Rice decision, and Goodell took an important step Thursday towards showing the league is serious about cracking down on domestic violence as well as sexual assault. In a ...

4 days, 11 hours ago
Views: 276 • Comments: 1
Tweets: 0 • Rating: 4
sagehen
Doctor Who Spoiler Thread
For those who want to post immediately... live... without having to hide spoilers behind the button.

1 week, 3 days ago
Views: 714 • Comments: 99
Tweets: 0 • Rating: 6
EiMitch
Escapist: Maniac Cop
escapistmagazine.com Link broken? The gist is that this is an impressively sarcastic review of an old slasher flick based on the "unrealistic" premise of a cop abusing his power to murder people.

1 week, 4 days ago
Views: 536 • Comments: 1
Tweets: 0 • Rating: 1
Rightwingconspirator
A Lizard’s Regenerating Tail
Don't ya hate it when that happens? You feel so short for a month. Anoles are curious little lizards capable of ditching their tails when they feel threatened. This self-amputation, called autotomy, takes about 25 days for the tail to ...

1 week, 5 days ago
Views: 542 • Comments: 1
Tweets: 0 • Rating: 5
CriticalDragon1177
Io9 - Everything You Need To Know About Lemuria, The Lost Continent Of Lemurs
Esther Inglis-Arkell talks about the weirdest lost continent myth, I've ever heard. Its the only one I know of that ever included giant telepathic lemurs. No seriously! In 1858 a young zoologist, playing around with an idea, came up with ...

1 week, 5 days ago
Views: 747 • Comments: 4
Tweets: 0 • Rating: 7
 Frank says:

THE VERY BIG STUPID is a thing which breeds by eating The Future. Have you seen it? It sometimes disguises itself as a good-looking quarterly bottom line, derived by closing the R&D Department. -- from The Real Frank Zappa book.