
This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network, and it shows that hackers are going after the parts of the internet that are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs in to the VPN, the server issues a “session token,” a temporary credential that proves the user has already been authenticated, and it keeps that token in memory for as long as the session lasts. Heartbleed lets an unauthenticated attacker read chunks of the server’s memory, so by fishing active session tokens out of it the attacker can impersonate the legitimate user and hijack her connection, gaining access to the organization’s internal network. Note what that bypasses: the login itself, including any two-factor step, because the stolen token was minted after the real user had already passed it. Patching the VPN is not enough on its own; the server’s private key and certificate should be replaced and every active session invalidated so that tokens leaked before the patch stop working.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error”: the code trusted a length field supplied by the remote party and read that many bytes out of a buffer that was much shorter, so the extra bytes came from whatever happened to sit next to it in memory. Because it is an out-of-bounds read rather than a write, the server does not crash; it simply hands the attacker up to 64 KB of its memory per request. Such errors are depressingly common and are often the cause of serious security problems.

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”
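What “missed validating a variable containing a length” means in practice, and how it turns into the session-token theft described in the VPN attack above, is easiest to see in code. The following is an added example written for this page, not OpenSSL’s source: a stripped-down heartbeat handler that mirrors the shape of the bug and of the fix, run against a constructed 64 KB buffer that stands in for the server’s heap, with an assumed session token planted a little way past the request. The record framing, the token value and the byte offsets are all invented for the demonstration.

```c
/* Added example for this page, not OpenSSL's code: a simplified TLS
 * heartbeat handler with the Heartbleed bug beside its fix, exercised
 * against a constructed buffer that stands in for the server heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PAD_LEN       16
/* Room for the largest reply a 16-bit length field can demand:
 * type(1) + length(2) + 65535 payload + 16 padding. */
#define ARENA_SIZE (1 + 2 + 65535 + HB_PAD_LEN)

/* Constructed stand-in for the server heap. The incoming heartbeat record
 * is placed at offset 0; a session token from another user's connection
 * (an assumed value) is left over a little further along. */
static unsigned char heap[ARENA_SIZE];
static unsigned char reply[ARENA_SIZE];
static const char TOKEN[] = "sessionid=7f3a9c2e11b0";
#define TOKEN_OFFSET 64

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out);

/* Lay out a heartbeat request body: type(1) | length(2) | payload | padding.
 * claimed_len is what goes in the length field; actual_len is how many
 * payload bytes are really present. Returns the real record length. */
static size_t build_heartbeat(unsigned char *rec, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PAD_LEN);
    return 3 + actual_len + HB_PAD_LEN;
}

/* Shared tail: build the response once the payload length is accepted.
 * The write side is safe because the reply buffer is sized for the
 * maximum (OpenSSL allocated it exactly for the claimed length); the
 * danger is entirely in where the payload bytes are read from. */
static size_t hb_reply(const unsigned char *payload, uint16_t len, unsigned char *out)
{
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(len >> 8);
    out[2] = (unsigned char)(len & 0xff);
    memcpy(out + 3, payload, len);      /* copies len bytes from wherever payload points */
    memset(out + 3 + len, 0, HB_PAD_LEN);
    return 3 + len + HB_PAD_LEN;
}

/* Vulnerable handler: reads the length from the message and trusts it.
 * rec_len (the real size of what arrived) is never consulted. */
static size_t hb_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return hb_reply(rec + 3, payload, out);
}

/* Fixed handler: the missing bounds check. A claimed payload that does
 * not fit inside the received record is silently discarded. */
static size_t hb_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PAD_LEN) return 0;
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PAD_LEN > rec_len) return 0;
    return hb_reply(rec + 3, payload, out);
}

/* Send one heartbeat carrying four real payload bytes but claiming
 * claimed_len, through the given handler. Returns -1 if the handler
 * dropped it, 1 if the other user's token came back in the reply,
 * 0 if a reply came back without it. */
int probe(hb_handler h, uint16_t claimed_len)
{
    static const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };
    memset(heap, 0, sizeof heap);
    memcpy(heap + TOKEN_OFFSET, TOKEN, sizeof TOKEN);
    size_t rec_len = build_heartbeat(heap, claimed_len, ping, sizeof ping);
    size_t n = h(heap, rec_len, reply);
    if (n == 0) return -1;
    size_t tlen = strlen(TOKEN);
    for (size_t i = 0; i + tlen <= n; i++)
        if (memcmp(reply + i, TOKEN, tlen) == 0) return 1;
    return 0;
}

int probe_vulnerable(uint16_t claimed_len) { return probe(hb_vulnerable, claimed_len); }
int probe_fixed(uint16_t claimed_len)      { return probe(hb_fixed, claimed_len); }

int main(void)
{
    printf("vulnerable, honest length 4      : %d\n", probe_vulnerable(4));
    printf("vulnerable, claimed length 0x4000: %d\n", probe_vulnerable(0x4000));
    printf("fixed, honest length 4           : %d\n", probe_fixed(4));
    printf("fixed, claimed length 0x4000     : %d\n", probe_fixed(0x4000));
    return 0;
}
```

The vulnerable handler never looks at rec_len, so a request that carries four payload bytes but claims 16,384 gets 16,384 bytes of reply, including the neighbouring token. The fixed handler performs the one comparison that was missing and silently drops the message, which is also what the OpenSSL 1.0.1g patch does.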

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace that it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)
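The probe does leave a trace on the wire, even if nothing in the server’s own logs records it. The public exploit scripts sent their heartbeat in the clear, before the handshake finished, so a network sensor can apply the same length comparison the fix performs: a heartbeat request whose claimed payload cannot fit in the TLS record carrying it is not something a real client sends. The following is an added example written for this page, not a rule from any IDS vendor; the byte stream it scans is constructed here (a handshake stub, a benign heartbeat, and the classic three-byte probe that claims 0x4000 payload bytes), and the record versions and offsets are illustrative.

```c
/* Added example for this page, not a vendor signature: a passive check
 * for Heartbleed probes in a client-to-server TLS byte stream. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CT_CHANGE_CIPHER_SPEC 20
#define CT_HEARTBEAT          24
#define HB_REQUEST            1
#define HB_PAD_LEN            16

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk the TLS records in a client-to-server byte stream and count
 * cleartext heartbeat requests whose claimed payload length cannot fit
 * inside the record that carries them (1 + 2 + payload + 16 > record).
 * Records after ChangeCipherSpec are encrypted, so they are skipped. */
int count_heartbleed_probes(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int alerts = 0;
    int encrypted = 0;

    while (off + 5 <= len) {                       /* 5-byte record header */
        unsigned char type = buf[off];
        uint16_t rlen = rd16(buf + off + 3);       /* bytes 1-2 are the version */
        const unsigned char *body = buf + off + 5;

        if (off + 5 + rlen > len)                  /* truncated capture */
            break;
        if (type == CT_CHANGE_CIPHER_SPEC)
            encrypted = 1;
        if (type == CT_HEARTBEAT && !encrypted && rlen >= 3 && body[0] == HB_REQUEST) {
            uint16_t claimed = rd16(body + 1);
            if ((size_t)1 + 2 + claimed + HB_PAD_LEN > rlen)
                alerts++;
        }
        off += 5 + rlen;
    }
    return alerts;
}

/* Constructed sample stream (not a real capture): a handshake stub, a
 * well-formed heartbeat with a 4-byte payload, then the classic probe:
 * a 3-byte heartbeat record claiming 0x4000 payload bytes. */
static const unsigned char SAMPLE_CLEARTEXT[] = {
    0x16, 0x03, 0x02, 0x00, 0x04,  0x01, 0x00, 0x00, 0x00,   /* handshake stub */
    0x18, 0x03, 0x02, 0x00, 0x17,  0x01, 0x00, 0x04,         /* heartbeat, len 23, claims 4 */
    'p', 'i', 'n', 'g',  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x18, 0x03, 0x02, 0x00, 0x03,  0x01, 0x40, 0x00,         /* probe: len 3, claims 16384 */
};

/* Same probe, but sent after ChangeCipherSpec: on a real connection the
 * body would be encrypted, so the length field cannot be read and
 * nothing fires. This is the check's blind spot. */
static const unsigned char SAMPLE_ENCRYPTED[] = {
    0x14, 0x03, 0x02, 0x00, 0x01,  0x01,                     /* ChangeCipherSpec */
    0x18, 0x03, 0x02, 0x00, 0x03,  0x01, 0x40, 0x00,
};

int cleartext_alerts(void) { return count_heartbleed_probes(SAMPLE_CLEARTEXT, sizeof SAMPLE_CLEARTEXT); }
int encrypted_alerts(void) { return count_heartbleed_probes(SAMPLE_ENCRYPTED, sizeof SAMPLE_ENCRYPTED); }

int main(void)
{
    printf("cleartext stream: %d probe(s)\n", cleartext_alerts());
    printf("post-CCS stream : %d probe(s)\n", encrypted_alerts());
    return 0;
}
```

The limitation is built into the check: once ChangeCipherSpec has been sent, heartbeat bodies are encrypted and the length field is unreadable, so an attacker who completes the handshake first can only be spotted indirectly, for example by heartbeat response records far larger than the requests that preceded them.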

Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.

Susan Benesch on Troll Wrastling for Beginners: Data-Driven Methods to Decrease Hatred Online


Hateful and even violent speech is familiar online; what’s unusual are data-driven efforts to diminish them. Experiments so far have produced intriguing results including: some ‘trolls’ recant or apologize in response to counterspeech, and small changes in platform architecture can improve online discourse norms. In this talk Susan Benesch — founder of the Dangerous Speech Project and professor of American University’s School of International Service — discusses early research and experiments into managing and responding to hateful speech online, especially in climates where online speech may be tied to offline violence.

More info on this event here: cyber.law.harvard.edu

Felix Baumgartner’s 24-Mile High Space Jump, Captured by His GoPro Camera

Baumgartner was wearing a GoPro camera, and the footage is incredible


October 14, 2012, Felix Baumgartner ascended more than 24 miles above Earth’s surface to the edge of space in a stratospheric balloon. Millions across the globe watched as he opened the door of the capsule, stepped off the platform, and broke the speed of sound while free falling safely back to Earth. Felix set three world records that day—and inspired us all to reach beyond the limits of our own realities, and reimagine our potential to achieve the incredible.

GoPro was honored to be a part of this epic achievement, with seven HERO2 cameras documenting every moment. From the airless freeze of outer space, to the record-breaking free fall and momentous return to ground—see it all through Felix’s eyes as captured by GoPro, and experience this incredible mission like never before. No one gets you closer than this.

Shot 100% on the HD HERO2(r) camera from gopro.com.

Music
East of the River
“Wilderness is Their Home Now”
“Satellites”
eastoftheriveruk.bandcamp.com

Additional Music Courtesy of ExtremeMusic
extrememusic.com

Special Thanks
Red Bull
Ed Herlihy
The Internet Archive
archive.org

Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

While pretending to be about freedom these groups are really about getting personal info and credit cards

A Chicago computer hacker tied to the group known as Anonymous was sentenced Friday to 10 years in prison for cyberattacks on various government agencies and businesses, including a global intelligence company.

Jeremy Hammond, 28, was handed the maximum term for the December 2011 hacking of Strategic Forecasting, an attack his lawyers contend was driven by concern about the role of private firms in gathering intelligence domestically and abroad.

Prosecutors say the hack of Strategic Forecasting, or Stratfor, resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online. Hammond admitted being behind it in May.

He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, and releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.

More: Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years
