White Hats Use Heartbleed to Steal Keys

The tech industry reeled last week when security researchers discovered a flaw in a key security technology in the Internet’s infrastructure.

Heartbleed OpenSSL zero-day vulnerability

The bug, ghoulishly named “Heartbleed,” was found in an open source library, OpenSSL, used by the protocol, SSL, used to encrypt data in transit on the Net. By exploiting the flaw with a specially crafted packet, hackers can extract data from a server’s memory in 64K chunks.

“This is indeed one of the worst vulnerabilities in the history of the Web,” Amit Sethi, a technical manager at Cigital, told TechNewsWorld. “It has been present in OpenSSL for over two years, during which time it has made it into a lot of software.”

“Unlike many other vulnerabilities in SSL implementations that we have heard about in recent years,” he continued, “this one does not require the attacker to be positioned between your computer and the server. The attacker can go directly to the server and get any information that you recently exchanged with it over a secure channel.”

Keys May Be Safe… or Not

One of the most serious concerns raised by the bug is that the private encryption keys to a whole host of websites may have fallen into the hands of Net marauders. Those keys are used not only to unscramble encrypted data, but also to authenticate websites.

“The best short-term fix — patching or upgrading the software — may prevent future breaches, but the horse may already be out of the barn, so to speak, if passwords or SSL keys were compromised before the patch was in place,” Nathaniel Couper-Noles, a principal security consultant with Neohapsis, told TechNewsWorld.

After a week, though, there were no reports of any private keys being compromised — and that may be one scenario that won’t materialize in the wild.

“After extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data,” blogged Nick Sullivan, a software engineer and security architect with CloudFlare.

“Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that,” he cautioned.

“However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible,” Sullivan continued.

“Even with Apache, which we think may be slightly more vulnerable … we believe the likelihood of private SSL keys being revealed with the Heartbleed vulnerability is very low,” he added.

As low as it may be, it appears it can indeed be done. Following the posting of Sullivan’s blog, at least four white hat hackers used Heartbleed to snatch the private key to a CloudFlare server placed online to allow security researchers to test the firm’s analysis of Heartbleed and key theft.

Phishing Attack Increase

Unique phishing attacks numbered 115,565 in the second half of 2013, down 6 percent from the second half of 2012, when 123,486 attacks were reported, according to figures the Anti-Phishing Work Group released last week.

However, phishing attacks jumped 60 percent in the second half of last year compared with the first half, when only 72,758 were reported.

“One reason for the increase is that the Chinese are phishing each other a lot more,” Rod Rasmussen, author of the report and president and CTO of Internet Identity, told TechNewsWorld.

Eighty-five percent of the domain names registered for phishing were registered by Chinese phishers, according to the report.

Also contributing to the increase was an expansion of phishing targets.

“The traditional thing for phishing was to get access to someone’s financial information,” Rasmussen explained. “We’re seeing as lot more of that, but also a lot of targeting retail and smaller outlets.”

The median time to take down a phishing site is at a near historic low — seven hours, 54 minutes, the report notes.

“That may be another driving factor for why there are more phishing sites,” Rasmussen said. “If they’re getting taken down faster, they have to put more up. So we’re making the bad guys work a little harder.”

Vulnerable shared-hosting providers were a favorite target of phishers, with 18 percent of all phishing attacks originating from that source, the APWG reported.

“If a bad guy breaks into one server, he can have a 100 or more primo phishing sites ready to go for him,” Rasmussen said. “He doesn’t have to work as hard, and it keeps the resources flowing.”

Breach Diary

  • April 7. Google’s Finnish security team reveals Heartbleed bug in OpenSSL library that allows sensitive data, such as private encrytpion keys, to be stolen from websites and a variety of devices, including routers and mobile phones.
  • April 7. United States District Court in New Jersey finds Federal Trade Commission has the authority to bring enforcement actions against companies over lax data security practices.
  • April 7. Security Mentor and Enterprise Management Associates release survey reporting that 56 percent of employees receive no security awareness training.
  • April 8. HID Global releases survey showing more than half of organizations have not upgraded their Physical Access Control systems in the last year, and more than 20 percent in the last three years.
  • April 8. Symantec releases 2014 Internet Security Threat Report finding that 552 million identities were exposed in data breaches in 2013. It also reveals that the number of breaches in 2013 increased 62 percent over the previous year.
  • April 8. Court of Justice of European Union declares invalid a Data Retention Directive that requires member states to store citizens’ telecommunications data for a minimum of six months and maximum of 24 months and allows law enforcement to access that data with the approval of a court.
  • April 9. Electronic Frontier Foundation launches medical privacy project to identify the emerging issues and to give advocates the information they need to fight for stronger protections for patients.
  • April 10. Microsoft reveals that the European Union’s data protection authorities have found the company’s enterprise cloud contracts meet the EU’s high standards for privacy.
  • April 10. Canada’s national revenue agency suspends filing of tax returns at its website until it finishes an investigation of the impact of Heartbleed on the site.
  • April 10. The Federal Financial Institutions Examination Council puts financial institutions on notice that it expects them to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the Heartbleed vulnerability.
  • April 10. Cisco issues threat metrics for March showing an increase in the likelihood of encountering malware on the Web. The median encounter in March was 1:260 compared 1:341 in February. Cisco attributed interest in the NCAA basketball tournament as a driver of the increase.
  • April 12. 20th anniversary of first mass commercial spam on the Internet. Husband and wife immigration lawyers Laurence Canter and Martha Siegel used a Perl script to post a spam message to more than 5,500 message boards on Usenet in about 90 minutes.

Upcoming Security Events

  • April 15-16. Secureworld Expo. Cobb Galleria Centre, Atlanta. Registration: Conference, US$295; with training, $695; exhibits and free sessions, $25.
  • April 17-18. Suits and Spooks Monterey. Monterey Institute of International Studies. Irvine Auditorium. Registration: members, $323; non-members, $380; government, military and academics, $175. April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
  • April 27-28. BSides Dubai 2014. Free.
  • April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 29-May 1. InfoSecurity Europe. Earl’s Court, London. Admission: Free.
  • April 30. SecureWorld Expo. Hood Center, 452 South Anderson Rd., Rock Hill, SC. One day pass, $165; SecureWorld Plus, $545; VIP, $315; exhibits and open sessions, $25.
  • May 9-10. B-Sides Boston 2014. New England Research & Development Center, Kendall Square, Cambridge, Mass. Fee: $20.
  • May 9-10. B-Sides Algiers 2014. Ecole Nationale Suprieure d’Informatique, Oued Smar, Algiers. Free.
  • May 10. B-Sides San Antonio 2014. Texas A&M, San Antonio-Brooks City Base. Fee: $10.
  • May 13. Kansas City SecureWorld Expo. Kansas City Convention City, 301 West 13th Street #100, Kansas City, Mo. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • May 17. B-Sides Nashville 2014. Lipscomb University Camps, Nashville, Tenn. Free.
  • May 17. B-Sides New Orleans 2014. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Fee: $10.
  • May 17. B-Sides Cincinnati 2014. Main Street Theater, Tangeman Hall, University of Cincinnati, Cincinnati. Free registration, pizza and beer.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 21. Houston SecureWorld. Stafford Centre, 10505 Cash Road, Stafford, Texas. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595. Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50. Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels