Heartbleed Hacker Arrested

Heartbleed Roundup: Hacking Made Easy, First Victims Come To Light And Heartbleed Hacker Arrested

The Heartbleed bug, which enables attackers to retrieve chunks of sensitive information from websites, services and devices, has now been patched on a large number of systems globally, though as outlined in my previous articles there will be a long tail of systems that remain vulnerable for an extended period of time. Now, in the week following the initial worldwide panic (and in some instances hype and inaccuracy, such as Heartbleed being called a virus), the first actual victims of the Heartbleed bug have come to light, an attacker has been arrested and methods for extracting information from vulnerable systems are being integrated into readily available attack tools. If you still aren’t clear on what Heartbleed is you can get more information here, or if you need to know what to do about it you can find the steps here.

First Heartbleed Victims Come To Light

When Heartbleed first hit the news, companies’ reactions around the world varied significantly. Yahoo was exposed for about 24 hours, whereas other sites like the Canadian Revenue Agency immediately took their website down while they worked on patching and remediation. Many commented on the significantly different behaviour of the American IRS vs the Canadian Revenue Agency, but now the reasons become clear. The CRA commissioner Andrew Treusch announced that 900 taxpayers’ details have been exposed by an attacker using Heartbleed. The statement outlines how the data was extracted over a 6-hour period and that the CRA was notified by one of “Canada’s leading security intelligence agencies”. The scale of this particular breach is not vast compared to many of the other data breaches that we have seen in the news over the past 12 months, although the nature of the information here is particularly sensitive. Shortly following the announcement, the Royal Canadian Mounted Police announced the arrest of Mr Solis-Reyes, who is accused of stealing the 900 records and is due to appear in court on July the 17th 2014.

Another victim of Heartbleed, Mumsnet, also announced to its users that it had been attacked. The e-mail to users stated “On Thursday 10 April we at Mumsnet HQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole… However, it seems that users’ data was accessed prior to our applying this fix”. Mumsnet posted an article outlining how the attacker was able to log in as the founder of Mumsnet, Justine Roberts, after using Heartbleed to steal her username and password. This demonstrates in practice how Heartbleed could cause damage, following many of the debates between experts last week.

Both victims have been transparent, notified their users and taken steps to advise users on how to protect themselves. There will likely be more announcements in the following weeks, but I also suspect there are companies not disclosing their suspicions and waiting to see if they are forced to own up to their breach. This is common behaviour, and the majority of legal jurisdictions do not mandate breach disclosure; it is an optional practice. That said, as I identified in my previous article, one of the challenges with Heartbleed is that, unlike many data breaches, there is no clear evidence of the attack to be reviewed. Many simply may not know how much damage was done.

Easy Heartbleed Hacking Coming to Metasploit

A wide variety of tools have been released to enable people to check their systems for Heartbleed, but actually extracting useful sensitive information as an attacker is more of an ‘art’. There is now code in the ‘Metasploit pull’ (a queue for inclusion if you will) which simplifies extraction of private keys (the secret that is used to encrypt information when people securely connect to a service). Metasploit is a readily available (and very powerful) tool that allows penetration testers to emulate the behaviours and tactics of attackers to educate businesses on their vulnerabilities so that they can proactively deal with the issues. Of course, given the tool is easy to obtain (and there is a free open source version), there is nothing to stop more nefarious characters using it too.


Metasploit, a tool which simplifies exploiting computers and demonstrating attacks to a business

This new module, provided by jjarmoc, would enable someone with less skill to use Heartbleed to search for the all-important private keys on a system. Given that there are a large number of systems and network infrastructure devices which will be running this code for some time, anyone assessing the risks of Heartbleed should take note of the imminent availability of code to make the attack easier for lower-skill attackers (conventionally called script kiddies). This will prove a useful tool for penetration testers, but should certainly be taken into account in enterprises’ risk assessment processes.

