Heartbleed Turned Against Cyber Criminals 50
Rambo Tribble writes: "In a case of 'live by the sword, die by the sword,' researchers have used the now-infamous Heartlbeed bug in OpenSSL to gain access to black-hat forums. A French researcher named Steven K. is quoted as saying, 'The potential of this vulnerability affecting black-hat services is just enormous.' Reportedly, the criminal-minded sites Darkode and Damagelab have already been compromised."
In related news, U.S. Cybersecurity Coordinator Michael Daniel posted an article at Whitehouse.gov yesterday reaffirming that the U.S. government had no prior knowledge of Heartbleed. He said, 'We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'
Darned Heartbleed (Score:2, Interesting)
Re: (Score:2)
3 days after the news about Heartbleed is broken, my email account is hijacked and someone is sending my former teachers emails about Viagra. I have a hunch that this bug is the reason...
HINT:
Quit surfing pron sites now.
Re:Darned Heartbleed (Score:5, Funny)
Quit surfing pron sites now.
That's crazy talk. We live in an era of virtual machines, separate browser instances, deep freeze, noscript, Linux..... there's absolutely no compelling reason to give up porn in the name of security.
Re: (Score:1)
That's crazy talk. We live in an era of virtual machines, separate browser instances, deep freeze, noscript, Linux..... there's absolutely no compelling reason to give up porn in the name of security.
This. If one on the internet at all, then one is exposed. The only way to be sure heartbleed won't affect a computer is to isolate it from the internet. Mod this guy up!
Re: (Score:1)
The point was specifically that the guys who highjack e-mail accounts to send viagra offer e-mails all over the net are known to reside on phoney porn sites sitting there like fishermen waiting for some sucker to click their targets which are usually phoney links in the first place. They are the ones who were quick to exploit the Openssl hole and do man in the middle interception of encrypted passwords.
Believe it or not there are still phone calls being made by people claiming to be from Microsoft telling y
Re: (Score:2)
If one on the internet at all, then one is exposed.
I'm only exposed on the internet when I'm watching porn.
I see what you did there! Hah :D
Re: (Score:2)
Don't forget mouse condoms, those are v. important in a shared enviro!
'usually' (Score:2, Insightful)
Ahhh. There it is. The wiggle room.
Core Infrastructure Initiative (Score:5, Insightful)
some blackhats... (Score:3)
I wonder why they didn't patch their system.
Besides the trivial answer that they are incompetent script kiddies, i came up with these:
1 - the site is abandoned
2 - maybe only those who can exploit heartbleed can gain access to the forum (tests for expertise and maintains anonymity)
Re: (Score:3, Insightful)
5. Site is hosted on a compromised server in the first place -- fixing this by recompiling the server would alert the host admin.
Re:Yep. (Score:5, Funny)
5. Site is hosted on a compromised server in the first place -- fixing this by recompiling the server would alert the host admin.
This is my favourite explanation. I can just envision some incompetent sysadmin sleeping at his desk while hackers are frantically securing his system.
less funny than it may sound (Score:2)
NSA: Massively irresponsible/incompetent (Score:3)
Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].
And massively irresponsible if they knew and didn't disclose it.
The overall damage is 1,000,000 times whatever the NSA might have gained as a penetration weapon in the arsenal. If they knew and didn't disclose, this is tantamount to doing more damage to U.S. [and world] interests than any cyber-criminal/terrorist/nation-state the NSA might hope to catch.
Re:NSA: Massively irresponsible/incompetent (Score:5, Insightful)
The open source community didn't find it either. If it's any consolation, the NSA is probably about as competent as we are.
Re: (Score:2)
If you look at NSA's TAO division [or some others], they specialize in looking for such zero days. They have used many zero days that are a lot harder to find/utilize than this one. They have 30,000 people working for them. Even if only 1,000 are looking for zero days full time, this is a lot of manpower to throw at the problem
Odds are pretty high that the NSA had, indeed, found the bug. But, they decided they had a shiny new toy for their arsenal. They didn't see the bigger picture that this vulnerabi
Re: (Score:2)
If I were the NSA, I would have specifically targeted regular code review at things like OpenSSL. It's the best vector around. All of these denials just tell me high level government are idiots and don't understand the issue. I don't think its vaulting the NSA to mythical status to suggest they have known about the issue since shortly after the code was committed- and they didn't tell anyone. Furthermore, I don't believe it's far fetched to believe foreign governments were aware of the issue as well
Re: (Score:2)
Don't expect all code to be bug free. Sometimes it's hard to distinguish between intentional coding to optimize speed and a bug - especially in high performance computing.
On the other hand - now that this bug is widely known as a gateway to other systems I suspect that this also opens up for the possibility to set up honeypots to catch intruders.
Re: (Score:2)
I don't expect all code to be bug free. I'm a programmer with 40+ years experience. I looked at the patch diffs, direct from the upstream repo. The bug was missing a simple bounds check on the length of a payload. Sorry to say, but, the original code, stylistically, was newbie quality. If I had been the reviewer, I would have required that it be cleaned up [not even looking for a vuln]. Doing so might have made the bug easier to see [and may have prevented the bloodshed].
Anybody [like the NSA] that lo
Re: (Score:2)
Which is of course why the denial. Does anyone actually believe that denial, not for a second. The US government and it's agencies have all already be caught out repeatedly lying about everything they do, the only things they don't lie about are the ones the keep secret. Now if one were to take those lies into court and count each and every individual criminal action and each and every individual affected and then lied about, you are talking about hundreds of millions even billions of fully automated compu
Re: (Score:2)
I agree; the psychopathy evident here is a group that is more interested in gaining more power, rather than following their anecdotally proclaimed motivation in protecting America.
They let America's infrastructure be the bait. Just like in their pervasive spying they likely came across a lot of banking irregularities, and crimes -- which they did nothing about. For instance if they noticed a lot of this "metadata" connecting banks with Drug Cartels and Terrorists Cells -- it appears no banks have been harme
True.... (Score:2)
The "government" (by and for the people) did NOT know about "Heartbleed"....
But the Shadow (government) knows....
other perspective (Score:1)
This is just as bad as the NSA hacking into your computer.
Defending copyright more valuable than security? (Score:2)
"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nationâ(TM)s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."
I'm troubled by the mention of "intellectual property" in Daniel's post. I'd understand it if he restricted his description to theft of military or intelligence secrets, but does this vagu
3 types: Lies, Damn Lies, and State Secret Truths (Score:4, Insightful)
For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'
Go blow that smoke up someone else's ass. If that was true then the NSA would "usually" publish the black-market zero day exploits they purchase as ammo for their Ferret Cannon exploit launching system. [theatlantic.com] But they don't, ever. They just use them till someone else finds and fixes it.
Those fuckers don't need our shit to be secure at all. They don't want it to be so either. They don't even use the same networks we do for secure coms. Hell, that's what the Number Stations are all about. [wikipedia.org] Every once in a while my scanner will catch one of my favorite broadcasts: Old school, just a monotonous series of digits. I'll fall asleep listening to them droning on and on -- no doubt only decipherable by one-time pads. You know, because public key crypto just moves the key-sharing problem of authentication around -- The endpoints still have to exchange the public keys, just like they'd have to exchange one-time pads (hundreds of Gigs of pad can fit in a micro SD card now). The CA system just moves the authentication problem from "which is their public key" to "which CA are they using" and adds: "Which CA can be trusted?" (none).
Look, if it was so damn important that the SSL systems were secure then the VERY BROKEN CA system would have been fixed a long time ago. As it stands now it's just a collection of single points of failure and any one compromised CA brings the whole thing down (see: Diginotar Debacle). SSL has NEVER provided security, ever. At least with pre-arranged / pre-shared keys if you do manage to transmit the key out of band (in person, at your bank, etc) no one can ever MITM the connection. All TLS / PKI did was ensure that all SSL connections had a potential MITM via the CA. No competent security researcher would design a system like that. You have American, Iranian, Turkish, Chinese, Russian, and etc. root certs trusted in your browser. If they compromise any router between you and your destination they can MITM the connection, you'll see a big green bar too. Even if you did examine the cert chain, you'd have no way to know if the endpoint switched to a new CA, since any CA can create any cert for any domain, you have to trust ALL of them.
Web security is a laughing stock, and any "black-hat" group that was relying on SSL for any coms is probably just a CIA front, because EVERYONE with any snap has known that shit is not safe since its inception. [youtube.com] Would YOU trust a CA to sign certs if they also sell information interception services to governments? Why did you then? We already have accounts and pre-arranged secrets with all the places we need secure so just take your existing HTTP-Auth proof of knowledge hash [wikipedia.org] and feed it to the damn stream cipher and you're done. Well, and remove the basic auth bullshit, that's not needed, since we have cookies and web forms already. Point being: It's trivial to fix the CA system, but they don't do so, thus it's apparent that no government wants this shit to be secure or we wouldn't have the CA system, and they all wouldn't be able to spy on us. If you ask me that's collusion with the enemy against the citizens: Treason.
Re: (Score:3)
"Which CA can be trusted?" (none)
So speaks the man who has never run his own CA. It's not that hard provided you don't want to sign absolutely anyone's certificate (but just ones you know) and provided you're not trying to be trusted by major browsers by default. Not using the PKI to drive commerce and only supporting a few specific clients? You can go entirely private.
Oh, the horror (Score:2)
Perish the very thought. #AmericanExceptionalism
Image to go with this thread (Score:1)
Spy vs. Spy [nocookie.net].