Heartbleed went from a dangerous Internet-wide vulnerability over the weekend to one with real exploits, real victims and real problems for private SSL server keys.
Mumsnet, a U.K.-based parenting website, said it was victimized by hackers exploiting the vulnerability in OpenSSL to steal passwords, as was the Canada Revenue Agency, who reported the loss of social insurance numbers for 900 citizens, according to a BBC report today.
Hackers were using the stolen Mumsnet credentials to post messages to the site on Friday, while the CRA said hackers were busy exploiting Heartbleed during a six-hour period before its systems were patched.
While experts warned it was possible from the outset to steal credentials and other sensitive information in plaintext, it was thought that stealing private SSL keys that would provide unfettered access to web traffic emanating from a server was a much more difficult proposition.
Starting on Friday, however, three researchers had in fact managed to do just that.
Russian engineer Fedor Indutny was the first to break the so-called CloudFlare Challenge set up by web traffic optimization vendor CloudFlare. The company had set up a nginx server running an unpatched version of OpenSSL and issued a challenge to researchers to steal the private SSL key.
Indutny replayed his attack more than two million times before he was able to steal the key, which he submitted at 7:22 Eastern time on Friday, less than an hour before Ilkka Mattila of NCSC-FI submitted another valid key using just 100,000 requests.
Since then, two more submissions were confirmed on Saturday, one by Rubin Xu, a PhD student at Cambridge University and researcher Ben Murphy.
The vulnerability is present in OpenSSL versions 1.0.1 to 1.0.1f and it allows attackers to snag 64KB of memory per request per server using its heartbeat function. The bits of memory can leak anything from user names and passwords to apparently private keys if the attack is repeated often enough. A number of large sites, including Yahoo, Lastpass and many others were vulnerable, but quickly patched. Once the vulnerability is patched, old certificates must be revoked and new ones validated and installed.
Users, meanwhile, would need to change their passwords for accounts on these sites, but only after the patch is applied, or their new credentials could be stolen as well. Worse, the attacks don’t show up in logs and leave no trace behind. Therefore, it’s impossible to know whether a private key has been stolen and malicious sites signed by a legitimate certificate key, for example, would appear benign.
The story took a strange twist Friday night when Bloomberg reported that the U.S. National Security Agency had been exploiting Heartbleed for two years, according to a pair of unnamed sources in the article. A bug such as Heartbleed could simplify surveillance efforts for the agency against particular targets, but given the arsenal of attacks at its disposal, the NSA might have more efficient means with which to gather personal data on targets.
To that end, the agency via the Office of the Director of National Intelligence issued a rare denial Friday night. The memo said the NSA was not aware of the flaw in OpenSSL. “Reports that say otherwise are wrong,” it said.
The DNI’s office also said the Federal government uses OpenSSL to encrypt a number of government sites and services and would have reported the vulnerability had it discovered it.
“When Federal agencies discover a new vulnerability in commercial and open source software – a so-called ‘Zero day’ vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose,” the DNI said.
Meanwhile, a report in the New York Times on Saturday said that President Obama has given the NSA leeway in using bugs such as Heartbleed where there is a “clear national security or law enforcement need.” The NSA has thrived on such loopholes, according to numerous leaks made public in the Snowden documents. The president’s decision was made in January, the Times article said, after he addressed the nation on the government’s surveillance of Americans.
The U.S. government, it was made public in September, had bought a subscription to a zero-day exploit service sold by VUPEN of France.
The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN’s services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company’s “binary analysis and exploits service.”