Slashdot Mirror

← Back to Stories (view on slashdot.org)

Heartbleed Turned Against Cyber Criminals

Posted by Soulskill on from the bringing-balance-to-the-force dept.

Rambo Tribble writes: "In a case of 'live by the sword, die by the sword,' researchers have used the now-infamous Heartlbeed bug in OpenSSL to gain access to black-hat forums. A French researcher named Steven K. is quoted as saying, 'The potential of this vulnerability affecting black-hat services is just enormous.' Reportedly, the criminal-minded sites Darkode and Damagelab have already been compromised." In related news, U.S. Cybersecurity Coordinator Michael Daniel posted an article at Whitehouse.gov yesterday reaffirming that the U.S. government had no prior knowledge of Heartbleed. He said, 'We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'

50 comments

  1. Darned Heartbleed by relisher · · Score: 2, Interesting

    3 days after the news about Heartbleed is broken, my email account is hijacked and someone is sending my former teachers emails about Viagra. I have a hunch that this bug is the reason...

    1. Re:Darned Heartbleed by deviated_prevert · · Score: 2

      3 days after the news about Heartbleed is broken, my email account is hijacked and someone is sending my former teachers emails about Viagra. I have a hunch that this bug is the reason...

      HINT:

      Quit surfing pron sites now.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    2. Re:Darned Heartbleed by Shakrai · · Score: 5, Funny

      Quit surfing pron sites now.

      That's crazy talk. We live in an era of virtual machines, separate browser instances, deep freeze, noscript, Linux..... there's absolutely no compelling reason to give up porn in the name of security.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Darned Heartbleed by GarethIwanFairclough · · Score: 0

      That's crazy talk. We live in an era of virtual machines, separate browser instances, deep freeze, noscript, Linux..... there's absolutely no compelling reason to give up porn in the name of security.

      This. If one on the internet at all, then one is exposed. The only way to be sure heartbleed won't affect a computer is to isolate it from the internet. Mod this guy up!

    4. Re:Darned Heartbleed by Anonymous Coward · · Score: 0

      Also, moar pr0n!

    5. Re:Darned Heartbleed by deviated_prevert · · Score: 1

      The point was specifically that the guys who highjack e-mail accounts to send viagra offer e-mails all over the net are known to reside on phoney porn sites sitting there like fishermen waiting for some sucker to click their targets which are usually phoney links in the first place. They are the ones who were quick to exploit the Openssl hole and do man in the middle interception of encrypted passwords.

      Believe it or not there are still phone calls being made by people claiming to be from Microsoft telling you that you have a problem with your Windows. These guys come from the same places that pull all these scams. They have been at it for years and are starting to worry about the down fall of the Windows operating system on the home desktop. Many are out looking for jobs and some even apply for unemployment insurance, others are trying to find easy ways to target other devices.

      As long as phoney certs can happen these guys will find ways to redirect or intercept data from unsuspecting users and create havoc on the net. It does not matter if you are using a VM if your instance is hacked and your password to a site is stolen you are cooked because it has nothing to do with being "infected" with a virus it has to do with being hacked while on the net and your network stack being temporarily hosed to expose your sensitive data.

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    6. Re:Darned Heartbleed by Anonymous Coward · · Score: 0

      If one on the internet at all, then one is exposed.

      I'm only exposed on the internet when I'm watching porn.

    7. Re:Darned Heartbleed by GarethIwanFairclough · · Score: 1

      If one on the internet at all, then one is exposed.

      I'm only exposed on the internet when I'm watching porn.

      I see what you did there! Hah :D

    8. Re:Darned Heartbleed by TexNex · · Score: 1

      Don't forget mouse condoms, those are v. important in a shared enviro!

    9. Re:Darned Heartbleed by Anonymous Coward · · Score: 0

      Nah, you're probably just using Yahoo mail.

  2. but that was the whole point of heartbleed! by Anonymous Coward · · Score: 0

    duh!

  3. 'usually' by Anonymous Coward · · Score: 2, Insightful

    Ahhh. There it is. The wiggle room.

  4. Why the fuch do we believe Michael Daniel? by Anonymous Coward · · Score: 0

    Chances are better that he is:
    - lying
    - is purposefully kept in the dark so he can say these things

  5. Core Infrastructure Initiative by John.Banister · · Score: 4, Insightful

    Perhaps Michael Daniel's office would care to contribute. It might benefit their ability to project power abroad.

    1. Re:Core Infrastructure Initiative by Anonymous Coward · · Score: 0

      The only power they should be projecting is the power of love and compassion, possibly with flowers and big beards for the continual happiness in the world. Peace out Michael Daniel, and have some yellow sunshines! Perhaps that will finally expand the security consciousness enough to replace the ego and feelings of invulnerability in all branches and levels of the government.

    2. Re:Core Infrastructure Initiative by Anonymous Coward · · Score: 0

      Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'

      Oxymoron statement, since we keep reading the lack of security from government.

  6. Black hat forums? by Anonymous Coward · · Score: 0

    Oh good, you accessed a scriptkiddie forum that any 12 year old and his Imac could visit.

    1. Re:Black hat forums? by Anonymous Coward · · Score: 0

      iMacs are more likely to be used by professionals, if anyone visits a scripkiddie forum it's a kid on his l33t gaming pc.

    2. Re:Black hat forums? by Anonymous Coward · · Score: 0

      I think you made a typo, you typed "professionals" instead of "pretentious douche nozzles"

  7. some blackhats... by someone1234 · · Score: 2

    I wonder why they didn't patch their system.
    Besides the trivial answer that they are incompetent script kiddies, i came up with these:
    1 - the site is abandoned
    2 - maybe only those who can exploit heartbleed can gain access to the forum (tests for expertise and maintains anonymity)

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  8. NSA: Massively irresponsible/incompetent by Forever+Wondering · · Score: 2

    Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].

    And massively irresponsible if they knew and didn't disclose it.

    The overall damage is 1,000,000 times whatever the NSA might have gained as a penetration weapon in the arsenal. If they knew and didn't disclose, this is tantamount to doing more damage to U.S. [and world] interests than any cyber-criminal/terrorist/nation-state the NSA might hope to catch.

    --
    Like a good neighbor, fsck is there ...
    1. Re:NSA: Massively irresponsible/incompetent by Pseudonym · · Score: 4, Insightful

      Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].

      The open source community didn't find it either. If it's any consolation, the NSA is probably about as competent as we are.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    2. Re:NSA: Massively irresponsible/incompetent by Anonymous Coward · · Score: 0

      Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].

      You actually believed that? Of course they don't know about heartbleed, they called that vulnerability by a different name!

      And massively irresponsible if they knew and didn't disclose it.

      They call that "national security", which trumps everything you can throw at them.

    3. Re:NSA: Massively irresponsible/incompetent by Z00L00K · · Score: 1

      Don't expect all code to be bug free. Sometimes it's hard to distinguish between intentional coding to optimize speed and a bug - especially in high performance computing.

      On the other hand - now that this bug is widely known as a gateway to other systems I suspect that this also opens up for the possibility to set up honeypots to catch intruders.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:NSA: Massively irresponsible/incompetent by rtb61 · · Score: 1

      Which is of course why the denial. Does anyone actually believe that denial, not for a second. The US government and it's agencies have all already be caught out repeatedly lying about everything they do, the only things they don't lie about are the ones the keep secret. Now if one were to take those lies into court and count each and every individual criminal action and each and every individual affected and then lied about, you are talking about hundreds of millions even billions of fully automated computerised lies. The NSA is definitely well within the boy who cried wolf stage, with not a word to be believed about anything until such time as their is a legal and public cleansing and that will never happen.

      So whom to believe the NSA or http://www.bloomberg.com/news/... or http://rt.com/usa/google-nsa-h.... So likely the proof is in the pudding, how many NSA secured sites were affected by heartbleed, hmmm?

      --
      Chaos - everything, everywhere, everywhen
    5. Re:NSA: Massively irresponsible/incompetent by Forever+Wondering · · Score: 1

      I don't expect all code to be bug free. I'm a programmer with 40+ years experience. I looked at the patch diffs, direct from the upstream repo. The bug was missing a simple bounds check on the length of a payload. Sorry to say, but, the original code, stylistically, was newbie quality. If I had been the reviewer, I would have required that it be cleaned up [not even looking for a vuln]. Doing so might have made the bug easier to see [and may have prevented the bloodshed].

      Anybody [like the NSA] that looks for zero-days would/should have found it with a simple code inspection. Compared to a flaw in one of the math algorithms in SSL, this was low hanging fruit indeed.

      And ... When the new feature was added, where was the unit test program for it? Consider that on CPAN, the average perl module has some 20-30 acceptance tests that run each time the module gets rebuilt. I add such tests to my code all the time.

      --
      Like a good neighbor, fsck is there ...
    6. Re:NSA: Massively irresponsible/incompetent by Forever+Wondering · · Score: 1

      If you look at NSA's TAO division [or some others], they specialize in looking for such zero days. They have used many zero days that are a lot harder to find/utilize than this one. They have 30,000 people working for them. Even if only 1,000 are looking for zero days full time, this is a lot of manpower to throw at the problem

      Odds are pretty high that the NSA had, indeed, found the bug. But, they decided they had a shiny new toy for their arsenal. They didn't see the bigger picture that this vulnerability would become so widespread (e.g. not just servers, PC's, etc. but also routers, DSL modems, home routers, ...) that it would compromise systems we depend upon (e.g. secure banking, confidential medical records systems, to name but a few). Even if a few spies/terrorists got tripped up by this, the collateral damage count for this makes the "do not disclose" decision to be the wrong choice. With friends like the NSA, who needs saboteurs ...

      Some of the FOSS is high quality indeed [I've even written some ;-)]. But, it's either Linux/BSD kernel, or where the code is contributed by paid employees of a given company (e.g. the Linux USB 3.0 driver is first rate, because it was written by a woman at Intel who is their point person for USB 3.0). Other FOSS is written by fresh grads who need/want street cred in order to get their first programming job. And some FOSS gets taken over by a small group with a "vision" [cult] that refuses to take suggestions/criticism, like Gnome 3, and gets train wrecked in the process.

      YMMV ...

      --
      Like a good neighbor, fsck is there ...
    7. Re:NSA: Massively irresponsible/incompetent by Zeromous · · Score: 1

      If I were the NSA, I would have specifically targeted regular code review at things like OpenSSL. It's the best vector around. All of these denials just tell me high level government are idiots and don't understand the issue. I don't think its vaulting the NSA to mythical status to suggest they have known about the issue since shortly after the code was committed- and they didn't tell anyone. Furthermore, I don't believe it's far fetched to believe foreign governments were aware of the issue as well- therefore no real security reason to stop the party.

      --
      ---Up Up Down Down Left Right Left Right B A START
    8. Re:NSA: Massively irresponsible/incompetent by Vitriol+Angst · · Score: 1

      I agree; the psychopathy evident here is a group that is more interested in gaining more power, rather than following their anecdotally proclaimed motivation in protecting America.

      They let America's infrastructure be the bait. Just like in their pervasive spying they likely came across a lot of banking irregularities, and crimes -- which they did nothing about. For instance if they noticed a lot of this "metadata" connecting banks with Drug Cartels and Terrorists Cells -- it appears no banks have been harmed in the process of protecting America from some existential threat.

      What is a worse threat to America than the rot and decay of the current status quo?

      --
      >>"ad space available -- low rates!!!"
  9. True.... by PortHaven · · Score: 1

    The "government" (by and for the people) did NOT know about "Heartbleed"....

    But the Shadow (government) knows....

  10. Yep. by Anonymous Coward · · Score: 0

    3. People have websites they don't even remember they own.
    4. Some people don't care that much.

    1. Re:Yep. by Em+Adespoton · · Score: 3, Insightful

      5. Site is hosted on a compromised server in the first place -- fixing this by recompiling the server would alert the host admin.

    2. Re:Yep. by quantaman · · Score: 4, Funny

      5. Site is hosted on a compromised server in the first place -- fixing this by recompiling the server would alert the host admin.

      This is my favourite explanation. I can just envision some incompetent sysadmin sleeping at his desk while hackers are frantically securing his system.

      --
      I stole this Sig
  11. other perspective by StripedCow · · Score: 0

    This is just as bad as the NSA hacking into your computer.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  12. Against the law by Anonymous Coward · · Score: 0, Troll

    Blackhat or whitehat. It does not matter. Hacking is hacking regardless of the target. This 'researcher' belongs in jail.

  13. Defending copyright more valuable than security? by aNonnyMouseCowered · · Score: 1

    "Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nationâ(TM)s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."

    I'm troubled by the mention of "intellectual property" in Daniel's post. I'd understand it if he restricted his description to theft of military or intelligence secrets, but does this vague term mean the US intelligence agencies are now in the service of the entertainment industry?

  14. haha FROM thw UHA with love by Anonymous Coward · · Score: 0

    they are lying of course...only idiots they got access to are ones that copy and put links up and files that already existed.

    the united hackers association was not operational the whole time this bug existed for example....now you know one reason why....

    of there are more issues they aren't telling you...notice when i say this they start yammering about IE again
    they need you all on chrome....

  15. Nelson by Anonymous Coward · · Score: 0

    [Nelson]
    Haw-haw
    [/Nelson]

  16. 3 types: Lies, Damn Lies, and State Secret Truths by VortexCortex · · Score: 3, Insightful

    For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'

    Go blow that smoke up someone else's ass. If that was true then the NSA would "usually" publish the black-market zero day exploits they purchase as ammo for their Ferret Cannon exploit launching system. But they don't, ever. They just use them till someone else finds and fixes it.

    Those fuckers don't need our shit to be secure at all. They don't want it to be so either. They don't even use the same networks we do for secure coms. Hell, that's what the Number Stations are all about. Every once in a while my scanner will catch one of my favorite broadcasts: Old school, just a monotonous series of digits. I'll fall asleep listening to them droning on and on -- no doubt only decipherable by one-time pads. You know, because public key crypto just moves the key-sharing problem of authentication around -- The endpoints still have to exchange the public keys, just like they'd have to exchange one-time pads (hundreds of Gigs of pad can fit in a micro SD card now). The CA system just moves the authentication problem from "which is their public key" to "which CA are they using" and adds: "Which CA can be trusted?" (none).

    Look, if it was so damn important that the SSL systems were secure then the VERY BROKEN CA system would have been fixed a long time ago. As it stands now it's just a collection of single points of failure and any one compromised CA brings the whole thing down (see: Diginotar Debacle). SSL has NEVER provided security, ever. At least with pre-arranged / pre-shared keys if you do manage to transmit the key out of band (in person, at your bank, etc) no one can ever MITM the connection. All TLS / PKI did was ensure that all SSL connections had a potential MITM via the CA. No competent security researcher would design a system like that. You have American, Iranian, Turkish, Chinese, Russian, and etc. root certs trusted in your browser. If they compromise any router between you and your destination they can MITM the connection, you'll see a big green bar too. Even if you did examine the cert chain, you'd have no way to know if the endpoint switched to a new CA, since any CA can create any cert for any domain, you have to trust ALL of them.

    Web security is a laughing stock, and any "black-hat" group that was relying on SSL for any coms is probably just a CIA front, because EVERYONE with any snap has known that shit is not safe since its inception. Would YOU trust a CA to sign certs if they also sell information interception services to governments? Why did you then? We already have accounts and pre-arranged secrets with all the places we need secure so just take your existing HTTP-Auth proof of knowledge hash and feed it to the damn stream cipher and you're done. Well, and remove the basic auth bullshit, that's not needed, since we have cookies and web forms already. Point being: It's trivial to fix the CA system, but they don't do so, thus it's apparent that no government wants this shit to be secure or we wouldn't have the CA system, and they all wouldn't be able to spy on us. If you ask me that's collusion with the enemy against the citizens: Treason.

  17. less funny than it may sound by dutchwhizzman · · Score: 1

    Often, this is the case for hosts that the intruders want to keep around longer than a few days. Once they've taken good hold of a host, they tend to close off holes that they know about, so others can't get in the same way they did. You often find not just root kits, but also patches rolled out and workarounds to mitigate problems the hackers can't fix without alerting the admin of the box. This doesn't always happen, but most forensics reports I've read and cases I've witnessed myself, hackers tried to close gaps in security of the machines they controlled.

    --
    I was promised a flying car. Where is my flying car?
  18. "The U.S. government had no prior knowledge..." by Anonymous Coward · · Score: 0

    Well, can you spell "plausable deniability"? Makes me question whether the government voluntarily keeps the NSA do what they want, completely or almost completely unsupervised, just to wash its hands if things actually blow up in their face.

  19. Re:3 types: Lies, Damn Lies, and State Secret Trut by dkf · · Score: 2

    "Which CA can be trusted?" (none)

    So speaks the man who has never run his own CA. It's not that hard provided you don't want to sign absolutely anyone's certificate (but just ones you know) and provided you're not trying to be trusted by major browsers by default. Not using the PKI to drive commerce and only supporting a few specific clients? You can go entirely private.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  20. NSA by Anonymous Coward · · Score: 0

    How about turning it against the NSA?

  21. Re:3 types: Lies, Damn Lies, and State Secret Trut by Anonymous Coward · · Score: 0

    re: CA changes. Doesn't the EFF have a project with just this purpose in mind?

  22. Oh, the horror by ThatsNotPudding · · Score: 1

    Our ability to project power abroad would be crippled if we could not depend on them.

    Perish the very thought. #AmericanExceptionalism

  23. Propaganda Brought To You By by Anonymous Coward · · Score: 0

    N.S.A.

  24. Image to go with this thread by davidwr · · Score: 1

    Spy vs. Spy.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  25. The Whole Point of SSL/TLS by Anonymous Coward · · Score: 0

    ...is to make crypto such a CLUSTERFUCK that nobody can build a bug-free implementation.

    A Blockcipher iN CBC mode (plus a defined last security block, plus a primitive session key exchange) can provide all that SSL/TLS can provide, minus the Public-Key stuff. Which is nice, as it seems more a risk than a benefit.

    The same applies to PGP/GPG. I seriously doubt anyone will be able to build a proven secure implementation of this standard. And I bet NSA can get all your keys by simply sending you a GPG message with some nasty exploit inside the data structures.

  26. he haw by Anonymous Coward · · Score: 0

    then i had image of the he haw show
    rinse repeat and the word FUCK THEM comes to mind

  27. ... and by "researcher", we mean... by Anonymous Coward · · Score: 0

    Criminal vigilante with delusions of grandeur.

    This "Steven K." guy ought to get exactly the same sentence as somebody who did that to, say, a bank.