Heartbleed used to uncover data from cyber-criminals

[Image: Radiator and thermostat. Heartbleed has put many smart home heating systems and other devices at risk.]

The Heartbleed bug has turned cyber criminals from attackers into victims as researchers use it to grab material from chatrooms where they trade data. 

Discovered in early April, Heartbleed lets attackers steal data from computers using vulnerable versions of some widely used security programs.

Now it has given anti-malware researchers access to forums that would otherwise be very hard to penetrate.

The news comes as others warn that the bug will be a threat for many years.

French anti-malware researcher Steven K told the BBC: "The potential of this vulnerability affecting black-hat services (where hackers use their skills for criminal ends) is just enormous."

Heartbleed had put many such forums in a "critical" position, he said, leaving them vulnerable to attack using tools that exploit the bug.

The Heartbleed vulnerability was found in software called OpenSSL, which is supposed to make it much harder to steal data. Instead, exploiting the bug makes a server hand over small chunks of the data it has just handled - in many cases login details or other sensitive information.
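
The flaw described above comes down to one missing length check, which the following toy model shows beside the corrected form. It is an added example, not code from the article or from OpenSSL; the function names, the buffer model and the sample secret are constructed for illustration, and the message layout is assumed from RFC 6520.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
   payload, then at least 16 bytes of padding. */
#define HB_REQUEST 1
#define HB_HEADER  3u
#define HB_PADDING 16u

/* Flawed handler: echoes as many bytes as the message claims to carry.
   mem models process memory; only the first rec_len bytes are the record. */
size_t heartbeat_unchecked(const uint8_t *mem, size_t mem_len, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (mem[0] != HB_REQUEST || claimed > out_cap) return 0;
    if (HB_HEADER + claimed > mem_len) return 0; /* keeps this toy in bounds */
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}

/* Corrected handler: discard any message whose claimed payload plus header
   and padding does not fit inside the record that was actually received. */
size_t heartbeat_checked(const uint8_t *mem, size_t mem_len, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len > mem_len || rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (mem[0] != HB_REQUEST || claimed > out_cap) return 0;
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}

/* Constructed demo: a 4-byte payload followed in memory by stale data.
   Returns 1 if the reply contains that stale data. */
int demo_reply_leaks(int use_checked, uint16_t claimed) {
    static const char secret[] = "password=hunter2";  /* constructed sample */
    const size_t slen = sizeof secret - 1, rec_len = HB_HEADER + 4 + HB_PADDING;
    uint8_t out[128] = {0};
    uint8_t mem[128] = {HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)(claimed & 0xff)};
    memcpy(mem + HB_HEADER, "ping", 4);
    memcpy(mem + rec_len, secret, slen);  /* data handled just before */
    size_t n = (use_checked ? heartbeat_checked : heartbeat_unchecked)(
        mem, sizeof mem, rec_len, out, sizeof out);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}
```

An honest request (claimed length 4) is answered identically by both handlers; only a request whose claimed length exceeds the record separates them.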

Mr K said he was using specially written tools to target some closed forums called Darkode and Damagelab.

"Darkode was vulnerable, and this forum is a really hard target," he said. "Not many people have the ability to monitor this forum, but Heartbleed exposed everything."

Charlie Svensson, a computer security researcher at Sentor, which tests companies' security systems, said: "This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query."

Individuals who repeat the work of security researchers such as Mr K could leave themselves open to criminal charges for malicious hacking.

Threat 'growing'

The widespread publicity about Heartbleed had led operators of many websites to update vulnerable software and urge users to change passwords.

Paul Mutton, a security researcher at net monitoring firm Netcraft, explained that while that meant there was no "significant risk of further direct exploitation of the bug", it did not mean all danger had passed.

He said the problem had been compounded by the fact that a large number of sites had not cleaned up all their security credentials put at risk by Heartbleed.

In particular, he said, many sites had yet to invalidate or revoke the security certificates used as a guarantee of their identity.

"If a compromised certificate has not been revoked, an attacker can still use it to impersonate that website," said Mr Mutton.

[Image: Heartbleed logo. The dangers posed by Heartbleed will persist for years, warn security experts.]

In addition, he said, web browsers did a poor job of checking whether security certificates had been revoked.

"Consequently, the dangers posed by the Heartbleed bug could persist for a few more years."

His comments were echoed by James Lyne, global head of security research at security software developer Sophos.

"There is a very long tail of sites that are going to be vulnerable for a very long time," said Mr Lyne, who pointed out that the list of devices that Heartbleed put at risk was growing.

Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks, he said.

A survey by tech news site Wired found that smart thermostats, cloud-based data services, printers, firewalls and video-conferencing systems were all vulnerable.

Other reports suggest the makers of some industrial control systems are also now producing patches for their software to limit the potential for attack.

How tempting this was for malicious attackers was difficult to gauge, said Mr Lyne.

"We do not really know how much Heartbleed is being used offensively because it's an attack that is hard to track and log."

http://www.bbc.com/news/technology-27203766
