Sunday 20 April 2014

Heartbleed Will Linger "For Many Months to Come"


It’s been nearly two weeks since the Heartbleed bug was made public -- two weeks of massive coverage from news outlets across the globe as the security of online services used by much of the world was called into question.
Now things are beginning to settle down. Most of the major players have announced that they’ve shored up the vulnerability that left them open to leaking sensitive data. The first arrest has been made in connection with Heartbleed, a 19-year-old London, Ont. man accused of the theft of 900 social insurance numbers from the Canada Revenue Agency’s Website, and users across the world have received a slew of “please reset your password” emails.
But there’s a long way to go, and it may be awhile before one of the biggest bugs in recent memory is truly “fixed.”
“I think things are going to be lingering for many months to come, just because that’s the nature of the way patches get implemented and holes get fixed,” said Marc Gaffan, co-founder of Incapsula. “I would imagine if we did a survey three or six months from today we’d find astonishing results in terms of how many organizations have not patched [the Heartbleed OpenSSL vulnerability].”
The big players have patched things up by now, but OpenSSL is widely used; the figure most often quoted is a massive two-thirds of web servers.
“As you start moving away from that nucleus, you get more and more organizations that are less up to date, less able, less willing to patch their systems,” Gaffan said, describing the way a typical vulnerability is addressed. Heartbleed is certainly major, but that isn’t going to change the nature of the way people react.
And we haven’t even touched on the billions of users, many of whom may not follow through on their end due to ignorance or laziness or simply because they just don’t care. That’s exactly what Justin Balthrop argued on Medium when discussing a huge problem that’s at the core of this Heartbleed mess -- passwords:
I have 268 passwords on 268 different websites. At least that’s what my password manager says. I actually stopped saving new passwords a while back, so the real number of passwords I should change now that Heartbleed has been revealed is even higher than that. How many of those passwords do you think I’m going to change? It took me 10 minutes just to find the change password form for my bank! What about the average computer user who uses the same password for every website and doesn’t understand the details of the exploit? How many passwords will they change?

Not very many.

A Look at Heartbleed's Popularity

We thought it would be interesting to use our HackSurfer data to conduct a little sociological experiment. Which of the two major cybersecurity moments of the past five months is garnering more discussion: the Heartbleed bug or the Target breach?

[Chart: Target v Heartbleed]
As you can see, they both took up a massive chunk of the discussion, but Heartbleed is even more “popular” than Target over its respective period. This may reflect how far-reaching the vulnerability is, which is hardly surprising given the number of posts and articles we’ve seen here at HackSurfer regarding the bug.
“I don’t think that this has been overplayed [in the media],” Gaffan said. “Given the ubiquitousness of OpenSSL plus the potential damage that this vulnerability can create, it does create a pretty big hole out there.”

Who Left the Curtains Open?

So what is Heartbleed?
It’s a small bug that has existed for the past two years and affects many websites that collect personal and financial information. That little padlock icon you see alongside “https” in most browsers is meant to assure users that everything is safe. Heartbleed showed that hasn’t necessarily been the case.
Michael Hamlin, an X-Force security architect with IBM, explained the problem with Heartbleed using the typical household analogy on a recent IBM podcast.
Imagine all of your usernames, passwords and other data is written on a big stack of paper sitting on your desk.
“They’re in your house. They’re locked up. They’re secure,” Hamlin said. “We think about SSL that way. We trust the servers' encrypting our sessions, and we provide our usernames and passwords. They’re encrypted. But if a burglar walks up and looks through the window and there's a stack of papers on the desk now, it can read the first page, whatever is exposed on the top page, and that's kind of how this vulnerability works. It was like not drawing the curtains shut. It left that chunk of memory open to anybody that requested it.”
Perhaps most importantly, researchers discovered that private encryption keys could be stolen through the vulnerability.
As Codenomicon, the security firm that discovered the flaw (Google engineer Neel Mehta discovered it independently as well), described, “These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”

What Should I Do? What Will Hackers Do?

There are three main things a website owner should do, whether they’re tiny or a huge SaaS platform, said Gaffan:
  1. Patch your infrastructure; make sure that you’ve implemented the fix for the Heartbleed vulnerability.
  2. Reissue certificates with a new private key, just in case the old one was stolen while the vulnerability existed.
  3. Websites that run with persistent cookies (if you’re constantly logged in to social media, for example) leave users vulnerable if that cookie information is stolen; log out of all of them and log back in. “Given that the vulnerability is now fixed with most of the bigger providers, that means that those credentials will be no longer snatchable.”
One problem: many smaller businesses still operate with the mentality that they’re a small target and therefore can operate without being on cybercriminals’ radar.
“What people don’t actually realize is that in this era of automation, smaller and smaller websites are being hacked today just because they’re out there on the internet,” Gaffan said. “There are scanners that are available already today that can tell you if a website is vulnerable to Heartbleed or not. If I’m a bad guy, what I would do is start scanning a couple of million websites each day and compiling a list of who I need to go after. Once I’d compiled that list, I’d build another automated tool that all it does is hit Heartbleed vulnerable servers and try to pull out usernames and passwords. That’s something that is going on all the time with other vulnerabilities.”
If you’re a user, how do you know the websites you’re visiting are safe? There are several options. Use a tool just like criminals are: scanners. Many companies are offering the ability to check for Heartbleed (Norton, for example). There are dozens of apps springing up, and there are even browser extensions that can make confirming a site is safe simple and easy.
Except, there’s one big problem with all of that. As The Guardian reported last week, researchers are claiming that most popular Heartbleed detection tools are flawed:
A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.

“A lot of companies out there will be saying they've run the free web tool and they're fine, when they're not,” Hut3’s Edd Hardy told the Guardian. “There's absolute panic. We're getting calls late at night going 'can you test everything'.”
Unfortunately, that means you may have to make sure the tool you’re using to stay safe is providing safe and accurate results.

Maryland State Agencies Threatened by Cyberattacks

Maryland government entities have suffered at least six cyberattacks since the beginning of 2013, according to incident reports from the Department of Information Technology.
The heavily-redacted reports, obtained by Capital News Service through a Maryland Public Information Act request, reveal that data-hungry hackers and scammers aren’t only going after retailers like Target and Neiman Marcus—they’re targeting state agencies.
“Our government doesn’t move as quickly as the private sector ... and the private sector isn’t moving as quickly as it should be,” Sen. Catherine Pugh, D-Baltimore, said in an interview.
The report said a phishing scam that hit the Department of Labor, Licensing and Regulation affected “more than 100 users,” and two other incidents affected an estimated “more than 10 users.”
Elliot Schlanger, the state director of cybersecurity, said specific numbers of affected users are often difficult to pin down, particularly with phishing attacks. Phishing involves sending a large number of emails asking for sensitive information, like passwords, under the guise of a legitimate sender.
One listed incident involved the Maryland State Police in September. Last year, the police were bombarded with thousands of gun applications ahead of incoming stricter firearm laws. To reduce the massive backlog, volunteers from the departments of Health and Mental Hygiene, Transportation, Public Safety and Correctional Services, Human Resources and Juvenile Services offered to help out with data entry, according to a police press release.

According to a National Rifle Association press release, some state agencies’ computers were not adequately secured to handle gun applications, which include sensitive information.
Elena Russo, director of the police’s communications department, said the incident on the Department of Information Technology report was merely a notification of a potential security risk.
“It was not a security breach, it was not a cyberbreach, there were no hacks and no data brought forward by the Maryland State Police,” she said.
Similarly, Maureen O’Connor, director of media relations for the Department of Labor Licensing and Regulation, said that no personnel data was stolen in a phishing attack on her department. However, a malicious program known as a “ransomware” encrypted department information, demanding that money be sent to a specific account to unlock the data.
The attack began when an employee ignored a department-wide warning not to open a suspicious email. O’Connor said the malware was eliminated and the data restored within five days.
The document also said that three Department of Human Resources servers were attacked on Oct. 22. Brian Schleter, director of communications for the agency, said the attack was launched on a department website used to post press releases. No data was compromised.
The proposed budget for fiscal year 2014 notes that no “substantial disruptions” of state network services have occurred since 2011, when records of disruptions began.
The state has taken steps to teach its employees about best practices in cybersecurity. In February, Isabel FitzGerald, secretary of the Department of Information Technology, told the House of Delegates that the department had begun monthly cybersecurity training courses for more than 40,000 state employees and contractors.
“They endeavor to make sure all the employees of all the agencies are aware of the possibilities of attacks,” said O’Connor, who has taken the course.
The state’s vulnerabilities aren’t new. The Office of Legislative Audits has outlined weaknesses in several agencies’ cybersecurity plans over several years. An audit of the state police from February 2009 to December 2011 found that some servers that guarded personal information, including about 176,000 Social Security numbers, were insufficiently secured. In a March 2013 response to the audit, the police insisted the auditors misunderstood a security measure, and personal information was secure.
The audit also found that police networks lacked systems designed to detect intrusions. The response said that those systems were added after the audit.
Similar audits found more cyber vulnerabilities in the departments of Labor, Transportation and Education as well as the State Archives.
Pugh aimed to promote state cybersecurity even further during the recently-ended 2014 legislative session. She authored a bill to adopt an overarching cybersecurity plan based on a similar document published by the National Institute of Standards and Technology. The Senate passed the bill unanimously, but it died in the House of Delegates in committee.
Pugh said the bill arose out of concerns for the state’s long-term condition, citing the growing amount of information that state entities and contractors transfer online. A 2012 hack into South Carolina records that exposed 3.6 million tax returns, according to the South Carolina Department of Revenue, encouraged her to make sure Maryland didn’t suffer a similar fate.
“If this can occur in other states, it can occur here,” Pugh said.
While the Department of Information Technology’s information security policy currently encourages following National Institute of Standards and Technology recommendations, Pugh said that her bill would have given state departments incentive to ensure they were actually following best practices.
Costis Toregas, a computer science professor at The George Washington University, warned that the government reports may not tell the full story. He said that there are “probably hundreds of thousands” of attempted attacks on Maryland agencies every day that don’t get public attention.
“We penalize people for coming forward and saying something bad happened ... there’s no sharing of information happening,” he said.
According to state information technology policy, agencies do not need to report viruses or malware that have been automatically thwarted by anti-virus software.
The Heartbleed security bug, first discovered on April 7, also may have a serious impact on government operations. The bug is a vulnerability in OpenSSL, a security protocol used to protect information on about two-thirds of all web servers, according to the technology website Ars Technica. Hackers can exploit the bug to steal passwords and other sensitive information.
Toregas said even if they aren’t vulnerable to Heartbleed on their own, state agencies could still be seriously affected by it if they interact with vulnerable businesses.
“We live in an interconnected world. At some point the government will come into contact with a commercial entity on the web,” Toregas said. “We've become too interconnected to draw a rigid line between commercial [and government entities].”
Schlanger said after the Heartbleed outbreak, the Department of Information Technology shared strategies to deal with the bug with state information officers, some of which may have affected users. He added that the department would continue to keep tabs on potential fallout from the bug.
“Continuous monitoring of the cyber threatscape is one of the fundamental tenets of our cybersecurity program,” Schlanger wrote in an email.
The Department of Information Technology report also included four incidents that were not cyberattacks, in addition to the police’s risk warning. These included a stolen computer, a former employee sending an email from another’s account, and an employee’s home computer being infected with malware.
What the phishers and would-be hackers were looking for in state agency computers remains a mystery. Mark Cather, director of communications and security at the University of Maryland, Baltimore County, said they were likely seeking employees’ personal information “because they can turn identities into cash.”
Hackers might also have tried to use government computers as a resource, utilizing their processing power to crunch numbers or launch further attacks, Cather said. He added that some may have sought trade secrets or other information worth selling, but it was unlikely because few state agencies make anything with patents or trademarks that would be worth selling.
Regardless of their objectives, hackers aren’t going to leave state agencies alone anytime soon. Pugh hopes that legislators will take a more active role in promoting cybersecurity.
“I look at the government from the perspective of a business,” Pugh said. “... What do [we] want the state to look like three years from now? I don’t think we do enough of that kind of thinking and planning.”

U.S. Agent Lures Romanian Hackers in Subway Data Heist

U.S. Secret Service Agent Matt O’Neill was growing nervous. For three months, he’d been surreptitiously monitoring hackers’ communications and watching as they siphoned thousands of credit card numbers from scores of U.S. retailers.
Most every day O’Neill was alerting a credit card company or retailer to an online heist. The result was predictable: the companies canceled hijacked credit and debit cards and the aggravated hackers’ customers began complaining that the stolen card numbers weren’t working as promised.
It was only a matter of time before the cyber thieves realized they were being watched.
“We were hoping they wouldn’t figure it out until we could catch them,” O’Neill said.
The Secret Service and FBI are investigating an increasing number of attacks on U.S. retailers’ data, including the massive breach of Target Corp. last year that affected more than 40 million debit and credit card accounts. Investigators won’t talk about the Target probe. Instead, the Secret Service pointed to O’Neill’s investigation that began in 2010 as an example of how they go about solving such crimes.
The chase for the hackers took three years. It uncovered what federal prosecutors described in court records as a “massive, international computer hacking and credit card data theft scheme.”

800 Stores

The conspirators hit more than 800 U.S. stores from 2009 to 2011, stealing data from in excess of 150,000 credit card accounts and inflicting losses to financial institutions conservatively tallied at $12.5 million, according to interviews with the agent, his supervisors and U.S. Justice Department prosecutors, as well as a review of court filings.
O’Neill’s green eyes and sly grin mask an intensity for the hunt that relied on a mix of high-tech sleuthing and traditional police work, with some creativity sprinkled in: the agent even went undercover online as an “attractive, independently wealthy waitress.”
“These hackers are sophisticated,” said U.S. Secret Service Agent Ed Lowery, who is in charge of the agency’s criminal division. “The type of individual we are talking about -- the highest-level cyber criminal -- they don’t leave bread crumbs.”
The son of a former Secret Service agent who investigated counterfeiting rings in Philadelphia, O’Neill joined the service in 1998 after a post-college stint at ESPN. He specialized in cyber crimes, except for four years on Vice President Dick Cheney’s security detail.

‘Subway Case’

In the agency’s four-agent Manchester, New Hampshire, office, he juggled five or six cases at a time. None were as big as what became known as the “Subway case.”
It began on a February afternoon in 2010 with calls from banks. American Express and Citibank reported fraudulent activity on accounts that had one thing in common -- purchases made at a Subway sandwich shop in Plaistow, New Hampshire, a town of 7,609 people about 25 miles southeast of Manchester. American Express reported that 36 compromised credit cards had been used at the Plaistow Subway; Citibank said it had suffered $80,000 in losses tied to cards swiped at the store.
Within days, O’Neill and a New Hampshire state trooper were inspecting the store’s computer. It was clear it had been hacked through the Internet, and the attacker had planted a “key logger” program onto its hard drive. Acting like a vacuum cleaner, the program sucked up the data from credit and debit cards swiped through the store’s magnetic reader.
The investigators determined the stolen data was only stored briefly on the computer before being uploaded to a website, ftp.tushtime.info.

Romanian Beetle

A password embedded in the software code -- Carabus05 -- provided a clue to its source. When O’Neill Googled the word, he discovered it was Romanian for beetle. Russia, Romania and other Eastern European countries are hotbeds for hackers.
“The important thing in these cases isn’t so much: How did they get in?” O’Neill said. “It’s: Where did the data go? It’s the destination that matters.”
Representatives of Subway Restaurants reported multiple hacks of other stores and the stolen data was flowing to several “dump sites” such as ftp.tushtime.info.
Armed with search warrants, O’Neill saw the stolen data was flowing from the dump sites to computer servers scattered across the U.S. Agents tracked down those servers -- one belonged to a law office, another a dentist -- but none were still being used by the hackers. Then, in July of 2010, O’Neill got lucky.
One of those computer servers belonged to New Harrisburg Truck and Body in Mechanicsburg, Pennsylvania. With permission from the shop’s innocent owner, agents in August 2010 placed a “sniffer” on his computer.

Truck Shop

The sniffer revealed that the hackers were using the truck shop’s computer to store and use their “tools” -- malicious software that scanned the Internet for vulnerable computers, allowed them to break into those computers, steal the data, upload it to a dump site, download it to the truck shop’s computer and then zap it around the globe.
The hackers were careful. They masked their identities by using anonymous e-mail and chat accounts. They hid their location by routing through other servers in Europe.
Even so, O’Neill suspected they were in Romania. They chatted in e-mails in the language, and the agent managed to track some of their computer activity back to the country.
It was now late 2010 and O’Neill was getting concerned that the hackers would figure out he was monitoring them. The Secret Service was caught in a Catch-22: agents wanted to keep watching in secret to find out the hackers’ identities yet had an obligation to alert customers, retailers and financial institutions that the accounts had been hacked.
“Their clients were emailing them and saying, ’Why are you cheating me? These are bum cards,’” O’Neill said, of the messages he secretly read.

Solid Lead

Finally, in late October, agents picked up a solid lead: in an online chat, a hacker mentioned that his computer had been seized and his house raided by Romanian police investigating his cyber activities.
O’Neill called his Romanian counterparts and provided them with the information. In less than a day, they gave O’Neill the hacker’s identity: Adrian Tiberiu Oprea, a 26-year-old who had studied computer science and lived in the Black Sea port city of Constanta. Romanian authorities told O’Neill they were investigating Oprea for hacking retailers in Eastern Europe.
From the hackers’ e-mails and social media postings, O’Neill found the identity of one of Oprea’s customers: a Romanian living in France named Cezar Butu, 27.
A third member of the conspiracy was harder to identify. In January 2011, O’Neill was examining more than 15,000 e-mails from an anonymous account when he found two that stood apart. They were from a personal e-mail and had attachments that were core to the scam: a program that masked the hackers’ activities in their victims’ computers, and a trove of stolen credit card numbers.

E-Mail Mistake

The hacker had mistakenly used his personal account to forward himself the information. The misstep was enough for O’Neill to finger Iulian Dolan, 25, a third Romanian.
O’Neill and the federal prosecutors still weren’t optimistic that they could put the Romanians on trial. Though the U.S. has an extradition treaty with Romania, getting the country to hand over suspects was far from guaranteed.
“I thought our best case scenario would be that we would approach Romanian law enforcement and hope we could convince them to prosecute these people, assuming we could ever be able to identify them,” said Mona Sedky, a prosecutor in the U.S. Justice Department’s computer crimes division. “I never in a million years thought they would see the inside of a U.S. courtroom.”
O’Neill and his Romanian counterparts discussed his options, which amounted to taking the risk of trying to extradite the men, or finding a less official way to arrest them. “They basically said, ’Do whatever you can do legally to get them to the United States,’” O’Neill recalled.

Ladies Man

Research showed the thieves had obvious weaknesses: Dolan was an online gambler, and Butu was a ladies’ man. To capture Dolan, O’Neill became “Sarah,” a marketing specialist for a Connecticut casino who invited the Romanian to a poker tournament.
For eight months, O’Neill e-mailed Dolan, sometimes late at night from his home where he was on paternity leave with a baby boy. His wife was understanding: she’s an agent with the U.S. Federal Bureau of Investigation.
“Dolan seemed kind of like a lonely guy,” O’Neill said. “And, yes, there was some gentle flirting.” When Dolan finally walked off the plane in Boston on Aug. 13, 2011, he was carrying a gold necklace for “Sarah” and six boxes of grape-flavored condoms.
“He was being optimistic,” O’Neill said.
Meanwhile, O’Neill was also masquerading as “Chrissy,” a wealthy waitress for a restaurant chain known for its scantily-clad servers, who had met Butu during a recent sojourn through Europe.

Wealthy Waitress

O’Neill’s gambit this time was that “Chrissy” had enjoyed meeting Butu and hoped to re-establish contact. Eventually, “Chrissy” invited Butu to visit her in the U.S. Butu took the bait, arriving in Boston the day after Dolan.
“You tell them what they want to hear, within reason,” O’Neill said.
He took the traditional route with Oprea. The U.S. government sought the Romanian’s extradition. It worked: Oprea was arrested in December 2011 and sent to New Hampshire in May of last year.
All three pleaded guilty to hacking-related charges, admitting they hit more than 800 U.S. stores, about 250 of which were Subways. In interviewing Dolan and Oprea, O’Neill determined that they didn’t target Subway. It was just luck that so many got hacked. There are about 25,000 Subways in the U.S. and many had poor online security, O’Neill said.
As for the hackers, they didn’t make much profit -- Oprea, the ring leader, made only $40,000. He paid a steep price for the estimated $12.5 million in losses inflicted on financial institutions and the $5 million Subway spent upgrading its cyber security systems. Oprea was sentenced in September to 15 years in federal prison. Butu got 21 months behind bars, and Dolan received a 7-year sentence.
“They weren’t stealing from Romanians,” O’Neill said, “so they never expected to get caught.”

Websites Fixing Heartbleed Bug, VPNs Still Vulnerable

After the initial panic over the Heartbleed bug, which some researchers earlier this month estimated had affected two-thirds of all Web servers, researchers at Sucuri reported Friday that just 2 percent of the top 1 million websites on the Internet remain vulnerable and all of the top 1,000 sites have been patched against the OpenSSL vulnerability.
But also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker "leveraged the Heartbleed vulnerability in an SSL VPN concentrator to remotely access our client's environment," culminating in the hijacking of "multiple active user sessions."
So in short, the good news is that the vast majority of websites, and all of the most heavily trafficked sites on the Web, have fixed this vulnerability, which stems from a bug in the OpenSSL code responsible for sending "Heartbeat" messages between servers and clients, including PCs and mobile devices.
The not-so-good news is that there may have been more folks out there using the Heartbleed exploit to steal private data and take over user sessions than we previously thought. There's been one notable arrest of a Heartbleed attacker to date, a Canadian teen alleged to have exploited the bug to pilfer taxpayer data from the Canada Revenue Agency.
Since we haven't heard much about any other specific attacks using Heartbleed and with the pretty rapid movement by prominent websites to fix the problem as documented Sucuri, there's a feeling we all may have dodged a bullet here.
Not so fast, say Mandiant researchers Christopher Glyer and Chris DiGiamo. Their research has led them to believe that too much Heartbleed discussion on the Internet "has focused on an attacker using the vulnerability to steal private keys from a Web server, and less on the potential for session hijacking" like the attack Mandiant tracked.
The researchers offered evidence for their belief that the attacker they tracked had "stolen legitimate user session tokens":
  • A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization's SSL VPN.
  • The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, "flip flopping", between the malicious IP address and the user's original IP address. In several cases the "flip flopping" activity lasted for multiple hours.
  • The timestamps associated with the IP address changes were often within one to two seconds of each other.
  • The legitimate IP addresses accessing the VPN were geographically distant from the malicious IP address and belonged to different service providers.
  • The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
The Mandiant researchers recommended that all organizations running remote access software and appliances determined to be vulnerable to the Heartbleed exploit both upgrade with available patches immediately and review their VPN logs to see if an attack had occurred in the past.
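The VPN log review Mandiant recommends can be automated against the indicators listed above: repeated source-IP changes on one user's session within a second or two, with the intruding address also appearing in Heartbleed IDS alerts. The following is an added example, not Mandiant's tooling or code from the original article; the VPN and IDS log formats, the signature name and all addresses are constructed for this example, and a user who merely roams to a new address hours later is deliberately included to show what is not flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IDS signature name, not a real vendor rule id.
HEARTBLEED_SIGS = {"OpenSSL-Heartbeat-Overread"}

# Constructed VPN session log: alice's session bounces between her original
# address and a second one within seconds; carol simply roams once, hours apart.
VPN_LOG = """\
2014-04-08T14:00:01 user=alice src=203.0.113.10
2014-04-08T14:00:02 user=alice src=198.51.100.7
2014-04-08T14:00:04 user=alice src=203.0.113.10
2014-04-08T14:00:05 user=alice src=198.51.100.7
2014-04-08T14:00:06 user=alice src=203.0.113.10
2014-04-08T14:00:09 user=bob src=192.0.2.25
2014-04-08T14:30:00 user=bob src=192.0.2.25
2014-04-08T15:10:00 user=carol src=192.0.2.40
2014-04-08T19:00:00 user=carol src=192.0.2.90
"""

# Constructed IDS alert log covering the minutes before the session anomaly.
IDS_LOG = """\
2014-04-08T13:58:00 src=198.51.100.7 sig=OpenSSL-Heartbeat-Overread
2014-04-08T13:58:01 src=198.51.100.7 sig=OpenSSL-Heartbeat-Overread
2014-04-08T13:59:30 src=198.51.100.7 sig=OpenSSL-Heartbeat-Overread
"""

def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> (datetime, {k: v})."""
    ts, *fields = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), dict(
        f.split("=", 1) for f in fields)

def parse_vpn(text):
    """Return (timestamp, user, source_ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kv = parse_line(line)
            events.append((ts, kv["user"], kv["src"]))
    return sorted(events)

def heartbleed_sources(text):
    """Map source IP -> number of Heartbleed IDS alerts it triggered."""
    hits = defaultdict(int)
    for line in text.splitlines():
        if line.strip():
            _, kv = parse_line(line)
            if kv.get("sig") in HEARTBLEED_SIGS:
                hits[kv["src"]] += 1
    return dict(hits)

def find_flip_flops(events, window_seconds=2, min_flips=3):
    """Per user, count source-IP changes occurring within window_seconds of the
    previous record; a lone change hours apart (roaming) never reaches min_flips."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    findings = {}
    for user, seq in by_user.items():
        original_ip = seq[0][1]
        rapid, first, last, others = 0, None, None, set()
        prev_ts, prev_ip = seq[0]
        for ts, ip in seq[1:]:
            if ip != prev_ip and (ts - prev_ts).total_seconds() <= window_seconds:
                rapid += 1
                first = prev_ts if first is None else first
                last = ts
                # record whichever side of the flip is not the user's original address
                others.add(ip if ip != original_ip else prev_ip)
            prev_ts, prev_ip = ts, ip
        if rapid >= min_flips:
            findings[user] = {
                "original_ip": original_ip,
                "other_ips": sorted(others),
                "rapid_flips": rapid,
                "span_seconds": (last - first).total_seconds(),
            }
    return findings

def analyze(vpn_text, ids_text):
    """Attach Heartbleed alert counts for each flagged session's other addresses."""
    alerts = heartbleed_sources(ids_text)
    findings = find_flip_flops(parse_vpn(vpn_text))
    for info in findings.values():
        info["heartbleed_alerts"] = {ip: alerts[ip] for ip in info["other_ips"] if ip in alerts}
    return findings
```

Calling analyze(VPN_LOG, IDS_LOG) on the constructed data flags only alice, with 198.51.100.7 as the flip-flopping address and three matching IDS alerts; bob and carol produce no finding.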