4/14/2014
07:00 PM

Heartbleed's Intranet & VPN Connection

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

It's been one week since the massive Heartbleed flaw was disclosed publicly and websites began frantically patching, but the potential danger of the bug being used to hack into businesses' internal networks and steal their data could last for years to come.

The attention initially focused on patching public-facing websites and protecting user credentials from Heartbleed, as well as sites' digital certificates. But the long-term ramifications of the Heartbleed encryption flaw in the widely deployed open-source OpenSSL library are slowly coming into focus: how cyberspies and sophisticated cybercrime gangs can or already have used the bug to infiltrate an organization's intranet servers, network devices, client machines, and VPN servers in order to steal valuable data.

"The immediate focus should have been on the perimeter and external websites. But the long-term devastation and real cost is from the internal [network] perspective," says Rob Seger, distinguished engineer at Palo Alto Networks. "Being able to steal all the data carte blanche is, in my opinion, a more lasting and negative" outcome of Heartbleed.

The list of potentially vulnerable internal assets is massive -- everything from internal web servers for mission-critical internal applications to SSL-enabled services such as FTP over SSL, VoIP phones, printers, VPN servers, and VPN clients. "The reality is that it's going to take 4-5 years minimum for the larger enterprises to clean this up," assuming they know where all their vulnerable SSL-based services and products reside in the network, Seger says.

Identifying and patching those internal Heartbleed-vulnerable systems will take time, and in many cases, not everything will get patched. Some lower-profile devices may not ever receive vendor patches, security experts say, and legacy systems could get lost in the patch shuffle.

A VoIP phone, for example, could be exploited to listen in on calls, and data within documents coming off a printer would be at risk of interception. Client machines, meanwhile, are exposed when they connect to a malicious or compromised server: the heartbeat flaw works in both directions, so a server can read memory from a vulnerable OpenSSL-based client, such as a VPN client, and collect data from those machines, experts say.

"This made it so a script kiddie can leverage APT-level attacks... by stealing a Python script off the web, he can do things only APTs can do," Palo Alto's Seger says.

Heartbleed is an implementation flaw in OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 beta that lets one side of a TLS connection read the contents of the other side's process memory, server to client or client to server, potentially exposing passwords, session cookies, other sensitive data -- and the SSL server's private key. The bug entered the open-source code with the release of OpenSSL 1.0.1 in March 2012 and went unnoticed for two years, until researchers at Google and Codenomicon independently discovered and reported it.

OpenSSL released a patch (version 1.0.1g) a week ago for the bug in the Transport Layer Security "heartbeat" extension (RFC 6520), a keep-alive mechanism in which one endpoint sends a small payload and the other echoes it back to show that it is still connected and can respond. The flaw is a missing bounds check: the code trusts the payload length the peer declares in the heartbeat request and copies that many bytes back, even when far fewer bytes were actually sent, so the reply is filled out with whatever happened to sit next to the request in memory. Each malformed request can siphon up to 64 kilobytes of memory, and an attacker can repeat it as often as needed.
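To make the mechanism concrete, here is an added example that is not code from the article or from OpenSSL. It models an RFC 6520 heartbeat message in Python (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) and runs it through two handlers: one that trusts the declared length the way OpenSSL 1.0.1 through 1.0.1f did, and one that applies the bounds check added in 1.0.1g. The `ProcessHeap` stand-in, the handler names, and the secrets placed next to the record buffer are all constructed for illustration.

```python
"""Heartbleed mechanics on a constructed TLS heartbeat message.

Added example; not code from the article or from OpenSSL. The heap layout
and the secrets that follow the record buffer are constructed.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
HB_HEADER_LEN = 3        # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16      # RFC 6520: padding MUST be at least 16 bytes


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. An honest client omits claimed_length; an
    attacker declares far more than it actually sends (up to 65535)."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + bytes(HB_MIN_PADDING)


class ProcessHeap:
    """Stand-in for the server's heap: the received record is copied into a
    buffer, and whatever else the process holds (constructed here) follows it."""

    def __init__(self, record: bytes, neighbours: bytes):
        self.mem = bytearray(record) + bytearray(neighbours)
        self.record_length = len(record)     # what OpenSSL's rrec.length would hold


def vulnerable_process_heartbeat(heap: ProcessHeap) -> bytes:
    """Pre-1.0.1g logic: read payload_length from the message and copy that many
    bytes out of the record buffer, running past the record into its neighbours."""
    hbtype, payload_length = struct.unpack("!BH", heap.mem[:HB_HEADER_LEN])
    if hbtype != HB_REQUEST:
        return b""
    copied = bytes(heap.mem[HB_HEADER_LEN:HB_HEADER_LEN + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + copied + bytes(HB_MIN_PADDING)


def fixed_process_heartbeat(heap: ProcessHeap) -> Optional[bytes]:
    """1.0.1g logic: drop the message unless header + declared payload + minimum
    padding fit inside the record that actually arrived."""
    if heap.record_length < HB_HEADER_LEN + HB_MIN_PADDING:
        return None                              # too short to carry a heartbeat at all
    hbtype, payload_length = struct.unpack("!BH", heap.mem[:HB_HEADER_LEN])
    if HB_HEADER_LEN + payload_length + HB_MIN_PADDING > heap.record_length:
        return None                              # declared length exceeds record: discard
    if hbtype != HB_REQUEST:
        return None
    payload = bytes(heap.mem[HB_HEADER_LEN:HB_HEADER_LEN + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + bytes(HB_MIN_PADDING)


def response_payload(response: bytes) -> bytes:
    """Payload carried by a heartbeat response, as the peer would read it."""
    _, payload_length = struct.unpack("!BH", response[:HB_HEADER_LEN])
    return response[HB_HEADER_LEN:HB_HEADER_LEN + payload_length]


def demo() -> dict:
    # Constructed neighbouring heap contents: a session cookie and a key fragment.
    neighbours = b"\x00" * 8 + b"session=4e9a1c; " + b"-----BEGIN RSA PRIVATE KEY-----"
    attack = build_heartbeat(b"hi", claimed_length=0xFFFF)   # sends 2 bytes, claims 65535
    honest = build_heartbeat(b"hi")

    leaked = response_payload(vulnerable_process_heartbeat(ProcessHeap(attack, neighbours)))
    # In C the reply would carry 65535 bytes of whatever followed the record; here the
    # simulated heap simply ends, so the leak stops at the end of `neighbours`.
    return {
        "vulnerable_leaks_neighbours": neighbours in leaked,
        "fixed_drops_attack": fixed_process_heartbeat(ProcessHeap(attack, neighbours)) is None,
        "fixed_echoes_honest": response_payload(
            fixed_process_heartbeat(ProcessHeap(honest, neighbours))) == b"hi",
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the fix does not touch the copy itself; it refuses to act on a length that cannot be true given the record that arrived, and it silently discards the message rather than answering, which is why a patched server gives an exploit script nothing at all.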

The discovery of Heartbleed comes at a time when the security and privacy communities have been lobbying heavily for wider SSL adoption, reacting to revelations of widespread surveillance by the National Security Agency.

"We still don't have definite consensus on how bad this [Heartbleed] is yet," says Damon Rouse, director of IT for the defense and government contractor Epsilon Systems.

Rouse, who says his organization is mostly a Windows environment and so is not as widely affected by Heartbleed as some larger organizations, has spotted some false positives in his network pointing to Heartbleed attack activity. "We've seen a couple of false positives with some IPS rules we have put in place" on the network. One alert turned out to be a backup vendor's OpenSSL implementation that required a patch, which came the next day, he says.

Businesses and other organizations are beginning to take a close look at their internal web server interfaces, VPN concentrators, and other internal systems using SSL for encrypted sessions. "I have a red team group, and our collective feel is that this is something within organizations that has got a long-tail effect that's going to linger for years to never for some products that may have versions that may never receive a vendor patch," says George Baker, director of professional services at the managed security services firm Foreground Security. "This is a great vector for an advanced attack -- for a phish or a beachhead."

So how can organizations protect their internal networks from the potential bloodletting of Heartbleed?

Segment your internal network, for example with VLANs. A flat architecture makes it too easy for attackers to move around laterally and get to targeted information, experts say. "Create logical barriers, especially around data centers," says Raj Shah, director of cybersecurity for Palo Alto Networks.

"If you can segment those networks internally, even if a patch is not available for a phone, or an embedded device, for example, you can move it to a place where laptops and systems that don't need to connect to it are segmented and segregated. Segregating internal network space is a huge risk reduction for an advanced attack," Foreground's Baker says.

Traffic between those VLANs can then be restricted with router access control lists or stateful firewalls, he says.

IPSes and data leakage protection systems should be updated to detect Heartbleed-type attacks as well, and web application firewalls can help. Network signatures for Heartbleed typically look for a TLS heartbeat record whose declared payload length is larger than the record that carries it, or for a heartbeat response far larger than the request that preceded it. One caveat: those fields are only readable when the heartbeat is sent in the clear before the handshake completes, which is how the public exploit scripts work; heartbeats inside an established session are encrypted, and a successful read leaves nothing in the server's own logs. "Usually, in these cases, it takes a while to understand you've been compromised," says Motty Alon, director of security solutions at Radware.
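As an added example of the kind of check such signatures perform (not the article's, and not any vendor's rule set), the following Python runs two tests over constructed TLS records: a heartbeat whose declared payload length cannot fit in its record, and a heartbeat response larger than the request it answers. The `tls_record` and `heartbeat` builders, the `inspect_flow` function, and both sample flows are constructed here; an honest keep-alive is included so the rule can be shown not to fire on it.

```python
"""Heartbleed detection logic run over constructed TLS records.

Added example; not the article's or any vendor's rule set. Records are built
inline so the code runs offline.
"""
import struct
from typing import List, Optional, Tuple

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN, HB_MIN_PADDING = 3, 16


def tls_record(content_type: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build one TLS record: 5-byte header (type, version, length) + body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def heartbeat(hbtype: int, payload: bytes, claimed: Optional[int] = None) -> bytes:
    """Heartbeat message body; `claimed` lets a constructed attacker lie about length."""
    if claimed is None:
        claimed = len(payload)
    return struct.pack("!BH", hbtype, claimed) + payload + bytes(HB_MIN_PADDING)


def inspect_flow(flow: List[Tuple[str, bytes]]) -> List[str]:
    """Run the two Heartbleed checks over records in the order they were seen.

    flow: (direction, raw_record) pairs, direction "c2s" or "s2c".
    Returns alert strings; an empty list means the heartbeats looked honest.
    """
    alerts: List[str] = []
    last_request_len: Optional[int] = None
    for direction, raw in flow:
        if len(raw) < 5:
            continue
        ctype, _version, length = struct.unpack("!BHH", raw[:5])
        body = raw[5:5 + length]
        if ctype != TLS_HEARTBEAT or len(body) < HB_HEADER_LEN:
            continue                               # not a heartbeat, or truncated
        hbtype, claimed = struct.unpack("!BH", body[:HB_HEADER_LEN])
        # Check 1: header + declared payload + minimum padding must fit the record.
        if HB_HEADER_LEN + claimed + HB_MIN_PADDING > len(body):
            alerts.append(f"{direction}: heartbeat claims {claimed}-byte payload "
                          f"in a {len(body)}-byte record")
        # Check 2: a response echoes the request, so it should not be larger.
        if hbtype == HB_REQUEST:
            last_request_len = len(body)
        elif (hbtype == HB_RESPONSE and last_request_len is not None
              and len(body) > last_request_len):
            alerts.append(f"{direction}: heartbeat response ({len(body)} bytes) "
                          f"larger than request ({last_request_len} bytes)")
    return alerts


def demo() -> Tuple[List[str], List[str]]:
    """Constructed flows: an exploit attempt and an honest keep-alive."""
    # Exploit: 2-byte payload claiming 16384 bytes, answered with a 4000-byte record
    # whose payload stands in for leaked heap contents.
    leak = b"A" * 3981
    exploit = [
        ("c2s", tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, b"hi", claimed=0x4000))),
        ("s2c", tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, leak))),
    ]
    # Honest: the payload is echoed back unchanged, so request and response match.
    honest = [
        ("c2s", tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, b"keepalive-0001"))),
        ("s2c", tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, b"keepalive-0001"))),
    ]
    return inspect_flow(exploit), inspect_flow(honest)


if __name__ == "__main__":
    exploit_alerts, honest_alerts = demo()
    print("exploit:", exploit_alerts)
    print("honest:", honest_alerts)
```

Two things a practitioner should keep in mind when deploying rules of this shape. First, as noted above, the checks only work on heartbeats sent before the handshake finishes; once the session is encrypted, only the record type and length remain visible, so the size-comparison check is the one that survives. Second, a legitimate heartbeat that happens to be large, or a server stack that answers heartbeats with its own padding scheme, can trip a size-only rule, which is the sort of false positive described later in this article.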

Heartbleed is a game-changing security event, Alon says. "It's something like what happened to airport security after 9/11. It will change all of the things we know, and there will be" multiple stages to the response.

Meanwhile, at least one anti-DDoS service provider says its service thwarts Heartbleed. Barrett Lyon, founder and CTO of Defense.Net, says his DDoS mitigation service automatically inspects traffic flows and validates protocols, and checks for oddities -- "if you connect in a strange way to an SSL server and the connection is not actually coming with it as if it's a web browser," for example.

Lyon says some companies may have to toss out equipment that can't be patched for Heartbleed. "We're going to hear from vendors we haven't heard from in a long time. It's going to have a ripple effect."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Alexpth, User Rank: Apprentice, 5/22/2014 | 8:29:19 AM
Re: It's possible to analyze all traffic for heartbeat messages
If I use a VPN service from some VPN providers, for example shadeyouvpn, does such a service protect me from this danger?
Tyson S, User Rank: Apprentice, 4/17/2014 | 12:13:48 PM
It's possible to analyze all traffic for heartbeat messages
ExtraHop analyzes all traffic to parse out transaction-level metrics, including the heartbeat messages used in this exploit. In this way, enterprise IT teams can easily monitor all potential Heartbleed attacks against any device acting as an SSL server. We've described this capability here: http://www.extrahop.com/post/blog/detect-heartbleed-exploits-with-extrahops-free-download/
AmmarNaeem, User Rank: Apprentice, 4/17/2014 | 5:36:02 AM
Re: Obama Approved NSA's use of Heartbleed for 'National' Interests
Heartbleed is a platform-independent problem that has exposed what is being called a two-year-old underlying weakness in the OpenSSL protocol. Major websites like Facebook and Tumblr have applied the necessary patches, but mobile devices (smartphones) still remain unsafe. Android and iOS users can secure online privacy and internet freedom (until the patches/upgrades come out) by using VPNs to tunnel and encrypt their data. Heartbleed is Causing Damage & You Need to Protect Yourself.
Kelly Jackson Higgins, User Rank: Strategist, 4/16/2014 | 8:20:55 AM
Re: Obama Approved NSA's use of Heartbleed for 'National' Interests
@micjustin33, we also covered the White House's policy on using 0days here:

http://www.darkreading.com/analytics/white-house-details-zero-day-bug-policy/d/d-id/1204483?
micjustin33, User Rank: Apprentice, 4/16/2014 | 8:13:15 AM
Obama Approved NSA's use of Heartbleed for 'National' Interests
After the White House denied .. Obama approved NSA's use of Heartbleed for 'National' Interests.

The problem was lack of oversight/review, not usually a problem unless it's mission-critical like OpenSSL. Code's a mess though.

Well that is kind of their (NSA) job, to decrypt things and stuff. Can't have the outside world too secure from the alphabet agencies now can we ...