The Heartbleed bug has been the subject of much hand-wringing and has been called one of the most serious computer security breaches of all time. But some people aren’t convinced — after all, who has Heartbleed actually harmed? Well, there have been several reported attacks of Heartbleed being used to do real harm. If you think Heartbleed is all hype, think again.
900 SINs Stolen From the Canadian Revenue Agency
In Canada, an attacker used the Heartbleed bug against the Canadian Revenue Agency, capturing about 900 social insurance numbers (SINs) belonging to people filing their income taxes. This is basically the Canadian equivalent to an attacker capturing social security numbers (SSNs) from the IRS in the USA. Some data related to Canadian businesses was also stolen.
The attacker was arrested for capturing these numbers, but we don’t know if the attacker sold the SINs or passed them along to someone else. Like social security numbers in the USA, these numbers are generally not changeable — they can only be changed if you prove you’ve been a victim of fraud. Affected taxpayers will have to subscribe to a credit monitoring service and keep track of people attempting to open bank accounts and credit cards in their name. Identity theft is a serious concern here.
Mumsnet and Other Password Thefts
Mumsnet recently announced it is forcing all users to change their passwords. This wasn’t just a preventative measure — Mumsnet had reason to believe that attackers had gained access to the passwords and private messages belonging to up to 1.5 million users.
This is probably not the only website that’s had sensitive passwords stolen from it. If people are making the big mistake of reusing the same password on multiple websites, an attacker can get into other accounts. For example, if someone is using the same password for both their Mumsnet account and the email account tied to their Mumsnet account, the attacker can get into that email account. From there, the attacker can reset other passwords and get into other accounts
If you received an email from a service advising you to change your password and ensure you’re not using the same password elsewhere, it’s possible that service had its passwords stolen — or may have had its passwords stolen and isn’t sure.
VPN Hijacking and Private Key Thefts
Security company Mandiant announced that attackers used Heartbleed to breach an internal corporate VPN, or virtual private network, belonging to one of their clients. The VPN was using multifactor authentication, but that didn’t matter – – the attacker was able to steal private encryption keys from a VPN appliance with the Heartbleed attack and was then able to hijack activate VPN sessions.
We don’t know what corporation was attacked here — Mandiant just announced that it was a “major corporation.” Attacks like this one could be used to steal sensitive corporate data or infect internal corporate networks. If corporations don’t ensure their networks aren’t vulnerable to Heartbleed, their security can easily be bypassed.
The only reason we’re hearing about this is because Mandiant wants to encourage people to secure their VPN servers. We don’t know what corporation was attacked here because corporations don’t want to announce they’ve been compromised.
This isn’t the only confirmed case of Heartbleed being used to steal a private encryption key from a running server’s memory. CloudFlare doubted that Heartbleed could be used to steal private encryption keys and issued a challenge — try to get the private encryption key from our server if you can. Several people obtained the private key within a single day.
State Surveillance Agencies
Controversially, the Heartbleed bug could have been discovered and exploited by state surveillance and intelligence agencies before it became public knowledge. Bloomberg reported that the NSA has exploited Heartbleed for at least two years. The NSA and White House denied this, but director of national intelligence James Clapper did famously say the NSA did not collect any data on millions of Americans before the NSA’s surveillance activities became known, something we now know is not true. We also know that the NSA stockpiles security vulnerabilities for use against surveillance targets rather than reporting them so they can be fixed.
The NSA aside, there are other state surveillance agencies in the world. It’s possible that another country’s state surveillance agency discovered this bug and was using it against surveillance targets, possibly even US-based corporations and government agencies. We can’t know anything for sure here, but it’s very possible that Heartbleed has been used for espionage activities before it was publicly disclosed — it certainly will be used for these purposes now that it’s public knowledge!
We Just Don’t Know
We just don’t know how much damage Heartbleed has done yet. Businesses that end up with breaches thanks to Heartbleed will often want to avoid making any embarrassing announcements that could hurt their business or damage their stock prices. It’s generally easier to deal with the problem internally rather than letting the world know.
In many other cases, services won’t know they’ve been bitten by Heartbleed. Thanks to the type of request the Heartbleed vulnerability uses, Heartbleed attacks won’t show up in many server logs. It will still appear in network traffic logs if you know what to look for, but not every organization knows what to look for.
It’s also possible that the Heartbleed bug has been exploited in the past, before it became public knowledge. It’s possible that cybercriminals or — more likely — state surveillance agencies discovered the bug and have been using it. The examples here are just a snapshot of the few things we know.
The hype is justified — it’s important we get services and devices up-to-date as quickly as possible to help reduce the damage and avoid worse attacks in the future.