Heartbleeds Intranet & VPN Connection

Published: 22/11/2024   Category: security




How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.



It's been one week since the massive Heartbleed flaw was disclosed publicly and websites began frantically patching, but the potential danger of the bug being used to hack into businesses' internal networks and steal their data could last for years to come.
The attention initially focused on patching public-facing websites and protecting user credentials from Heartbleed, as well as sites' digital certificates. But the long-term ramifications of the Heartbleed encryption flaw in the widely deployed open-source OpenSSL library are slowly coming into focus: how cyberspies and sophisticated cybercrime gangs can, or already have, used the bug to infiltrate an organization's intranet servers, network devices, client machines, and VPN servers in order to steal valuable data.
"The immediate focus should have been on the perimeter and external websites. But the long-term devastation and real cost is from the internal [network] perspective," says Rob Seger, distinguished engineer at Palo Alto Networks. "Being able to steal all the data carte blanche is, in my opinion, a more lasting and negative outcome of Heartbleed."
The list of potentially vulnerable internal assets is massive -- everything from internal web servers for mission-critical internal applications to SSL-enabled services such as FTP over SSL, VOIP phones, printers, VPN servers, and VPN clients. "The reality is that it's going to take 4-5 years minimum for the larger enterprises to clean this up, assuming they know where all their vulnerable SSL-based services and products reside in the network," Seger says.
Identifying and patching those internal Heartbleed-vulnerable systems will take time, and in many cases, not everything will get patched. Some lower-profile devices may not ever receive vendor patches, security experts say, and legacy systems could get lost in the patch shuffle.
A VOIP phone, for example, could be exploited to listen in on calls, and data within documents coming off a printer would be at risk of interception. Client machines, meanwhile, are exposed when they connect to a service that exploits Heartbleed against them, which could collect data from those machines, experts say.
"This made it so a script kiddie can leverage APT-level attacks... by stealing a Python script off the web, he can do things only APTs can do," Palo Alto's Seger says.
Heartbleed is an implementation flaw in OpenSSL Versions 1.0.1 and 1.0.2 beta that leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords, other sensitive data -- and the SSL servers private key. OpenSSL developers inadvertently introduced the flaw in those versions of the open-source code at their release two years ago, but it was only recently that researchers at Google and Codenomicon discovered and reported it.
OpenSSL released a patch a week ago for the bug in the Transport Layer Security protocol's heartbeat extension, an extension to the protocol that checks on the site to which it is connecting to ensure it's connected and can respond. An exploit using the bug would allow an attacker to siphon up to 64 kilobits of server memory at a time.
The discovery of Heartbleed comes at a time when the security and privacy communities have been lobbying heavily for wider SSL adoption, reacting to revelations of widespread surveillance by the National Security Agency.
"We still don't have definite consensus on how bad this [Heartbleed] is yet," says Damon Rouse, director of IT for the defense and government contractor Epsilon Systems.
Rouse, who says his organization is mostly a Windows environment and so is not as widely affected by Heartbleed as some larger organizations, has spotted some false positives in his network pointing to Heartbleed attack activity. "We've seen a couple of false positives with some IPS rules we have put in place on the network. One alert turned out to be a backup vendor's OpenSSL implementation that required a patch, which came the next day," he says.
Businesses and other organizations are beginning to take a close look at their internal web server interfaces, VPN concentrators, and other internal systems using SSL for encrypted sessions. "I have a red team group, and our collective feel is that this is something within organizations that has got a long-tail effect that's going to linger for years to never for some products that may have versions that may never receive a vendor patch," says George Baker, director of professional services at the managed security services firm Foreground Security. "This is a great vector for an advanced attack -- for a phish or a beachhead."
So how can organizations protect their internal networks from the potential bloodletting of Heartbleed?
Segment your internal network with virtualization. A flat architecture makes it too easy for attackers to move around laterally and get to targeted information, experts say. "Create logical barriers, especially around data centers," says Raj Shah, director of cybersecurity for Palo Alto Networks.
"If you can segment those networks internally, even if a patch is not available for a phone, or an embedded device, for example, you can move it to a place where laptops and systems that don't need to connect to it are segmented and segregated. Segregating internal network space is a huge risk reduction for an advanced attack," Foreground's Baker says.
Those VLANs can be set up via router access control lists or stateful firewalls, he says.
IPSes and data leakage protection systems should be updated to detect Heartbleed-type attacks, as well, and web application firewalls can help. "Usually, in these cases, it takes a while to understand you've been compromised," says Motty Alon, director of security solutions at Radware.
"Heartbleed is a game-changing security event," Alon says. "It's something like what happened to airport security after 9/11. It will change all of the things we know, and there will be multiple stages to the response."
Meanwhile, at least one anti-DDoS service provider says its service thwarts Heartbleed. Barrett Lyon, founder and CTO of Defense.Net, says his DDoS mitigation service automatically inspects traffic flows and validates protocols, and checks for oddities -- "if you connect in a strange way to an SSL server and the connection is not actually coming with it as if it's a web browser, for example."
Lyon says some companies may have to toss out equipment that can't be patched for Heartbleed. "We're going to hear from vendors we haven't heard from in a long time. It's going to have a ripple effect."
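The article describes the flaw (a heartbeat message whose declared payload length is larger than what was actually sent, answered with that many bytes of the peer's memory) and recommends updating IPS rules to catch such traffic. The following detector is an added example written for this page, not code from the article or from any vendor named in it. It parses TLS records from constructed sample traffic, flags heartbeat requests whose 16-bit length field exceeds what the record can carry, and flags oversized heartbeat responses; the response-size threshold `RESPONSE_ALERT_BYTES` and the sample records are assumptions made for the example.

```python
import struct

TLS_HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type 24 = heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                    # RFC 6520 requires at least 16 bytes of padding
# Assumption for this example: a heartbeat response above this size is worth an alert.
RESPONSE_ALERT_BYTES = 256


def build_heartbeat_record(hb_type, declared_len, payload, padding_len=MIN_PADDING):
    """Construct a TLS 1.1 heartbeat record; used only to build test fixtures."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * padding_len
    return struct.pack("!BBBH", TLS_HEARTBEAT_CONTENT_TYPE, 3, 2, len(body)) + body


def inspect_record(record):
    """Classify one TLS record. Returns (is_heartbeat, alert_reason_or_None)."""
    if len(record) < 5:
        return False, "truncated TLS record header"
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT_CONTENT_TYPE:
        return False, None
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return True, "record length field does not match bytes on the wire"
    if len(body) < 3:
        return True, "heartbeat body shorter than its 3-byte header"
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    if hb_type == HEARTBEAT_REQUEST:
        # Bytes left for payload after the 3-byte heartbeat header and mandatory padding.
        capacity = rec_len - 3 - MIN_PADDING
        if declared_len > capacity:
            return True, (f"request declares {declared_len} payload bytes but record "
                          f"only carries {max(capacity, 0)}")
        return True, None
    if hb_type == HEARTBEAT_RESPONSE:
        if rec_len > RESPONSE_ALERT_BYTES:
            return True, f"oversized heartbeat response ({rec_len} bytes)"
        return True, None
    return True, f"unknown heartbeat type {hb_type}"


def scan_records(records):
    """Run the check over a sequence of records; return a list of (index, reason) alerts."""
    alerts = []
    for i, rec in enumerate(records):
        _, reason = inspect_record(rec)
        if reason:
            alerts.append((i, reason))
    return alerts


# Constructed sample traffic for the example (not captured from any real system).
SAMPLE_RECORDS = [
    # 0. Ordinary application-data record (content type 0x17): ignored by the check.
    b"\x17\x03\x02\x00\x05hello",
    # 1. Well-formed heartbeat request: declared length equals the bytes carried.
    build_heartbeat_record(HEARTBEAT_REQUEST, 4, b"ping"),
    # 2. Malformed request of the kind the article describes: the length field claims
    #    4096 bytes while the record carries none; an unpatched peer would answer with
    #    4096 bytes of its own memory.
    build_heartbeat_record(HEARTBEAT_REQUEST, 4096, b""),
    # 3. Suspiciously large response, the other side of the same exchange.
    build_heartbeat_record(HEARTBEAT_RESPONSE, 1024, b"\x00" * 1024),
]

if __name__ == "__main__":
    for idx, reason in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: ALERT {reason}")
```

Records 2 and 3 trigger alerts; records 0 and 1 do not. The request check is the same length-consistency test the OpenSSL patch added on the server side, so it produces no false positives for conforming clients; the response-size check is a heuristic and, as Rouse's experience above shows, will want tuning against legitimate implementations on the network.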