
Heartbleed Turned Against Cyber Criminals

Posted by Soulskill
from the bringing-balance-to-the-force dept.
Rambo Tribble writes: "In a case of 'live by the sword, die by the sword,' researchers have used the now-infamous Heartbleed bug in OpenSSL to gain access to black-hat forums. A French researcher named Steven K. is quoted as saying, 'The potential of this vulnerability affecting black-hat services is just enormous.' Reportedly, the criminal-minded sites Darkode and Damagelab have already been compromised." In related news, U.S. Cybersecurity Coordinator Michael Daniel posted an article at Whitehouse.gov yesterday reaffirming that the U.S. government had no prior knowledge of Heartbleed. He said, 'We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'

  • 'usually' (Score:2, Insightful)

    by Anonymous Coward on Tuesday April 29, 2014 @06:07PM (#46872989)

    Ahhh. There it is. The wiggle room.

  • by John.Banister (1291556) * on Tuesday April 29, 2014 @06:07PM (#46872993) Homepage
    Perhaps Michael Daniel's office would care to contribute. It might benefit their ability to project power abroad.
  • by Pseudonym (62607) on Tuesday April 29, 2014 @07:13PM (#46873523)

    Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].

    The open source community didn't find it either. If it's any consolation, the NSA is probably about as competent as we are.

  • Re:Yep. (Score:3, Insightful)

    by Em Adespoton (792954) <slashdotonly.1.adespoton@spamgourmet.com> on Tuesday April 29, 2014 @07:25PM (#46873623) Homepage Journal

    5. Site is hosted on a compromised server in the first place -- fixing this by recompiling the server would alert the host admin.

  • For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.'

    Go blow that smoke up someone else's ass. If that was true then the NSA would "usually" publish the black-market zero day exploits they purchase as ammo for their Ferret Cannon exploit launching system. [theatlantic.com] But they don't, ever. They just use them till someone else finds and fixes it.

    Those fuckers don't need our shit to be secure at all. They don't want it to be so either. They don't even use the same networks we do for secure coms. Hell, that's what the Number Stations are all about. [wikipedia.org] Every once in a while my scanner will catch one of my favorite broadcasts: Old school, just a monotonous series of digits. I'll fall asleep listening to them droning on and on -- no doubt only decipherable by one-time pads. You know, because public key crypto just moves the key-sharing problem of authentication around -- The endpoints still have to exchange the public keys, just like they'd have to exchange one-time pads (hundreds of Gigs of pad can fit in a micro SD card now). The CA system just moves the authentication problem from "which is their public key" to "which CA are they using" and adds: "Which CA can be trusted?" (none).

    Look, if it was so damn important that the SSL systems were secure then the VERY BROKEN CA system would have been fixed a long time ago. As it stands now it's just a collection of single points of failure and any one compromised CA brings the whole thing down (see: Diginotar Debacle). SSL has NEVER provided security, ever. At least with pre-arranged / pre-shared keys if you do manage to transmit the key out of band (in person, at your bank, etc) no one can ever MITM the connection. All TLS / PKI did was ensure that all SSL connections had a potential MITM via the CA. No competent security researcher would design a system like that. You have American, Iranian, Turkish, Chinese, Russian, and etc. root certs trusted in your browser. If they compromise any router between you and your destination they can MITM the connection, you'll see a big green bar too. Even if you did examine the cert chain, you'd have no way to know if the endpoint switched to a new CA, since any CA can create any cert for any domain, you have to trust ALL of them.

    Web security is a laughing stock, and any "black-hat" group that was relying on SSL for any coms is probably just a CIA front, because EVERYONE with any snap has known that shit is not safe since its inception. [youtube.com] Would YOU trust a CA to sign certs if they also sell information interception services to governments? Why did you then? We already have accounts and pre-arranged secrets with all the places we need secure so just take your existing HTTP-Auth proof of knowledge hash [wikipedia.org] and feed it to the damn stream cipher and you're done. Well, and remove the basic auth bullshit, that's not needed, since we have cookies and web forms already. Point being: It's trivial to fix the CA system, but they don't do so, thus it's apparent that no government wants this shit to be secure or we wouldn't have the CA system, and they all wouldn't be able to spy on us. If you ask me that's collusion with the enemy against the citizens: Treason.
