By now, most high ranked websites have fixed themselves if they were vulnerable to the Heartbleed bug. In fact, all of the top 1,000 websites worldwide have already patched the issue. Based on Alexa rankings, only about 20,000 in the top million visited websites are still vulnerable to Heartbleed. So it’s safe to say that most websites are no longer at risk of being exploited through this bug.
That’s great, and it has made many feel comfortable about their browsing habits going onward. However, it does not actually mean that they’re in the clear. It was recently reported that Cisco and Juniper routers are vulnerable. It’s not just routers though, many Android users are still waiting on a patch.
VPNs Reportedly Affected By Heartbleed Bug
See, the problem is that the Heartbleed exploit doesn’t stop at snatching private SSL keys, it can compromise VPN session tokens as well.
Mandiant, a security group recently acquired by FireEye for $1 billion, announced the discovery of a VPN-focused attack that started on April 8th. Mandiant claims that this attack was a success and the attacker managed to take over user’s active sessions with believed authentication to the server.
The specific VPN that had been attacked was not specified by Mandiant.
A Problem That’s Just Getting Started
This is truly a situation that everyone on the Internet has feared for a long time. The damage has been done and now all the patchwork comes to play. Everyone has focused on securing websites, but forgot to realize that VPNs are at risk too. The example above shows that a VPN has already been compromised with the Heartbleed bug. What it doesn’t show is that it’s the only vulnerable VPN, because it’s not.
All an attacker has to do is take advantage of the Heartbleed exploit and obtain authentic VPN session tokens to use in a malicious way. By accomplishing this, the attacker will now have access to all active sessions. This can go on for as long as the VPN is not protected.
How Can You Keep Safe From VPN-Based Heartbleed Attacks?
Most of what can be done is in the hands of the VPN owner. They will be responsible for updating their VPN to ensure that it is no longer vulnerable to the Heartbleed exploit.
Mandiant does suggest that VPN owners take advantage of the IDS signature service. This is used to easily identify Heartbleed-based exploitations by outside parties. This service helps to spot the more obvious attempts of attacking a VPN through the Heartbleed bug. It is not guaranteed to catch everything, but it definitely helps.
Of course, you can protect yourself by only using safe VPNs. What makes a VPN safe though? In this particular circumstance, the VPN would have to not be based on OpenSSL.
While OpenSSL-based VPNs are not incredibly common, there are still some that exist. For example, OpenVPN uses OpenSSL and most of its older versions are at risk of Heartbleed exploitation. However, they made a press release detailing that the fix has been made and that a new version can be downloaded to protect yourself as a user.
Barracuda is another VPN that utilizes OpenSSL. They also listed the vulnerable versions so their users knew how to keep themselves protected. In this case, it’s interesting to note that they have many different individual services that were vulnerable to the Heartbleed bug. This includes services for backing up emails, archiving messages, and even a firewall service. This just further points out that there are endless products and services that are possibly affected by the Heartbleed exploit. It will definitely be hard to identify all the vulnerabilities and it’s likely something that will continue to pan out for a few years.
So to keep safe, all you have to do is make sure that your VPN is not based on OpenSSL or make sure that they have provided an update that will protect you from this exploit. It’s pretty simple, you just have to take a quick look on the home page, news, or blog of your VPN provider and find out the latest news.
Staying Secure in the Future
An interesting concept that not many have discussed so far is the idea behind malicious attackers building fake websites as a way to trap users – or even real online shops – so that they can take advantage of the Heartbleed bug. This is something that will likely be seen more in the future once all the other exploitable approaches with the Heartbleed bug dry up.
What does this mean? Essentially, it means that the Internet of illicit actors just got a little worse. The worst part is that criminals now have one of the easiest means of accesses imaginable. There is no telling what innovative ways they will find to use this to their advantage in the future.
So all you can do is be diligent. Change your old passwords and be cautious as to what SSL version is being used by any websites, servers, or devices that you access. Over time it will seem to blow over, but security exploits are still there. As a side note, now may be a good time to start rethinking how much you use your credit card online too.