Another Heartbleed attack

Forbes mentions the Canadian incident in which the Heartbleed online security flaw was employed to loot taxpayer data from the Canadian Revenue Agency, which I wrote about earlier this week, but then adds another confirmed attack on UK parenting website Mumsnet… and this one’s even more alarming, because it involved the worst-case Heartbleed scenario, in which a hacker stole the passwords needed to gain administrative access to the entire site:

Another victim of Heartbleed also announced to its users that it had been attacked, Mumsnet. The e-mail to users stated “On Thursday 10 April we at Mumsnet HQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole… However, it seems that users’ data was accessed prior to our applying this fix”. Mumsnet posted an article outlining how the attacker was able to log in as the founder of Mumsnet, Justine Roberts, after using Heartbleed to steal her username and password. This demonstrates practically how Heartbleed could cause damage after many of the debates between experts last week.

James Lyne at Forbes salutes both the CRA and Mumsnet for speedily informing users that the attack had occurred, and for taking every available precaution to restore the integrity of their systems immediately. However, he worries that other Heartbleed targets may be reluctant to disclose that such attacks have taken place, for fear of scaring away users and investors. Also, as I mentioned in my first post on Heartbleed, if a system has been compromised there is nothing users can do until the necessary software patches have been installed; changing your password on a still-vulnerable server just gives the hackers a shot at stealing your new login credentials as well.
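To make the ordering point in that last sentence concrete, here is an editor-added example (not code from the original post, Forbes, Mumsnet or any other site named here) that classifies the banner printed by `openssl version` as Heartbleed-exposed, fixed or unaffected, and derives the safe next step from it. The affected range it encodes (1.0.1 through 1.0.1f plus 1.0.2-beta1, with the fix in 1.0.1g) is the well-known one, stated from the editor's knowledge rather than from the article; the sample banners are constructed.

```python
import re

# Heartbleed exposure by OpenSSL release. These ranges are the well-known facts
# about the bug, stated from the editor's knowledge; the article itself gives no
# version numbers. The heartbeat extension first shipped in 1.0.1, the fix is in
# 1.0.1g, 1.0.2-beta1 was also affected, and the 0.9.8 and 1.0.0 branches never
# contained the heartbeat code at all.
FIRST_AFFECTED = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, tag) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, tag = m.groups()
    return int(major), int(minor), int(patch), letter, (tag or "")


def classify(banner):
    """Classify a banner as 'vulnerable', 'fixed', 'not_affected' or 'unknown'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, tag = parsed
    base = (major, minor, patch)
    if base < FIRST_AFFECTED:
        return "not_affected"          # 0.9.8x and 1.0.0x have no heartbeat code
    if base == FIRST_AFFECTED:
        # 1.0.1 (no letter) through 1.0.1f are exposed; 1.0.1g and later are fixed.
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "fixed"
    if base == (1, 0, 2):
        return "vulnerable" if tag == "beta1" else "fixed"
    return "fixed"                      # 1.0.2 final, 1.1.x, 3.x


def next_action(banner, keys_reissued=False):
    """Safe order of recovery steps for the server described by `banner`.

    Rotating a password on a still-vulnerable server only exposes the new one,
    and because the bug can also leak the server's private key, passwords are
    worth rotating only after the host is patched and its TLS keys and
    certificate have been replaced.
    """
    status = classify(banner)
    if status == "vulnerable":
        return "patch first; do not rotate passwords yet"
    if status == "fixed" and not keys_reissued:
        return "reissue TLS keys and certificate, then rotate passwords"
    if status == "fixed":
        return "rotate passwords now"
    if status == "not_affected":
        return "no Heartbleed action needed"
    return "cannot determine; treat as vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not collected from any real host.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "LibreSSL 2.8.3",
    ]
    for s in samples:
        print(f"{s!r:40} {classify(s):13} {next_action(s)}")
```

One caveat a practitioner needs: distributions such as Debian and Red Hat backport security fixes without bumping the upstream version string, so a banner reading 1.0.1e can belong to an already patched package. On such hosts the package changelog, not the banner, is the authority, which is why the "unknown" and "vulnerable" outcomes above both default to the cautious answer.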

Most disturbingly of all, it’s quite possible that large systems have been raided through the Heartbleed vulnerability without their administrators having any idea that an attack has occurred. Because the bug lets an attacker read server memory over what looks like an ordinary encrypted connection, passwords could be stolen without the online thieves leaving any trace of their presence in the logs. The Mumsnet incident highlights this danger – they didn’t know they had a problem until they made extensive efforts to find it.

Since one of the first Heartbleed targets was a Canadian government server, thoughts turn naturally to one of the most badly-constructed, potentially insecure giant websites in the history of the Internet: HealthCare.gov, the hideous web portal constructed to handle the federal ObamaCare exchange. Security experts have been warning about the vulnerabilities of HealthCare.gov since before it launched.

On the bright side, HealthCare.gov was so incompetently designed that it was almost completely non-functional for the first few months of its existence, limiting the accumulation of data that hackers might be interested in stealing. These issues were largely corrected over time, so now there is plenty of sensitive data tucked away in the system. I’ve seen surprisingly little discussion over whether HealthCare.gov could be vulnerable to Heartbleed, save for a Nextgov post from last week, in which the Department of Homeland Security asserted that none of the major U.S. government websites use the SSL software version that included the buggy code.

DHS officials on Friday morning posted a blog entry saying the bug does not jeopardize personal information on key federal websites. The “government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat,” wrote Larry Zelvin, director of the DHS National Cybersecurity and Communications Integration Center. “We are continuing to coordinate across agencies to ensure that all federal government websites are protected from this threat.”

DHS and White House officials would not provide further details after the blog post. The Centers for Medicare and Medicaid Services on Thursday said HealthCare.gov and MyMedicare.gov consumer accounts were not affected by the vulnerability. CMS directed further questions about Heartbleed to the White House.

Conspiracy theorists may cite this as evidence for the assertion – made predominantly by Bloomberg News, and hotly disputed by the U.S. intelligence community – that the National Security Agency discovered Heartbleed shortly after it came into existence two years ago, but kept the knowledge to itself. Perhaps a quiet heads-up was issued to other government agencies to avoid using the code that included this immense security flaw…?

It’s more likely that the government simply never got around to installing the OpenSSL (Secure Sockets Layer) release that included the Heartbleed bug; government agencies tend to take their time with non-critical software updates, and agencies make some effort to act in unison when they do.

But Nextgov quotes some security analysts who think the government might be wrong, or deliberately lying, about its exposure to Heartbleed:

Analysts said the potential for HealthCare.gov problems depends on the type of information [Akamai Technologies servers were] handling.

“If they were transferring personal information, then that data would be at risk,” regardless of government security protections, said Jerry Irvine, a member of the National Cyber Security Partnership, a public-private organization.

“If they were using Akamai for services other than direct data input,” such as for hosting photos and other multimedia, “then personal information would not have been at risk,” added Irvine, who consults with state and local governments on information security. 

Many other federal websites are in the same position, according to the researchers. The Heartbleed vulnerability originates in code for OpenSSL, a popular encryption tool. Apache, one of the most common Web servers running federal websites, uses OpenSSL by default, said Johannes Ullrich, dean of research at the SANS Technology Institute.

Reminder: the Obama Administration has made it clear that it feels no obligation to disclose hacker attacks on HealthCare.gov, and in fact you can be absolutely, metaphysically certain they would never do so, because they would regard such disclosure as political ammunition for ObamaCare’s critics, not to mention scaring people away from the already under-performing health care reform.
