April 12, 2014

Heartbleeding credit cards

Heartbleed Vulnerability
The Heartbleed vulnerability and exploit published few days ago in the wild. I suppose that most of you already understand the implications of communicating with servers that run a vulnerable version of OpenSSL, e.g. session hijacking, credentials stealing etc.

Known Threat Vectors
  1. Although OpenSSL in an open source software that can run on all standard operating systems, it runs mostly on Linux/Unix-based operating systems.
  2. Most (maybe all) appliances that protect organisations' gateways based on Linux/Unix-based operating systems. Thus, remote access such as SSL/VPN is highly attractive for hackers. From the other hand, organisations' IT operations are responsible to communicate the risks and even stop the SSL/VPN service if needed (depends on risk management).
What About Windows?
According to Microsoft's publication, Windows is not vulnerable to this attack due to the usage of SChannel security package for SSL communications.
However, most of the large-scale websites that rely on Windows have a front-end network load balancers (NLB) that perform the SSL termination. These NLBs mostly based on Linux/Unix operating systems that vulnerable to this attack.
Since the sessions stored in the RAM of the NLB (even for a minimal time), the exploitability of the systems that based on Microsoft's technology remains applicable. However, the exploit is still not affecting the memory space of the processes on Windows OS.   

Ecommerce Scenario
As explained in many sources, the Heartbleed can access to the memory of the operating systems and steal sensitive data that stored in the memory.
Specifically, since credit cards stealing became a frequent attack, regular expressions of credit cards can be seek in the memory. This scenario is similar to regular memory scraping, but this time, no malware should be installed on the vulnerable OpenSSL implementation.