Heartbleed triggers panic among cyber criminals

Heartbleed is helping cyber security researchers to turn the tide on cyber criminals by allowing them to take material from forums and chat rooms that were once impenetrable.

The BBC reports that security specialists have found it easier to access forums used by criminals since the vulnerability was first discovered, and that the bug could be used for those ends for years to come.

"The potential of this vulnerability affecting black-hat services [where hackers use their skills for criminal ends] is just enormous," French anti-malware researcher Steven K told the BBC, adding that various forums have been placed in a “critical” position as a result of the bug.

Mr K has already had a level of success using special tools to access closed forums such as Darkode and Damagelab. "Not many people have the ability to monitor this forum [Darkode], but Heartbleed exposed everything," the researcher added.

The problems facing cyber criminals who use such forums are mirrored in the world at large, where a significant level of danger remains. It is exacerbated by the fact that many sites have yet to remove security credentials that are at risk from the bug, including security certificates that haven’t been invalidated or revoked. Web browsers haven’t made it any easier, doing a lacklustre job of checking whether certificates have in fact been revoked.

"If a compromised certificate has not been revoked, an attacker can still use it to impersonate that website," said Paul Mutton, security researcher at Netcraft. "Consequently, the dangers posed by the Heartbleed bug could persist for a few more years."

James Lyne, global head of security research at Sophos, added that there would be a “very long tail of sites that are going to be vulnerable for a very long time.”

"This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query," Charlie Svensson, computer security researcher at Sentor, concluded.

Heartbleed was first discovered earlier this month as an OpenSSL vulnerability that leaves anyone using the Internet open to attack, and everyone has been urged to change all passwords as a result of the bug.

Individuals who choose to take a similar route to Mr K and attack forums could themselves be liable to criminal charges in relation to malicious hacking, and this news will mean that instances of forums being targeted are likely to rise.