Attackers Exploit Heartbleed to Circumvent Multi-factor Authentication on VPNs - digisth
https://www.mandiant.com/blog/attackers-exploit-heartbleed-openssl-vulnerability-circumvent-multifactor-authentication-vpns/

======
bsimpson
Why would someone modify their logging to detect Heartbleeds but not update
OpenSSL to remove the vulnerability?

~~~
asdffdsajkl
They probably had an "appliance" that if they chose to update manually would
fall out of support terms and then would be stuck with an unsupported instance
of a device they likely paid tens of thousands to the vendor for the
appliance, software, and support; and the vendor probably had not yet released
a supported update to fix the problem.

~~~
userbinator
It's the problem of bureaucracy again... where policies get in the way of
common sense, productivity, and even security. Very little angers me more than
not being able to fix something that I _know_ how to fix, and could probably
do in a few minutes, because some stupid policy says I'm not "allowed to".

~~~
ketralnis
On the other hand, how many overconfident newbies have "fixed" things they
weren't "allowed to" and made them significantly worse or broken them
altogether?

Speaking as someone that has been that guy, it's important to understand why
the policies exist while hating them :)

------
mrsaint
Too bad the SSL VPN concentrator from this article didn't apply an HMAC key
that an attacker would have needed to know before he'd even been able to
initiate a TLS handshake to probe the Heartbleed vulnerability.

You can do this with OpenVPN using the --tls-auth option. See:
[https://community.openvpn.net/openvpn/wiki/Hardening](https://community.openvpn.net/openvpn/wiki/Hardening)

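To show what the control-channel HMAC gate described above buys a defender, here is an added example (not code from the OpenVPN project, and not its wire format) that models the principle: every control packet carries an HMAC under a pre-shared key, and packets whose tag does not verify are dropped before any bytes reach the TLS handshake code. The key, the packet names and the `handle_packet` dispatcher are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed pre-shared key, analogous to the static key file that
# OpenVPN loads with --tls-auth. Placeholder value, not a real key.
SHARED_KEY = b"example-tls-auth-key-placeholder"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def sign_control_packet(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Prefix a control-channel payload with an HMAC-SHA256 tag."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload

def gate_control_packet(packet: bytes, key: bytes = SHARED_KEY):
    """Return the payload if the tag verifies, otherwise None (drop silently).

    A peer that does not hold the key never gets its bytes delivered to the
    TLS stack, so a bug inside the TLS implementation is unreachable for it.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the gate itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload

def handle_packet(packet: bytes, key: bytes = SHARED_KEY) -> str:
    """Dispatch one inbound packet: 'dropped' at the gate, or 'handshake'
    if it was handed to the (simulated) TLS layer."""
    payload = gate_control_packet(packet, key)
    if payload is None:
        return "dropped"
    return "handshake"

def simulate() -> dict:
    """Run three constructed packets through the gate and report outcomes."""
    legit = sign_control_packet(b"CLIENT_HELLO")            # holder of the key
    probe = b"CLIENT_HELLO"                                  # no tag at all
    wrong = sign_control_packet(b"CLIENT_HELLO", b"guess")   # wrong key
    return {
        "legitimate_client": handle_packet(legit),
        "unauthenticated_probe": handle_packet(probe),
        "wrong_key": handle_packet(wrong),
    }

if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

In OpenVPN the equivalent is a static key shared out of band and referenced as `tls-auth ta.key 0` on the server and `tls-auth ta.key 1` on clients. The caveat the comment glosses over: the gate only keeps unauthenticated peers away from the TLS code; a client that legitimately holds the key still reaches the handshake, so patching the library remains necessary.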
------
fulafel
What's an SSL VPN good for?
