Following Up with Heartbleed
Three weeks ago (give or take) the Heartbleed defect exploded onto the computer security scene. In the past few weeks the bug has been the subject of both debate and research. Given those discussions and discoveries, now is a good time to take a look at the scope of the problem.
Sadly, most of the discoveries are bad. There was some debate about whether or not the bug actually allowed an attacker to extract the server’s private SSL key, a maneuver that would completely compromise a site’s security and enable the decryption of previously captured encrypted traffic. This was considered to be the “worst case scenario.” The claim was challenged and put to the test by a web security company named CloudFlare, who actually made a contest out of it. Unfortunately for all of us, a Cambridge University security researcher named Rubin Xu proved that this worst case scenario is in fact quite doable.
On top of that, other researchers have found that the defect is present in a host of embedded devices. Printers, firewalls, routers, even video cameras are susceptible to attack. This opens up whole new avenues by which a network may be compromised.
And we now have confirmation that people are actively attempting to exploit the defect. Honeypots, servers deliberately constructed to be vulnerable so as to attract attacks, have been deployed to collect data on potential attackers. Researchers from the University of Michigan detected 41 unique attacks by April 15th, 59% of them originating from China. So it has been proven that there are people actively seeking to exploit the vulnerability. The researchers also list many of the top domains still vulnerable to attack.
Taken all together these issues add up to a true mess. In all likelihood this defect will be keeping security professionals busy for years to come.
By Dave Kuhl, Lead Senior Consultant – Olenick & Associates, Chicago