The Heartbleed bug works, and could be a scapegoat for older breaches


After issuing a community challenge on Friday, website performance and defense firm CloudFlare learned within 11 hours that private keys can be stolen using the Heartbleed bug – a critical vulnerability in widely used versions of the OpenSSL library that ultimately puts SSL/TLS-encrypted communications at risk.

Following a roughly weeklong analysis of the vulnerability, the experts at CloudFlare wanted to see just how susceptible vulnerable servers were to Heartbleed, so they set up an nginx server running a vulnerable version of OpenSSL and told the community to start hacking.

“We studied the risk internally and concluded it was low, but we weren't sure,” Matthew Prince, CEO of CloudFlare, told SCMagazine.com on Tuesday. “We launched the challenge to crowdsource the analysis. Within 11 hours of launching the challenge a researcher out of Russia proved our conclusion wrong.”

The bug is triggered by sending requests to a server, and the researcher, a software engineer named Fedor Indutny, sent as few as 2.5 million of them over the course of the day, according to a Friday CloudFlare post, which also credits three other researchers who fairly quickly confirmed that Heartbleed is exploitable.
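As an added illustration (not CloudFlare's or OpenSSL's code), the following C model shows why such a request leaks memory: a heartbeat message carries its own payload length field, the vulnerable handler copies that many bytes back without checking the claim against the record it actually received, and the hardened handler applies a bounds check of the kind OpenSSL's fix introduced. The fixed-size arena, the record layout helper and the "PRIVATE KEY" marker are constructed for the example so that the over-read stays inside defined memory and can be detected.

```c
/* Model of RFC 6520 heartbeat handling behind Heartbleed (added example).
   A fixed arena stands in for process memory: the received record sits at
   its start and constructed "leftover" bytes follow it. */
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096
#define HB_PADDING 16

static unsigned char arena[ARENA_SIZE];

/* Lay out a heartbeat record: type(1) | length(2) | payload | 16 pad.
   claimed_len is what the sender writes in the length field; the
   return value is the record length actually received on the wire. */
static size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                      /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    /* constructed stand-in for secret material left behind past the record */
    memcpy(arena + 3 + actual + HB_PADDING, "---BEGIN RSA PRIVATE KEY---", 27);
    return 1 + 2 + actual + HB_PADDING;
}

/* Vulnerable handler: trusts the sender's length field and echoes that
   many bytes from the payload start. (Clamped to the arena only so the
   model itself stays well-defined.) */
static size_t respond_unchecked(size_t record_len, unsigned char *out, size_t cap) {
    (void)record_len;                  /* the real received size is never consulted */
    size_t payload_len = (size_t)((arena[1] << 8) | arena[2]);
    if (payload_len > cap) payload_len = cap;
    memcpy(out, arena + 3, payload_len);
    return payload_len;
}

/* Hardened handler: header + claimed payload + padding must fit inside
   the record that was actually received, otherwise the message is
   dropped and nothing is sent back. */
static size_t respond_checked(size_t record_len, unsigned char *out, size_t cap) {
    size_t payload_len = (size_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + payload_len + HB_PADDING > record_len) return 0;
    if (payload_len > cap) return 0;
    memcpy(out, arena + 3, payload_len);
    return payload_len;
}

/* Returns 1 if the response contains bytes that lay outside the record. */
static int leaks_beyond_record(const unsigned char *out, size_t n) {
    const char *marker = "PRIVATE KEY";
    size_t m = strlen(marker);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, marker, m) == 0) return 1;
    return 0;
}
```

A well-formed request (claimed length equal to the real payload) is answered by both handlers; a request claiming 600 bytes with a 5-byte payload is echoed with arena contents by the unchecked handler and silently dropped by the checked one.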

The sheer number of attacks that came from thousands of people participating in the challenge was surprising, Prince said, explaining that there were 11 million attack attempts in the first six hours that peaked at more than 100 megabits per second of data being downloaded.

Tests such as the CloudFlare challenge, which prove the Heartbleed bug is the real deal, have coincidentally been wrapping up just as some companies are announcing data breaches tied to the critical vulnerability.

Over the weekend, UK parenting website Mumsnet announced that credentials and other information may have been stolen from as many as all 1.5 million of its users, and the Canada Revenue Agency, a federal agency that handles taxation, announced that about 900 social insurance numbers were removed from its systems.
