Breach, Data Security, Vulnerability Management

The Heartbleed bug works, and could be a scapegoat for older breaches

After issuing a community challenge on Friday, website performance and defense firm CloudFlare learned within 11 hours that private keys can be stolen using the Heartbleed bug – a critical vulnerability in widely used versions of the OpenSSL library that ultimately puts SSL/TLS encrypted communications at risk.

Following a roughly weeklong analysis of the vulnerability, the experts with CloudFlare wanted to see just how susceptible vulnerable servers were to Heartbleed, so they set up an nginx server with one of the vulnerable versions of SSL and told the community to start hacking.

“We studied the risk internally and concluded it was low, but we weren't sure,” Matthew Prince, CEO of CloudFlare, told SCMagazine.com on Tuesday. “We launched the challenge to crowd source the analysis. Within 11 hours of launching the challenge a researcher out of Russia proved our conclusion wrong.”

The bug works by sending requests to a server and the researcher, a software engineer named Fedor Indutny, sent as few as 2.5 million of them throughout the day, according to a Friday CloudFlare post, which also acknowledges three other researchers that fairly quickly confirmed Heartbleed is exploitable.

The sheer number of attacks that came from thousands of people participating in the challenge was surprising, Prince said, explaining that there were 11 million attack attempts in the first six hours that peaked at more than 100 megabits per second of data being downloaded.

Tests such as the CloudFlare challenge, which prove the Heartbleed bug is the real deal, have coincidentally been wrapping up just as some companies are announcing data breaches tied to the critical vulnerability.

Over the weekend, UK parenting website Mumsnet announced that credentials and other information may have been stolen from as many as all 1.5 million of its users, and the Canada Revenue Agency, a federal agency that handles taxing, announced that about 900 social insurance numbers were removed from its systems.

Both groups claimed its systems were vulnerable to the Heartbleed bug and that the sensitive information was compromised by an attacker exploiting the flaw, but some have questioned how an organization can confirm this considering there typically is not much to indicate that a server was attacked using the vulnerability.

“Heartbleed could be seen as a convenient scapegoat for data loss that occurred a different way,” Paul Martini, CEO of iboss Network Security, said in a Tuesday statement emailed to SCMagazine.com. “Its prevalence could make it an attractive finger pointing exercise to potentially reduce data loss liability compared to say some other negligence.”

In a Tuesday email correspondence, Yan Zhu, a staff technologist with the Electronic Frontier Foundation (EFF), told SCMagazine.com that keeping packet logs is the only way to know if an attacker is exploiting the Heartbleed bug, which she added is not done very often.

However, Zhu does believe that companies may begin experiencing more data breaches now that the Heartbleed flaw has been disclosed.

“It's very likely that if a company saw a spike in breaches last week, it was due to Heartbleed,” Zhu said. “It would be more likely that they're using it as a cover-up if they claim to have been attacked before last week, when the Heartbleed bug became public.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.