BreachExchange mailing list archives

Study Finds No Evidence of Heartbleed Attacks Before the Bug Was Exposed


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Apr 2014 18:46:27 -0600

http://bits.blogs.nytimes.com/2014/04/16/study-finds-no-evidence-of-heartbleed-attacks-before-the-bug-was-exposed/?_php=true&_type=blogs&_r=0

Ever since the Heartbleed bug was exposed last week, the question everyone
has been asking is: Did anyone exploit it before a Google researcher first
discovered it?

The worry is that in the two years since the bug was accidentally
incorporated into OpenSSL — a crucial piece of free security software used
by governments and companies like the F.B.I. and Google — attackers could
have exploited Heartbleed to take sensitive information like passwords and
the virtual keys used to decipher any scrambled information stored on a web
server.

What’s more, they could have done so without leaving evidence detectable by
the normal methods used to track who has gained access to a server.

But security researchers at the Energy Department’s Lawrence Berkeley
National Laboratory, which conducts unclassified scientific research, say
that it is still possible to look for past Heartbleed exploitations by
measuring the size of any messages sent to the vulnerable part of the
OpenSSL code, called the Heartbeat, and the size of the information request
that hits a server.

In an attack, the size of the response would be larger than the size of the
request. And because the Heartbleed flaw can expose only a small amount of
information at one time — 64 kilobytes — an attacker would probably have to
use it repeatedly to collect valuable data, producing even longer responses.
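The detection idea described above (a heartbeat response that is larger than the request that provoked it) can be checked directly against captured TLS records. The following is an added example, not code from the article or from the Berkeley Lab researchers: it parses constructed TLS heartbeat records, applies the RFC 6520 rule that the declared payload length plus type, length and minimum padding must fit inside the record, and flags any response record larger than the pending request. The sample exchange, the 16384-byte response size and the helper names are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding


@dataclass
class HeartbeatRecord:
    direction: str     # "c2s" = toward the server, "s2c" = from the server
    msg_type: int      # 1 = request, 2 = response, -1 = unparseable
    declared_len: int  # payload_length field inside the heartbeat message
    record_len: int    # length field of the enclosing TLS record


def parse_tls_record(direction: str, data: bytes) -> Optional[HeartbeatRecord]:
    """Return a HeartbeatRecord if the TLS record is a heartbeat, else None."""
    if len(data) < 5:
        return None
    content_type, _version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return None
    body = data[5:5 + record_len]
    if len(body) < 3:
        # Not even room for type + payload_length: mark as unparseable.
        return HeartbeatRecord(direction, -1, -1, record_len)
    msg_type, declared_len = struct.unpack("!BH", body[:3])
    return HeartbeatRecord(direction, msg_type, declared_len, record_len)


def is_malformed(hb: HeartbeatRecord) -> bool:
    """RFC 6520: payload_length + 3 (type, length) + 16 (padding) must fit in the record."""
    if hb.msg_type not in (HB_REQUEST, HB_RESPONSE):
        return True
    return hb.declared_len + 3 + MIN_PADDING > hb.record_len


def find_suspicious_heartbeats(records: List[HeartbeatRecord]) -> List[str]:
    """Pair each request with the next response and report size anomalies."""
    findings: List[str] = []
    pending: Optional[HeartbeatRecord] = None
    for hb in records:
        if is_malformed(hb):
            findings.append(
                f"malformed heartbeat ({hb.direction}): declared payload "
                f"{hb.declared_len} bytes does not fit a {hb.record_len}-byte record")
        if hb.msg_type == HB_REQUEST:
            pending = hb
        elif hb.msg_type == HB_RESPONSE and pending is not None:
            # The signal the article describes: response bigger than request.
            if hb.record_len > pending.record_len:
                findings.append(
                    f"oversized response: {hb.record_len} bytes for a "
                    f"{pending.record_len}-byte request")
            pending = None
    return findings


def build_heartbeat(msg_type: int, payload: bytes) -> bytes:
    """Build a well-formed TLS 1.1 heartbeat record (constructed sample data)."""
    body = struct.pack("!BH", msg_type, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


def sample_exchange() -> List[HeartbeatRecord]:
    """Constructed traffic: one benign pair, then a malformed request and a large reply."""
    raw = [
        ("c2s", build_heartbeat(HB_REQUEST, b"ping")),
        ("s2c", build_heartbeat(HB_RESPONSE, b"ping")),
        # Constructed malformed record: 3-byte body declaring a 16384-byte payload.
        ("c2s", b"\x18\x03\x02\x00\x03\x01\x40\x00"),
        ("s2c", build_heartbeat(HB_RESPONSE, b"A" * 16384)),
    ]
    parsed = [parse_tls_record(d, b) for d, b in raw]
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    for finding in find_suspicious_heartbeats(sample_exchange()):
        print(finding)
```

The record content type and record length stay in the clear even after the handshake, so the request/response size comparison works on encrypted captures; the RFC 6520 bound check needs the plaintext heartbeat body and therefore only applies to pre-handshake heartbeats or decrypted traffic.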

For the last week, researchers at the Berkeley National Laboratory and the
National Energy Research Scientific Computing Center, a separate
supercomputer facility, have been examining Internet traffic they recorded
going in and out of their networks since the end of January, looking for
responses that would indicate a possible Heartbleed attack.

They found none, said Vern Paxson, a network researcher at Berkeley Lab and
associate professor of electrical engineering and computer science at the
University of California, Berkeley.

The research does not rule out the possibility that Heartbleed was
exploited before January. Because the Heartbleed bug was first introduced
in March 2012, would-be attackers would still have had 18 months to exploit
the flaw. It also does not rule out the possibility that the bug was used
in an attack beyond what Berkeley Lab and the National Energy scientific
computing center monitor.

The network traffic for both Berkeley Lab and the scientific computing
center touches thousands of Internet systems, and both facilities had
maintained comprehensive logs going back a few months. Mr. Paxson said that
if there were widespread scanning for the Heartbleed vulnerability, that
would have been picked up by those important Internet hubs.

Finding out if people have been taking advantage of the security flaw took
on more urgency last Friday after Bloomberg News, citing two unnamed
sources, reported that the National Security Agency knew about and had been
exploiting the Heartbleed bug for the last two years. The N.S.A., the White
House and the Office of the Director of National Intelligence have all said
the Bloomberg report is inaccurate and have denied knowing about the
Heartbleed bug before its disclosure this month.

“Reports that N.S.A. or any other part of the government were aware of the
so-called Heartbleed vulnerability before April 2014 are wrong,” a
spokeswoman for the National Security Council, Caitlin Hayden, said in a
statement.

But security researchers and law enforcement are growing concerned that
hackers are trying to exploit the flaw now that it has been public for more
than a week. On Tuesday, a 19-year-old man was arrested in Canada on
charges that he had used the Heartbleed flaw to steal taxpayer data from
the Canada Revenue Agency. The agency reported on Monday that some 900
Canadian Social Security numbers had been compromised.

Meanwhile, four computer scientists at the University of Michigan, Zakir
Durumeric, David Adrian, Michael Bailey and J. Alex Halderman, have been
monitoring stashes of fake data on the Internet — called honeypots — to see
if hackers would try to retrieve them using the Heartbleed bug. It worked.

To date, they’ve witnessed 41 unique groups scanning for and trying to
exploit the Heartbleed bug on three honeypots they are maintaining. Of the
41, the majority of those groups — 59 percent — were in China.

But the attacks began only after the Heartbleed bug was discovered on April
8. The computer scientists have also found no evidence of any attacks
before the disclosure, and they say it’s impossible to tell if the scans
came from real hackers or other security researchers trying to look at the
problem.

And last week, CloudFlare, the Internet management company based in San
Francisco, challenged programmers all over the world to steal the
encryption keys off a vulnerable server using the Heartbleed bug. If an
attacker was able to grab those keys, he or she could potentially decipher
the encrypted contents stored on a server and unscramble future
communications.

It took 11 hours, but two researchers — one in Russia, the other in Finland
— were able to do it.

At last count, Monday afternoon, the computer scientists at the University
of Michigan found that 1.4 million web servers remain vulnerable to a
Heartbleed attack. They are posting lists of vulnerable web and mail
servers on their website.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss