Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure
Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations – perhaps the NSA – that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.
"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.
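The summary only reports what the researchers' detector found, not how a Heartbleed probe is recognised in traffic. As an added illustration (not the researchers' tool or any code from the article), the block below applies the core check a passive detector can run on a plaintext TLS heartbeat record: the declared payload_length must fit inside the bytes the record actually carries, with the 16 bytes of padding RFC 6520 requires. It assumes TLS records have already been reassembled and are unencrypted; the sample records are constructed.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding

def inspect_tls_record(record: bytes) -> dict:
    """Classify one plaintext TLS record. Only heartbeat records are examined;
    the verdict is 'heartbleed_attempt' when the declared payload_length cannot
    fit inside the bytes the record actually carries."""
    if len(record) < 5:
        return {"verdict": "truncated"}
    ctype, _maj, _min, frag_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not_heartbeat"}
    frag = record[5:5 + frag_len]
    if len(frag) < 3:
        return {"verdict": "malformed"}
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    # The OpenSSL fix checks exactly this: type(1) + length(2) + payload + 16 bytes
    # of padding must not exceed the record fragment. An over-declared length is
    # what makes a vulnerable server copy memory beyond the received payload.
    if 1 + 2 + payload_len + MIN_PADDING > len(frag):
        return {"verdict": "heartbleed_attempt", "hb_type": hb_type,
                "declared": payload_len, "carried": len(frag) - 3}
    return {"verdict": "benign", "hb_type": hb_type, "declared": payload_len}

def count_attempts(records) -> int:
    """Number of records in a captured sequence that look like Heartbleed probes."""
    return sum(1 for r in records
               if inspect_tls_record(r)["verdict"] == "heartbleed_attempt")

def _hb_record(payload_len_field: int, payload: bytes, padding: bytes) -> bytes:
    # Helper used only to build the constructed samples below (TLS 1.1 version bytes).
    frag = struct.pack("!BH", HB_REQUEST, payload_len_field) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(frag)) + frag

# Constructed samples: one well-formed heartbeat request, one that claims 16 KiB
# of payload while carrying none, and one non-heartbeat (handshake) record.
BENIGN = _hb_record(5, b"hello", b"\x00" * MIN_PADDING)
OVERSIZED = _hb_record(0x4000, b"", b"")
HANDSHAKE = struct.pack("!BBBH", 0x16, 3, 2, 4) + b"\x01\x00\x00\x00"
SAMPLE_CAPTURE = [BENIGN, HANDSHAKE, OVERSIZED, BENIGN]

if __name__ == "__main__":
    for r in SAMPLE_CAPTURE:
        print(inspect_tls_record(r))
    print("suspicious records:", count_attempts(SAMPLE_CAPTURE))
```

Such a check only sees heartbeats sent in the clear (before the handshake completes); once records are encrypted, a passive monitor can no longer read the length field, which is one reason a detector like this says nothing about targeted use on specific hosts.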
Re:Hmm, strong evidence of null-activity by NSA? (Score:4, Insightful)
"... our detector" = "strong evidence of a negative we're trying to prove..."
It's interesting how one detector can be "strong evidence" that the NSA didn't do something in secret, I think.
The research had nothing to do with the NSA (the article about the research decided to bring them up). To me, the main objective of the study was to see if the widespread revocation of certificates in a short period of time was really warranted. IMO, it was not, and my opinion seems to be validated by this study.
It *is* possible to prove this sort of negative (I'm not saying they did). For example, if you wanted to prove that Heartbleed was not used on a particular system, you could set up logging in advance. You could then extend that to multiple systems, and so on. My point is that you can't use the "you can't prove a negative" argument for things like this (and also that the NSA had nothing to do with this study).
Re: (Score:3)
Right in the summary: "This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. "
So you are correct about what it doesn't prove, but it's also not really claimed to prove that either. Not even a little bit. What this does is suggest strongly (not prove) that no criminal gangs (yes, yes, the NSA) were aware of it, or if they were, were not aware of it long enough to exploit it meaningfully.
Re: (Score:3)
It proves that the NSA didn't use Heartbleed for widescale private-key-harvesting attacks.
Re: (Score:2)
Very true, but I don't see that implication here. I agree that it's possible someone could misinterpret it that way, but it doesn't appear that there is any attempt to mislead people here, either by the authors or the summarizers. It all reads pretty clearly to me, and pretty clearly doesn't address small-scale/targeted use that would be nigh impossible to detect.
Now if I was a betting man, and you asked me, do I think the NSA might refer to this result in attempts to deflect criticism, I would bet that they
Re: (Score:2)
Cash is not an issue, skills are not an issue, informants hide methods or orders, telcos and OS providers are "happy" to help or their h
Re: (Score:3)
A large-scale exploit attempt (while it is something that an intelligence agency might try, under certain circumstances) is really what you'd expect from someone with purely commercial interests: Find a nice bug, try to hit a lot of targets as fast as possible and cash out before the guys playing defense (or your competitors) catch on to the new toy and either the targets start to harden or your compet
Re: (Score:2)
> So my question is, without having man in the middled all the sessions, or had the decryption keys.
> How are these researchers making this statement?
How do you know they didn't? Notice the keywords "large-scale". Their detector is likely some sort of honeypot in fact, from the article:
Re: (Score:3)
The worry (and article) is about attacks that happened BEFORE public disclosure. After, it's the admin's fault straight-up. Before, nobody (basically) had any hope of detecting or stopping it.