Slashdot Mirror
Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure
Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations – perhaps the NSA – that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.
"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.
"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.
"... our detector" = "strong evidence of a negative we're trying to prove..."
It's interesting how one detector can be "strong evidence" that the NSA didn't do something in secret, I think.
no, everybody is not
"... our detector" = "strong evidence of a negative we're trying to prove..."
It's interesting how one detector can be "strong evidence" that the NSA didn't do something in secret, I think.
The research had nothing to do with the NSA (the article about the research decided to bring them up). To me, the main objective of the study was to see if the widespread revocation of certificates in a short period of time was really warranted. IMO, it was not, and my opinion seems to be validated by this study.
It *is* possible to prove this sort of negative (I'm not saying they did). For example, if you wanted to prove that heartbleed was not used on a particular system, you could set up logging in advance. You could then extend that to multiple systems, and so on. My point is that you can't use the "you can't prove a negative" argument for things like this (and also that the NSA had nothing to do with this study).
One of the main principals of a crypto message is that it can't be reversed, and no part of the enciphered message should be able to be able to be guessed without the secret key. As shown in this (https://appliance.cloudshark.org/blog/packet-capture-of-heartbleed-in-action/) post about heartbleed, we can tell what heartbeat message type was chosen, but we can't identify how many bytes the payload was unless we decrypt the data. So my question is, without having man in the middled all the sessions, or had the decryption keys. How are these researchers making this statement? The issue line was: buffer = OPENSSL_malloc(1 + 2 + payload + padding); How can they differentiate between payload/padding after it's been sent across the wire?
I speak for everyone in the office when I say "I don't want your fucking mixtape." Stop bringing it to work.
Right in the summary: "This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. "
So you are correct about what it doesn't prove, but, its also not really claimed to prove that either. Not even a little bit. What this does, is suggest strongly (not prove) that no criminal gangs (yes, yes, the NSA) were aware of it, or if they were, were not aware of it long enough to exploit it meaningfully.
If the vulnerability were available, if even one person bought it, they would have to use it. What I mean is, if you know this vulnerability can be bought (because you bought it) you know that its out there and its only a matter of time before it gets noticed and fixed.
The only person who has any reason to not use it or use it in a discriminating fashion, is someone who discovered it independently and wants to get maximum use out of it. Someone like the NSA.
This, in no way, proves that nobody knew about it. What I think it does prove is, whoever may have known about it, wasn't selling it and wasn't a memeber of one of the for-profit gangs. That is all.
"I opened my eyes, and everything went dark again"
Even if you set it up in advance you're still assuming 100% detection rates for pre-zero-day exploits by state-level intel agencies.
You think you can reliably detect that with one, or even a massive array "detectors" with any reliability, I think that's wishful in the extreme.
It then goes on to say "because we didn't see anything huge and widespread like a forest fire, there is strong evidence of no hot spots"
It doesn't take tinfoil to see how this is assumptive in the extreme.
It is potentially useful data; but the trouble is that detecting 'NSA-like' activity is just plain hard.
A large-scale exploit attempt (while it is something that an intelligence agency might try, under certain circumstances) is really what you'd expect from someone with purely commercial interests: Find a nice bug, try to hit a lot of targets as fast as possible and cash out before the guys playing defense (or your competitors) catch on to the new toy and either the targets start to harden or your competitors start cleaning them out before you can get them.
An intelligence agency, on the other hand, has less use for large numbers of low-value compromises; but likely has a much shorter list of very high value targets that would receive attacks targeted with considerable care and precision and tailored to be minimally intrusive(if the purpose is observation) or maximally damaging(if it's a Stuxnet-style sabotage operation). Such uses would be unlikely to show up in a broad survey of mostly-low-value targets; particularly if the survey requires any cooperation on the part of the site operator, which is more likely in the case of random commercial outfits who depend on security vendors, less likely in the case of paranoid high profile targets.
"What I think it does prove is, whoever may have known about it, wasn't selling it and wasn't a memeber of one of the for-profit gangs. That is all."
Exactly my point, it seems to imply the NSA didn't use heartbleed because "we didn't detect that" when in actuality there was no hope of detecting that, ever.
year 2000 i was given a list of 65 million FBI honey pot ips..... you figure it all out what they are for. Ebven the russians didn't know about most of them...
August 20 there was a large heartbleed attack reported where it attacked a hospital. For example this link http://www.cnet.com/news/heartbleed-may-be-culprit-in-hospital-chain-hack/
Really Slashdot? You make the dubious claim there have been no large or high profile Heartbleed attacks?
It proves that the NSA didn't use Heartbleed for widescale private-key-harvesting attacks.
Very true but I don't see that implication here. I agree that its possible someone could misinterpret it that way but it doesn't appear that there is any attempt to mislead people here, either by the authors or the summarizers. It all reads pretty clearly to me, and pretty clearly doesn't address small scale/targeted use that would be neigh impossible to detect.
Now if I was a betting man, and you asked me, do I think the NSA might refer to this result in attempts to deflect criticism, I would bet that they will. So far they have shown to be decently expert at deflection and misdirection when it comes to making public statements; and very fond of making ever so slightly overqualified statements about what they are NOT doing.
"I opened my eyes, and everything went dark again"
No one is implying that.
They still knew about it.
I can't say anything about attacks before the disclosure. I have heard about attacks after the disclosure, but in some cases months after the disclosure. Both the patch and a new version of the software with the patch included came out about 5 minutes *before* the disclosure. There are a bunch who will still complain, but ...hey... get the new software. Its right there. Can't install it? Call/hire someone who can. Don't want to do that either? Then go ahead, take your chances. Security isn't a passive 'get it and forget it' sort of thing; its active. If you see/get a threat, you respond, or sit on your hands at your own peril.
Yes why would a fully funded gov or mil need to spread any *new* issue around? Just use existing methods by tame turned informants as cover or get to watch the server or provider by legal methods for all logs with parallel construction or just watch the servers of interest. Get to their hardware, software, friend the staff or break the crypto with no real outside traces.
Cash is not an issues, skills is not an issue, informants hide methods or orders, telcos and OS providers are "happy" to help or their hardware and software is fully understood.
If something was done with this kind of tech, what would be left to find or leak out? Nothing: Staff turned or site left running with data leaking. No other sites, people, staff, tracking, logging would have to know or need to know.
Any random very skilled admin speaking out could be called in for a chat about ongoing legal police work and had an offer made after they exposed an ongoing court approved operation... the methods targeted at a few sites, crypto go under reported, un noticed and are then cleaned up.
A fully funded gov or mil and their contractors get the material, the wider happy admin community just keeps patching.
Domestic spying is now "Benign Information Gathering"
"and also that the NSA had nothing to do with this study"
Prove THAT too.