Slashdot Mirror


Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations – perhaps the NSA – that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.
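A minimal form of the traffic check the researchers describe, as an added example that is not the study's own detector: it walks constructed TLS records and flags heartbeat requests whose claimed payload length cannot fit in the record, which is the condition the bug failed to check. Record layout follows RFC 6520; the sample bytes are constructed.

```python
"""Minimal Heartbleed (CVE-2014-0160) heartbeat-request detector (added example)."""
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat
HB_REQUEST = 0x01      # heartbeat message type: request
HB_HEADER_LEN = 3      # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:      # truncated capture: stop parsing
            break
        yield ctype, (vmaj, vmin), body
        off += 5 + rlen


def is_malformed_heartbeat(body: bytes) -> bool:
    """True if a heartbeat request claims more payload than the record holds."""
    if len(body) < HB_HEADER_LEN:
        return False
    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    if hb_type != HB_REQUEST:
        return False
    # A well-formed request fits header + payload + >=16 bytes padding in the record.
    return payload_len + HB_HEADER_LEN + HB_MIN_PADDING > len(body)


def count_exploit_attempts(data: bytes) -> int:
    """Number of records in the capture that look like Heartbleed probes."""
    return sum(1 for ct, _, body in parse_tls_records(data)
               if ct == TLS_HEARTBEAT and is_malformed_heartbeat(body))


# Constructed sample traffic: an application-data record, a benign heartbeat
# (4-byte payload plus 16 bytes padding), and a malformed heartbeat that
# declares 0x4000 bytes of payload but carries none.
SAMPLE = (
    b"\x17\x03\x02\x00\x05hello"
    + b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
    + b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
)

if __name__ == "__main__":
    print("exploit attempts in sample:", count_exploit_attempts(SAMPLE))
```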

5 of 20 comments

  1. Re:Hmm, strong evidence of null-activity by NSA? by aviators99 · Score: 3, Insightful

    "... our detector" = "strong evidence of a negative we're trying to prove..."

    It's interesting how one detector can be "strong evidence" that the NSA didn't do something in secret, I think.

    The research had nothing to do with the NSA (the article about the research decided to bring them up). To me, the main objective of the study was to see if the widespread revocation of certificates in a short period of time was really warranted. IMO, it was not, and my opinion seems to be validated by this study.

    It *is* possible to prove this sort of negative (I'm not saying they did). For example, if you wanted to prove that Heartbleed was not used on a particular system, you could set up logging in advance. You could then extend that to multiple systems, and so on. My point is that you can't use the "you can't prove a negative" argument for things like this (and also that the NSA had nothing to do with this study).

  2. Re:Hmm, strong evidence of null-activity by NSA? by TheCarp · Score: 2

    Right in the summary: "This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers."

    So you are correct about what it doesn't prove, but it's also not really claimed to prove that either. Not even a little bit. What this does is suggest strongly (not prove) that no criminal gangs (yes, yes, the NSA) were aware of it, or if they were, were not aware of it long enough to exploit it meaningfully.

    If the vulnerability were available, if even one person bought it, they would have to use it. What I mean is, if you know this vulnerability can be bought (because you bought it) you know that it's out there and it's only a matter of time before it gets noticed and fixed.

    The only person who has any reason to not use it or use it in a discriminating fashion, is someone who discovered it independently and wants to get maximum use out of it. Someone like the NSA.

    This, in no way, proves that nobody knew about it. What I think it does prove is, whoever may have known about it, wasn't selling it and wasn't a member of one of the for-profit gangs. That is all.

    --
    "I opened my eyes, and everything went dark again"

  3. Re:Hmm, strong evidence of null-activity by NSA? by fuzzyfuzzyfungus · Score: 2

    It is potentially useful data; but the trouble is that detecting 'NSA-like' activity is just plain hard.

    A large-scale exploit attempt (while it is something that an intelligence agency might try, under certain circumstances) is really what you'd expect from someone with purely commercial interests: Find a nice bug, try to hit a lot of targets as fast as possible and cash out before the guys playing defense (or your competitors) catch on to the new toy and either the targets start to harden or your competitors start cleaning them out before you can get them.

    An intelligence agency, on the other hand, has less use for large numbers of low-value compromises; but likely has a much shorter list of very high value targets that would receive attacks targeted with considerable care and precision and tailored to be minimally intrusive (if the purpose is observation) or maximally damaging (if it's a Stuxnet-style sabotage operation). Such uses would be unlikely to show up in a broad survey of mostly-low-value targets; particularly if the survey requires any cooperation on the part of the site operator, which is more likely in the case of random commercial outfits who depend on security vendors, less likely in the case of paranoid high profile targets.

  4. Re:Hmm, strong evidence of null-activity by NSA? by XanC · Score: 2

    It proves that the NSA didn't use Heartbleed for widescale private-key-harvesting attacks.

  5. Re:Then what do you call this? by XanC · Score: 2

    The worry (and article) is about attacks that happened BEFORE public disclosure. After, it's the admin's fault straight-up. Before, nobody (basically) had any hope of detecting or stopping it.