Slashdot Mirror


Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations – perhaps the NSA – that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks after the disclosure and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL advisory.
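The "detector" in the quoted passage is what makes the negative result meaningful: an exploit attempt has a recognisable shape on the wire. A Heartbleed probe is a TLS heartbeat request whose payload_length field claims more bytes than the record actually carries; the vulnerable OpenSSL trusted that field and copied that many bytes of process memory back to the sender. The following is an added illustration of that check, written for this page and not the researchers' own (Bro-based) detector: it walks a captured client-to-server byte stream, splits it into TLS records, and flags heartbeat requests whose claimed length exceeds the bytes present. The sample stream is constructed inline, and the record-builder helper and verdict names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat records (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


@dataclass
class Verdict:
    offset: int          # byte offset of the record within the stream
    kind: str            # "other", "benign-heartbeat", "malformed-heartbeat",
                         # or "heartbleed-attempt"
    claimed: int = 0     # payload_length field taken from the heartbeat message
    actual: int = 0      # bytes really available for payload + padding


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, content_type, version, fragment) for each TLS record.

    Stops at the first truncated record; a real detector would buffer the
    remainder and wait for more bytes from the connection.
    """
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield off, ctype, version, body
        off += 5 + length


def classify_heartbeat(offset: int, fragment: bytes) -> Verdict:
    """Apply the Heartbleed check to the fragment of one heartbeat record.

    Heartbeat message layout: type(1) payload_length(2) payload padding.
    A request that claims more payload bytes than the record holds after
    the 3-byte header cannot be well formed; it is exactly the input the
    vulnerable memcpy in OpenSSL over-read, so it is flagged as an attempt.
    """
    if len(fragment) < 3:
        return Verdict(offset, "malformed-heartbeat")
    hb_type, claimed = struct.unpack("!BH", fragment[:3])
    actual = len(fragment) - 3
    if hb_type == HB_REQUEST and claimed > actual:
        return Verdict(offset, "heartbleed-attempt", claimed, actual)
    # Anything else that violates the RFC's minimum padding is merely malformed.
    if actual - claimed < MIN_PADDING:
        return Verdict(offset, "malformed-heartbeat", claimed, actual)
    return Verdict(offset, "benign-heartbeat", claimed, actual)


def scan_stream(stream: bytes) -> List[Verdict]:
    """Classify every TLS record in a captured client-to-server byte stream."""
    verdicts = []
    for off, ctype, _version, body in iter_tls_records(stream):
        if ctype == TLS_HEARTBEAT:
            verdicts.append(classify_heartbeat(off, body))
        else:
            verdicts.append(Verdict(off, "other"))
    return verdicts


def _record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Helper for building the constructed sample; not part of any real capture."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample stream (assumption, not a real trace): a handshake-shaped
# record, a benign heartbeat ("ping" plus 16 bytes of padding), and a probe
# that claims 0x4000 payload bytes while carrying none.
SAMPLE_STREAM = (
    _record(22, b"\x01" + b"\x00" * 40)
    + _record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
    + _record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
)

if __name__ == "__main__":
    for v in scan_stream(SAMPLE_STREAM):
        print(f"offset={v.offset:4d} {v.kind:20s} claimed={v.claimed} actual={v.actual}")
```

One caveat that a network-level check like this inherits: heartbeat records exchanged after the handshake completes are encrypted, so the length comparison is only possible on plaintext probes sent before the handshake finishes, which is how mass scanners typically triggered the bug. Records that arrive mid-stream or straddle packet boundaries also need per-connection reassembly before this parser sees a whole record.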


  1. Re:Hmm, strong evidence of null-activity by NSA? by aviators99 · Score: 3, Insightful

    "... our detector" = "strong evidence of a negative we're trying to prove..."

    It's interesting how one detector can be "strong evidence" that the NSA didn't do something in secret, I think.

    The research had nothing to do with the NSA (the article about the research decided to bring them up). To me, the main objective of the study was to see if the widespread revocation of certificates in a short period of time was really warranted. IMO, it was not, and my opinion seems to be validated by this study.

    It *is* possible to prove this sort of negative (I'm not saying they did). For example, if you wanted to prove that Heartbleed was not used on a particular system, you could set up logging in advance. You could then extend that to multiple systems, and so on. My point is that you can't use the "you can't prove a negative" argument for things like this (and also that the NSA had nothing to do with this study).