SMRs and AMRs

Thursday, April 17, 2014

Oh, my achin' heart … well, maybe not

Study Finds No Evidence of Heartbleed Attacks Before the Bug Was Exposed

By NICOLE PERLROTH, NYT
April 16, 2014, 6:49 pm

SAN FRANCISCO — Ever since the Heartbleed bug was exposed last week, the question everyone has been asking is: Did anyone exploit it before a Google researcher first discovered it?

The worry is that in the two years since the bug was accidentally incorporated into OpenSSL — a crucial piece of free security software used by governments and companies like the F.B.I. and Google — attackers could have exploited Heartbleed to take sensitive information like passwords and the virtual keys used to decipher any scrambled information stored on a web server.

What’s more, they could have done so without leaving evidence detectable by the normal methods used to track who has gained access to a server.

But security researchers at the Energy Department’s Lawrence Berkeley National Laboratory, which conducts unclassified scientific research, say that it is still possible to look for past Heartbleed exploitations by measuring the size of any messages sent to the vulnerable part of the OpenSSL code, called the Heartbeat, and the size of the information request that hits a server.

(More here.)
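The size comparison described in the excerpt can be sketched as follows. This is an added example, not code from the article or from the Berkeley lab; the function names, the `slack` tolerance and the sample records are constructed for illustration, and only the TLS record header layout and the Heartbeat content type (24, RFC 6520) are taken from the protocol itself.

```python
import struct

HEARTBEAT = 24      # TLS record content type assigned to Heartbeat (RFC 6520)
HEADER = "!BHH"     # content type, protocol version, record length

def heartbeat_totals(stream):
    """Return (record_count, total_bytes) of Heartbeat records in one direction.

    Only the 5-byte cleartext record headers are read, so the measurement
    still works when record bodies are encrypted or the last one is cut short.
    """
    count = total = offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from(HEADER, stream, offset)
        if ctype == HEARTBEAT:
            count += 1
            total += length
        offset += 5 + length
    return count, total

def review_connection(client_stream, server_stream, slack=64):
    """Compare Heartbeat bytes sent to the server with Heartbeat bytes returned.

    A well-behaved peer echoes what it was sent, so both directions should be
    about the same size. `slack` is an assumed tolerance for padding and MAC
    differences, not a value from the article.
    """
    req_n, req_bytes = heartbeat_totals(client_stream)
    resp_n, resp_bytes = heartbeat_totals(server_stream)
    return {
        "requests": req_n, "request_bytes": req_bytes,
        "responses": resp_n, "response_bytes": resp_bytes,
        "suspicious": resp_bytes > req_bytes + slack,
    }

def _record(ctype, length):
    """Build one constructed TLS record with an all-zero body."""
    return struct.pack(HEADER, ctype, 0x0302, length) + bytes(length)

# Constructed sample traffic: a handshake record, then Heartbeat records.
BENIGN = (_record(22, 100) + _record(24, 40), _record(22, 200) + _record(24, 40))
OVERSIZED = (_record(22, 100) + _record(24, 8),
             _record(22, 200) + _record(24, 16384) + _record(24, 16384))

if __name__ == "__main__":
    for name, (client, server) in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, review_connection(client, server))
```

Run over reassembled per-connection streams from archived packet captures, a check of this kind only needs the record headers, which is why it can be applied to traffic recorded before the bug was known.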
