Detecting Heartbleed attacks


#1
My new article appeared in Dark Reading last week: Debugging the Myths of Heartbleed

Does Heartbleed really wreak its havoc while leaving nary a trace? The media and many technical sites seemed convinced of this, but some of us were skeptical. The Heartbleed attacks surely leave some evidence behind: packets. Packets almost always tell a detailed story of what has really happened, including in the case of Heartbleed. The trick, of course, is to have the packets... Having a nimble awareness of the data in your network, a basic understanding of how secure services should normally operate, and the ability to investigate anomalies can inoculate you from the unavoidable hype. Packets do not lie -- but you have to capture them to reveal their truths.
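The point above, that a Heartbleed attempt is visible in the packets if you captured them, can be checked mechanically. What follows is an added example, not code from the Dark Reading article or from anyone in this thread: a small Python inspector that walks the TLS records in a reassembled byte stream and flags heartbeat messages whose declared payload_length cannot fit inside the record that carries them (RFC 6520 requires a receiver to silently discard such messages, and a vulnerable OpenSSL did not), plus heartbeat responses that are unusually large. The sample stream and the LARGE_RESPONSE threshold are constructed assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding_length MUST be at least 16 bytes
LARGE_RESPONSE = 256          # assumed, tunable: responses bigger than this get flagged


@dataclass
class Finding:
    offset: int   # byte offset of the TLS record within the stream
    kind: str
    detail: str


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, content_type, version, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5 : off + 5 + length]
        yield off, ctype, version, body
        off += 5 + length


def inspect_heartbeats(stream: bytes) -> List[Finding]:
    """Flag heartbeat records whose declared payload cannot fit, and oversized responses."""
    findings: List[Finding] = []
    for off, ctype, _version, body in iter_tls_records(stream):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(body) < 3:
            findings.append(Finding(off, "truncated-heartbeat", f"record body is {len(body)} bytes"))
            continue
        hb_type = body[0]
        claimed = struct.unpack_from("!H", body, 1)[0]   # HeartbeatMessage.payload_length
        carried = len(body) - 3                          # bytes actually present after type+length
        # A conforming receiver discards any heartbeat where payload + 16 bytes of padding
        # would overrun the record; a vulnerable receiver echoes 'claimed' bytes of memory.
        if claimed + MIN_PADDING > carried:
            kind = "heartbleed-style-request" if hb_type == HB_REQUEST else "malformed-response"
            findings.append(Finding(off, kind,
                            f"payload_length={claimed} but record carries only {carried} bytes"))
        elif hb_type == HB_RESPONSE and carried > LARGE_RESPONSE:
            findings.append(Finding(off, "large-heartbeat-response",
                            f"{carried} bytes of payload+padding returned"))
    return findings


def tls_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap a body in a TLS record header (used here only to build sample input)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def heartbeat(hb_type: int, claimed_length: int, payload: bytes,
              padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a HeartbeatMessage; claimed_length is written as-is so mismatches can be modelled."""
    return bytes([hb_type]) + struct.pack("!H", claimed_length) + payload + padding


# Constructed sample stream (not a real capture): a handshake record that is ignored,
# a well-formed heartbeat exchange, then a request that declares far more payload
# than the record carries.
SAMPLE_STREAM = (
    tls_record(0x16, b"\x01\x00\x00\x04\x03\x02\x00\x00")
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping"))
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 4, b"ping"))
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 0x4000, b""))
)

if __name__ == "__main__":
    for f in inspect_heartbeats(SAMPLE_STREAM):
        print(f"offset {f.offset}: {f.kind}: {f.detail}")
```

In practice you would feed it the reassembled TCP payload of a captured TLS session. The length check only works on heartbeats sent in the clear, before ChangeCipherSpec; once the record layer is encrypted a passive observer sees only record sizes and timing, which is why the oversized-response check is kept as a second, coarser signal.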

#2
Nice article, Steve. I skimmed through it...my brain isn't functioning enough right now to actually read it word for word.

I had a sticky up on Android Forums about the Heartbleed bug, but took it down once I thought the threat was gone/minimized/unlikely to affect anyone any more. What's your take on that? I figure that by now any sites using OpenSSL have been patched.
Xenix/UNIX user since 1985 | Linux user since 1991 | Was registered Linux user #163544



#3
Thanks.

Originally posted by DoYouKubuntu:
I figure that by now any sites using OpenSSL have been patched.
I wouldn't make such an assumption. In the comments to my article, you'll see some discussion about a hospital that failed to patch their systems in a timely fashion and they got attacked. As I wrote:
I understand that IT departments have processes and change windows. But when a vendor issues an out-of-band patch for a flaw the vendor labels as critical, it's time to throw the change window, well, out the window. Install the patch right away. Emergency but controlled downtime dealing with a patch is much preferable to the disastrous and devastating downtime caused by an attack!



#4
Hmmmm...interesting. I'm not sure I want to re-sticky it at this point, but you've given me food for thought.
Xenix/UNIX user since 1985 | Linux user since 1991 | Was registered Linux user #163544



#5
Great article, Steve!
What are the odds that the head of IT at Community Health Services is looking for a job?
"A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
- John F. Kennedy, February 26, 1962.



#6
Originally posted by GreyGeek:
Great article, Steve!
Thanks!

Originally posted by GreyGeek:
What are the odds that the head of IT at Community Health Services is looking for a job?
Difficult to speculate about the chief information officer (the common title these days for "heads of IT"). However, if you consider the role of the chief security officer, three primary outcomes come to mind:
• Protect the organization's intellectual property
• Protect the organization's customers' personally identifiable and confidential information
• Keep the organization's executive officers from going to jail

Sometimes, security officers may lose sight of these overarching outcomes and instead get mired down in process and the minutiae of technology. It's an easy thing to do, really. Distraction leads to inattention, which in turn leads to costly and potentially unrecoverable mistakes.



#7
Oh, and hello world from Alaska Airlines flight 664, Seattle to Dallas! I'm on the way to Oklahoma City, where I have some customer meetings tomorrow. Right now, I'm using the wi-fi on the plane. Ain't technology just fsckin' grand?



#8
Originally posted by DoYouKubuntu:
I figure that by now any sites using OpenSSL have been patched.
Thing is, openssl is used in lots of less obvious places too. I updated my server straight away, but it didn't occur to me to update my router until about a week later, which was quite embarrassing considering how much everyone was talking about it.

There's no WAN-facing SSH port on the router, so for someone to attack it they would have to be physically near (in wireless range), authenticate to get on the LAN, and then attack the SSH port... unless the authentication process itself uses openssl (does it? I don't know), in which case they wouldn't even need to authenticate first.

I bet there are loads of businesses with unpatched routers. If you were trying to hack a company this would be a great place to start...

Also, my router's root filesystem is on a USB flash drive that is mounted at boot. If something happened to the drive, the router would fall back to the internal flash, which contains a vulnerable version of openssl (I should update it, but it would be inconvenient so I haven't done it yet... I bet this happens in business too!).

It'll be around for ages...
samhobbs.co.uk



#9
Umm... OpenSSL <> OpenSSH. SSH doesn't use SSL/TLS at all.

But yeah, products with vulnerable OpenSSL software will be around for, well, ever. We're doomed, the sky is falling, etc. For real.



#10
Originally posted by SteveRiley:
SSH doesn't use SSL/TLS at all.
Really? Well I'll be damned.
samhobbs.co.uk
