On April 12, 2014 1:00:37 AM EDT, John M Andersen <jsamyth@gmail.com> wrote:
On 4/11/2014 7:15 PM, Greg Freemyer wrote:
Lew From: http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-be...
"Terrence Koeman of MediaMonks told Ars he found signs of attempts to use the exploit dating back to November 2013. He used the packet content of a successful exploit of the Heartbleed vulnerability to check inbound packets logged by his servers and found a number of incoming packets from a network suspected of harboring a number of “bot” servers that were apparently scans for the vulnerability—sending Heartbleed-style requests to two different development servers in requests that were about five minutes apart."
So this was either cyber criminals or the NSA. I'll assume it was cyber criminals, but who knows.
Regardless, someone was scanning for the vulnerability 5 months ago. And this is not a complex vulnerability to leverage, once you find a vulnerable server, just keep sending authentication requests with invalid credentials. Using a spread out botnet defeats fail2ban style defenses.
My personal opinion is the world's governments should treat this as a global catastrophe and pay to have every credit card on the planet reissued at a minimum.
Greg
Your assertion that this is not a complex vulnerability to leverage may need some proof. People who have tried to leverage it have not been very successful. See http://blog.cloudflare.com/answering-the-critical-question-can-you-get-priva...
You might get something, but deliberate attempts to do so are harder than you seem to think.
Did you see the note at the top of the article? They retract the whole thing because 2 independent testers got the SSL private key from their test site within 9 hours of the test starting. They now recommend everyone (on the planet?) revoke their private keys and get new ones re-issued.

They say the Heartbleed attack is like panning for gold. Most times you reach down and get some dirt, you get dirt; other times there is a nugget in there. In this case the logins/passwords/credit cards would be little bits of gold nugget, and an SSL private key would be a decent-size diamond.

In the above test, one guy found the diamond (the SSL private key) after only 100,000 pans of dirt. The other took 2.5 million. With a 1,000-node botnet, that is only 2,500 pans of dirt each. For a cyber criminal, that is an almost trivial amount of work.

Greg
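
The log check described in the Ars quote earlier in this thread (matching logged inbound packets against Heartbleed-style requests) can be approximated with the length rule from RFC 6520. This is an added example, not code from the thread or from anyone quoted in it; the function names and the sample records are constructed for illustration.

```python
import struct

CHANGE_CIPHER_SPEC = 20  # records after this one are encrypted (TLS <= 1.2)
HEARTBEAT = 24           # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1           # heartbeat_request message type
MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding

def iter_records(stream: bytes):
    """Yield (content_type, version, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5: off + 5 + length]
        if len(frag) < length:      # truncated capture: stop parsing
            break
        yield ctype, version, frag
        off += 5 + length

def suspicious_heartbeats(stream: bytes):
    """Flag plaintext heartbeat requests whose declared payload length
    cannot fit inside the record that carries them."""
    findings = []
    for ctype, version, frag in iter_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break                   # later fragments are ciphertext, not inspectable
        if ctype != HEARTBEAT or len(frag) < 3:
            continue
        hb_type, claimed = struct.unpack_from("!BH", frag, 0)
        # type (1) + length (2) + payload + padding must fit in the record
        if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(frag):
            findings.append({"version": hex(version), "claimed": claimed,
                             "record_len": len(frag)})
    return findings

def record(ctype: int, frag: bytes, version: int = 0x0302) -> bytes:
    """Build a TLS record for the constructed samples below."""
    return struct.pack("!BHH", ctype, version, len(frag)) + frag

# Constructed sample data: one handshake record, one well-formed heartbeat
# request, and one heartbeat request that over-declares its payload length.
HANDSHAKE = record(22, b"\x01\x00\x00\x00")
WELL_FORMED = record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + bytes(16))
OVER_DECLARED = record(HEARTBEAT, struct.pack("!BH", 1, 0x4000))
SAMPLE_STREAM = HANDSHAKE + WELL_FORMED + OVER_DECLARED

if __name__ == "__main__":
    for hit in suspicious_heartbeats(SAMPLE_STREAM):
        print("over-declared heartbeat request:", hit)
```

The check only sees heartbeat records sent in the clear, before ChangeCipherSpec; once the session is encrypted the fields it reads are not visible to a passive log.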