Heartbleed attacks started within 24 hours of disclosure

Heartbleed affects servers across the world

Attacks attempting to exploit the Heartbleed security flaw that was uncovered in April started within 24 hours of it being made public. However, there is no evidence that attacks occurred before the vulnerability was unearthed.

Researchers from the University of Michigan, the University of Illinois, the University of California at Berkeley, Purdue University and the International Computer Science Institute reported the findings in a new paper, The Matter of Heartbleed.

“We find no evidence of exploitation prior to the vulnerability’s public disclosure, but we detect subsequent exploit attempts from almost 700 sources, beginning less than 24 hours after disclosure,” the report notes.

“The first activity we observed originated from a host at the University of Latvia on April 8, starting at 3.18pm UTC (21 hours 29 minutes after public disclosure), targeting 13 hosts at LBNL [Lawrence Berkeley National Laboratory].”

The speed of the observed attacks is particularly alarming because the researchers also found that, although many websites were quick to patch their systems, many more were not.

“We found that the vulnerability was widespread, and estimated that between 24–55 percent of HTTPS-enabled servers in the Alexa Top 1 Million were initially vulnerable, including 44 of the Alexa Top 100.”

“Sites patched heavily in the first two weeks after disclosure, but patching subsequently plateaued, and 3% of the HTTPS Alexa Top One Million sites remained vulnerable after two months.”

In an effort to help improve this situation, the researchers actively contacted numerous operators of sites that remained at risk to inform them of the problem.

They said this effort resulted in a huge improvement in patching: “When we notified network operators of the unpatched systems in their address space, the rate of patching increased by 47 percent. Many operators reported that they had intended to patch, but that they had missed the systems we detected.”

The researchers added that this should make the security community rethink the possibility of direct notification about system security risks, as it appears to undermine the consensus that such notification is too difficult.

“Although internet-wide measurement techniques have enabled the mass detection of vulnerable systems, many researchers (including us) had assumed that performing mass-vulnerability notifications for an incident like Heartbleed would be either too difficult or ineffective. Our findings challenge this view.”


10 September 2014 | 3:38 pm – Source: v3.co.uk
