Sep 25 2015

Heartbleed Revisited


News about certain security threats may subside, but that doesn't mean the vulnerabilities have gone away. This old saying applies to many bugs, but only a few of them were (and are) as irritating and dangerous as last year's Heartbleed, which could still be found on 200,000+ Internet-connected devices by mid-September 2015, security researchers say.

The message was first spread via Twitter by John Matherly, an Austin-based programmer who in 2009 founded Shodan, a search engine for security threats. Shodan helps users find all kinds of machinery that is connected to the Net and hence open to outside attacks, from web servers through routers and security cams to traffic lights and industrial control systems. Matherly used his own search engine to look for potential Heartbleed victims and was pretty stunned to find that nearly 18 months after the bug was first disclosed, more than 209,000 systems were still vulnerable to comparatively simple exploits, despite the industry's concerted efforts to patch the gaping hole in OpenSSL. The detailed results are shown in the map below, divided by country and affected Internet services. Apparently, most of the vulnerable systems were located in the U.S. and Germany and consisted of web servers handling HTTPS traffic.


Fig. 1


Given his background and expertise, Matherly's word carries some weight among security professionals, who quickly picked up on his tweet. One of the first was Graham Cluley, a freelance expert who started out as a co-developer of Dr Solomon's Antivirus Toolkit and afterwards served in senior roles at Sophos and McAfee. As any good analyst would, Cluley tries to dissect the problem on his blog and draws a couple of pretty unflattering conclusions:

  • On the one hand, he holds responsible the IT teams that have "failed to update vulnerable systems" although they not only had ample opportunity to do so, but could also have easily found the required tools, i.e. the above-mentioned patches supplied by numerous software vendors as well as by the OpenSSL project itself.
  • On the other hand, Cluley criticizes "manufacturers [that] have dropped the ball," i.e. firms that shunned necessary updates, discontinued affected software and/or support for it, or simply deliver products that are too complicated to mend (e.g. routers, switches, or small servers and NAS systems intended to serve as "private clouds").

Quite naturally, Cluley's outlook is as dry as it is bleak: in his opinion, "there will always be devices attached to the Internet which are vulnerable to Heartbleed."

So far, so good, one might think. The problem with his piece is that it doesn't offer much in terms of actual analysis, or at least examples of IT teams or hardware and software makers whose refusal to act caused major disruptions. Instead, he rather elaborates on the virtues of Shodan: although the search engine may help a "malicious hacker to identify a potential target," it also offers IT departments a great opportunity to "check their company's security, testing with various filters to determine if web servers – for instance – are running a particular version of Apache, or if devices which shouldn't be visible to the outside world are revealing their existence online." While this statement is definitely true, it's also somewhat trivial, and it prompted this author to search for further articles on the matter. As it turned out, Cluley wasn't the only expert who surrendered to the temptation of delivering a report on Shodan rather than on the issue his headline was aimed at: a few choice examples are here, here, and here. A more detailed essay about the implications of Matherly's findings was written by Rene Millman for SC Magazine UK.

