Heartbleed Saga Continues: Highlights of Vulnerability's First 30 Days

Heartbleed Saga Continues: Highlights of Vulnerability's First 30 Days
Heartbeat Function Is the Root Cause of the Flaw
Codenomicon Coined the Name 'Heartbleed'
CloudFlare Had Early Access
Heartbleed Disclosure Was Disjointed
Canada Revenue Agency Hacked by Heartbleed
Canadian Student Charged With Heartbleed Attack
VPNs Also at Risk
150 Million App Downloads at Risk From Heartbleed
Core Infrastructure Initiative Raises Millions to Prevent Next Heartbleed
OpenSSL Forked Into LibreSSL
Most Users Didn't Update Passwords After Heartbleed
1 of 12

Heartbleed Saga Continues: Highlights of Vulnerability's First 30 Days

By Sean Michael Kerner

2 of 12

Heartbeat Function Is the Root Cause of the Flaw

The OpenSSL Project first disclosed CVE-2014-0160 on April 7, noting that "a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server."

3 of 12

Codenomicon Coined the Name 'Heartbleed'

Security vendor Codenomicon branded the CVE-2014-0160 vulnerability as "Heartbleed" and created the Heartbleed.com Website to provide information about the issue. Codenomicon is also credited alongside Google for discovering the flaw.

4 of 12

CloudFlare Had Early Access

While most of the world was completely unaware of Heartbleed until April 7, cloud security vendor CloudFlare was given advance notice and was able to patch early.

5 of 12

Heartbleed Disclosure Was Disjointed

The branding and disclosure of Heartbleed was the cause of some angst. "From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security," John Edgar, chief technology evangelist at DigitalOcean, told eWEEK. "That's a shame and will likely encourage other people to do the same."

6 of 12

Canada Revenue Agency Hacked by Heartbleed

The Canada Revenue Agency (CRA), which is the Canadian equivalent of the U.S Internal Revenue Service (IRS), was attacked with Heartbleed. The CRA delayed the tax filing for millions of Canadian as a result of Heartbleed from April 30 to May 5.

7 of 12

Canadian Student Charged With Heartbleed Attack

In connection with the Heartbleed attack against the CRA, the Royal Canadian Mounted Police arrested a 19-year-old student.

8 of 12

VPNs Also at Risk

In addition to Web servers, VPNs are also at risk from Heartbleed. Security vendor FireEye's Mandiant division disclosed that one of its clients had been attacked with Heartbleed to circumvent a VPN connection.

9 of 12

150 Million App Downloads at Risk From Heartbleed

The Heartbleed flaw also impacts Android and has led to multiple firms releasing scanners to detect the issue. According to security firm FireEye, many of those scanners don't work and up to 150 million Android app downloads are potentially at risk from Heartbleed.

10 of 12

Core Infrastructure Initiative Raises Millions to Prevent Next Heartbleed

On April 24, the Linux Foundation announced the Core Infrastructure Initiative, backed by VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. The goal of the effort is to help fund developers working on OpenSSL and other critical Internet infrastructure projects.

11 of 12

OpenSSL Forked Into LibreSSL

One of the responses to Heartbleed came from the OpenBSD open-source operating system project, which decided to fork OpenSSL into the new LibreSSL project.

12 of 12

Most Users Didn't Update Passwords After Heartbleed

Although there was widespread media coverage of the Heartbleed vulnerability, a study from the Pew Research Center found that less than half of Internet users have actually taken steps to protect themselves.

Top White Papers and Webcasts