Heartbleed Saga Continues: Highlights of Vulnerability's First 30 Days

By Sean Michael Kerner | Posted 2014-05-07
On April 7, the Heartbleed vulnerability, one of the most impactful security incidents of the last decade, was first publicly disclosed. Technically, the Heartbleed flaw is identified as CVE-2014-0160 and called "TLS heartbeat read overrun." It is found within the open-source OpenSSL cryptographic library, which provides Secure Sockets Layer (SSL) encryption capabilities for data in transit. OpenSSL is widely deployed on servers and embedded devices, which is one of the many reasons why Heartbleed has been able to wreak so much havoc. Heartbleed could potentially enable an attacker to read the memory from a vulnerable server, which could lead to data theft. Only Google and CloudFlare were made aware of the flaw before it was first publicly disclosed, while other vendors were left scrambling to rapidly issue patches to users. While patches were made available on most platforms within days of the initial advisory, users of some mobile apps have been left at risk. The flaw also triggered a shutdown of the Canada Revenue Agency (CRA) Website, which delayed the tax filing deadline for millions of Canadians. Security firm FireEye reported that one of its clients had been attacked with the Heartbleed vulnerability by way of a virtual private network (VPN) connection. In this slide show, eWEEK takes a look back at some of the key developments in the first 30 days of the Heartbleed vulnerability.

  • Heartbeat Function Is the Root Cause of the Flaw

    The OpenSSL Project first disclosed CVE-2014-0160 on April 7, noting that "a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server."
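    The "missing bounds check" in the advisory above is easiest to see in a parser that has it. The C below is an added illustration written for this page, not OpenSSL's own code: it assumes a simplified heartbeat record layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) and rejects any record whose declared payload length does not fit inside the bytes actually received, which is the condition the OpenSSL fix added. The sample record and the `hb_*` function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record layout assumed for this example:
 *   byte 0     type: 1 = heartbeat_request, 2 = heartbeat_response
 *   bytes 1-2  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE,
                 HB_LENGTH_MISMATCH, HB_OUTPUT_TOO_SMALL };

/* Parse one heartbeat record into out. Only bytes the record actually
 * contains are ever read: a payload_length that does not fit inside
 * rec_len is rejected instead of being trusted for the copy. */
enum hb_status hb_parse(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    /* Header plus minimum padding must be present before any field is read. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: header + declared payload + padding must fit in the
     * received record. Without it the copy below would read past rec. */
    if (payload_len > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_LENGTH_MISMATCH;
    if (payload_len > out_cap)
        return HB_OUTPUT_TOO_SMALL;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    *out_len = payload_len;
    return HB_OK;
}

/* Build a constructed 23-byte sample record: 4-byte payload "ping" plus 16
 * bytes of padding. With honest == 0 the length field claims 0xFFFF bytes
 * while the buffer still holds only 23; the parser must refuse it. */
size_t hb_build_sample(uint8_t *buf, size_t cap, int honest)
{
    static const uint8_t payload[4] = { 'p', 'i', 'n', 'g' };
    size_t total = HB_HEADER_LEN + sizeof payload + HB_MIN_PADDING; /* 23 */
    if (cap < total) return 0;
    uint16_t claimed = honest ? (uint16_t)sizeof payload : 0xFFFF;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xFF);
    memcpy(buf + HB_HEADER_LEN, payload, sizeof payload);
    memset(buf + HB_HEADER_LEN + sizeof payload, 0xAA, HB_MIN_PADDING);
    return total;
}

/* Parse the constructed sample; reports the verdict and how many payload
 * bytes were copied (0 when the record was rejected). */
enum hb_status hb_check_sample(int honest, size_t *copied)
{
    uint8_t rec[64];
    uint8_t out[64];
    size_t n = hb_build_sample(rec, sizeof rec, honest);
    size_t len = 0;
    enum hb_status st = hb_parse(rec, n, out, sizeof out, &len);
    if (copied) *copied = len;
    return st;
}

int main(void)
{
    size_t len = 0;
    enum hb_status st = hb_check_sample(1, &len);
    printf("well-formed record:     status %d, %zu payload bytes copied\n", st, len);
    st = hb_check_sample(0, &len);
    printf("over-long length field: status %d, %zu payload bytes copied\n", st, len);
    return 0;
}
```

    The rejected case is the one the advisory describes: the length field promises far more than the 23 bytes on the wire, and a parser that copies `payload_len` bytes without comparing it to `rec_len` would return whatever happened to sit beyond the record in memory.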
  • Codenomicon Coined the Name 'Heartbleed'

    Security vendor Codenomicon branded the CVE-2014-0160 vulnerability as "Heartbleed" and created the Heartbleed.com Website to provide information about the issue. Codenomicon is also credited alongside Google for discovering the flaw.
  • CloudFlare Had Early Access

    While most of the world was completely unaware of Heartbleed until April 7, cloud security vendor CloudFlare was given advance notice and was able to patch early.
  • Heartbleed Disclosure Was Disjointed

    The branding and disclosure of Heartbleed was the cause of some angst. "From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security," John Edgar, chief technology evangelist at DigitalOcean, told eWEEK. "That's a shame and will likely encourage other people to do the same."
  • Canada Revenue Agency Hacked by Heartbleed

    The Canada Revenue Agency (CRA), which is the Canadian equivalent of the U.S. Internal Revenue Service (IRS), was attacked with Heartbleed. As a result, the CRA delayed the tax filing deadline for millions of Canadians from April 30 to May 5.
  • Canadian Student Charged With Heartbleed Attack

    In connection with the Heartbleed attack against the CRA, the Royal Canadian Mounted Police arrested a 19-year-old student.
  • VPNs Also at Risk

    In addition to Web servers, VPNs are also at risk from Heartbleed. Security vendor FireEye's Mandiant division disclosed that one of its clients had been attacked with Heartbleed to circumvent a VPN connection.
  • 150 Million App Downloads at Risk From Heartbleed

    The Heartbleed flaw also impacts Android and has led multiple firms to release scanners to detect the issue. According to security firm FireEye, many of those scanners don't work, and up to 150 million Android app downloads are potentially at risk from Heartbleed.
  • Core Infrastructure Initiative Raises Millions to Prevent Next Heartbleed

    On April 24, the Linux Foundation announced the Core Infrastructure Initiative, backed by VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. The goal of the effort is to help fund developers working on OpenSSL and other critical Internet infrastructure projects.
  • OpenSSL Forked Into LibreSSL

    One of the responses to Heartbleed came from the OpenBSD open-source operating system project, which decided to fork OpenSSL into the new LibreSSL project.
  • Most Users Didn't Update Passwords After Heartbleed

    Although there was widespread media coverage of the Heartbleed vulnerability, a study from the Pew Research Center found that less than half of Internet users have actually taken steps to protect themselves.
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.