No Evidence Exists That Shows Anyone Has Been Affected By Heartbleed

April 17, 2014

Study Finds No Evidence of Heartbleed Attacks Before the Bug Was Exposed

 

SAN FRANCISCO — Ever since the Heartbleed bug was exposed last week, the question everyone has been asking is: Did anyone exploit it before a Google researcher first discovered it?

The worry is that in the two years since the bug was accidentally incorporated into OpenSSL — a crucial piece of free security software used by governments and companies like the F.B.I. and Google — attackers could have exploited Heartbleed to take sensitive information like passwords and the virtual keys used to decipher any scrambled information stored on a web server.

What’s more, they could have done so without leaving evidence detectable by the normal methods used to track who has gained access to a server.

But security researchers at the Energy Department’s Lawrence Berkeley National Laboratory, which conducts unclassified scientific research, say that it is still possible to look for past Heartbleed exploitations by measuring the size of any messages sent to the vulnerable part of the OpenSSL code, called the Heartbeat, and the size of the information request that hits a server.

In an attack, the size of the response would be larger than the size of the request. And because the Heartbleed flaw can expose only a small amount of information at one time…

Read the rest of this NY Times Bits Blog here.
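The size comparison described in the excerpt, as an added Python example that is not from the article or from the Lawrence Berkeley researchers: it reads the TLS record headers in each direction of a captured connection and flags the connection when the server's heartbeat bytes exceed the client's. The function names, the `slack` parameter and the sample byte streams are constructed for illustration.

```python
import struct

HEARTBEAT = 24  # TLS record content type for heartbeat messages (RFC 6520)
HANDSHAKE = 22  # TLS record content type for handshake messages

def record_headers(stream):
    """Yield (content_type, declared_length) for each TLS record in one direction."""
    off = 0
    while off + 5 <= len(stream):
        # Record header: 1-byte type, 2-byte version, 2-byte length (network order).
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        yield ctype, length
        off += 5 + length  # skip the record body; only the sizes are needed

def heartbeat_totals(client_bytes, server_bytes):
    """Return (request_bytes, response_bytes) carried in heartbeat records.

    Totals are summed per direction rather than paired record by record,
    because one large response can span several records (16384 bytes max each).
    """
    req = sum(n for t, n in record_headers(client_bytes) if t == HEARTBEAT)
    resp = sum(n for t, n in record_headers(server_bytes) if t == HEARTBEAT)
    return req, resp

def is_suspicious(client_bytes, server_bytes, slack=0):
    """True when heartbeat responses outweigh requests by more than `slack` bytes.

    `slack` is an assumed tuning knob for padding differences, not from the article.
    """
    req, resp = heartbeat_totals(client_bytes, server_bytes)
    return resp > req + slack

def rec(ctype, n):
    """Build a constructed TLS 1.1 record with an n-byte zero-filled body."""
    return struct.pack("!BHH", ctype, 0x0302, n) + bytes(n)

# Constructed sample streams (not real captures).
BENIGN_CLIENT = rec(HANDSHAKE, 100) + rec(HEARTBEAT, 34)
BENIGN_SERVER = rec(HANDSHAKE, 900) + rec(HEARTBEAT, 34)
OVERSIZED_CLIENT = rec(HANDSHAKE, 100) + rec(HEARTBEAT, 3)
OVERSIZED_SERVER = rec(HANDSHAKE, 900) + rec(HEARTBEAT, 16384) * 4

if __name__ == "__main__":
    for name, c, s in [("benign", BENIGN_CLIENT, BENIGN_SERVER),
                       ("oversized", OVERSIZED_CLIENT, OVERSIZED_SERVER)]:
        print(name, heartbeat_totals(c, s), is_suspicious(c, s))
```

Because only record headers are read, the check works on archived traffic where heartbeat bodies are encrypted or were never stored.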

One thought on “No Evidence Exists That Shows Anyone Has Been Affected By Heartbleed”

  1. grandpa_bev

    There are at least 900 Canadians who would disagree with this article.
