Security Industry Losing the PR War

The security industry is in deep trouble right now. Billion-dollar enterprises investing hundreds of millions of dollars in security infrastructure are losing the game. The security companies developing the latest and greatest products are falling behind. Even the security experts are losing the PR game when it comes to communicating the pitfalls of certain vulnerabilities to the public. Below, I have listed seven quotes from security experts commenting on the probability of a breach due to the Heartbleed flaw. Out of respect for the experts, I have left out their names. I will summarize their quotes in one paragraph.

Summary of Quotes from Security Experts

“In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path.” “This attack could most easily be launched by state actors, intelligence agencies, or criminal enterprises operating with collusion from network operators,” “Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data.” “While we believe that the likelihood of compromise is vanishingly small, and the number of exposed certificates tiny, we cannot rule out that it could have happened.”

After reading all of these quotes from the experts, I felt comfortable that the chance of compromise was almost nil. Then you read today’s news.

Today’s News

“Canadian police have arrested a 19-year-old man for allegedly using the Heartbleed bug to steal data about taxpayers.”

The first thing that comes to mind is “What?” I thought the experts said this wasn’t possible. I thought only a nation-state or a national security agency of some kind could expose the flaw. To make matters worse, the kid is probably a script kiddie. So if a 19-year-old script kiddie can expose a flaw that experts thought was unlikely, we are in a world of hurt. Am I taking this out of context? Probably, but sometimes you have to do that to get the message across.

Quotes by Security Experts

“Carrying out an attack using this flaw (heartbleed) is not for script kiddies, experts say. It would take a nation-state or organized crime organization. “There are not enough skilled attackers with non-attributable networks to safely carry out large-scale collection efforts using this vulnerability,”

“SSL private keys, enabling the decryption of traffic if it’s intercepted; however experts have said that an attacker successfully compromising private keys is unlikely.”

“Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard.”

“However, finding a vulnerable site is much easier than exploiting the flaw, experts say. But while it may be fairly difficult now, hackers share information and toolkits, which may make the task easier in the future.”

“Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation,”

“While we believe that the likelihood of compromise is vanishingly small, and the number of exposed certificates tiny, we cannot rule out that it could have happened.”