Exploiting the Exploit: The Marketing of Heartbleed
No doubt anyone reading this post is already aware of the Heartbleed bug affecting OpenSSL implementations of the TLS Internet security protocol. Heartbleed has received massive press coverage –deservedly so given its potential implications for a significant portion of web sites and Internet-connected devices. We won’t belabor the technical details of the bug, which are summarized nicely at Heartbleed.com. What we will discuss is how Heartbleed has been publicized. To the best of our knowledge, Heartbleed is the first computer systems bug to have both its own website and its own logo, the cute bleeding heart. As such, Heartbleed sets a precedent that will have both positive and negative ramifications for future vulnerabilities and malware.
The Heartbleed website and logo were developed by the Finnish company Codenomicon, which makes fuzz testing software and provides security test services. Although the bug, officially dubbed CVE-2014-0160, was independently discovered by Neel Mehta of Google and several engineers at Codenomicon, the latter company is the one that turned it into a household word. Even among the vast majority of the population who have no idea what OpenSSL is, people everywhere quickly found out that a major bug could compromise their Internet security. For that, Codenomicon deserves thanks.
In addition, the Internet industry commendably jumped into action, with some websites being patched even before the disclosure became public and many other sites within a few days. (Patches to potentially affected embedded devices may take years, but that’s another story, and the process by which certain firms got early notification of Heartbleed is yet another...)
Despite the cooperation of Internet powers in addressing Heartbleed, VDC sees several disconcerting implications in the way the bug CVE-2014-0160 became Heartbleed the logo.
First, Codenomicon undoubtedly got a huge boost in its profile by virtue of its role in publicizing Heartbleed. Therefore, we anticipate that other security firms will seek similar attention when they discover significant vulnerabilities. We wouldn’t be surprised if discoverers prepare websites and logos before they even disclose the bugs, then flip the switch to launch their sites instantly upon disclosure. That may again produce rapid, coordinated reaction to fix the problem, but it raises questions about possibly overstating the risks associated with lesser vulnerabilities in the name of garnering publicity.
The Heartbleed bug was a biggie, deserving of widespread attention, whereas most bugs are rather mundane. Flaunting them won’t quite constitute crying wolf in the absence of threat, but it may be the equivalent of crying wolf when there’s just a loose dog poking around among the sheep.
Second, prankster-level hackers could conceivably set up fake vulnerabilities web pages, causing temporary wastes of much effort and energy before being debunked. That’s the equivalent of yelling “Fire!” in a crowded theater.
Third, and most egregious, would be malicious hackers who publicly announce a vulnerability (either real or fake) for the purpose of exploiting a different vulnerability while everyone is distracted with the first one. That’s yelling “Fire!” (or actually setting a fire) in the theater so they can rob a bank across town while the police and firemen are occupied. Password phishing email campaigns can already come in swift response to disclosure of real vulnerabilities. Now, we anticipate hackers coordinating both the disclosure and the phishing campaigns.
Sad to say, despite all the benefits of renewed examination of security protocols that will come out of the Heartbleed bug, there remain many who will seek to maximize their own gains by learning from the reactions of others.