Jeffrey Walton shares:
|
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
|
| ...
| The second log seems much more troubling. We have spoken to Ars
| Technica's second source, Terrence Koeman, who reports finding some
| inbound packets, immediately following the setup and termination of a
| normal handshake, containing another Client Hello message followed by
| the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs
| from November 2013. These bytes are a TLS Heartbeat with contradictory
| length fields, and are the same as those in the widely circulated
| proof-of-concept exploit.
| ...
First, one must assume that one is never the first discoverer.
Second, the article continues with
| ...
| To reach a firmer conclusion about Heartbleed's history, it would
| be best for the networking community to try to replicate Koeman's
| findings.
| ...
and one should remember that the installed base of such firms as
NetWitness (bought by, and brought into, EMC after the RSA APT
attack) do exactly what is being asked for above, as do other such
products that have not appeared in commercial offerings. (For
timely reasons, one wonders how all the tax preparation sites plus
irs.gov are waltzing with Heartbleed just now. April 15 is Tuesday...)
Combining points one and two inside any entity where competent data
analysis at scale is routine, a novel attack using an extant flaw
may well become available to such entities by *observation* rather
than by synthesis and/or invention. Like organisms that borrow
genes across species barriers, the best on the offense side would
have no qualms about capturing what can be observed. There are
neither patents nor false modesty in that space.
EFF, or someone here, would do well to devise a nomogram whereby
one laid one's straight-edge on the page and read off If this
attack occurred against a target of this value, then detection implies
first use was N months ago. For diseases with guessable intervals
between infection and clinical signs, this is how you look for
Patient Zero.
--dan
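Detection logic for the condition the quoted log entry describes, as an added example that is not part of Dan's post or of EFF's article: it parses a TLS record header and the heartbeat message inside it, and flags a heartbeat whose declared payload length cannot fit in the record that carries it (the Heartbleed condition). The suspect input is the eight bytes quoted above, assumed here to begin at a TLS record boundary; the benign record and the helper names are constructed for illustration.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16                # RFC 6520: heartbeat padding is at least 16 bytes

# Constructed samples: the bytes quoted in the post, assumed to start at a
# record boundary, and a well-formed heartbeat request for contrast.
SUSPECT_PAYLOAD = bytes.fromhex("18 03 02 00 03 01 40 00")
BENIGN_PAYLOAD = bytes.fromhex("18 03 02 00 16 01 00 03") + b"abc" + b"\x00" * 16


def parse_heartbeat_record(data):
    """Parse a TLS record and, if it is a heartbeat, its message header.

    Returns a dict of parsed fields plus a 'contradictory' flag that is True
    when the declared heartbeat payload length exceeds what the enclosing
    record can hold. Returns None if the bytes are not a heartbeat record or
    the capture is too short to parse.
    """
    if len(data) < 5:
        return None
    content_type, version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return None
    body = data[5:5 + record_len]
    if len(body) < 3:
        return None  # truncated capture; heartbeat header incomplete
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # RFC 6520 section 4: discard if payload_length > record length - 19
    # (1 byte type + 2 bytes length + at least 16 bytes padding).
    max_payload = record_len - 3 - MIN_PADDING
    return {
        "version": version,
        "record_len": record_len,
        "hb_type": hb_type,
        "payload_len": payload_len,
        "contradictory": payload_len > max_payload,
    }


def flag_heartbleed_probes(packets):
    """Return indices of captured TCP payloads carrying a contradictory heartbeat."""
    flagged = []
    for i, pkt in enumerate(packets):
        parsed = parse_heartbeat_record(pkt)
        if parsed is not None and parsed["contradictory"]:
            flagged.append(i)
    return flagged
```

Run over stored ingress payloads, this is the replication check the EFF article asks the networking community for; the record length of 3 against a declared payload of 0x4000 bytes is exactly the contradiction the quoted log shows.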
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography