September 10, 2014

Heartbleed researcher disputes attacks timeline reports

Exclusive: 'we did not see evidence...does not mean there wasn't attacks'.

By Jimmy Nicholls

A researcher behind a recent paper on the Heartbleed OpenSSL bug has played down media reports that the flaw was unknown before it was publicly disclosed.

Michael Bailey, an associate professor at the University of Illinois, told CBR that people should be cautious when interpreting the results from the study, conducted by several American universities.

"While we say we did not see evidence, we mean precisely that and only that. We did not see any," he said. "That does not mean that there wasn’t any use by attackers."

The bug allowed hackers to listen in on the "heartbeat" messages used to validate a connection between a website and a user, and was thought to affect half a million websites when it was disclosed in April.

Since then, the US firm Community Health Systems has been the only major site compromised, but Bailey warned that attackers may have used the flaw in less noticeable ways.

"For example, if I was an attacker and I had access to this vulnerability prior to public release, I certainly wouldn’t use it to do something as noisy and easy to detect as scanning large amounts of the public Internet, exploiting whatever I found," he said.

"Rather I would target very specific, high value targets only – something we would not have detected with our infrastructure, and something very hard to detect in general."


He added that some companies had "rushed to disclose" the bug, which meant the community had less time to patch before the news broke.

The paper estimated that between a quarter and a half of HTTPS-secured servers in the Alexa Top 1 Million traffic listings were initially vulnerable to the bug, including 44 of the top 100.

Three quarters of vulnerable sites patched, but only a tenth went on to replace their security certificates, and 14% of patchers kept the same private key, leaving their sites unsecured.
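Whether a replaced certificate still carries the old private key can be checked by comparing the SubjectPublicKeyInfo (SPKI) of the two certificates: a new serial number with an identical SPKI means the key was never rotated, so anything leaked through Heartbleed still decrypts or impersonates the site. The following is an added example and not code from the article or from the paper it reports on. It parses DER with a small hand-written ASN.1 walker (no third-party library), and the certificates it compares are constructed, unsigned stand-ins with placeholder key bytes so that it runs offline; the field order is that of a real X.509 certificate, so `spki_fingerprint` also works on DER obtained from `ssl.PEM_cert_to_DER_cert`.

```python
"""Classify a certificate replacement as 'not replaced', 'replaced, key reused'
or 'replaced, key rotated' by fingerprinting the SubjectPublicKeyInfo.
Added example; the certificates built by synthetic_cert() are constructed
stand-ins, not real certificates."""
import hashlib


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def spki_fingerprint(cert_der):
    """SHA-256 over the complete SubjectPublicKeyInfo element of a DER certificate."""
    tag, vs, ve = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, _, tbs_vs, tbs_ve = next(_elements(cert_der, vs, ve))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_elements(cert_der, tbs_vs, tbs_ve))
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("truncated tbsCertificate")
    spki_tag, spki_start, _, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return hashlib.sha256(cert_der[spki_start:spki_end]).hexdigest()


def classify_replacement(old_der, new_der):
    """Mirror the three outcomes the study counted for each vulnerable site."""
    if old_der == new_der:
        return "not replaced"
    if spki_fingerprint(old_der) == spki_fingerprint(new_der):
        return "replaced, key reused"
    return "replaced, key rotated"


# --- constructed test data: a minimal DER encoder and an unsigned stand-in cert ---

def _der(tag, content):
    """Encode one DER element with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def synthetic_cert(serial, common_name, key_blob):
    """Constructed, unsigned certificate skeleton; key_blob stands in for the key."""
    oid_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption
    oid_sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
    alg = _der(0x30, _der(0x06, oid_sha256_rsa) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                           + _der(0x0C, common_name.encode()))))
    validity = _der(0x30, _der(0x17, b"140401000000Z") + _der(0x17, b"150401000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, oid_rsa) + _der(0x05, b""))
                + _der(0x03, b"\x00" + key_blob))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(2, "big"))
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(32)))  # placeholder signature


if __name__ == "__main__":
    key_a = hashlib.sha256(b"constructed key A").digest()
    key_b = hashlib.sha256(b"constructed key B").digest()
    before = synthetic_cert(1, "example.test", key_a)
    reissued_same_key = synthetic_cert(2, "example.test", key_a)
    reissued_new_key = synthetic_cert(3, "example.test", key_b)
    for label, after in [("same cert", before), ("reissued", reissued_same_key),
                         ("rotated", reissued_new_key)]:
        print(label, "->", classify_replacement(before, after))
```

Only a new SPKI after patching shows the site actually recovered from the leak; a new serial or a new expiry date by itself proves nothing, which is why the check hashes the key structure rather than the whole certificate.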
