Cybersecurity experts discover lapses in Heartbleed bug fix

November 07, 2014

A detailed analysis by cybersecurity experts from the University of Maryland found that website administrators nationwide tasked with patching security holes exploited by the Heartbleed bug may not have done enough.

First disclosed in April 2014, Heartbleed presents a serious vulnerability to the popular OpenSSL (Secure Sockets Layer) software, allowing anyone on the Internet to read the memory of systems that are compromised by the malicious bug.

Assistant Research Scientist Dave Levin and Assistant Professor of Electrical and Computer Engineering Tudor Dumitras were part of a team that analyzed the most popular websites in the United States--more than one million sites were examined--to better understand the extent to which systems administrators followed specific protocols to fix the problem.

Levin and Dumitras both have appointments in the Maryland Cybersecurity Center, one of 16 centers and labs in the University of Maryland Institute for Advanced Computer Studies.

Their team, which included researchers from Northeastern University and Stanford University, discovered that while approximately 93 percent of the websites analyzed had patched their software correctly within three weeks of Heartbleed being announced, only 13 percent followed up with other security measures needed to make the systems completely secure.

Once Heartbleed was made public, Levin says, website administrators everywhere should have immediately taken three steps to regain better control and security over their systems.

"They needed to patch their OpenSSL software, they needed to revoke their current certificates, and they needed to reissue new ones," he says.

Patching, revoking and reissuing are elements of the PKI, or Public Key Infrastructure, which allows for browsers and operating systems to verify that they are communicating with an authentic website, rather than an attacker who is masquerading as a website in order to gain sensitive user information.

But without following through with both revocation and reissue, attackers who already had a website's private key could still pose as that website, even if the administrator had correctly patched their software.

"Many people seem to think that if they reissue a certificate, it fixes the problem, but, actually, the attack remains possible just as it did before. So, you need to both reissue and revoke the certificates," says Dumitras.

The team's data analysis also highlighted an interesting trend that points to the role that humans play in these complex security systems, Dumitras says. In a graph displaying how many certifications were revoked over the course of the three weeks, their data shows a significant drop in revocation rates during weekends.

"Basically, that means that security was taking the weekends off," he says.

Dumitras and Levin hope that the team's findings--presented this week at the 2014 Internet Measurement Conference in Vancouver, B.C.--will spur conversations regarding the multiple factors that influence overall computer security, and how those factors can work together to better strengthen systems.

"Security isn't something to be taken for granted," Levin says. "I see some of these results and I'm shocked and I'm surprised and I'm a little bit scared. But at the same time, I see it as opportunity for improvement."
-end-
Paper link: http://www.umiacs.umd.edu/~tdumitra/papers/IMC-2014.pdf

Team research page: http://www.securepki.org

Written by Andrew Snadecki '14

University of Maryland
College of Computer, Mathematical, and Natural Sciences
2300 Symons Hall, College Park, Md. 20742
http://www.cmns.umd.edu
@UMDscience

About the College of Computer, Mathematical, and Natural Sciences

The College of Computer, Mathematical, and Natural Sciences at the University of Maryland educates more than 7,000 future scientific leaders in its undergraduate and graduate programs each year. The college's 10 departments and more than a dozen interdisciplinary research centers foster scientific discovery with annual sponsored research funding exceeding $150 million.

University of Maryland

Related Cybersecurity Articles from Brightsurf:

Computer scientists' new tool fools hackers into sharing keys for better cybersecurity
Instead of blocking hackers, a new cybersecurity defense approach developed by University of Texas at Dallas computer scientists actually welcomes them.

Cultural differences account for global gap in online regulation -- study
Differences in cultural values have led some countries to tackle the specter of cyber-attacks with increased internet regulation, whilst others have taken a 'hands-off' approach to online security -- a new study shows.

Study finds companies may be wise to share cybersecurity efforts
Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors.

$4.6 million award creates program to train cybersecurity professionals
A five-year, $4.63 million award from the National Science Foundation will enable a multi-disciplinary team of researchers at the University of Arkansas to create a program to recruit, educate and train the next generation of cybersecurity professionals.

First cyber agility framework to train officials developed to out-maneuver cyber attacks
To help train government and industry organizations on how to prevent cyberattacks, as part of a research project for the US Army, scientists at The University of Texas at San Antonio, developed the first framework to score the agility of cyber attackers and defenders.

Cyber of the fittest: Researchers develop first cyber agility framework to measure attacks
The framework proposed by the researchers will help government and industry organizations visualize how well they out-maneuver attacks over time.

Army researchers identify new way to improve cybersecurity
Researchers at the US Army Combat Capabilities Development Command's Army Research Laboratory, the Army's corporate research laboratory also known as ARL, and Towson University may have identified a new way to improve network security.

How susceptible are hospital employees to phishing attacks?
A multicenter study finds high click rate for simulated phishing emails, potential benefit in phishing awareness training.

A Georgia State cybersecurity study of the dark web exposes vulnerability to machine identities
A thriving marketplace for SSL and TLS certificates -- small data files used to facilitate confidential communication between organizations' servers and their clients' computers -- exists on a hidden part of the Internet, according to new research by Georgia State University's Evidence-Based Cybersecurity Research Group (EBCS) and the University of Surrey.

Army scientists revolutionize cybersecurity through quantum research
Army scientists have found a novel way to safeguard quantum information during transmission.

Read More: Cybersecurity News and Cybersecurity Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.