This Week in Bug/Virus/Breach History 4/3/2018

Welcome to the second edition of our newest column here at Qualitest: the anniversaries of things that were preventable. Because that which has gone wrong might go wrong again.

In 2012, RFC 6520 (Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension) defined a heartbeat extension that provides keep-alive functionality without continually renegotiating the connection. The RFC was fine, but a bug existed in the OpenSSL version 1.0.1 code, released on March 14, 2012, which implemented it.

On April 1, 2014, Neel Mehta of Google’s security team reported this bug, which they called Heartbleed (a logical name for a heartbeat flaw). At the time of disclosure, an estimated 17.5% (about half a million) of the Internet’s certified secure web servers were thought to be vulnerable to this form of attack, which allowed theft of the servers’ private keys and of users’ session cookies and passwords. Affected sites included Twitter, GitHub, Yahoo, Tumblr, and Dropbox.
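The flaw behind Heartbleed was a missing bounds check: the OpenSSL heartbeat handler trusted the payload length field inside the incoming message and copied that many bytes back to the sender even when the message itself was far shorter, so the reply carried whatever happened to sit in adjacent process memory (which is how keys, cookies and passwords leaked). The C program below is an illustration added to this column, not OpenSSL code: it parses a heartbeat message in the RFC 6520 layout and rejects any message whose declared length does not fit inside the record, which is the check the fixed OpenSSL release added. The sample records, the function names and the zeroed 16-byte padding are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout from RFC 6520: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of random padding. */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Validate a heartbeat message held in rec[0..rec_len). On success, point
 * *payload at the payload bytes and return the declared payload length;
 * return -1 if the message is malformed. The length comparison is the check
 * the original OpenSSL 1.0.1 code omitted: it trusted payload_length and
 * copied that many bytes from memory beyond the (shorter) record. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, const uint8_t **payload)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                                  /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;                                  /* unknown message type */

    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* Declared payload plus header plus minimum padding must fit in the record. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return -1;                                  /* length field does not match the record */

    *payload = rec + HB_HEADER_LEN;
    return (int)declared;
}

/* Build the HeartbeatResponse for a validated request by echoing its payload.
 * Returns the number of bytes written, or 0 if the request was rejected or
 * the output buffer is too small. Padding is zeroed here for determinism;
 * a real implementation fills it with random bytes. */
size_t build_heartbeat_response(const uint8_t *req, size_t req_len,
                                uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    int n = parse_heartbeat(req, req_len, &payload);
    if (n < 0 || req[0] != HB_REQUEST)
        return 0;
    size_t need = HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, (size_t)n); /* only bytes that really arrived */
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING);
    return need;
}

/* Constructed sample records (not captured traffic): a 4-byte "ping" payload. */
static const uint8_t GOOD_REQ[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };
/* Same 23-byte record, but the length field claims 256 bytes of payload. */
static const uint8_t BAD_REQ[] = {
    HB_REQUEST, 0x01, 0x00, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

int demo_good(void)
{
    const uint8_t *p;
    return parse_heartbeat(GOOD_REQ, sizeof GOOD_REQ, &p);  /* 4 */
}

int demo_bad(void)
{
    const uint8_t *p;
    return parse_heartbeat(BAD_REQ, sizeof BAD_REQ, &p);    /* -1 */
}

/* 1 if the response to GOOD_REQ is well-formed and echoes exactly "ping". */
int demo_response_ok(void)
{
    uint8_t out[64];
    size_t n = build_heartbeat_response(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out);
    return n == 23 && out[0] == HB_RESPONSE && out[1] == 0 && out[2] == 4
        && memcmp(out + HB_HEADER_LEN, "ping", 4) == 0;
}

int main(void)
{
    printf("well-formed request: payload length %d\n", demo_good());
    printf("over-long length field: %d (rejected)\n", demo_bad());
    printf("response well-formed: %s\n", demo_response_ok() ? "yes" : "no");
    return 0;
}
```

The important line is the single comparison in parse_heartbeat: the response is built only from bytes that demonstrably arrived in the record, never from the count the peer asserted, which is the general rule for any length-prefixed format.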

Bitcoin seems to be in the news a lot, but not always for happy reasons. Some days, Bitcoin hits new heights, new lows, or experiences a theft (possibly suggesting that the whole system is flawed). How would you feel if your bank suddenly announced, “Our bank is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed; due to the very nature of our bank it is impossible to reopen the service as-is”? Substitute the word “Instawallet” for “our bank” and you’ll have the message that Instawallet users received.

The size of the theft was not even specified in the announcement, but it was later estimated at 35K bitcoins ($4.6M). The security was broken in such a way that, according to several newspapers, a new architecture needed to be engineered. This happened on April 3, 2013, and it was only one of many Bitcoin thefts.

This column will return in 2 weeks, when we will re-experience EternalBlue and the Bloomberg news outage of 2015, followed a week later by memories of a problem that yielded free coffee for many.