In other news, the total number of honeypot servers used by security researchers has now reached 200,000.
Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack
More than a year after its introduction, the notorious HeartBleed security flaw remains a threat to more than 200,000 internet-connected devices. This according to Shodan, a search tool that (among other things) seeks out internet-of-things (IoT) connected devices. Founder John Matherly posted a map the company built showing …
COMMENTS
-
Tuesday 15th September 2015 20:16 GMT Anonymous Coward
"In other news, the total number of honeypot servers used by security researchers has now reached 200,000."
Good point AC: I have played with those in the past and they can easily be made to look like a home router with an assortment of vulns ready.
To be honest though I usually go for an ssh or rdp daemon to harvest bad username and password lists that I then ban. To be honest the baddies generally try administrator and root the vast majority of the time (70%+). The next favourites are service names (mail, sql etc), test and user (with or without a number) and similar. Then you get to watch a long list of initial+surname efforts. Yawn.
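The username harvesting described above, as an added example that is not part of the original thread: a small parser for sshd "Failed password" lines that tallies the usernames tried, reports what share of attempts go after root and administrator, and lists source addresses that have crossed a ban threshold. The log lines are constructed for illustration (hostname, PIDs and addresses are made up); the regex assumes the stock OpenSSH syslog wording.

```python
import re
from collections import Counter

# Constructed sample sshd auth log (not real data), in the usual syslog layout.
SAMPLE_AUTH_LOG = """\
Sep 15 20:01:02 hp sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Sep 15 20:01:04 hp sshd[1201]: Failed password for root from 203.0.113.5 port 40118 ssh2
Sep 15 20:01:07 hp sshd[1203]: Failed password for invalid user administrator from 203.0.113.5 port 40120 ssh2
Sep 15 20:01:09 hp sshd[1205]: Failed password for invalid user mail from 198.51.100.7 port 51002 ssh2
Sep 15 20:01:11 hp sshd[1207]: Failed password for invalid user test1 from 198.51.100.7 port 51004 ssh2
Sep 15 20:01:15 hp sshd[1209]: Failed password for root from 198.51.100.7 port 51010 ssh2
Sep 15 20:01:20 hp sshd[1211]: Failed password for invalid user jsmith from 192.0.2.9 port 61000 ssh2
Sep 15 20:01:22 hp sshd[1213]: Accepted publickey for deploy from 192.0.2.1 port 22000 ssh2
"""

# Matches both "Failed password for root ..." and
# "Failed password for invalid user mail ..." (OpenSSH wording assumed).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Yield (username, source_ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def username_stats(log_text):
    """Return (Counter of attempted usernames, share of attempts aimed at root/administrator)."""
    counts = Counter(user for user, _ in parse_failed_logins(log_text))
    total = sum(counts.values())
    admin_attempts = counts["root"] + counts["administrator"]
    return counts, (admin_attempts / total if total else 0.0)


def ban_candidates(log_text, threshold=3):
    """Source IPs with at least `threshold` failed logins: what a fail2ban-style rule would act on."""
    per_ip = Counter(ip for _, ip in parse_failed_logins(log_text))
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    counts, share = username_stats(SAMPLE_AUTH_LOG)
    print("usernames tried:", counts.most_common())
    print(f"root/administrator share: {share:.0%}")
    print("ban candidates:", ban_candidates(SAMPLE_AUTH_LOG))
```

On the constructed sample, root and administrator account for four of the seven failed attempts, and two of the three source addresses reach the default threshold of three failures. The threshold and the time window you would add in practice are policy choices; the point of the parser is that the ban list is derived from observed behaviour rather than from a static blocklist.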
-
Tuesday 15th September 2015 20:53 GMT Charles Manning
Ok,... I'll bite
Heartbleed can be a potential problem in some systems.
That does not mean that in all cases where heartbleed code runs that it can be used to access anything useful.
It does not matter if you can pick a cupboard lock if there's nothing to steal. Similarly heartbleed will only bleed if the attackable 64kbyte area holds useful data.
Heartbleed only works in certain usage situations and many of those do not apply to embedded systems.
The system I'm currently working on has ssh, but even if it has heartbleed that would not matter due to the way ssh is used.
-
Thursday 17th September 2015 15:12 GMT Michael Wojcik
Re: Ok,... I'll bite
Since Heartbleed is an OpenSSL exploit, not an SSH one, it's hard to see how "the way ssh is used" is at all relevant.
Because of OpenSSL's memory management, Heartbleed is pretty much all of a problem, unless your threat model doesn't rely on OpenSSL to do anything requiring a secret. Maybe you're only using OpenSSL to validate certificates, for example; in that case Heartbleed wouldn't matter. But if there's any encryption being done with OpenSSL, then Heartbleed is a problem.
"heartbleed will only bleed if the attackable 64kbyte area holds useful data"
Largely irrelevant, because OpenSSL can be coaxed into putting sensitive data into the vulnerable area with high probability.
IIRC (it's been a while since I looked at the vulnerable code), you can block Heartbleed in various ways even with vulnerable versions, for example by blocking DTLS before it reaches an OpenSSL-based application. So if Shodan's test is "version of OpenSSL with the Heartbleed vulnerability", then it could be returning some false positives.
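The bounds check whose absence made Heartbleed possible, as an added example that is not part of the original thread or of OpenSSL: a parser for the body of a TLS/DTLS heartbeat message (type byte, two-byte payload_length, payload, at least 16 bytes of padding, per RFC 6520) that refuses any message whose claimed payload_length does not fit inside the bytes actually received. That refusal is the substance of the fix; the class and function names are this example's own, and the sample records are constructed inline.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


class MalformedHeartbeat(ValueError):
    """Raised for any heartbeat body that must be dropped without a response."""


def parse_heartbeat(record: bytes):
    """Parse a heartbeat message body and return (type, payload).

    The length check is the one the Heartbleed fix added: the claimed
    payload_length must fit in the record that was actually received,
    otherwise a responder echoing payload_length bytes would read past the
    message into whatever else sits in that buffer.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise MalformedHeartbeat("record too short to hold header and padding")
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {hb_type}")
    # Never trust payload_length beyond what the record contains.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"payload_length {payload_length} exceeds record of {len(record)} bytes"
        )
    payload = record[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Build a well-formed heartbeat body; used here to construct sample inputs."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * padding_len


def heartbeat_response(record: bytes) -> bytes:
    """Answer a request with a response that echoes exactly the validated payload."""
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat("only requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_well_formed(record: bytes) -> bool:
    """True when the record passes every check in parse_heartbeat."""
    try:
        parse_heartbeat(record)
        return True
    except MalformedHeartbeat:
        return False


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    # Constructed malformed body: claims a 16 KiB payload but carries 4 bytes.
    bad = bytes([HEARTBEAT_REQUEST, 0x40, 0x00]) + b"ping" + b"\x00" * MIN_PADDING
    print("well-formed request answered with", heartbeat_response(good))
    print("oversized claim accepted?", is_well_formed(bad))
```

This is also why a scanner that only reads the server's version string, as the comment above suspects Shodan's test does, says less than a behavioural check would: a responder that enforces this length rule returns nothing beyond the bytes it was sent, whatever version it reports, while one that trusts payload_length is the problem regardless of what the banner says.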
-
Thursday 17th September 2015 15:17 GMT Michael Wojcik
Re: All of this could be solved..
"solved" how?
They certainly have an impressive array of marketing materials, but I don't see how they're magically going to replace vulnerable software in thousands of embedded systems. And that's assuming you purchase their product, and not simply "listen" to them.
-