The Heartbleed vulnerability in OpenSSL has been shaking up the internet since its disclosure a few weeks ago, but the nature of the flaw means we may never find out who used it to steal what information in the two years before it was noticed.
One of the first cases of data theft through Heartbleed was acknowledged by Canada's national tax office. An attacker managed to remove Canadian social insurance numbers of around 900 taxpayers from the agency before the flaw was patched.
Within days, however, the Mounties had arrested Stephen Solis-Reyes at his London, Ontario home for exploiting the bug and stealing information.
However, that arrest -- which has received worldwide press attention -- appears to stand alone. Was Solis-Reyes the only one who used Heartbleed to steal information? Or was he the only one to get caught?
Verizon yesterday released its annual Data Breach Investigations Report (DBIR), which highlighted how difficult it is to figure out exactly how much damage flaws like Heartbleed actually cause.
“Heartbleed is interesting for two reasons,” Aaron Sharpe, senior solutions consultant at Verizon, told SC Magazine.
“Firstly, because it’s so widespread - the OpenSSL footprint is massive. Secondly, the window of opportunity has been huge - something like two years.”
When asked how Heartbleed might reveal itself in the same report next year, Sharpe admitted it probably wouldn’t.
“The reality is that the nature of the exploit - because it is based on reading from memory - leaves next to no trace. So even if somebody has been exploiting this, it would be very difficult to detect,” Sharpe said.
The one group widely expected to have been using the vulnerability, the US government and NSA, officially denied any prior knowledge of Heartbleed.
"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," a National Security Council spokeswoman said.
So why did Heartbleed happen and will it happen again?
The problem, according to Peter Gutmann, a ‘professional paranoid’ from the University of Auckland, is that encryption is extremely difficult to implement properly.
Gutmann told SC Magazine that while experts had the ability to create mathematical formulae that describe a perfectly secure encryption system, it was almost impossible to recreate that system in the real world.
“It’s the same as anything -- like economics, finance or even designing a system in a car -- you have got mathematical formulas that can perfectly describe something very cleverly and clearly but when you move it into the real world, it breaks down because you have forgotten some little bit somewhere,” he said.
“The crypto we are using on the internet is full of little bits that people have forgotten or didn’t even know about and therefore never protected against.”
He said Heartbleed was “just one of a million bugs in software” and pointed out that a large number of critical vulnerabilities were being exposed every week.
So back to Stephen Solis-Reyes, the only person so far to be arrested for exploiting Heartbleed.
Will he be the last? Possibly. Was he the first? Very, very, very unlikely.
Have you changed your passwords yet?