Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Debugging The Myths Of Heartbleed
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/26/2014 | 10:55:57 PM
This is a very good rundown of Heartbleed with great information about how to uncover possible breaches. Was surprised to heaer it was used against CHS given the amount of publicity and the fact that they are not some small business.

User Rank: Apprentice
8/23/2014 | 12:33:23 AM
Re: Heartbleed and CHS breach
Good points Steve!

Reading a related article about Heartbleed and Community Heath Systems by Sara Peters, "Heartbleed Not Only Reason For Health Systems Breach", also on Dark Reading,  I see many things that added to what was taken through Heartbleed.  According to the detailed anaylysis of the attack one user's credentials were taken through Heartbleed and the patient data was taken using those credentials.

The expanded attack was aided by weaknesses on their security posture, namely;
  • They only watched what came in, and ignored outgoing traffic;
  • Stange behaviour by a user logging in from a new remote location should have raised flag, but did not for the duration of the attack;
  • VPN logins that only use user names and passwords when there are many ways to add security to VPN (like trusted devices information added to user credentials);
  • Monolithic data structure, with the same level of security applied to the entire structure.

To me it appears that they threw a firewall up, installed spyware and virus scanning, and called it secure.  The problem is that once a way is found through the firewall almost all the data is there for the taking.  While no health or payment data was taken this time, I have seen nothing that indicates it was more secure... and personal experience tells me it most likely was not.

I am not the biggest fan of encryption, but it helps secure data at rest and on the fly, especilay when coupled with two-factor authentication - such as user credetnials coupled with trusted device information.  While it is not impossible to emulate a trusted machine, if basic security processes are followed where the machine info is double hashed before it is sent, it becomes much harder.

CHS is not a non-profit, so it seems like they should be abble to afford better security.
Steve Riley
Steve Riley,
User Rank: Author
8/21/2014 | 1:25:11 PM
Re: Heartbleed and CHS breach
Sloppiness? Inattention? Lack of awareness or concern for risk? It perplexes me that people don't take this stuff seriously. Heartbleed was discovered on April 7. Juniper issed security advisory JSA10623 and knowlegebase article KB29004. We don't know when these were first issued -- all we can see are "last updated" dates of April 30 and May 6, respectively. Some reports indicate Juniper issued patches only three days after April 7. But regardless, it's now late August. The hospital didn't update their stuff after more than three (or four) months? That's inexcusable, especially for something like a VPN server, a device intended to deposit users on the inside of a corporate network.

I understand that IT departments have processes and change windows. But when a vendor issues an out-of-band patch for a flaw the vendor labels as critical, it's time to throw the change window, well, out the window. Install the patch right away. Emergency but controlled downtime dealing with a patch is much preferable to the disastrous and devastating downtime caused by an attack!
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
8/21/2014 | 9:08:47 AM
Heartbleed and CHS breach
Thanks for a fascinating perpsective on Heartbleed. What's your reaction to the latest Heartbleed-related breach at Community Health Services? Are there are any takeaways from what happened? 
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
8/20/2014 | 5:03:06 PM
A sober assessment
This is a good, sober assessment of Heartbleed's impact by a veteran security architect. Riley was previously one of the security brains behind Amazon operations.

7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/ action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.