Exclusive: ‘we did not see evidence…does not mean there wasn’t attacks’.
A researcher behind a recent paper on the Heartbleed OpenSSL bug has played down media reports that the flaw was unknown before it was publicly disclosed.
Michael Bailey, an associate professor at the University of Illinois, told CBR that people should be cautious when interpreting the results from the study, conducted by several American universities.
"While we say we did not see evidence, we mean precisely that and only that. We did not see any," he said. "That does not mean that there wasn’t any use by attackers."
The bug allowed hackers to listen in on the "heartbeat" messages used to validate a connection between a website and a user, and was thought to affect half a million websites when it was disclosed in April.
Since then the US firm Community Health Systems has been the only major site compromised, but Bailey warned that attackers may have used the flaw in less noticeable ways.
"For example, if I was an attacker and I had access to this vulnerability prior to public release, I certainly wouldn’t use it to do something as noisy and easy to detect as scanning large amounts of the public Internet, exploiting whatever I found," he said.
"Rather I would target very specific, high value targets only – something we would not have detected with our infrastructure, and something very hard to detect in general."
He added that some companies had "rushed to disclose" the bug, which meant the community had less time to patch before the news broke.
The paper estimated that between a quarter and a half of the HTTPS-secured servers in the Alexa Top 1 Million traffic listings were initially vulnerable to the bug, including 44 of the top 100.
Three quarters of the vulnerable sites patched, though only a tenth of the vulnerable sites ended up replacing their security certificates, and 14% of those that patched kept the same private key, leaving their sites unsecured.