From Finland to Silicon Valley, a small bug-hunting team discovered and prepared for the most serious network security vulnerability in the history of the Internet.
Heartbleed has recently become a household word, a security loophole that has worried almost every netizen. But in fact David Chartier knew it existed a week earlier, when everyone else was still in the dark.
Early in 51, Chartier, CEO of Codenomicon Security, received a call from Finland as he arrived at the Silicon Valley office. In the usual haze, Chartier picked up the phone as usual. On the line was the company's chief network security engineer, whose network security team had found a serious flaw in OpenSSL, the world's largest open-source cryptographic service. Most frightening of all, OpenSSL, which protects the privacy of users, is used by almost all major websites, including Google and Facebook.
Chartier understood that the matter was serious, but in that instant he was not quite sure what would happen next.
Founded in 2001, Codenomicon is an international network security institute established by a group of Finnish IT specialists, with offices in six countries around the world. These experts are all bounty hunters: the daily work of Codenomicon's engineers, and what they do best, is to check software for bugs and write fixes. Verizon, Microsoft and Adobe are their customers.
Chartier, the CEO of the company, has more than 20 years of relevant work experience and has seen more loopholes than he can count. But this time it was different. Even the famous computer security researcher Bruce Schneier later regarded the loophole as a "catastrophic" security incident that affected almost all netizens. "If the rating is 1 to 10, this time it reaches 11 levels," he wrote.
Before hanging up, Chartier asked one of the Finnish engineers to write some bug-detection code to attack their website. In this way, he could learn how much damage a hacker could do to a website after finding the loophole.
From past experience, Chartier judged that the next 24 hours would be critical, and that the most important thing was to keep it secret. Chartier used his own in-house encrypted communications equipment to tell his team of Finnish engineers to write a fix.
"We regard it as top secret and no one can divulge it, and we even check whether we have been tapped."
Chartier, in Silicon Valley, was guiding a team far away in Finland.
"Those reports are not exaggerated, and thousands of Web servers are using OpenSSL, and too many people are implicated," said David Chartier.
The first thing to do was to escalate the vulnerability to the Finnish National Network Security Center, known in the industry as the "CERT" (Computer Emergency Response Team). The vulnerability was in the widely deployed OpenSSL encryption service, so on Saturday morning CERT assembled the OpenSSL project team, a total of 12 volunteer developers from around the world. CERT directed them to start updating their systems and to have the patches ready for public release as soon as possible.
Chartier did not know that Neel Mehta, a little-known security expert at Google, had also discovered and reported the OpenSSL vulnerability on the same day. Interestingly, the loophole had in fact existed as early as March 2012, and it is somewhat odd that two unrelated teams found and reported it at the same time. (Mehta would not be interviewed for this article.)
In any case, Chartier and his team had to do their best. He understood that if the OpenSSL team published the vulnerability report on its own, the report would likely contain little information and users would not be sure how to respond. So he decided to prepare a publicity campaign about the security flaw to get the message out.
"Vulnerability report updates are daily and commonplace," Chartier said. "How can you, as an IT manager, judge what is important and what isn't? So we've got a name for the report, and we've prepared some Q&A to make it clear that this is the most serious loophole in years."
It was not until Friday night that the loophole was identified as "CVE-2014-0160". On Saturday morning, Ossi Herrala, a Codenomicon system administrator working in the company's office in the Finnish capital, Helsinki, thought of the name: Heartbleed.
"There is an extension on the OpenSSL called Heartbeat," Chartier explains. "Ossi thinks Heartbleed is very apt, because the important information of the user in the memory flows out like blood."
Marko Laaso, also a Codenomicon employee, registered the domain name heartbleed.com early in the week of Children's Day. In 2008, Heartbleed.com was a website that shared lyrics and links for children with depression.
The whole team was very efficient. The designer began to design the logo, a bleeding heart. Once the website was registered and the logo confirmed, the marketing department began to prepare the Q&A content for the website.
On Sunday, Codenomicon employees communicated using encrypted tools, while Chartier continued to monitor the network to ensure that news of the vulnerability had not leaked. By the evening, all the marketing materials were ready, and the whole team waited nervously to put heartbleed.com online the moment OpenSSL released the patch.
"Before the patch is released, it is not possible to release the message first, which can only cause panic, because before the patch comes out, users simply don't understand how to protect themselves. It's against our intention to do that," Chartier said.
Finally, on Monday afternoon, Heartbleed.com went online. People suddenly flooded in, and the media followed up with reports. Basically all the mainstream media, from CNN to the Washington Post to The New Yorker, covered the OpenSSL loophole. By Wednesday afternoon, the site had received 1.4 million unique visits, and the figure is now close to 2 million, even though only 48 hours have passed. Chartier is gratified that Heartbleed.com could play such a big role.
"It's our mission to secure cybersecurity," Chartier said. "The IT Security community has done its best to win the battle, which belongs to the entire IT security community."