From Finland to Silicon Valley, a small team of vulnerability hunters found the most serious network security vulnerability in the history of the Internet and prepared for its disclosure.
Heartbleed has recently become a household word, and the vulnerability has worried almost every Internet user. But David Chartier already knew it existed a week earlier, when everyone else was still in the dark.
Early on Friday morning, before he had arrived at the Silicon Valley office, Chartier, CEO of the security firm Codenomicon, received a call from Finland. On that ordinary hazy day he picked up the phone as usual; on the other end was the company's chief network security engineer, whose team had found a serious vulnerability in OpenSSL, the world's largest open-source encryption library. Worst of all, OpenSSL, which exists to protect users' privacy, is used by almost every mainstream website, including Google and Facebook.
Chartier understood that the situation was serious, but at that moment he was not yet clear about what would happen next.
Codenomicon, founded in 2001, is an international network security company established by a group of Finnish IT experts, with offices in six countries. In practice these experts are bounty vulnerability hunters: Codenomicon's engineers specialize in finding vulnerabilities in software and then writing patches to fix them. Verizon, Microsoft and Adobe are all among their customers.
As the company's CEO, Chartier has more than 20 years of experience in the field and has seen many vulnerabilities discovered. But this time was different. Even the renowned computer security researcher Bruce Schneier later called the vulnerability a "catastrophic" security incident affecting almost all Internet users. "If the scale is 1 to 10, this one is an 11," he wrote.
Before hanging up, Chartier asked a Finnish engineer to immediately write a piece of vulnerability detection code and run it against the company's own website, so that he could understand how much damage the site would suffer if hackers discovered the vulnerability.
Based on past experience, Chartier judged that the next 24 hours would be critical and that the most important thing was to keep the matter confidential. Using the company's own internal encrypted communication equipment, Chartier told his Finnish engineering team to write the patch.
"We treated it as the highest secret, and no one could disclose it. We even checked whether we were being listened to."
Alone in Silicon Valley, Chartier directed his team in Finland.
"The reports are no exaggeration at all. Thousands of network servers use OpenSSL, and far too many people are affected," said David Chartier.
The first thing to do was to report the vulnerability to the Finnish National Cyber Security Centre (CERT). Because the vulnerability had been found in the widely deployed OpenSSL encryption library, on Saturday morning CERT gathered a total of 12 volunteer developers from around the world to form an OpenSSL project team, and directed them to start updating their systems and to prepare a patch for public release as soon as possible.
The team that found Heartbleed (from right to left): Ossi Salmi, Ville Alatalo, Tuomo Untinen, Antti Karjalainen and Ossi Herrala
What Chartier did not know was that Neel Mehta, a little-known security expert at Google, had also found and reported the OpenSSL vulnerability on the same day. Interestingly, the vulnerability dates back to as early as March 2012, yet the two unrelated teams found and reported it at the same time. (Mehta declined to be interviewed for this article.)
In any case, Chartier and his team had to do their best. He understood that if the OpenSSL team published the vulnerability report on its own, it might not contain much information, and users would not be clear about how to respond. So he decided to prepare a publicity campaign around the vulnerability and get the information across in full.
"Vulnerability reports come out every day; they are routine," Chartier said. "As an IT manager, how do you determine what is important and what is not? So we gave the report a name and prepared some Q&A so that people would know clearly that this is the most serious vulnerability in many years."
By Friday night the vulnerability had been assigned the identifier CVE-2014-0160. Ossi Herrala, a Codenomicon system administrator working in Helsinki, Finland, came up with the name Heartbleed on Saturday morning.
"There is an extension in OpenSSL called Heartbeat," Chartier explains. "Ossi thought Heartbleed was very fitting, because important user data in memory is leaking out like blood."
Marko Laakso, another Codenomicon employee, registered the Heartbleed.com domain name early on Saturday. Back in 2008, Heartbleed.com had been a website that shared lyrics and links for children with depression.
The whole team worked very efficiently. A designer began work on the logo, a bleeding heart. Once the website had been registered and the logo approved, the marketing department started preparing the Q&A content for the site.
On Sunday, Codenomicon employees used encrypted communication tools to talk to each other while Chartier kept monitoring the network to make sure the vulnerability had not leaked. By that evening all the marketing materials were ready, and the whole team was waiting for the OpenSSL patch to be released so that Heartbleed.com could go live immediately.
"Before the patch is released, there is no way we can publish the news first. That would only cause panic, because until the patch is out, users do not know how to protect themselves. Doing that would go against our intention," said Chartier.
Finally, on Monday afternoon, Heartbleed.com went live; people flooded in, and the media followed with reports. Practically every mainstream outlet, from CNN to The Washington Post to New York, reported on the OpenSSL vulnerability. By Wednesday afternoon, less than 48 hours later, the site had received 1.4 million unique visits, and it is now close to 2 million. Chartier is pleased that Heartbleed.com could play such a large role.
"Ensuring network security is our mission," Chartier said. "The IT security community as a whole made every effort and won a battle. The credit belongs to the entire IT security community."