About vulnerabilities
48 hours ago in Silicon Valley, the famous technology gossip distribution center "Y Combinator Hacker News" carried the announcement of the vulnerability. After digging into the details, I found it is not like the ones unearthed before. As another article put it: in the past the house collapsed because the building itself was a tofu-dreg project; now it is not only your own project that may be shoddy, you also have to consider that external components may be tofu-dreg projects too. The reasons people in the security sector reach for exaggerated rhetoric to describe this vulnerability are as follows:
1 Impact range – Nginx and Apache alone, both affected, occupy more than 70% of the Web server market.
2 Easy to exploit – reading random user information is the first and almost the final step of the attack. As long as there is an attack tool, no expertise is needed.
3 Difficult to detect – the heartbeat packet used in the attack is not a full HTTP session and leaves no log on the Web server.
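Item 3 is why detection has to happen below the Web server, on the TLS records themselves. The following is an added example, not code from the original post: it walks a constructed byte stream of TLS records and flags any heartbeat message whose declared payload length exceeds what the record actually carries, which is the length rule of RFC 6520 that a patched OpenSSL enforces and that IDS signatures for this bug check. The sample records and the `scan_stream` / `classify_heartbeat` names are assumptions of this example.

```python
import struct

TLS_HEARTBEAT = 0x18           # TLS record content type "heartbeat" (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data, offset=0):
    """Return (content_type, version, body, next_offset) for one TLS record, or None."""
    if len(data) - offset < 5:
        return None
    ctype, version, length = struct.unpack_from("!BHH", data, offset)
    body = data[offset + 5: offset + 5 + length]   # may be shorter than declared
    return ctype, version, body, offset + 5 + len(body)


def classify_heartbeat(body):
    """Apply the RFC 6520 length rule to a heartbeat message body.

    A well-formed body is type(1) + payload_length(2) + payload + >=16 bytes padding.
    A declared payload_length larger than the record can hold is exactly what an
    unpatched peer would answer with leaked memory; a patched peer discards it."""
    if len(body) < 3:
        return "truncated"
    hb_type, payload_len = struct.unpack_from("!BH", body, 0)
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown-type"
    if payload_len + 3 + MIN_PADDING > len(body):
        return "suspicious"    # declared length exceeds what the record carries
    return "benign"


def scan_stream(data):
    """Walk a stream of TLS records; return [(record_index, verdict)] for heartbeats."""
    verdicts, offset, idx = [], 0, 0
    while (rec := parse_tls_record(data, offset)) is not None:
        ctype, _version, body, offset = rec
        if ctype == TLS_HEARTBEAT:
            verdicts.append((idx, classify_heartbeat(body)))
        idx += 1
    return verdicts


# Constructed samples (not captured traffic): a normal 4-byte heartbeat request,
# an application-data record, and a request declaring 100 payload bytes it lacks.
GOOD = b"\x18\x03\x02" + struct.pack("!H", 23) + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
APP = b"\x17\x03\x02" + struct.pack("!H", 5) + b"hello"
BAD = b"\x18\x03\x02" + struct.pack("!H", 23) + b"\x01" + struct.pack("!H", 100) + b"ping" + b"\x00" * 16
```

Running `scan_stream(GOOD + APP + BAD)` yields `[(0, "benign"), (2, "suspicious")]`; the application-data record in between is skipped.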
The only stroke of luck is that this vulnerability makes it hard for an attacker to pinpoint a specific user unless the exact time of the target's visit is known in advance. The attack is like firing into a crowd.
From Weibo I learned that security companies such as Green Alliance (NSFOCUS) and Zhidao Chuangyu (Knownsec) went sleepless last night, and behind the scenes there are even more anonymous hackers seizing a chance to dump databases that comes only a few times a year. As with every big leak, security staff are exhausted yet can't get enough of it, and small-time hackers are thrilled.
The day a vulnerability goes public is the start of its death countdown. As with every previous vulnerability, hackers and security staff race one last time before it is slowly patched over and fades from view.
The night before yesterday, Beijing time, a big fish surfaced: Yahoo's mail server was confirmed vulnerable. By early morning it had been patched, and in between who knows how many mailboxes were caught in the crossfire. There is a more terrifying possibility: from leaked memory data it may be possible to recover the private key of the SSL certificate (though no one has yet managed to do so), which would mean SSL encryption on Yahoo's sites is meaningless until they pay the considerable price of newly issued certificates. In layman's terms, you can never know whether the password you submitted to Yahoo was intercepted in transit, nor even whether the site you are visiting is really Yahoo.
I also think that this time, shutting down the SSL service would have been better than leaving it exposed to attack; Yahoo is too big a tree, and every minute of delay is more dangerous.
Perhaps this worry is superfluous. A typical vulnerability circulates underground for a while before it goes public, and some have been in use for a year before disclosure. How long has this one been in use? How many accounts, or even certificate private keys, have already leaked?
About the attack code
Heartbleed's simple exploitation method meant it was bound to be written into automated scripts. Yesterday morning, Beijing time, Mustafa released a batch scanning tool on GitHub, targeting 1000 major sites; Yahoo, Sogou and others were hit.
Then came a larger scan: as of yesterday morning, of the Alexa top 10000 sites, more than 1300 were affected. Domestic security companies such as 360 also began releasing their own testing tools.
Some people in the group began asking for tools, and then it turned out that attack code (an exploit) had already been published on the well-known exploit site Exploit-DB:
Another 24 hours later, attack code for the FTP, SMTP and POP3 protocols appeared as well (OpenSSL is a low-level library, not just for HTTP). The release of attack code means the "script kiddies" are joining the party; the scale of the attack will expand rapidly, and no site should count on luck.
There is a certain threshold between understanding the principle of this vulnerability and writing attack code. When only a few people understand how to exploit it, it may be hard to cause great damage, but with a large number of fools wielding tools it can be done. Like the famous line from Command & Conquer: Generals: "AK-47s, for everyone!"
The integrity behind the vulnerability
It's a rare "bloody event" on the Internet. The main victims are not, as with past vulnerabilities, the small and medium-sized sites that lag behind, but the big sites caught off guard.
Heartbleed was first discovered and published by Google's security staff, and this should have been "responsible disclosure": notify the vendor first, wait for the vendor to release a patch, then go public. Yet we cannot help asking: why are so many big websites still victims?
First, a bit of popular science: the 1-day attack.
A vulnerability becomes public on the day its patch is released. The patch itself is the best basis for analyzing the vulnerability: hackers immediately diff the code before and after the patch, work out the principle of the flaw, and publish attack code. At that point most users have probably not yet patched and are reduced to lambs for slaughter. This is known as a "1-day attack", and the events described above belong to this category.
With this vulnerability, notifying only the developer, OpenSSL, was not enough: once the patch was released, the 1-day attack would begin, and the discoverer had no reason not to know this. He knew the danger of the vulnerability and could even easily scan to see which sites were affected. Bearing the greatest security responsibility, he built a polished introduction website and even designed a logo for the vulnerability, and we do not know whether he spent the same energy informing those large sites so they could take temporary measures to avoid attack.
Again, the domestic scene.
The term "white hat" is given to the most ethical hackers: they find vulnerabilities for research purposes and inform the vendor so it can fix them, avoiding exploitation by attackers.
WooYun (wooyun.org), China's largest white-hat vulnerability reporting platform, brought a ray of light to the country's security industry, once flooded by the black market. In this case, it became a place for hackers to show off their victories.
Sites are named, and the status of many reports is still "waiting for the vendor to handle it", so being disclosed on WooYun feels rather like being put in the pillory. I tried scanning one, and the vulnerability was still there. This means that countless people browsing WooYun can follow their lead, and the so-called vulnerability report turns the site into prey in the spotlight.
As the following picture shows, needless to say, you know which website is getting screwed. (As of press time, it has been repaired.)
What about the moral integrity?
Finally, a conspiracy theory.
Programmers have a famous saying: "It's not a bug. It's a feature."
And the hacker version of this sentence is: "It's not a vulnerability. It's a backdoor."