Study: no evidence of Heartbleed attacks before bug was exposed

SAN FRANCISCO — Ever since the Heartbleed bug was exposed last week, the question everyone has been asking is: Did anyone exploit it before a Google researcher first discovered it?

The worry is that in the two years since the bug was accidentally incorporated into OpenSSL — a crucial piece of free security software used by governments and companies like the FBI and Google — attackers could have exploited Heartbleed to take sensitive information like passwords and the virtual keys used to decipher any scrambled information stored on a web server.

What’s more, they could have done so without leaving evidence detectable by the normal methods used to track who has gained access to a server.

But security researchers at the Energy Department’s Lawrence Berkeley National Laboratory, which conducts unclassified scientific research, say that it is still possible to look for past Heartbleed exploitations by measuring the size of any messages sent to the vulnerable part of the OpenSSL code, called the Heartbeat, and the size of the information request that hits a server.

For the past week, researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, a separate supercomputer facility, have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for responses that would indicate a possible Heartbleed attack.

They found none, said Vern Paxson, a network researcher at Berkeley Lab and associate professor of electrical engineering and computer science at the University of California, Berkeley.
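The size comparison described above can be run over recorded traffic roughly as follows. This is an added example, not code from the article or from the Berkeley Lab researchers. It assumes the check compares the heartbeat bytes a server receives with the heartbeat bytes it sends back; the function names, the `SLACK` threshold and the sample flows are constructed for illustration.

```python
import struct

HEARTBEAT = 24  # TLS record content type for heartbeat messages (RFC 6520)
SLACK = 32      # assumed per-request allowance for padding differences


def heartbeat_sizes(stream: bytes) -> list:
    """Walk the TLS record headers in one direction of a connection and
    return the fragment length of every heartbeat record. Only the 5-byte
    cleartext header is read, so this also works once the session is encrypted."""
    sizes, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if version >> 8 != 3 or offset + 5 + length > len(stream):
            break  # not TLS framing, or a truncated capture
        if ctype == HEARTBEAT:
            sizes.append(length)
        offset += 5 + length
    return sizes


def assess(to_server: bytes, from_server: bytes) -> dict:
    """Compare heartbeat bytes sent to the server with heartbeat bytes returned.
    Totals are used rather than one-to-one pairing because a large reply
    can be split across several records."""
    sent, returned = heartbeat_sizes(to_server), heartbeat_sizes(from_server)
    excess = sum(returned) - sum(sent) - SLACK * len(sent)
    return {"requests": len(sent), "sent": sum(sent),
            "returned": sum(returned), "suspicious": excess > 0}


def scan(flows: dict) -> list:
    """Return the ids of recorded flows whose heartbeat replies outweigh the requests."""
    return [fid for fid, (c2s, s2c) in flows.items() if assess(c2s, s2c)["suspicious"]]


def record(ctype: int, fragment: bytes) -> bytes:
    """Frame opaque bytes as a TLS 1.2 record (helper for the constructed samples)."""
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment


# Constructed flows with opaque filler; the ids are documentation addresses.
FLOWS = {
    "192.0.2.10:50123": (record(23, bytes(80)) + record(HEARTBEAT, bytes(40)),
                         record(HEARTBEAT, bytes(40)) + record(23, bytes(500))),
    "198.51.100.7:40222": (record(HEARTBEAT, bytes(24)),
                           record(HEARTBEAT, bytes(16384)) + record(HEARTBEAT, bytes(4000))),
}

if __name__ == "__main__":
    print(scan(FLOWS))
```

A flagged flow is a lead for review of the stored capture, not proof of data loss, and the check can only cover the period for which traffic was recorded.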

The research does not rule out the possibility that Heartbleed was exploited before January. Because the Heartbleed bug was first introduced in March 2012, would-be attackers would still have had 18 months to exploit the flaw. It also does not rule out the possibility that the bug was used in an attack beyond what Berkeley Lab and the National Energy scientific computing center monitor.

The network traffic for both Berkeley Lab and the scientific computing center touches thousands of Internet systems, and both facilities had maintained comprehensive logs going back a few months. Paxson said that if there were widespread scanning for the Heartbleed vulnerability, that would have been picked up by those important Internet hubs.

On Tuesday, a 19-year-old man was arrested in Canada on charges that he had used the Heartbleed flaw to steal taxpayer data from the Canada Revenue Agency.