Tag: #HeartBleed

Pacemaker – a #HeartBleed probing utility

Here’s a really cool quick & dirty utility that Chokepoint has made:
pacemaker

Pacemaker is a utility that scans the Alexa Top 1 million websites [1] and attempts to connect to their port 443. If this succeeds, Pacemaker tries to inject the HeartBleed [2] vulnerability (http://heartbleed.com/) in order to retrieve data from the servers’ memory. An initial scan was performed on April 11th, where approximately 30 000 vulnerable websites were uncovered. Since then, Chokepoint Project have been re-scanning those URLs to see whether they have been patched, and that number has shrunk by about 10 000.

By now we all know how serious an issue heartbleed is, affecting nearly all aspects of our use of networks. We were very interested to know more about the rate of adoption of patch implementation. Despite the very good adoption in the Alexa top 1 Million, given the severity of this particular bug it is a little depressing to see that at the time of writing (2014-04-15 20:24:08.) there are still 19721 sites unpatched. This might seem like a small number, but given that there are more than 246 million domains in the world and we have scanned only the top 1 Million according to Alexa, and have only scanned for webservers not for anything else, it is not unlikely that there might still be more than 5 million unpatched systems out there” said Chokepoint Project´s Ruben Bloemgarten.

 

What Pacemaker does not do :

The URL probing tool has a 5 second timeout to complete the request. If said request does not return within that time frame, it is marked as unresponsive, and therefore not considered vulnerable anymore. These timed out urls are not rechecked afterwards. In the same vein, it would be interesting to keep scanning the total of 1 million urls in case servers have been patched temporarily but are now again vulnerable, or some site owners took the website down (timing out the request, or failing) but failed to patch properly. URLs that do not have SSL are also marked as non-vulnerable and currently not re-checked. For full details, see https://github.com/l-r/heartbleed-masstest.

 

[1] About Alexa

Alexa Internet, Inc. is a subsidiary company of Amazon.com which provides commercial web traffic data. Its toolbar collects data on browsing behavior and transmits it to the Alexa website, where it is stored and analyzed, forming the basis for the company’s web traffic reporting. As of 2014, Alexa provides traffic data, global rankings and other information on 30 million websites, and its website is visited by over 8.8 million people monthly. https://en.wikipedia.org/wiki/Alexa_Internet

[2] About Heartbleed

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. http://en.wikipedia.org/wiki/Heartbleed