The news on Heartbleed continues to stream, though the strength of the current has begun to subside. Many larger companies have patched their relevant vulnerabilities, and as a result, the bug is not getting quite as much press as it has been. As mentioned in several articles, the top 1000 sites are now patched, but according to various estimates, 2% of the top 1 million sites are still not patched. So there is still plenty of room for concern, and consumers and businesses need to continue to assess the websites they are visiting for this vulnerability.
New Norse Heartbleed Report available tomorrow.
Norse analysts have continued to monitor suspicious activity targeting the Heartbleed vulnerability through the Norse live threat intelligence platform. Traffic on port 443, used by the Hypertext Transfer Protocol Secure (HTTPS) communications protocol, is the easiest and simplest targeting vector to monitor for this sort of activity. Although other communication protocols on other ports could also use OpenSSL as the implementation to secure communications, the pervasiveness of other implementations and protocols on those ports makes analysis and conclusions impossible.
With Norse's dark intelligence gathering capabilities, we were able to determine additional information regarding the methodology and trends involving the source of the activity. In sharing this information, Norse hopes to shed light on this activity for fellow Information Security and IT professionals to use in mitigating the threat to their networks and systems.
The bulk of the IPs referenced in this report are rated HIGH or EXTREME by Norse's threat intelligence platform. HIGH designates a risk factor of 54-89, and EXTREME designates a risk factor of 89-100. Users integrating Norse dark threat intelligence into their firewall, Intrusion Detection/Prevention Systems, or SIEM can track these high-risk IPs and monitor, block, or quarantine according to their security policy and acceptable risk.
As was mentioned above, Heartbleed continues to garner a large share of security news, though the coverage has died down some. Specifically, this last week, it was opined that history suggests the Heartbleed bug will likely "continue to beat," and a new browser extension can flag sites that are vulnerable to the bug. Also, more details on the Michaels/Aaron Brothers data breach were revealed this week, and Facebook's "bug bounty" program had a Wall Street Journal spotlight shone on it. In addition, it was revealed that stolen passwords are utilized in most data breaches.
Here's a sampling of some of this past week's most relevant security stories:
- "Heartbleed Roundup: Hacking Made Easy, First Victims Come To Light And Heartbleed Hacker Arrested"
A nice state-of-Heartbleed summary piece from Forbes.com.
- "History Suggests Heartbleed Will Continue To Beat"
If history is any guide: at some point in the next week or two, the drumbeat will soften and, eventually, go silent or nearly so. But that hardly means the Heartbleed problem has gone away.
- "Now there's an easy way to flag sites vulnerable to Heartbleed"
Developers at Internet services company Netcraft have released a browser extension that makes it easy for Web surfers to know if the site they're visiting is vulnerable to the catastrophic Heartbleed vulnerability.
- "Facebook Cyber Chief Says Bug Bounty Program is 'Valuable'"
Facebook Inc. says a unique program that pays outsiders to spot security flaws in its internal systems has proved useful for mitigating cybersecurity threats. Unlike typical bug bounty programs, which are meant to help mitigate flaws in public-facing websites, Facebook also pays security researchers $500 or more for revealing bugs that enable access to a system within the company's infrastructure.
- "Stolen Passwords Used In Most Data Breaches"
New Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93 percent of security incidents in the past decade.
- "Michaels Data Breach Response: 7 Facts"
Could the retailer have done more to spot the eight-month intrusion in the first place?
Be sure to check back next week for our next Threat Thursday blog update!