Schneier on Security

tom • April 14, 2014 1:21 PM

New details added today. Stuff in [brackets] I added for clarity.

Trove of Software Flaws Used by U.S. Spies at Risk
By Michael Riley April 14, 2014
http://www.businessweek.com/news/2014-04-14/president-s-security-flaw-guidance-seen-as-hard-to-implement#p2

“Two people familiar with the matter said that [NSA] was aware of the flaw and had used it as part of the intelligence gathering toolkit, as reported by Bloomberg News last week…

The NSA has more than one way to circumvent the security of SSL and OpenSSL, a free version of the protocol, according to new information [!!!] provided by the two people, who asked not to be identified because they were not authorized to speak about it.

One work-around involves not defeating the SSL software itself but breaking into a different system on the targeted computer on which [SSL] software depends, according to one of the people. While disclosing that method might increase computer security generally, the NSA might consider that a hacking technique instead of an SSL vulnerability.

NSA spokeswoman Vines declined to comment [further] on NSA’s intelligence-gathering methods [after being exposed like Caitlin Hayden for last week’s lies — they are not briefed on these matters to begin with, only handed a statement to read].

The matter is further complicated because a bug like Heartbleed has to be turned into a specific exploit, a process that can branch out quickly, creating a class of vulnerabilities rather than just a single one. Small differences in the way a platform like OpenSSL is exploited could lead to differing conclusions about whether the exploits are the same.

“Maybe it’s not Heartbleed, maybe it’s what they call alpha green [more likelyALPHAGREEN], and alpha green is something that sends a packet to OpenSSL and creates an information leak,” said Syversen [Jason twitter JSyversen]. “It’s going to be challenging to conclude whether it’s the exact same technique or not.”

Implementing the new guidelines — described by the White House as reinvigorating an existing process for determining when zero days should be disclosed — will require institutional barriers to be swept away, said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council in Washington.

TAO, for example, is not required to share all the exploits it uses, even with other units in the NSA, according to two people familiar with the procedures…. That includes the NSA Threat Operations Center, which is responsible for protecting government and military computers….

The White House discussion about the government’s policy for its arsenal of zero days represents a major step forward despite shortcomings in the policy itself, said Christopher Soghoian, principal technologist with the American Civil Liberties Union… “The policy has a loophole so big that you could drive a truck through it,” Soghoian said.

Additionally, it’s unclear whether the agency will apply the new guidance only to newly discovered vulnerabilities or whether it will also include the existing stockpile, which represents millions [billions] of dollars of research and development, the Atlantic Council’s Healey said. “I could see them grandfathering all of that in,” he said.

If those vulnerabilities are disclosed, it will be discreetly, through direct contacts with software and hardware vendors, Healey said.

The only way to detect that may be through a sudden uptick in software patches from major vendors who are suddenly fixing flaws only known previously by the NSA, he said.”

tom • April 14, 2014 3:05 PM

Snowden’s job at Dell’s site at the US Air Force command in Japan was to poke around characterizing systems facing the Asian internet, both theirs and ours.

The Asian vulnerability db entries went to TAO which subsequently went on to pwn some 131,000 Chinese computers (as of Apr 13 press reports), while US military and diplomatic (but not US public) were quietly queued for patching.

Snowden loved vulns and found lots on his own time starting with one in Acrobat at his CIA post in Geneva.

Despite its great prestige within NSA, Snowden was later to decline a position with TAO at Ft Meade. It’s been wrongly stated that he had already started his document stash and feared detection.

A half-truth: he had indeed copied stuff over at Dell but had just passed a full poly to get on with Booz, per Gen. Alexander public statements.

While Snowden would know which version numbers of SSL had vulns, he would not necessarily know what this meant specifically in terms of breach mechanism. He might however know the lesser-classified codewords for individual breaches as their applicability could require complicated combinatorics of routers, networks, operating system, anti-virus and security layers.

However a lot of stuff at TAO would be classified TS//SCI//ECI — we have seen only 2-3 ECI mentions in 1500-odd pages of releases. So not much was accessible. It is possible that none of the docs copied over mention ALPHAGREEN or whatever they call their variants of this OpenSSl one.

Even if Snowden knows what it is called and how it works, if it can’t be run thru mainstream journalism that describes NSA internal documentation, he’s not going to leak it because of the increased legal exposure.

That’s heartening that a couple of new sources have stepped forward to speak with Business Week. I wouldn’t necessarily assume rogue actors or grumpily retired here — TOC is ticked off. They have the defense mandate but haven’t been allowed to fulfill it.

In summary, these new sources are spokespeople for TOC, not wildcard leakers. They’re not risk-takers, TOC has their back from knowing where so many TAO bodies are buried. And the reporter has assurances too.

The Threat Operations Center honchos see from the latest round of lies that nothing is going to change on the consumer, govt contractor, general govt, or corporate defense side. Despite massive and ongoing theft of all and sundry. So bureaucratic turf war, they stick the knife in and give it a couple of preliminary twists.

tom • April 14, 2014 10:30 PM

Hmmm, two google engineers posted code fix to Heartbleed at bugzilla on March 21. It had already been named Heartbleed establishing google collab with Codenomicon by that date. See code snippet at bottom.

Apologies for the long internet scrapes below but one key related link has gone dead already without a cache or wayback hit so I’m archiving it here …

=/=/ the gospel according to St. Google =/=/

http://www.nationaljournal.com/tech/google-knew-about-heartbleed-and-didn-t-tell-the-government-20140414

Google knew about a critical flaw in Internet security, but it didn’t alert anyone in the government.

Neel Mehta, a Google engineer, first discovered “Heartbleed”—a bug that undermines the widely used encryption technology OpenSSL—some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services—such as email, search, and YouTube—before the companies publicized the bug on April 7.

The researchers also notified a handful of other companies about the bug before going public. The security firm CloudFlare, for example, said it fixed the flaw on March 31.

But the White House said Friday that no one in the federal government knew about the problem until April. The administration made the statement to deny an earlier Bloomberg report that the National Security Agency had been exploiting Heartbleed for years.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” Caitlin Hayden, a White House spokeswoman, said in a statement.

“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Hayden emailed to clarify that the “private sector cybersecurity report” refers to the April 7 announcement.

Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the “security of our users’ information is a top priority” and that Google users do not need to change their passwords.

Companies often wait to publicize a security flaw so they can have time to patch their own services. But keeping the bug secret from the U.S. government may have left federal systems vulnerable to hackers. The IRS said it’s not aware of any vulnerabilities in its system, but other agencies that use OpenSSL could have been leaking private information to hackers.

The government encourages companies to report cybersecurity issues to the U.S. Computer Emergency Readiness Team, which is housed in the Homeland Security Department. US-CERT has a 24-hour operations center that responds to security threats and vulnerabilities.

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, said the U.S. government only has itself to blame if tech companies don’t trust it to handle sensitive security information.

He said that because government agencies often share information with each other, there’s no way for a company to be sure the NSA won’t get information shared with another agency and use it to hack into private communications.

“I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the U.S. government,” he said. “That’s the price you pay when you’re acting like an out-of-control offensive adversary.”

/=/=/=/ the gospel according to St.Codenomicon =/=/=/=/=

http://readwrite.com/2014/04/13/heartbleed-security-codenomicon-discovery#awesm=~oBsWzMJB7dRSKm

I spoke with Codenomicon CEO David Chartier, who led the Finnish team that named and outed Heartbleed, to find out more about how his team discovered it, and how deep those vulnerabilities could go.

(I’ve requested an interview with Mehta via Google. Update: The company declined my request.)

Codenomicon first discovered Heartbleed—originally known by the infinitely less catchy name “CVE-2014-0160”—during a routine test of its software. In effect, the researchers pretended to be outside hackers and attacked the firm itself to test it.

“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”

The engineers found they could burrow in despite the cryptographic security layer, and were shocked at how much was up for grabs. They could access memory and encryption certificates, and pull user data and other records. “This is when we understood that this is a super significant bug,” Chartier said.

The revelation was startling, not only because of the access this hole could allow, but because of its insidious nature, Chartier said. “On top of that, we couldn’t find any forensic trail that we were taking this data.” The hack was completely untraceable.

See also: Protect Yourself Against Heartbleed, The Web’s Security Disaster
But how did something this egregious and widespread go on undetected for two years? The error is buried in the code. The only reason Chartier’s team found the glitch is because Codenomicon uses a rigorous testing process using a very large number of test cases to find weaknesses, just like hardcore hackers do, Chartier explained.

“The vulnerabilities you find after many tests are often more interesting than the ones you find right away,” he said. “When you find one that’s difficult, it’s more interesting [to hackers] because they can write an exploit, and it will take more time to be found.”

The odds of finding the flaw were slight, yet Google’s Mehta discovered it practically simultaneously, during a routine security check in March. Chartier chalks it up to happenstance. “Google’s one of the leading companies in the world, and it’s constantly testing for vulnerabilities,” he said. The company has been known to take security testing very seriously, so much so that it even offers a bounty for exploits on projects like Chrome. This allows it to find flaws and fix them before hackers can take advantage of them.

But not every company takes security that seriously.

A Fail To Remember

Codenomicon, being a Finnish company, alerted the Finnish National Security Cyber Center of its findings. Commonly referred to as “CERT,” the group urged the OpenSSL Project to provide an update and release it to the public. This was just days after Mehta notified OpenSSL on April 1.

The news wasn’t broadcasted after the first discovery, as OpenSSL wanted “to give time for proper processes” to let vendors patch the hole before making it public. The plan was to make an announcement on April 9. But when two independent research teams coincidentally found the error, it suggested a greater risk, which prompted OpenSSL to accelerate the announcement to April 7.

The report blazed across both tech and mainstream media headlines. Chartier has been impressed with how online communities have disseminated the Heartbleed information. “We’re better off today than we were a week ago, because of getting the word out there,” he said. “It’s making the Internet safer and more secure.”

Unfortunately, the Web is not where this problem ends. Other networks also need to apply the software update in both server and client devices. This includes gadgets like phones, computers and other communication devices. It also include numerous other technologies in the broader world, particularly as it relates to the Internet of Things.

Because Heartbleed affects OpenSSL, which is widely adopted, it can affect an extensive range of categories, including connected homes, citywide transportation, emergency services, power grids and other utilities—pretty much any large scale, connected systems. But locking all of them down can be difficult. …

Chartier thinks it could take up to a year or two before all or most of the old versions of OpenSSL out there get updated.

=-=-=-= the gospel according to Mark J Cox of OpenSSL, Glasgow -=-=-=

https://plus.google.com/+MarkJCox/posts/TmCbp3BhJma

We’ve had more than a few press enquiries at OpenSSL about the timeline of the CVE-2014-0160 (heartbleed) issue. Here’s the OpenSSL view of the timeline:

April 01 – Google contact OpenSSL security team with details of the issue and a patch. We allocate CVE-2014-0160 to this issue. Original plan was to push that week, but it was postponed until April 09 to give time for proper processes. Google tell us they’ve notified some infrastructure providers under embargo, we don’t have the names or dates for these.

(Due to my unfortunate-timed holiday this week I used one of my Red Hat team to help co-ordinate this issue on behalf of OpenSSL)

April 07 (0556 UTC) OpenSSL (via me) notify Red Hat. Red Hat internal bug created. This is the time Red Hat was officially notified under embargo, engineers and the Red Hat Security Response Team started working on the issue.

April 07 (0610 UTC) Red Hat contact the private distros list (http://oss-security.openwall.org/wiki/mailing-lists/distros ) and let them know an OpenSSL issue is due on Wednesday (no details of the issue are given: just affected versions. Vendors are told to contact Red Hat for the full advisory under embargo.

April 07 – OpenSSL (via Red Hat) give details of the issue, advisory, and patch to the OS vendors that replied — under embargo, telling them the issue will be public on April 09. This was SuSE (0815 UTC), Debian (0816 UTC), FreeBSD (0849 UTC), AltLinux (1000 UTC). Some other OS vendors replied but we did not give details in time before the issue was public, these included Ubuntu (asked at 1130 UTC), Gentoo (1414 UTC), Chromium (1615 UTC).

April 07 (1519 UTC) – CERT-FI contact me and Ben Laurie by encrypted email with details of the same issue found by Codenomicon. This was forwarded to the OpenSSL core team members (1611 UTC)

April 07 – The coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages that day.

April 07 (1725 UTC) OpenSSL updates, web pages including vulndb, and security advisory (1839 UTC) gets made public.

Mark J Cox
Apr 12, 2014

Akamai note on their blog that they were given advance notice of this issue by the OpenSSL team. This is incorrect. They were probably notified directly by one of the vulnerability finders.

Mark J Cox
Yesterday 1:08 PM

I’ve filled in some more blanks, made it clear who OpenSSL notified in advance. There are still a few more times to put in here which I’ll do this week.

Mark J Cox
Yesterday 11:01 PM
I’ve added the times that Red Hat on behalf of OpenSSL notified various distro vendors

Mani Gandham
4:49 PM

Hi Mark,

This bugzilla report shows a patch for RedHat on March 21, 2014 by Bodo Moeller and Adam Langley: https://bugzilla.redhat.com/attachment.cgi?id=883475

Does this mean RedHat already knew of this issue before April 7? It seems their patch was included directly into OpenSSL right?

So to be clear, OpenSSL notified only the following organisations prior to the public release of the issue: Red Hat, SuSE, Debian, FreeBSD, AltLinux.

[[no clarification from Mark as of midnight 14 Apr 14]]

/=/=/= the fix from Moeller and Langley dted Fri 21 Mar 14 /=/=/=

https://bugzilla.redhat.com/attachment.cgi?id=883475

commit 5e5f9bb1fe5587ccd26f108c3e98811546ccaef6
Author: Bodo Moeller and Adam Langley
Date: Fri Mar 21 10:23:12 2014 -0400

heartbeat_fix

Add missing bounds checks for Heartbeat messages.

diff –git a/ssl/d1_both.c b/ssl/d1_both.c
index 7a5596a..2e8cf68 100644
— a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL s)
unsigned int payload;
unsigned int padding = 16; / Use minimum padding */

• if (s->msg_callback)
• s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
• &s->s3->rrec.data[0], s->s3->rrec.length,
• s, s->msg_callback_arg);
• /* Read type and payload length first */
• if (1 + 2 + 16 > s->s3->rrec.length)
• return 0; /* silently discard */
  hbtype = *p++;
  n2s(p, payload);
• if (1 + 2 + payload + 16 > s->s3->rrec.length)

•  return 0; /* silently discard per RFC 6520 sec. 4 */
  

  pl = p;

• if (s->msg_callback)

• s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
• &s->s3->rrec.data[0], s->s3->rrec.length,
• s, s->msg_callback_arg);
• if (hbtype == TLS1_HB_REQUEST)
  {
  unsigned char *buffer, *bp;
• unsigned int write_length = 1 /* heartbeat
  etc etc

tom • April 15, 2014 9:46 AM

Nice effort by Ben to put together a timeline. He’s looking for additions and corrections if you have any. bgrubb@fairfaxmedia.com.au

https://www.schneier.com/blog/archives/2014/04/friday_squid_bl_419.html

Heartbleed disclosure timeline: who knew what and when
April 15, 2014 by Ben Grubb

Ever since the “Heartbleed” flaw in encryption protocol OpenSSL was made public on April 7 in the US there have been various questions about who knew what and when.

Fairfax Media has spoken to various people and groups involved and has compiled the below timeline.

If you have further information or corrections – especially information about what occurred prior to March 21 at Google – please email the author: bgrubb@fairfaxmedia.com.au. Click here for his PGP key.

All times are in US Pacific Daylight Time

Friday, March 21 or before: Neel Mehta of Google Security discovers Heartbleed vulnerability.

Friday, March 21 10.23: Bodo Moeller and Adam Langley of Google commit a patch for the flaw (This is according to the timestamp on the patch file Google created and later sent to OpenSSL, which OpenSSL forwarded to Red Hat and others). The patch is then progressively applied to Google services/servers across the globe.

Monday, March 31 or before: Someone tells content distribution network CloudFlare about Heartbleed and they patch against it. CloudFlare later boasts on its blog about how they were able to protect their clients before many others. CloudFlare chief executive officer Matthew Prince would not tell Fairfax how his company found out about the flaw early. “I think the most accurate reporting of events with regard to the disclosure process, to the extent I know them, was written by Danny over at the [Wall Street Journal],” he says. The article says CloudFlare was notified of the bug the week before last and made the recommended fix “after signing a non-disclosure agreement”.

Tuesday, April 1: Google Security notifies OpenSSL about the flaw it has found in OpenSSL, which later becomes known as “Heartbleed”. Mark Cox at OpenSSL says the following on social network Google Plus: “Original plan was to push [a fix] that week, but it was postponed until April 9 to give time for proper processes.” Google tells OpenSSL, according to Cox, that they had “notified some infrastructure providers under embargo”. Cox says OpenSSL does not have the names of providers Google told or the dates they were told. Google declined to tell Fairfax which partners it had told. “We aren’t commenting on when or who was given a heads up,” a Google spokesman said.

Wednesday, April 2 ~23:30 – Finnish IT security testing firm Codenomicon separately discovers the same bug that Neel Mehta of Google found in OpenSSL. A source inside the company gives Fairfax the time it was found as 09:30 EEST April 3, which converts to 23:30 PDT, April 2.

Thursday, April 3 04.30 – Codenomicon notifies the National Cyber Security Centre Finland about its discovery of the OpenSSL bug. Codenomicon tells Fairfax in a statement that they’re not willing to say whether they disclosed the bug to others. “We have strict [non-disclosure agreements] which do not allow us to discuss any customer engagements. Therefore, we do not want to weigh in on the disclosure debate,” a company spokeswoman says. A source inside the company later tells Fairfax: “Our customers were not notified. They first learned about it after OpenSSL went public with the information.”

Friday, April 4 – Content distribution network Akamai patches its servers. They initially say OpenSSL told them about bug but the OpenSSL core team denies this in an email interview with Fairfax. Akamai updates its blog after the denial – prompted by Fairfax – and Akamai’s blog now says an individual in the OpenSSL community told them. Akamai’s chief security officer, Andy Ellis, tells Fairfax: “We’ve amended the blog to specific [sic] a member of the community; but we aren’t going to disclose our source.” It’s well known a number of OpenSSL community members work for companies in the tech sector that could be connected to Akamai.

Friday, April 4 – Rumours begin to swirl in open source community about a bug existing in OpenSSL, according to one security person at a Linux distribution Fairfax spoke to. No details were apparent so it was ignored by most.

Saturday, April 5 15:13 – Codenomicon purchases the Heartbleed.com domain name, where it later publishes information about the security flaw.

Saturday, Apr 5 16:51 – OpenSSL (not public at this point) publishes this (since taken offline) to its Git repository.

Sunday, Apr 6 ~22:56 – Mark Cox of OpenSSL (who also works for Red Hat and was on holiday) notifies Linux distribution Red Hat about the Heartbleed bug and authorises them to share details of the vulnerability on behalf of OpenSSL to other Linux operating system distributions.

Sunday, Apr 6 22.56 – Huzaifa Sidhpurwala (who works for Red Hat) adds a (then private) bug to Red Hat’s bugzilla.

Sunday, April 6 23.10 – Huzaifa Sidhpurwala sends an email about the bug to a private Linux distribution mailing list with no details about Heartbleed but an offer to request them privately under embargo. Sidhpurwala says in the email that the issue would be made public on April 9. Cox of OpenSSL says on Google Plus: “No details of the issue are given: just affected versions [of OpenSSL]. Vendors are told to contact Red Hat for the full advisory under embargo.”

Sunday, April 6 ~23:10 – A number of people on the private mailing list ask Sidhpurwala, who lives in India, for details about the bug. Sidhpurwala gives details of the issue, advisory, and patch to the operating system vendors that replied under embargo. Those who got a response included SuSE (Monday, April 7 at 01:15), Debian (01:16), FreeBSD (01:49) and AltLinux (03:00). “Some other [operating system] vendors replied but [Red Hat] did not give details in time before the issue was public,” Cox said. Sidhpurwala was asleep during the time the other operating system vendors requested details. “Some of them mailed during my night time. I saw these emails the next day, and it was pointless to answer them at that time, since the issue was already public,” Sidhpurwala says. Those who attempted to ask and were left without a response included Ubuntu (asked at 04:30), Gentoo (07:14) and Chromium (09:15), says Cox.

Prior to Monday, April 7 or early April 7 – Facebook gets a heads up, people familiar with matter tell the Wall Street Journal. Facebook say after the disclosure: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed, and we’re continuing to monitor the situation closely.”

Monday, April 7 08.19 – The National Cyber Security Centre Finland reports Codenomicon’s OpenSSL “Heartbleed” bug to OpenSSL core team members Ben Laurie (who works for Google) and Mark Cox (Red Hat) via encrypted email.

Monday, April 7 09.11 – The encrypted email is forwarded to the OpenSSL core team members, who then decide, according to Cox, that “the coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages [later] that day.”

Monday, April 7 09:53 – A fix for the OpenSSL Heartbleed bug is committed to OpenSSL’s Git repository (at this point private). Confirmed by Red Hat employee: “At this point it was private.”

Monday, April 7 10:21:29 – A new OpenSSL version is uploaded to OpenSSL’s web server with the filename “openssl-1.0.1g.tgz”.

Monday, April 7 10:27 – OpenSSL publishes a Heatbleed security advisory on its website (website metadata shows time as 10:27 PDT).

Monday, April 7 10:49 – OpenSSL issues a Heartbleed advisory via its mailing list. It takes time to get around.

Monday, April 7 11:00 – CloudFlare posts a blog entry about the bug.

Monday, April 7 12:23 – CloudFlare tweets about its blog post.

Monday, April 7 12:37 – Google’s Neel Mehta comes out of Twitter hiding to tweet about the OpenSSL flaw.

Monday, April 7 13:13 – Codenomicon tweets they found bug too and link to their Heartbleed.com website.

Monday, April 7 ~13:13 – Most of the world finds out about the issue through heartbleed.com.

Monday, April 7 15:01 – Ubuntu comes out with patch.

Monday, April 7 23.45 – The National Cyber Security Centre Finland issues a security advisory on its website in Finnish.

Monday, April 8 ~00:45 – The National Cyber Security Centre Finland issues a security advisory on its website in English.

Tuesday, April 9 – A Red Hat technical administrator for cloud security, Kurt Seifried, says in a public mailing list that Red Hat and OpenSSL tried to coordinate disclosure. But Seifried says things “blew up” when Codenomicon reported the bug too. “My understanding is that OpenSSL made this public due to additional reports. I suspect it boiled down to ‘Group A found this flaw, reported it, and has a reproducer, and now Group B found the same thing independently and also has a reproducer. Chances are the bad guys do as well so better to let everyone know the barn door is open now rather than wait 2 more days’. But there may be other factors I’m not aware [of],” Seifried says.

Wednesday, April 9 – A Debian developer, Yves-Alexis Perez, says on the same mailing list: “I think we would have managed to handle it properly if the embargo didn’t break.”

Wednesday, April 9 – Facebook and Microsoft donate $US15,000 to Neel Mehta via the Internet Bug Bounty program for finding the OpenSSL bug. Mehta gives the funds to the Freedom of the Press Foundation.

Who knew of heatbleed prior to release? Google (March 21 or prior), CloudFlare (March 31 or prior), OpenSSL (April 1), Codenomicon (April 2), National Cyber Security Centre Finland (April 3), Akamai (April 4 or earlier) and Facebook (no date given)

Who knew hours before public release? SuSE, Debian, FreeBSD and AltLinux.

Who didn’t know until public release? Many, including Amazon Web Services, Twitter, Yahoo, Ubuntu, Cisco, Juniper, Pinterest, Tumblr, GoDaddy, Flickr, Minecraft, Netflix, Soundcloud, Commonwealth Bank of Australia (main website, not net banking website), CERT Australia website, Instagram, Box, Dropbox, GitHub, IFTTT, OKCupid, Wikipedia, WordPress and Wunderlist.

Many thanks to: Nik Cubrilovic, Yves-Alexis Perez, public mailing lists, emails with OpenSSL core team, emails with the National Cyber Security Centre Finland, Google Plus posts, and emails with people who volunteer at Linux distributions.

Correction: Some Codenomicon dates were wrong. They have been fixed.

tom • April 15, 2014 12:26 PM

@Benni Thanks for neat link there, fun to watch the attacks roll in against Deutsche Telecom in real time. Looks like about one per second.

But why is Chile among the leaders? And shouldn’t the UK be a lot higher?

Nice of them to provide everything you need to add your own honeypot to their collection of 180.

http://www.sicherheitstacho.eu/

“Instructions for connecting a mod_security sensor to the Deutsche Telekom AG early warning system
http://www.sicherheitstacho.eu/pdf/HowTo_mod_security_1.2_en.pdf