The effect of Heartbleed attacks on IBM customers

The security industry is usually very quiet about how security affects their products.

So in the new IBM Threat Intelligence Quarterly for the 3rd quarter, the following 2 charts are very interesting:

(Chart 1: Heartbleed affects)

(Chart 2: Heartbleed attack activity)

April 8, 2014 is when the Heartbleed vulnerability was revealed, as one can see from the US-CERT alert.

It stated that OpenSSL versions 0.9.8 and 1.0.0 do not have the vulnerability, whereas version 1.0.1g has the vulnerability, as well as 1.0.2 beta, as in this Note.

Knowing when the Heartbleed vulnerability came into being, one sees almost immediate scan activity from hackers. In fact, in one week, by 4/15, the activity reached 300k scans/attacks.

In case you are in denial about potential Internet attacks on your infrastructure… here is some evidence that shows the attacks from hackers after a vulnerability was exposed. And the top graph shows the continuing attacks on infrastructure many months after the vulnerability was exposed.

New Fixvirus Logo


We are your network/security shield. We defend your computer network and have done so for close to 20 years now – you will see our new logo placed in several spots from here on out.

Why spend money on Security prevention?

Hacker attacks occur for many reasons:

#1 Highest reason for an attack is to make money from the attack

8/19 Hackers hack Medical company – 4.5 million data sets stolen

8/5 Synology devices get ransomware

8/2 Jimmy John’s credit card breach investigation

7/15 NASDAQ was owned 2005 – 2012 (Ars Technica story)

#2 The 2nd reason to attack your systems and network is to use your computers on the network to attack other computers (to make money or for political ends)

7/28 Elasticsearch vulnerability could cause DDoS attacks

3/15 WordPress vulnerability can be used to attack other sites

#3 The next reason to hack computer networks: just because the hacker can –

The hacker may just want to test their computer skills.


Can a business afford to take a chance?

Bruce Schneier frequently talks about this in his speeches and blog.

The linked YouTube video is a good review of the issues of incident response.

The most interesting item to me is the psychology of security that is included near the end of the video:

Humans are naturally risk averse in gains and risk seeking in losses.

This means that most people will not pay for a vulnerability scan or other security cost. The initial inclination is to take the risk.

Also, if there is a risk in a potential gain, we will not go the riskier route.


Here are the actual areas in Bruce Schneier’s web blog:

Prospect theory:

Prospect Theory

“Here’s an experiment that illustrates a particular pair of heuristics. Subjects were divided into two groups. One group was given the choice of these two alternatives:

  • Alternative A: A sure gain of $500.
  • Alternative B: A 50% chance of gaining $1,000.

The other group was given the choice of:

  • Alternative C: A sure loss of $500.
  • Alternative D: A 50% chance of losing $1,000.

These two trade-offs aren’t the same, but they’re very similar. And traditional economics predicts that the difference doesn’t make a difference.”
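The four alternatives above scored two ways, as an added example that is not from the original post or from Schneier's essay: first by plain expected value (the classical economics view), then by a prospect-theory value function. The curvature and loss-aversion parameters (alpha = beta = 0.88, lambda = 2.25) are the Tversky and Kahneman (1992) estimates and are an assumption here; the security decision the post describes (a sure cost for a scan versus a gamble on a breach) has the same shape as alternatives C and D.

```python
# Added example (not from the post or Schneier's essay).  Parameters are the
# Tversky & Kahneman (1992) estimates, assumed here rather than taken from the post.
from typing import List, Tuple

Lottery = List[Tuple[float, float]]  # (probability, dollar outcome) pairs

ALPHA = 0.88   # curvature for gains: diminishing sensitivity to larger gains
BETA = 0.88    # curvature for losses
LAMBDA = 2.25  # loss aversion: a loss hurts about 2.25x as much as an equal gain


def expected_value(lottery: Lottery) -> float:
    """Classical expectation: probability-weighted sum of dollar outcomes."""
    return sum(p * x for p, x in lottery)


def value(x: float) -> float:
    """Prospect-theory value of one outcome, measured against the status quo."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * ((-x) ** BETA)


def prospect_value(lottery: Lottery) -> float:
    """Probability-weighted prospect value (probability weighting omitted)."""
    return sum(p * value(x) for p, x in lottery)


# Schneier's four alternatives written as lotteries.
A: Lottery = [(1.0, 500.0)]                  # sure gain of $500
B: Lottery = [(0.5, 1000.0), (0.5, 0.0)]     # 50% chance of gaining $1,000
C: Lottery = [(1.0, -500.0)]                 # sure loss of $500
D: Lottery = [(0.5, -1000.0), (0.5, 0.0)]    # 50% chance of losing $1,000


def preferred(x: Lottery, y: Lottery, scorer=prospect_value) -> str:
    """Return which of two lotteries the scorer prefers: "x", "y" or "tie"."""
    sx, sy = scorer(x), scorer(y)
    if abs(sx - sy) < 1e-9:
        return "tie"
    return "x" if sx > sy else "y"


if __name__ == "__main__":
    # Expected value cannot tell A from B or C from D; prospect theory prefers
    # the sure gain (risk averse in gains) and the gamble on the loss side
    # (risk seeking in losses), matching the post's summary.
    print("expected value:", preferred(A, B, expected_value), preferred(C, D, expected_value))
    print("prospect value:", preferred(A, B), preferred(C, D))
```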



People, Process, Technology = Security strategy

It is an old security methodology to review what is necessary in a security strategy:


People = we know people can cause security holes, give out security secrets, or create unknown (and known) security problems

Process = this is a set of events that hopefully will prevent some of the people problems, such as requiring a second pair of eyes (peer review) before changing a critical system

Technology = use technology to prevent as many potential problems as possible (including people problems).

We use anti-virus, anti-malware, intrusion prevention and incident response software.

At Fixvirus, we have helped companies with all 3 pieces of a security strategy.

Nasdaq Hack teaches network vigilance

BloombergBusinessweek article 7/17/2014

a. Discusses how Russian hackers infiltrated the NASDAQ network,

b. Placed malware on one of the NASDAQ web servers,

c. Thus creating a classic “watering hole” attack – where customers of NASDAQ were attacked by malware as they navigated NASDAQ websites.

d. The malware used 0-day vulnerabilities to hack the servers and network. In fact, the article mentioned (2) 0-day vulnerabilities being used.

A 0-day vulnerability is called that because it has not been patched yet, i.e. a vulnerability was found and the manufacturer has not had time to patch it. So even if the IT department did its job and applied the new Microsoft patches on Patch Tuesday (the 2nd Tuesday of the month), there is still a vulnerability that has no patch, and the hackers can attack and own (hacker parlance for control) your computers at will.

Remember the Heartbleed vulnerability?


This story makes one wonder if there is a third party doing any penetration testing for private company computers and networks.

Patch Tuesday is here 7/8/14

Patch Tuesday is the day Microsoft has deemed to give us their vulnerability fixes.

It has to be done some time, and so it is done on a Tuesday (right after Monday), still at the beginning of the week, so the computer departments can schedule reboots and patching as soon as they are able.

The second Tuesday of the month is Patch Tuesday.

BetaNews discusses 6 bulletins, of which 2 are critical.

Some affect different systems.

Technet advance discussion

Microsoft Security Bulletin

This one could be the bad one:


Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) 

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Please plan and patch accordingly



New PCI DSS v3.0 released Nov 2013

DARKReading has the highlights of the changes of v3.0 compared with v2.0

SearchSecurity also has a synopsis – with the 5 most important changes:

1. Pentesting (Penetration testing)

2. inventory system components

3. Vendor relationships

4. Antimalware

5. Physical access

All of the changes make sense in light of the Target breach, which we will review in more detail in a separate post. The most important are the pentesting and the segmentation of networks from your vendors. It is likely that one of the vendors at Target caused the breach, or at least helped the exfiltration of the credit card data.

Here is a snapshot from the actual v3.0 PCI DSS doc


4 Future Internet trends and how they affect Security

RealClearTechnology has an interesting article

(the 4 headings below are my synthesis of the article)

It is based on the Cisco projections (linked in the article).

#1 There will be 4 billion Internet users, and 52% of them will be in Asia (2.1 billion).


(image from the Cisco site).


This means that there will be more security issues, as there will be more criminals and teenagers trying to prove themselves. If you are seeing 10 scans per day today, by 2018 that will quadruple.

#2 There will be a marked increase in machine to machine traffic (M2M); “robots” is my interpretation. “Globally, machine-to-machine connections will grow 3-fold, from 2.3 billion in 2013 to 7.3 billion by 2018.”

This means that criminals will try to find the robots’ weaknesses and take them over for their own purposes. Yes, you guessed it – testing and security compliance is not going away.

#3 The PC will shrink in relevance. This is already happening, and in fact the prediction is “the PC will shrink to just 50.5 percent in 2018”. This means security folks have to get their mobile device strategy up to speed quickly, if you are not doing so already.

#4 There will be more videos streamed and watched on the Internet (this may mean many other things for media companies), but we are focused on security here. What does this mean for security? It means you have to detect the bad guys’ activity within a lot of other good traffic, specifically streaming video, sort of like we have to with voice over IP (VoIP) now. (Not a show stopper.)

Testing Cloud services

Since we advocate testing your IT services and devices, what if your organization uses cloud services?

How about Amazon EC2? Keep the AWS compliance page in mind.

As Amazon AWS (Amazon Web Services) says, it is a shared responsibility.

Rackspace has a security page – Rackspace Security – and Rackspace says it is a shared responsibility as well.

There are different cloud providers with specific missions and infrastructure services.


Let’s say you need PCI compliance completed for your website, which is hosted on a cloud provider.

A search of the Rackspace site turns up scanning for rootkits, among other links.

As a computer professional in the security field, one cannot just scan or perform penetration tests on any computer on the Internet; in fact, we must get written approval to perform a scan on a computer.

Why? How about this example:

Internet Storm Center example:

“However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable.  This affects Proliants from G1 all the way up to G6, as well as many of the HP Bladesystems.”

So when scanning for Heartbleed on HP ProLiant hardware, the iLO cards have a problem.

An iLO card allows a specific system administration remote ability:

“Before using an ILO card you must plug an Ethernet cable in to the server’s ILO Ethernet jack. Once the ILO card is connected to the Internet, you must set up an ILO user account and IP network address in the server’s BIOS menu”

This capability of the iLO card has a drawback: its software actually caused the server to crash, with a hard boot to recover (someone must press the power button). This side effect of a Heartbleed scan is a disaster for many cloud providers, as a reboot of a hypervisor server may cause a loss of service of 10-30 minutes or more if the system has to be manually reset in some way by a technician.
All Certified Ethical Hackers must be aware of the problems that can arise.
We must test for compliance and to uncover vulnerabilities, but it must be done in a way that does not affect services, if at all possible.
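One way to put the two rules above (written approval first, and no live probe against hosts a probe could crash) into a pre-scan check, as an added example that is not from the original post or from the ISC diary: every target is compared against the range covered by the signed authorisation and against ranges known to hold fragile TLS stacks such as iLO management ports. The networks and addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
# Added example (not from the post): scope gate run before any active test such
# as a Heartbleed probe.  All networks and hosts below are constructed samples.
import ipaddress
from typing import Dict, Iterable, List


def _nets(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def plan_scan(targets: Iterable[str], authorised: Iterable[str],
              fragile: Iterable[str]) -> Dict[str, List[str]]:
    """Sort targets into 'scan', 'refused' and 'excluded', with a reason each.

    refused  = outside the written authorisation (or not an address): never touched.
    excluded = inside scope but on a fragile management network: needs a
               maintenance window and a firmware version check, not a live probe.
    """
    auth_nets, fragile_nets = _nets(authorised), _nets(fragile)
    plan: Dict[str, List[str]] = {"scan": [], "refused": [], "excluded": []}
    for t in targets:
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            plan["refused"].append(f"{t}: not a valid IP address")
            continue
        if not any(ip in n for n in auth_nets):
            plan["refused"].append(f"{t}: outside authorised scope")
        elif any(ip in n for n in fragile_nets):
            plan["excluded"].append(f"{t}: iLO/fragile TLS stack, probe may crash host")
        else:
            plan["scan"].append(str(ip))
    return plan


# Constructed sample engagement (RFC 5737 documentation ranges, not real hosts).
AUTHORISED = ["192.0.2.0/24"]      # range named in the signed authorisation
FRAGILE = ["192.0.2.240/28"]       # constructed: iLO management subnet
TARGETS = ["192.0.2.10", "192.0.2.250", "198.51.100.7", "not-an-ip"]

if __name__ == "__main__":
    for bucket, items in plan_scan(TARGETS, AUTHORISED, FRAGILE).items():
        print(bucket, items)
```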



National Institute of Standards and Technology (NIST) has new standards

NIST has a Computer Security Division, and they have revamped their on-line database (Access and Control policy and procedures).

There are many good areas to review on this website, including the following.

Don’t forget the home workers:

An important part of telework and remote access security is applying security measures to the personal computers (PC) and consumer devices using the same wired and wireless home networks to which the telework device normally connects. If any of these other devices become infected with malware or are otherwise compromised, they could attack the telework device or eavesdrop on its communications. Teleworkers should also be cautious about allowing others to place devices on the teleworkers’ home networks, in case one of these devices is compromised.

Teleworkers should also apply security measures to the home networks to which their telework devices normally connect. One example of a security measure is using a broadband router or firewall appliance to prevent computers outside the home network from initiating communications with telework devices on the home network. Another example is ensuring that sensitive information transmitted over a wireless home network is adequately protected through strong encryption.

Anybody that connects to your network can cause unforeseen mayhem.

In computer security there is a method we use to get better security: after a security policy or method is instituted, it must be tested using independent thought (red team versus blue team). This methodology is used to create a stronger and more effective defense of network assets.

Contact Us to discuss this in depth.