The Heartbleed bug was created in December of 2011 and was activated in March of 2012, about two years ago. Thus, for two years, it has been used to gather information from the world’s biggest web sites. No traditional identity thefts have been linked to this bug during this time. In short, it seems to have been used solely for the purpose of gathering information. It wanted to remain quiet and unseen. Now that traditional hackers are alerted to its presence, however, unpatched web sites might see an increase in hacking attacks and, indeed, we may see a rise in identity thefts or other cybercrime. In fact, Bitcoin transaction sites have already experienced attacks.
There are many suspicious qualities to this bug. It took advantage of a (serious? accidental?) design flaw in an SSL update. It had all the earmarks of a designed zero-day attack. It just ‘happened’ to be ‘discovered’ on the last day of support for Windows XP. I will be writing about designed zero-day attacks in my next regular post, but those who design them are paid to the degree to which the bugs they design can remain hidden. I will also give a price list for such attacks and explain how they are designed and who can afford their very high prices. I can probably guess who the customer was, but I would rather not speculate at this time. I am not alone in being suspicious about the nature of this bug. Others have drawn connections between it and Microsoft. As is common in times of strife, conspiracy theories will abound, but the truth about this bug, if it ever is known, might prove to be quite interesting.
For now, all you need to know is that whoever may have wanted your password already has it. My guess is, however, that they were looking for big game, not the average Joe. When each web site you sign in to gives you the OK, change your password there. All mobile Android devices are vulnerable, so they, too, might have to be updated when patches arrive. Also, be careful of malware masquerading as an upgrade or Heartbleed fix. For now, remain vigilant and watch for what might be some revealing news on this bug in the near future.
Note to InZero System’s customers: Zero-day attacks usually target specific sites to exploit their networks. Because InZero’s security is based on hardware separation, Android-based tablets and smartphones cannot be used as platforms to launch a zero-day attack on your company.