Many companies and individuals have been using free tools to check website vulnerabilities. But 95% of these free Heartbleed tools are defective. They can be giving website owners and users false comfort, putting them at even greater risk.
Defective Heartbleed Tools Leave More Customer Data Exposed
When most people check the websites they manage and use for Heartbleed, they use free tools. The problem is that most of the free online Heartbleed tools are defective. People who have used these tools have been given a false sense of security. They check the websites and are given a thumbs up. They then go ahead and log in to change their account passwords to safeguard them. But with faulty tools, they may be giving up their passwords instead of securing them. Their accounts and all the data in them are therefore exposed.
95% of the tools that have been developed to detect Heartbleed have bugs. These defects mean that they can’t properly detect the Heartbleed bug. Affected websites are therefore declared clean when they are actually still vulnerable to Heartbleed. These websites are therefore likely to be leaking customer data. Passwords are still exposed, and encryption keys can still be stolen.
Hut3 Penetration Tests
Hut3, a security company, has conducted penetration testing to determine the reliability of Heartbleed testing tools. They worry that many website users and administrators are feeling confident in the security of their systems. Edd Hardy of Hut3 says that companies could be reporting that their services are secure when they really are not.
The tools that were developed to check for the Heartbleed vulnerability are based on code that was created to reveal the Heartbleed vulnerability. But this revealing code has its own bugs according to Hut3. Even the tools that were released by large Internet companies are defective. One of these bugs is in compatibility with SSL versions. The checking tools have problems with common system configurations, causing detection failures.
The problem is that the tools are checking for TLSv1.1 only. If the server that you are checking doesn’t support this version, the handshake fails. No other version is tried, so the tool declares that the Heartbleed vulnerability is not present. The same failure occurs when the server does not accept the cipher suites the tool offers: 267 of the 318 cipher suites are unsupported by the tools. Another false result happens when the Internet connection is slow and the tool times out.
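The failure mode described above comes down to how a checker interprets the server's first reply: a rejected handshake (an alert such as protocol_version or handshake_failure) or a timeout says nothing about Heartbleed, yet a defective tool reports it as "not vulnerable". The following is an added example, not Hut3's tool or any of the checkers the article mentions; it parses a constructed TLS reply record and contrasts the flawed verdict with a verdict that treats a failed handshake as inconclusive. The record layouts and alert codes are the standard TLS ones; the sample bytes are constructed and the ServerHello is truncated after its version field.

```python
from enum import Enum


class Outcome(Enum):
    NEGOTIATED = "handshake accepted; the heartbeat test can proceed"
    INCONCLUSIVE = "server rejected the offered version or suites; retry with others"
    TIMEOUT = "no reply before the timeout"


ALERT, HANDSHAKE = 0x15, 0x16          # TLS record content types
SERVER_HELLO = 0x02                    # handshake message type
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def classify_reply(reply: bytes):
    """Classify the first TLS record a server sends in answer to a ClientHello."""
    if not reply:
        return Outcome.TIMEOUT, "empty reply"
    if len(reply) < 5:
        return Outcome.INCONCLUSIVE, "truncated record header"
    rtype = reply[0]                                   # content type
    length = int.from_bytes(reply[3:5], "big")         # record payload length
    body = reply[5:5 + length]
    if rtype == ALERT and len(body) >= 2:
        desc = body[1]                                 # body[0] is the alert level
        return Outcome.INCONCLUSIVE, f"alert {ALERT_NAMES.get(desc, desc)}"
    if rtype == HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
        ver = int.from_bytes(body[4:6], "big")         # server_version after 3-byte length
        return Outcome.NEGOTIATED, TLS_VERSIONS.get(ver, hex(ver))
    return Outcome.INCONCLUSIVE, f"unexpected record type {rtype:#x}"


def defective_verdict(reply: bytes) -> str:
    # The flawed logic: anything other than a negotiated handshake is reported as clean.
    outcome, _ = classify_reply(reply)
    return "needs heartbeat test" if outcome is Outcome.NEGOTIATED else "not vulnerable"


def careful_verdict(reply: bytes) -> str:
    # A failed or absent handshake is a failed test, not a clean result.
    outcome, detail = classify_reply(reply)
    return "needs heartbeat test" if outcome is Outcome.NEGOTIATED else f"inconclusive ({detail})"


# Constructed sample replies (not captured traffic).
SERVER_HELLO_TLS12 = bytes([0x16, 0x03, 0x03, 0x00, 0x06, 0x02, 0x00, 0x00, 0x02, 0x03, 0x03])
ALERT_PROTOCOL_VERSION = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])   # fatal, code 70
ALERT_HANDSHAKE_FAILURE = bytes([0x15, 0x03, 0x02, 0x00, 0x02, 0x02, 0x28])  # fatal, code 40
```

Run against the three samples, the defective verdict calls both alert replies "not vulnerable" while the careful one marks them inconclusive; only the negotiated TLSv1.2 reply should proceed to a heartbeat test.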
Hut3 has developed its own Heartbleed detection tool that they say works better. It can be found on https://gist.github.com/ah8r/10632982, and can be run using Python. For average Internet users, this will be a very difficult test to run. Internet companies and website administrators need to take initiative and responsibility to properly test their services.