May 14, 2014 By Jason Kravitz

Heartbleed vs. Heartblead

What difference does an “a” make? To our malleable, creative brains, a typo might not really change the meaning of a word or sentence too much. But to our trusty security systems that process packets at wire speed, pulling out patterns and payloads, it could make the difference between blocking malicious traffic and leaking sensitive data.

There’s a long-standing debate in security circles about the effectiveness of pattern matching signatures. Some security products continue to subsist on pattern-based signatures as the sole source of protection. This often lulls users into a false sense of security, which in many cases is worse than no security at all.

Not Another Post About Heartbleed, Please!

Heartbleed does make for an interesting case study and a perfect example of how ineffective pattern matching signatures are at protecting against real-world threats.

The day the OpenSSL Heartbleed vulnerability was publicly disclosed, ICS-CERT and the FBI published a list of recommended Snort signatures that could be used to prevent an exploit from plundering private data. There were a large number of signatures, in fact, and one might think that after the painstaking process of copying and pasting them into place, you could check the box for Heartbleed protection and go about your day.

The problem is that these signatures are more or less ineffective against any kind of “mutated exploit,” a variation of an attack that changes an “e” to an “a,” for example, and slides through completely undetected. Security and networking guru Robert Graham posted an excellent blog post describing how a slight tuning of his masscan tool easily evaded this kind of pattern-based detection by changing the timing of packets and the position of the payload.

An even simpler and more relevant evasion has to do with ports. The ICS-CERT signatures hard-code a specific set of ports which, while common listeners for SSL connections, are by no means comprehensive. Take, for example, Plesk Control Panel, which runs on port 8443 and is used by tens if not hundreds of thousands of websites that employ virtual hosting for their server. All of these sites would still be quite vulnerable to a Heartbleed exploit despite having these intrusion prevention system (IPS) rules in place.

Granted, when these signatures were released, most security vendors were scrambling to add protection; as an emergency stopgap, sometimes some protection is better than none at all. Even so, those who rely on this type of technology without updating to something more comprehensive would remain open to attack.

Increase Your IPS Protection

As Graham points out in his post, the solution is to use a security system with true protocol analysis decodes. Rather than looking for patterns, protocol analysis can decode the SSL packets and determine where the actual payloads are, regardless of how the packets are sent or received. This type of protection is much more robust and much less susceptible to evasion.
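The contrast described above, as an added example that is not code from the original post or from any IPS product: a signature anchored at the start of a segment next to a small decoder that reassembles TLS records and checks the heartbeat length field against the record length, as RFC 6520 requires. The signature bytes are a simplified stand-in for a content rule, the sample records are constructed, and the check assumes the heartbeat record is unencrypted.

```python
import struct

HEARTBEAT = 24     # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16   # minimum padding in a heartbeat message (RFC 6520)
# Simplified stand-in for a content signature anchored at the start of a segment
SIGNATURE = bytes.fromhex("1803020003014000")

def pattern_match(segment):
    return segment.startswith(SIGNATURE)

def inconsistent_heartbeat(body):
    """Return (claimed, actual) if the claimed payload cannot fit in the record."""
    if len(body) < 3:
        return (None, len(body))
    claimed = struct.unpack("!H", body[1:3])[0]
    return (claimed, len(body)) if 1 + 2 + claimed + MIN_PADDING > len(body) else None

class TlsRecordDecoder:
    """Reassembles TLS records from a TCP byte stream, however it was segmented."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment):
        self.buf += segment
        findings = []
        while len(self.buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", self.buf[:5])
            if len(self.buf) < 5 + length:
                break                      # wait for the rest of the record
            body = bytes(self.buf[5:5 + length])
            del self.buf[:5 + length]
            finding = inconsistent_heartbeat(body) if ctype == HEARTBEAT else None
            if finding is not None:
                findings.append(finding)
        return findings

def scan(segments):
    """Return (signature hits, decoder findings) for one direction of a stream."""
    decoder = TlsRecordDecoder()
    hits = sum(pattern_match(s) for s in segments)
    return hits, [f for s in segments for f in decoder.feed(s)]

def record(ctype, body, version=0x0302):
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed sample records (not captured traffic)
BAD = record(HEARTBEAT, struct.pack("!BH", 1, 0x4000))      # claims 16384 bytes, carries 0
BAD_ALT = record(HEARTBEAT, struct.pack("!BH", 1, 0x3FFF))  # one field value changed
GOOD = record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + bytes(16))
OTHER = record(22, bytes(8))                                 # filler handshake-type record
```

Nothing in the decoder depends on a port list, so the same check applies to a listener on 8443 as to one on 443.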

The lesson to remember is that while people are great at spotting patterns without the limitations of a fixed set of rules, IPS devices do far better when they aren’t solely reliant on pattern matching signatures and instead use technology like true protocol analysis decodes as well as heuristic signatures and other behavioral modeling.
