Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Heartbleed tools often flag false negatives

by The Gurus
April 15, 2014
in Editor's News
Share on FacebookShare on Twitter

Tools being used to detect the OpenSSL vulnerability often contain bugs too.
 
According to research by CNS Security, methods for detecting whether your systems are affected have bugs themselves which is leading to false negative results.
 
Adrian Hayter, blogger and penetration tester at CNS Security, said: “I was called upon to perform checks against numerous systems during the week, and I noticed that some of the scripts would find a vulnerability whilst others would not. This behaviour often depended on the system in question, and upon reviewing the code behind the scripts, I uncovered a number of bugs.”
 
He said that there are three main bugs which he found whilst performing tests against various server configurations: TLS Version support; TLS Cipher Suite support; and payload detection. Setting up a server that was vulnerable to Heartbleed, but that was configured to demonstrate the bugs, Hayter said he ran 15 scripts and web-based detection tools at it, and only Hut3 Cardiac Arrest and Qualys SSL Labs detected it.
 
Among those who failed to detect it, was Rapid7’s Metasploit and Tenable’s Nessus scanner. Rapid7 were unable to comment at the time of writing, while Renaud Deraison, chief research officer and co-founder at Tenable Network Security, said: “The setup outlined in the April 14 blog in CNS Hut3 blog is interesting because it narrows down TLS so much that most web clients would not be able to connect to a server configured that way.
 
“While our original check failed at negotiating this particular cipher, we’ve since modified it to support more cases like this one. There are many other ways where a check could fail however, for instance a lot of the public proof of concepts only test https, but completely ignore other services using SSL such as SMTP, IMAP or OpenVPN. Our research team has been working around the clock to cover as many of these services as possible since day one, and we’re continuing to investigate other programs using SSL in a non-standard way.”
 
Hayter said: “On a broader level, these results show that whilst proof of concept scripts are great for demonstrating vulnerabilities, they should not be used as a tool for confirming whether your systems are vulnerable. Authors of these detection tools should take care not to rely too much on proof of concept scripts, as bugs can easily be carried over during development.”

FacebookTweetLinkedIn
Tags: HeartbleedSSL
ShareTweetShare
Previous Post

First victims of Heartbleed revealed

Next Post

Google updates terms of service to reflect its scanning of users' emails

Recent News

london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023
JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information