SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Testing your website for the heartbleed vulnerability with nmap

Published: 2014-04-18
Last Updated: 2014-04-18 17:08:52 UTC
by Manuel Humberto Santander Pelaez (Version: 1)

We have received reports from many readers about buggy tools for testing the Heartbleed vulnerability. Today I want to show you how easy it is to check for this vulnerability using a reliable tool such as nmap.

You just need to trigger a version scan (-sV) along with the ssl-heartbleed NSE script. The following example shows a command that will scan 192.168.0.107 for this bug:

nmap -sV 192.168.0.107 --script=ssl-heartbleed

This will be the output for a non-vulnerable website. As you can see, no warnings are shown:

ssl-heartbleed output

If you are vulnerable, you will get the following:

Vulnerable message for heartbleed

For vulnerability testing, always use reliable tools that do not contain malicious code that could infect your computer and that do not produce false positives.
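When the scan above is run against more than one host, nmap's XML output (-oX) is easier to process than the screen output. The following parser is an added example, not code from the diary or from the nmap project; the XML it reads is a constructed sample that mirrors the layout nmap writes, and its handling of silence (the script prints nothing when a TLS port is not vulnerable, exactly as the diary's first screenshot shows) is the point worth noting.

```python
# Added example, not from the ISC diary: parse the XML that
# `nmap -sV --script=ssl-heartbleed -oX scan.xml <targets>` writes and
# report the Heartbleed state of every open port.
import xml.etree.ElementTree as ET

# Constructed sample output (not a real scan). The script only emits a
# <script> element when it has a finding, which is why the diary's
# non-vulnerable host shows no warning at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=ssl-heartbleed -oX - 192.168.0.0/24">
 <host><address addr="192.168.0.107" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/>
   <service name="http" product="Apache httpd" tunnel="ssl"/>
   <script id="ssl-heartbleed" output="VULNERABLE">
    <table key="CVE-2014-0160"><elem key="state">VULNERABLE</elem></table>
   </script></port></ports></host>
 <host><address addr="192.168.0.108" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/>
   <service name="http" product="nginx" tunnel="ssl"/></port></ports></host>
 <host><address addr="192.168.0.109" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH"/></port></ports></host>
</nmaprun>"""

def heartbleed_findings(xml_text):
    """Return {address: [(port, state), ...]} for every open port.

    state is VULNERABLE / NOT VULNERABLE for TLS services (the script
    stays silent when the handshake is safe, so silence on a TLS port
    means not vulnerable) and NOT TESTED for ports the script never
    runs against; -sV matters because it flags TLS-wrapped ports."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            is_tls = svc is not None and (svc.get("tunnel") == "ssl"
                                          or svc.get("name") in ("https", "ssl"))
            script = port.find("script[@id='ssl-heartbleed']")
            if script is not None:
                elem = script.find(".//elem[@key='state']")
                state = (elem.text if elem is not None else script.get("output")).strip()
            else:
                state = "NOT VULNERABLE" if is_tls else "NOT TESTED"
            results.setdefault(addr, []).append((int(port.get("portid")), state))
    return results

def vulnerable_hosts(xml_text):
    """Addresses with at least one port whose state is VULNERABLE."""
    return sorted(addr for addr, ports in heartbleed_findings(xml_text).items()
                  if any(state == "VULNERABLE" for _, state in ports))
```

Feed it the file written by -oX instead of SAMPLE_XML to get a per-host list for remediation tracking; a port reported as NOT TESTED was not probed, so an absent finding there is not a clean result.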

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Heartbleed CRL Activity Spike Found

Published: 2014-04-16
Last Updated: 2014-04-18 01:51:02 UTC
by Alex Stanford (Version: 1)

Update: CloudFlare posted in their blog twice today claiming responsibility for the majority of this spike. Quoting: "If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign's monthly bandwidth bill."

Update: We've also seen articles from ZDNet and WIRED today in response to the below insights, with further analysis therein.

It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.

This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl

The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:

This is, by an order of magnitude, the largest spike in revocation activity seen in years, according to our current data.

I have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at https://isc.sans.edu/crls.html.

How will you use this page in your projects or general analysis? We'd love to hear some ideas.

If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.

On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:

What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?

-- 
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford | @alexstanford
