Ask HN: did hordes of hackers swoop in the first hours (minutes) of Heartbleed?

10 points by hoodoof ↗ HN
I have this idea that there are hordes of hackers who create a hitlist of target websites that they want to hack.

They then just wait until the next exploit comes along.

And within hours (or minutes) of the new exploit becoming public, they swoop, own their target site and rootkit it.

Does anyone else think this is true?

And if it is true, then has half the Internet been rootkitted long before the sites owner could update SSL?

AND......so you updated your website - good on you. Do you think you had already been rootkitted?

2 comments

[ 1.8 ms ] story [ 14.1 ms ] thread
Heartbleed wasn't a remote execution vulnerability. I am not a security expert, but I'm pretty sure that Heartbleed in and of itself wouldn't allow hackers to install a root kit.

In answer to your question, I have no idea how long it takes the bad guys to exploit newly revealed exploits. Probably a day or two on average (for the tools to be developed and then distributed). Also, different people have different agendas and motivations -- there are no doubt people out there desperate to jump on to certain high-profile sites at the first chance (Apple, Amazon, with their credit card data would be an obvious target, for instance), but I suspect most hackers just cast their net far and wide and take whatever they can. Mostly it'll be unpatched servers from years ago that aren't managed by a proper ops team, using exploits that should have been patched a long time ago.

The exploit only works on whatever data's in memory. If someone had started attacking servers when Heartbleed started being publicized, they'd be getting passwords and data from users who were active at that point in time.

Unfortunately (perhaps interestingly) right after the announcement I would imagine that much of this activity would be changing passwords. I'd like to think that they were good about telling people not to change passwords until the hole was patched, but presumably some people would still start to change their passwords. Ironically this hurts more than helps.