Blue Coat Labs

SSL Visibility Appliance Defeats, Logs Heartbleed Attack Attempts

Andrew Brandt

It's been a long couple of weeks as folks here at Blue Coat and elsewhere are working on various ways to prevent Heartbleed-driven data losses. We have been developing tools and techniques to enable our customers to detect attacks and determine what data may have been lost.

Meanwhile, people have been developing techniques that vastly expand the attack surface of devices and services. The initial proof-of-concept, for example, only explored a single attack methodology — launching the attack and stripping out data before the SSL handshake had been completed.

Since then, we’ve seen additional attack tools developed that mask the attack inside of the encrypted SSL flows after the handshake. In addition, there have been further attacks against VPN servers and embedded systems that use the vulnerable OpenSSL libraries. There are also reports where clients may be vulnerable to attacks if they visit dodgy Web sites, where the site might try to read memory off of the visitor's computer, phone or tablet. Ugh, it just gets worse and worse.

But, this morning I'm very happy to say that Blue Coat has a solution.

This morning, the developers of our SSL Visibility Appliance released an update that can not only detect the use of the exploit, but also kill the session to prevent the exploit from reaching the destination device. At the same time, it logs details of the affected flow in the session log.

We also add an entry to the SSL-VA log once every 30 minutes if we have seen the exploit in the past half hour.

The great thing about the solution is that, as long as you're inspecting SSL traffic with the Visibility Appliance, it doesn't matter whether the attack is inside or outside of the encrypted session flow. We'll halt the attack (at the Web server side of things) and prevent any data leakage. Bonus: We'll show you the IP address of the attacking computer, so you can see who's trying to steal from you.
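The two cases above, an attack sent before the handshake completes and one carried inside the encrypted flow, differ in what a passive observer can check. The following added example (not Blue Coat's code and not the SSL Visibility Appliance's detection logic) applies the RFC 6520 length rule to cleartext heartbeat records and reports post-handshake heartbeats as uninspectable without decryption; the function names, finding labels and sample records are constructed for illustration.

```python
import struct

HEARTBEAT, CHANGE_CIPHER_SPEC = 24, 20  # TLS record content types
HB_REQUEST = 1                          # heartbeat message type (RFC 6520)
MIN_PADDING = 16                        # RFC 6520 minimum padding length


def iter_records(stream):
    """Yield (content_type, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:  # truncated capture, stop parsing
            return
        yield ctype, body
        off += 5 + length


def scan(stream):
    """Return (record_index, finding) pairs for one direction of a flow."""
    findings, encrypted = [], False
    for idx, (ctype, body) in enumerate(iter_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # later records in this direction are ciphertext
        elif ctype != HEARTBEAT:
            continue
        elif encrypted:
            # Length fields are not readable without decrypting the flow.
            findings.append((idx, "heartbeat-encrypted-uninspectable"))
        elif len(body) < 3:
            findings.append((idx, "heartbeat-malformed"))
        else:
            hb_type, claimed = struct.unpack_from("!BH", body)
            # Claimed payload plus header and padding must fit the record.
            if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(body):
                findings.append((idx, "heartbeat-length-mismatch"))
    return findings


def record(ctype, body, version=0x0302):
    """Build a TLS record; helper for the constructed samples only."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed samples, not captured traffic.
WELL_FORMED = record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(16))
OVERSTATED = record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
AFTER_CCS = record(CHANGE_CIPHER_SPEC, b"\x01") + record(HEARTBEAT, bytes(40))
print(scan(WELL_FORMED), scan(OVERSTATED), scan(AFTER_CCS))
```

The third sample is the case a purely passive sensor cannot judge: the record type is visible, but the length fields are ciphertext, so the check only becomes possible once the flow is decrypted for inspection.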

Here is a screenshot of the SSL-VA user interface where such a packet is flagged by the appliance. And we're exploring using the SSL-VA to collect even more statistics as a way to provide a better view into instances of the Heartbleed exploit being used for real attacks in the wild.