How long the vulnerability had remained totally unknown, and whether any hackers had exploited it as a so-called “zero-day exploit,” is a tantalizing mystery with potentially widespread implications. In hacker terminology, a zero-day exploit is an attack on a computer vulnerability that a programmer or IT system hasn't yet had time to fix.
In the criminal hacker community, “zero-days” are “most often thought to be used for corporate espionage” or other “highly targeted attacks,” according to a RAND Corp. report (PDF).
When Heartbleed was first made public in early April, its potential for mischief was only hypothetical. That changed quickly.
“Attackers were actually exploiting it almost as soon as it went public,” said David Kennedy, founder and CEO of security firm TrustedSec, Strongsville, Ohio. Kennedy's firm linked Heartbleed to the CHS data hack.
A little more than two weeks after the initial Heartbleed announcement, the Canadian Mounties announced they had nabbed a 19-year-old hacker who had already used it to pluck the Social Insurance Numbers of about 900 taxpayers from the Canada Revenue Agency, that country's version of the IRS.
Experts say it's hard to detect whether a Heartbleed intrusion has occurred. Persistent monitoring and analysis of inflows and related outflows from a system is one suggested strategy to determine whether a system is being hit.
But that's tedious stuff, and with Heartbleed's potential, it's the health information technology equivalent of paddling around in a sea kayak waiting to get bit by a great white shark so you can definitively determine a great white is swimming in your waters.
Follow Joseph Conn on Twitter: @MHJConn