US govt agencies quick to act on Heartbleed


By Dylan Bushell-Embling
Tuesday, 27 May, 2014


US government agencies were quick to respond to the Heartbleed bug, patching more than half of government website vulnerabilities within six days, a US subcommittee has heard.

It took less than three weeks to patch nearly all of the 270 discovered occurrences of the vulnerability, according to Larry Zelvin, director of the National Cybersecurity and Communications Integration Center (NCCIC) within the Homeland Security Department’s National Protection and Programs Directorate.

Zelvin testified that the government’s Heartbleed team has scanned around 15.5 million government IPs for vulnerabilities, and that the number of vulnerable instances has been reduced to around two.

In a prepared statement, Zelvin said the NCCIC sprang into action as soon as the Heartbleed SSL bug was discovered.

“NCCIC learned of the Heartbleed vulnerability on April 7, 2014,” he said. “Less than 24 hours later, NCCIC released alert and mitigation information on the US-CERT website. In close coordination with the Departments of Defense and Justice, as well as private sector partners, the NCCIC then created a number of compromise detection signatures.”

The scanning was conducted using the National Cybersecurity Protection System (NCPS), specifically the intrusion detection, analysis and prevention component EINSTEIN.

While Zelvin said there had been a “rapid and coordinated federal government response to Heartbleed,” he complained that the incident response had been unnecessarily delayed by “the lack of clear and updated laws reflecting the roles and responsibilities of civilian network security”.

Heartbleed is a vulnerability in some unpatched versions of OpenSSL that potentially allows attackers to read the memory of sites usually protected by the SSL encryption protocol.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd