OpenSSL Heartbleed bug sniff tools are 'BUGGY' – what becomes of the broken hearted?

  • 18 April 2014
  • 1 reply
  • 2789 views

Hayter's gonna hate

By John Leyden, 17 Apr 2014

Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy.

This finding is disputed by developers publishing tools that test for the vulnerability.

The teams behind Nessus, Metasploit, Nmap and others have each released utilities for sensing whether or not computers and gadgets are affected by the password-leaking Heartbleed flaw. "The problem is, most of them have bugs themselves which lead to false negative results: that is, a result which says a system is not vulnerable when in reality it is," claimed Adrian Hayter, senior penetration tester at security consultancy CNS Hut3.

"With many people likely running detection scripts or other scans against hosts to check if they need to be patched, it is important that these bugs be addressed before too many people develop a false sense of security regarding their infrastructure," he added.

Full Article

And guess what? Now we find out that the tools to detect this nasty are... well, suspect... what an almighty c@#k up of the first order :S

1 reply

Uh oh! Now what do we do?