BELMONT, CALIF. – April 9, 2014 – Defense.Net, the only company designed to mitigate the increasing scale and sophistication of modern Distributed Denial of Service (DDoS) attacks, today released statements from the company’s founder, Barrett Lyon, on the “Heartbleed” vulnerability announced last night, which has exposed more than half a million websites and may be one of the most catastrophic bugs in secure computing history.
Lyon, whose pursuit of hackers operating as part of the Russian mob was chronicled in the best-selling book Fatal System Error, and who created what is now the $1 billion DDoS mitigation industry more than 10 years ago, noted the following:
• “Unless an OpenSSL implementation has been patched, anyone can remotely view 64K chunks of memory. Said another way, whatever was left behind in the memory of the vulnerable server… becomes public data… This could be passwords, accounts, personal data, and the SSL private keys of the server itself! To give you an idea of how big of a problem this is, this software is used in everything from web sites, VPNs, specialized networking equipment, email communications, phone apps, you name it.”
• “Whether or not this is a bug or an intentional addition is all speculation at this point and it’s been in the software for over two years, exposing anyone using OpenSSL.”
• “To make matters worse, once the bug has been patched globally, it’s highly likely that every SSL certificate that has been on an exposed server will have to be re-issued, creating an absolute logistical and security nightmare. The cost of replacing half a million SSL certificates could range in the several hundreds of millions of dollars and it’s unclear when this can or will happen.”
• “But there is an immediate solution that has already been protecting millions of websites from Heartbleed. A side benefit of Defense.Net’s DDoS mitigation is a better and more protected network. In the process of cleaning up invalid bots and removing attack traffic, Defense.Net’s DDoS mitigation also validates legitimate network protocols against illegitimate ones. This is achieved through a process where on one layer of our network we create a proprietary SSL/TLS implementation, and on another layer of our network we monitor and block the behavior of traffic that attempts to exploit the Heartbleed bug.”
More details can be found on Lyon’s blog, which will be updated as more is uncovered about this vulnerability.
Addendum: F5 Networks acquired Defense.Net in May 2014.
F5 (NASDAQ: FFIV) makes apps go faster, smarter, and safer for the world’s largest businesses, service providers, governments, and consumer brands. F5 delivers cloud and security solutions that enable organizations to embrace the application infrastructure they choose without sacrificing speed and control. For more information, go to f5.com. You can also follow @f5networks on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners, and technologies.