Human Behavior and Cyber Vulnerabilities - UMD - October 2014
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): VS Subrahmanian
Researchers: Richard Johnson, Sonam Sobti, Tudor Dumitras, Marshini Chetty, Aditya Prakash
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
Understanding and Accounting for Human Behavior; Security-Metrics-Driven Evaluation, Design, Development, and Deployment
PROJECT SYNOPSIS
When a vulnerability is exploited, software vendors often release patches fixing the vulnerability. However, our prior research has shown that some vulnerabilities continue to be exploited more than four years after their disclosure. Why? We posit that there are both technical and sociological reasons for this. On the technical side, it is unclear how quickly security patches are disseminated, and how long it takes to patch all the vulnerable hosts on the Internet. On the sociological side, users/administrators may decide to delay the deployment of security patches. Our goal in this task is to validate and quantify these explanations. Specifically, we seek to characterize the rate of vulnerability patching, and to determine the factors--both technical and sociological--that influence the rate of applying patches.
PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.
Liang Zhang, David Choffnes, Tudor Dumitras, Dave Levin, Alan Mislove, Aaron Schulman, and Christo Wilson. Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed. In Proceedings of the ACM Internet Measurement Conference (IMC'14), Vancouver, Canada, Nov 2014.
ACCOMPLISHMENT HIGHLIGHTS
We conducted a study to determine how SSL certificates were reissued and revoked in response to a widespread vulnerability, Heartbleed, that enabled undetectable key compromise. We conducted large-scale measurements and developed new methodologies to determine how the most-popular 1 million web sites reacted to this vulnerability in terms of certificate management, and how this impacts security for clients that use those web sites.
We found that the vast majority of vulnerable certificates have not been reissued; further, of those domains that reissued certificates in response to Heartbleed, 60% did not revoke their vulnerable certificates. If those certificates are not eventually revoked, 20% of them will remain valid (i.e., will not expire) for two or more years. The ramifications of these findings are alarming: users will remain potentially vulnerable to malicious third parties using stolen keys to masquerade as a compromised site for a long time to come. We analyzed these trends for vulnerable Extended Validation (EV) certificates as well, and found that, while such certificates were handled with better security practices, they still remain largely not reissued (67%) and not revoked (88%) even weeks after the vulnerability was made public.
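The classification behind the numbers above (was a pre-disclosure certificate replaced, was the old one revoked, and for how long does an unrevoked one stay valid) can be made concrete with a small script. The following is an added illustration, not code from the study; the certificate records and the CRL contents are constructed sample data, and it simplifies by treating every certificate issued before the Heartbleed disclosure date (2014-04-07) as potentially exposed.

```python
"""Classify observed certificates per domain relative to the Heartbleed
disclosure and summarise reissue/revocation behaviour (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

HEARTBLEED_DISCLOSED = date(2014, 4, 7)   # public disclosure of Heartbleed
LONG_LIVED = timedelta(days=730)          # "two or more years" of remaining validity


@dataclass(frozen=True)
class CertRecord:
    domain: str
    serial: str
    not_before: date
    not_after: date
    ev: bool = False


# Constructed observations: every certificate seen for each domain over time.
OBSERVED = [
    CertRecord("a.example", "01", date(2013, 6, 1), date(2016, 6, 1)),
    CertRecord("a.example", "02", date(2014, 4, 12), date(2017, 4, 12)),
    CertRecord("b.example", "03", date(2013, 9, 1), date(2014, 9, 1)),
    CertRecord("b.example", "04", date(2014, 4, 20), date(2015, 4, 20)),
    CertRecord("c.example", "05", date(2014, 1, 15), date(2017, 1, 15)),
    CertRecord("c.example", "06", date(2014, 5, 1), date(2016, 5, 1)),
    CertRecord("d.example", "07", date(2013, 11, 1), date(2015, 11, 1)),
    CertRecord("e.example", "08", date(2013, 12, 1), date(2016, 12, 1), ev=True),
    CertRecord("f.example", "09", date(2014, 4, 15), date(2015, 4, 15)),
]

# Constructed CRL contents: serials the issuing CAs have revoked.
REVOKED_SERIALS = {"01"}


def classify(records, revoked, observed_on):
    """Return {domain: status} for every domain that had a pre-disclosure
    (potentially exposed) certificate. Domains whose certificates all
    postdate the disclosure are not exposed and are skipped."""
    by_domain = {}
    for rec in records:
        by_domain.setdefault(rec.domain, []).append(rec)

    status = {}
    for domain, certs in by_domain.items():
        exposed = [c for c in certs if c.not_before < HEARTBLEED_DISCLOSED]
        if not exposed:
            continue
        # The most recent pre-disclosure cert is the one whose key may have leaked.
        old = max(exposed, key=lambda c: c.not_before)
        reissued = any(c.not_before >= HEARTBLEED_DISCLOSED for c in certs)
        is_revoked = old.serial in revoked
        # Still valid two or more years after the observation date?
        long_lived = (not is_revoked) and old.not_after >= observed_on + LONG_LIVED
        status[domain] = {
            "reissued": reissued,
            "revoked": is_revoked,
            "long_lived": long_lived,
            "ev": old.ev,
        }
    return status


def summarize(status):
    """Counts matching the study's breakdown: how many exposed domains
    reissued, how many of those left the old cert unrevoked, and how many
    of the unrevoked old certs remain valid for two or more years."""
    reissued = [s for s in status.values() if s["reissued"]]
    unrevoked = [s for s in reissued if not s["revoked"]]
    long_lived = [s for s in unrevoked if s["long_lived"]]
    return {
        "exposed": len(status),
        "reissued": len(reissued),
        "reissued_unrevoked": len(unrevoked),
        "reissued_unrevoked_long_lived": len(long_lived),
    }


if __name__ == "__main__":
    result = classify(OBSERVED, REVOKED_SERIALS, observed_on=date(2014, 5, 1))
    for domain, s in sorted(result.items()):
        print(domain, s)
    print(summarize(result))
```

On the constructed data, five domains are exposed, three reissued, two of those never revoked the old certificate, and one of those unrevoked certificates stays valid past 2016; a real measurement would replace the inline records with scanner output and the serial set with fetched CRL or OCSP responses.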