A Case Study: Heartbleed Vulnerability Management and Swedish Municipalities

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10292)


In Sweden, the government has promoted the use of open source software (OSS) in the public sector in recent years. A number of Swedish municipalities have formed interest communities to share OSS information and work together on OSS issues. However, there is a lack of studies and evidence that these municipalities have adequate routines for managing warnings and advice from the communities on OSS security incidents. The Heartbleed vulnerability that occurred in April 2014 was a sudden case in which these municipalities had to take remedial actions to protect their information assets in a timely manner. This work presents a socio-technical study of how Swedish municipalities utilize information channels to handle an OSS security incident, and of their security posture before, during and after the incident. We conducted a case study of Heartbleed incident management in Swedish municipalities, in which three municipalities located in different regions of the country were studied. The study used a qualitative research method combined with the Security-by-Consensus (SBC) analytical model as a research paradigm for data collection, processing and analysis. The results suggest that the socio-technical aspects of open source security should be taken into account in Swedish municipalities for OSS adoption and security incident management.


Keywords: Open source software, Heartbleed, Security incident, Socio-technical, Swedish municipalities, SBC model



The authors would like to thank Katinka Ruda and Armina Arazm for their assistance in this study and doctoral candidate Vasileios Gkioulos for his comments and suggestions.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology, Gjøvik, Norway
