Why you should still worry about Heartbleed

Patching of Internet-connected systems that contain the Heartbleed bug has slowed to a snail's pace, and security experts are advising companies to take extra precautions to avoid a security breach.

Errata Security scanned the Internet late Friday and found roughly 309,000 sites with the bug, which is in the secure sockets layer (SSL) library of the OpenSSL Project. That number was only about 9,000 fewer than what Errata found a month ago.

When Heartbleed was discovered in April, Errata found more than 600,000 vulnerable systems on port 443, which is used by default for SSL-secured communications between clients and servers.

"This indicates people have stopped even trying to patch," Robert Graham, a security researcher at Errata, said Saturday in the company's blog. "We should see a slow decrease over the next decade as older systems are slowly replaced."

That's bad news for users of those sites. The Heartbleed bug could let attackers access some of the most sensitive information on a site, including encryption keys and usernames and passwords of users.

The slowdown in patching and the number of unfixed systems did not surprise experts, who said the remaining servers likely belong to small businesses or sites that cannot afford the cost of deploying the fix.

About a half million SSL certificates were affected by the bug, which means they eventually had to be revoked and then replaced, Robert Miller, senior consultant at SecureState, said.

"It's going to take time to do that and some small companies might not have the money," Miller said. In the meantime, "the risk is still very high."

Errata did not list the domain names of the vulnerable sites and did not try to call the contacts listed with the domains.

Reaching out to them "would cause more problems than it would solve," Graham said in the comments section of the Errata blog.

However, that isn't the case with another site called un1c0rn.net, pronounced "unicorn." The site is selling information on sites it found with the Heartbleed bug.

Robert Hansen, vice president of WhiteHat Security's advanced technology group, estimates that there are about 75,000 websites listed on un1c0rn.net. Hansen provides details on the site on the WhiteHat blog.

"Anybody who uses those sites is vulnerable as long as the attackers have that information," Hansen told CSOonline. "No one should be using any of the sites on unicorn."

Companies should use one of the free scanning tools made available by vendors to check their own servers and, if possible, the sites that they know employees use, experts say.

Businesses also need to contact partner sites and cloud service providers to ensure that they are not vulnerable to an attacker exploiting Heartbleed, Miller said.

"Organizations need to be asking those questions," he said.
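One way to make those checks repeatable across an inventory, as an added example that is not from the article or from any vendor named in it: a small Python triage that classifies each host's `openssl version` string and decides whether its TLS private key (and therefore its certificate) still needs replacing. The affected release range is a fact about OpenSSL; the host names, dates and function names are constructed for illustration.

```python
"""Triage a host inventory for Heartbleed (CVE-2014-0160) exposure.

Constructed example, not Errata's or any vendor's scanner. Caveat: Linux
distributions often backport the fix without changing the version string,
so a hit here means "verify with a scanner or the package changelog",
not "confirmed vulnerable".
"""
import re
from datetime import date
from typing import Optional

# Upstream releases with the bug: 1.0.1 through 1.0.1f and the 1.0.2-beta1
# pre-release. 1.0.1g and 1.0.2-beta2 shipped the fix; 0.9.8 and 1.0.0 never had it.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_version_vulnerable(version_line: str) -> bool:
    """True if the `openssl version` output names a Heartbleed-affected release."""
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_line!r}")
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" are affected; "g" and later are fixed.
        # 1.0.1 pre-releases are counted as affected here, which is the safe side.
        return beta is not None or letter <= "f"
    if branch == (1, 0, 2):
        return beta == "1"
    return False


def triage_host(host: str, version_line: str, key_created: date,
                patched_on: Optional[date]) -> str:
    """Return the action for one host. A private key that was ever served by a
    vulnerable build may have leaked, so it and its certificate must be replaced;
    a key generated after the patch went in is fine."""
    if not openssl_version_vulnerable(version_line):
        return f"{host}: not affected"
    if patched_on is None:
        return f"{host}: STILL VULNERABLE - patch, then replace key and certificate"
    if key_created < patched_on:
        return f"{host}: patched {patched_on} but key predates the patch - replace key and certificate"
    return f"{host}: patched and key rotated after the patch - ok"
```

Running `triage_host` over an inventory gives the list of hosts still to patch and the certificates that must be revoked and reissued even though the host itself is already fixed.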

Jody Brazil, chief technology officer of FireMon, believes the vast majority of the sites found by Errata were likely small and not widely used by enterprises.

However, companies should educate users about the dangers of unpatched sites and remind them not to use the username and password for accessing the corporate network on other sites.

"You can't enforce what they do outside the company, but you can at least educate them on what the impact is," Brazil said. "End user education is always a good recommendation."

Stories by Antone Gonsalves