Why you should still worry about Heartbleed
- 25 June, 2014 00:41
Patching of Internet-connected systems that contain the Heartbleed bug has slowed to a snail's pace, and security experts are advising companies to take extra precautions to avoid a security breach.
Errata Security scanned the Internet late Friday and found roughly 309,000 sites with the bug, which is in the secure sockets layer (SSL) library of the OpenSSL Project. That number was only about 9,000 less than what Errata found a month ago.
When Hearbleed was discovered in April, Errata found more than 600,000 vulnerable systems on port 443, which is used by default for SSL-secured communications between clients and servers.
"This indicates people have stopped even trying to patch," Robert Graham, a security researcher at Errata, said Saturday in the company's blog. "We should see a slow decrease over the next decade as older systems are slowly replaced."
That's bad news for users of those sites. The Heartbleed bug could let attackers access some of the most sensitive information on a site, including encryption keys and usernames and passwords of users.
The slowdown in patching and the number of unfixed systems did not surprise experts, who said the remaining servers likely belong to small businesses or sites that cannot afford the cost of deploying the fix.
About a half million SSL certificates were affected by the bug, which means they eventually had to be revoked and then replaced, Robert Miller, senior consultant at SecureState, said.
"It's going to take time to do that and some small companies might not have the money," Miller said. In the meantime, "the risk is still very high."
Errata did not list the domain names of the vulnerable sites and did not try to call the contacts listed with the domains.
Reaching out to them "would cause more problems than it would solve," Robert Graham, security researcher for the company, said in the comments section of the Errata blog.
However, that isn't the case of another site called un1c0rn.net, pronounced "unicorn." The site is selling information on sites it found with the Heartbleed bug.
Robert Hansen, vice president of WhiteHat Security's advanced technology group, estimates that there are about 75,000 websites listed on un1c0rn.net. Hansen provides details on the site on the WhiteHat blog.
"Anybody who uses those sites is vulnerable as long as the attackers have that information," Hansen told CSOonline. "No one should be using any of the sites on unicorn."
Companies should use one of the free scanning tools made available by vendors to check their own servers and, if possible, the sites that they know employees use, experts say.
Businesses also need to contact partner sites and cloud service providers to ensure that they are not vulnerable to an attacker exploiting Heartbleed, Miller said.
"Organizations need to be asking those questions," he said.
Jody Brazil, chief technology officer of FireMon, believes the vast majority of the sites found by Errata was likely small and not used by too many enterprises.
However, companies should educate users about the dangers of unpatched sites and remind them not to use the username and password for accessing the corporate network on other sites.
"You can't enforce what they do outside the company, but you can at least educate them on what the impact is," Brazil said. "End user education is always a good recommendation."