Heartbleed Fallout: Thousands of Systems Still Exposed

It's been more than two months since the Heartbleed bug rocked the Internet world. Although some rushed to patch their systems, a new report reveals that many are still vulnerable to what has been called one of the worst-ever vulnerabilities.

First revealed in April, Heartbleed could give hackers access to user passwords and even trick people into using fake versions of popular Web sites. According to the security engineers at Codenomicon who found the bug, the vulnerability is in the OpenSSL cryptographic software library. The weakness, they said, allows the theft of information that is normally protected by the SSL/TLS encryption used to secure the Internet.

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," according to the Web site dedicated to providing information about the bug. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

A Decade From Now . . .

Robert Graham, an analyst at the cybersecurity firm Errata Security, is now offering some new facts and figures on Heartbleed. When the vulnerability was announced, the firm found 600,000 systems vulnerable.

"A month later, we found that half had been patched, and only 300k were vulnerable," Graham wrote in a blog post. "Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443; I haven't checked other ports."

As Graham sees it, the stats indicate that IT admins have stopped even trying to patch against Heartbleed. He also predicted a slow decrease over the next decade...
