Many websites remain vulnerable to Heartbleed, a month after patch was released

by The Gurus
May 9, 2014
in Editor's News

Many apparently “secure” websites remain vulnerable to the Heartbleed OpenSSL flaw a month on from it being widely reported and a patch being offered.
 
According to Netcraft, although many secure websites reacted promptly to the bug by replacing their SSL certificates and revoking the old ones, some made the critical mistake of reusing the potentially compromised private key in the new certificate.
 
It determined that more than 30,000 affected certificates had been revoked and reissued without changing the private key. By reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as one that had not yet replaced its SSL certificate at all.
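The check Netcraft's finding calls for, as an added example that is not part of the article: two certificates share a key pair exactly when their DER SubjectPublicKeyInfo is byte-identical, so hashing that field of the old and the reissued certificate tells a site operator whether the "new" certificate still carries the leaked key. The stub certificate builder is a constructed, unsigned stand-in used only for the self-test; the fingerprint function itself walks standard X.509 DER.

```python
import hashlib

# Added example, not from the article: detect a certificate that was "reissued"
# with the same key pair by comparing the DER SubjectPublicKeyInfo of two certs.
# spki_fingerprint() works on real DER certificates (openssl x509 -outform DER);
# make_stub_cert() only builds constructed, unsigned stand-ins for a self-test.

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for one DER element."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the SubjectPublicKeyInfo; equal hashes mean the same key pair."""
    _, cert, _ = _read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate
    tag, _, end = _read_tlv(tbs, 0)
    pos = end if tag == 0xA0 else 0       # optional [0] EXPLICIT version
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)       # subjectPublicKeyInfo
    return hashlib.sha256(tbs[pos:end]).hexdigest()

def key_reused(old_cert_der: bytes, new_cert_der: bytes) -> bool:
    """True when the replacement certificate still carries the old public key."""
    return spki_fingerprint(old_cert_der) == spki_fingerprint(new_cert_der)

def make_stub_cert(serial: int, pubkey_bits: bytes) -> bytes:
    """Constructed, unsigned stand-in with the real TBSCertificate field order."""
    rsa_oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"          # 1.2.840.113549.1.1
    sig_alg = _tlv(0x30, _tlv(0x06, rsa_oid + b"\x0b") + _tlv(0x05, b""))  # sha256WithRSA
    key_alg = _tlv(0x30, _tlv(0x06, rsa_oid + b"\x01") + _tlv(0x05, b""))  # rsaEncryption
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"140409000000Z") + _tlv(0x17, b"150409000000Z"))
    spki = _tlv(0x30, key_alg + _tlv(0x03, b"\x00" + pubkey_bits))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + sig_alg + empty_name + validity + empty_name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00\x00\x00\x00\x00"))
```

A matching fingerprint across the revoked and the reissued certificate is the condition Netcraft counted as "reissued without changing the private key"; the fix is a fresh key pair, then a new CSR.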
 
Commenting, TK Keanini, CTO of Lancope, said: “There are two critical changes that need to take place: the first is that a website using the vulnerable version of OpenSSL must replace this library and recompile the server; in addition, they need to replace the key pairs, both private and public, for all websites that were hosted on the vulnerable service.
 
“Some folks don’t have the technical abilities to perform this type of maintenance, and for those folks we ask that they find a hosting facility that can help them maintain security levels sufficient for being on the internet.”
 
In a separate analysis, Robert Graham at research firm Errata Security found that 318,239 of 600,000 previously vulnerable systems remained vulnerable.
 
“Last month, I found one million systems supporting the ‘heartbeat’ feature (with one third patched). This time, I found 1.5 million systems supporting the ‘heartbeat’ feature, with all but the 300,000+ patched,” Graham said.
 
“This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.”
 
Russ Spitler, vice president of product strategy at AlienVault, said: “This is really unfortunate news, though I suppose not terribly surprising. Heartbleed has been a really amazing event from a few different angles, the breadth of the exposure but also the speed and scope of the response.
 
“We have seen huge portions of the internet mobilised to react in a short amount of time which is largely unprecedented. However, we have a slightly different exposure than we have seen in the past. From a historical standpoint, most exposures of this scale were due to a single vendor’s operating system having an issue and the remediation was often as simple as applying a vendor supplied patch. Here, we have the same dynamic of a vendor supplied patch but the nature of the vulnerability requires additional steps to address the exposure – updating the certificates used in the vulnerable systems.
 
“It is amazing so many have taken this step, but the stat provided shows a failure of education. Those who understood the vulnerability were successful in convincing the world of its impact and the need to address it, but unfortunately those who understood completely failed at explaining what steps needed to be taken. Replacing the certificate without generating a new private key makes the effort completely wasted.
“It is not an issue of testing, as the people who have done this just failed to understand why they were doing it, and those who instructed them to do it assumed that they were being clear enough. There was an education gap between the two, and in that situation I blame the security experts, not the people who tried to do the right thing. In this situation I would actually put the scrutiny on the certificate authorities: if a customer is resubmitting for a new certificate due to compromise but using the same private key, the request should be rejected. This is not a problem of regulation but one of education.”
