After the discovery of Heartbleed, security researcher Robert David Graham found that over 600,000 web servers were exposed to vulnerability. Now, two months later, Graham has discovered that approximately 300,000 servers are still vulnerable.
By Alex Choros
Just as a refresher, Heartbleed is a bug in OpenSSL, the cryptography library behind a large share of the web's HTTPS, in its handling of the TLS heartbeat extension (CVE-2014-0160). A malformed heartbeat request lets anyone read up to 64 KB of the server's memory per request, without authenticating and without leaving a trace, and that memory can contain usernames, passwords, session cookies, credit card numbers and even the server's private key. Heartbleed has been called the worst vulnerability ever found on the internet, and some went as far as recommending that users stay off the Internet entirely until the initial wave of patches went live.
So why are there still so many web servers vulnerable to Heartbleed?
Tim Falinski, Consumer Director for Australia and New Zealand at security software vendor Trend Micro, said the company has been doing a lot of testing of its own, and it appears that the majority of websites that haven't been patched yet are either defunct or do not require users to log in or provide personal details. Falinski added that key targets such as banks, Google and Tumblr were patched almost immediately. Despite this, Falinski reinforced the need for users to be "vigilant and aware", especially on less popular websites. Trend Micro has browser plugins for Firefox, Chrome and Safari that check whether a website is still vulnerable to Heartbleed, and an app for Android phones.
Sieng Chye Oh, a researcher at security software vendor ESET, said that Heartbleed is a "dream come true for hackers" and that it should not be underestimated. Oh recommended using unique passwords for websites and web services, and also suggested using a browser plugin to check whether or not a site is affected.
As with Falinski and Oh, our recommendation is to keep testing websites you're unsure about with a Heartbleed checker. If your browser doesn't have a compatible plugin, there are a number of web-based checkers available. This matters most for smaller websites, which make up the bulk of those still unpatched. Think twice before logging in to any website that hasn't been patched, especially if you use the same password there as for other websites, online banking or email, and do not enter your credit card details on any website that has not yet been patched. Bear in mind what a checker does and doesn't tell you: a "safe" result means the server is no longer vulnerable now, not that nothing leaked before the fix, so once a site you use has been patched, change the password you used there; changing it while the site is still vulnerable only exposes the new one.
We also recommend using a password manager such as 1Password. 1Password generates long, random, unique passwords for each website you use, and you remember only one master password to unlock them. That master password never leaves your machine, so a server-side bug like Heartbleed cannot expose it; the individual site passwords it stores can still leak from a vulnerable site, which is exactly why each one should be unique.
Got any further questions on Heartbleed? Let us know on Facebook and Twitter!
Sources: Errata Security, Tor Project Blog