Protect Your Assets

Heartbleed still causing heartburn

markpainter ‎05-22-2014 07:34 AM - edited ‎07-06-2015 01:13 PM

I recently estimated that within three weeks of the release of the Heartbleed security vulnerability, roughly 70 percent of organizations would have it resolved. It's a good thing I wasn't in Vegas when I made that prediction, because I'd have lost that bet. Roughly six weeks later, over half still haven't corrected the problem. Some organizations simply might not need to implement the fix (or at least think they don't) because the data does not require protection. Some might not be aware they are vulnerable. Some might no longer support that implementation. But I suspect that for most of the laggards, the complexity of their implementations is slowing down the fix rate, not a lack of desire. Here are a couple of examples that show the true scope of implementing the fix. And of course, they just happen to reflect critical infrastructure.


This is a very perilous time for organizations that are vulnerable, as knowledge of the attack is widespread and affected sites are actively being hunted. It's a dangerous time for users, too. A recent survey found that 47 percent of people who heard of Heartbleed and knew of the danger still haven't changed passwords. It's counterintuitive, but this is actually an instance when laziness is not necessarily a bad thing. If the fix hasn't been implemented, then changing your password does no good. In fact, it could do harm: the new password passes through the same unpatched server and can be leaked just like the old one.
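The "wait until the fix is in" rule above is easy to state and hard to apply per site. The script below is an added example, not code from the original post, that turns it into a repeatable check: a password rotation is only worthwhile once the site reports the patch is deployed and its certificate was issued after the public disclosure date (assumed here as 2014-04-07 UTC). The certificate date is used as an assumed proxy for "the private key was replaced after patching"; the post itself does not prescribe that signal. `fetch_cert` is the live-lookup path; the sample certificates are constructed for offline use.

```python
"""Decide whether rotating a password on a Heartbleed-exposed site is worthwhile yet.

Added example, not part of the original post. Assumptions (not stated on the page):
 - `patched` records the site's own announcement that the fix is deployed;
 - the certificate's notBefore date is a proxy for "key reissued after the patch";
   a certificate issued before public disclosure may still be the key that was exposed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of CVE-2014-0160 (Heartbleed), used as the cut-off.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(text):
    """Parse the 'Apr  9 00:00:00 2014 GMT' format that getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def rotation_advice(cert, patched):
    """Return (should_rotate, reason) for one site.

    cert    -- dict in the shape returned by ssl.SSLSocket.getpeercert()
    patched -- bool, whether the site has announced the fix is deployed
    """
    if not patched:
        return False, "server not yet patched: a new password could leak the same way"
    issued = parse_cert_time(cert["notBefore"])
    if issued < HEARTBLEED_DISCLOSED:
        return False, "patched, but certificate predates disclosure; key may still be the exposed one"
    return True, "patched and certificate reissued after disclosure"


def fetch_cert(host, port=443, timeout=5):
    """Live lookup: return the peer certificate dict for host:port (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates for offline use; not real sites or real keys.
OLD_CERT = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2016 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "reissued.example.test"),),),
    "notBefore": "Apr 12 08:30:00 2014 GMT",
    "notAfter": "Apr 12 08:30:00 2016 GMT",
}


def review_sites(sites):
    """Apply rotation_advice to a list of (name, cert, patched) and return a report dict."""
    return {name: rotation_advice(cert, patched) for name, cert, patched in sites}


if __name__ == "__main__":
    sample = [
        ("legacy.example.test (unpatched)", OLD_CERT, False),
        ("legacy.example.test (patched, old cert)", OLD_CERT, True),
        ("reissued.example.test", NEW_CERT, True),
    ]
    for name, (rotate, why) in review_sites(sample).items():
        print(f"{name}: {'rotate now' if rotate else 'wait'} ({why})")
```

To check a real site, replace a constructed dict with `fetch_cert("hostname")` and supply the patch status from the site's own announcement; the script deliberately does not probe the server for the bug itself, it only reads the public certificate.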


There is no doubt users are eventually going to be tasked with protecting themselves to a much larger extent than they do now. That job becomes exceedingly harder, though, when timing needs to be part of the decision. The waiting really is the hardest part. And when corporations and security experts can't agree about what users should do, it becomes that much more confusing. For my part, I changed all my passwords upon release of the vulnerability, and have been doing so again as each impacted site releases its fix information. Put simply, we've got a long way to go before we are out of the woods on this one. Stay tuned.
