
Heartbleed: Rushed fixes leave thousands of previously unaffected systems ...


Rushed efforts to protect systems from the high-profile OpenSSL Heartbleed flaw have opened thousands of previously unaffected systems to attack.

Opera Software developer Yngve Pettersen discovered the phenomenon while scanning 500,000 separate servers, using variations of 23 million host names in various domains to see whether they were still vulnerable to Heartbleed.

'In my most recent scan 20 per cent of the currently vulnerable servers (as distinguished by IP addresses), and 32 per cent of the vulnerable powerful SSL/TLS accelerator (BigIP) servers, were not vulnerable when they were scanned previously,' wrote Pettersen in a blog post. 'This means that thousands of sites have gone from not having a Heartbleed problem, to having a Heartbleed problem.'

The Heartbleed security vulnerability (CVE-2014-0160), as discussed in the video below, was discovered by researchers with a Finnish company called Codenomicon at the start of April and is believed to affect millions of web servers around the world. Only the OpenSSL 1.0.1 branch carries the flaw: releases from 1.0.1 up to and including 1.0.1f contain the buggy TLS heartbeat code, 1.0.1g fixed it, and the older 0.9.8 and 1.0.0 branches were never affected.

Heartbleed is particularly dangerous because a single malformed heartbeat request lets an unauthenticated attacker read up to 64KB of the server process's memory, leaving nothing in the server logs. The leaked memory can contain private keys, session cookies and credentials that could be used to mount follow-up cyber attacks on related corporate systems.

Pettersen said that the increase in vulnerable systems is likely to be a consequence of pressure on IT managers to 'do something' to protect their systems from Heartbleed attacks.

'It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was unsecure,' read the post. 'This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy, version of the system.'

In practice that means moving a server from an unaffected 0.9.8 or 1.0.0 build to a 1.0.1 release older than 1.0.1g: it is the version range, not the age of the build, that determines exposure.

Pettersen explained that the mistake is doubly damning as it could cost companies significant amounts of money to fix.

'Assuming that each server patch, certificate replacement and test cycle consumes four hours for three system admins, each hour costing $40, the estimated extra cost for patching the 2,500 'Heartbroken' servers in my sample will be around $1.2m,' read the post. 'As my sample is probably not more than 10 per cent of the secure servers on the net, the unnecessary patching cost could exceed $12m.'

The certificate replacement in that estimate is not optional: once a server has run a vulnerable version on the internet, its private key must be treated as potentially disclosed, so patching has to be followed by new keys and certificates, revocation of the old ones, and a reset of sessions and passwords.

Despite the widespread significance of Heartbleed, only a select number of organisations are known to have been targeted by attacks exploiting the vulnerability. The Canada Revenue Agency and Mumsnet confirmed in April that attackers had stolen data from their systems using the Heartbleed flaw.
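The check behind Pettersen's scan diff, written as an added example (this is not Pettersen's scanner or code from the article): classify the OpenSSL version a server reports against the affected range 1.0.1 to 1.0.1f, then compare two scan snapshots to find the 'heartbroken' hosts that were not vulnerable in the earlier scan but are vulnerable now. The function names and the inventory of hosts and banners are constructed for the illustration.

```python
"""Added example, not Pettersen's scanner or code from the article.

Classifies OpenSSL version strings against the Heartbleed-affected range and
diffs two scan snapshots to find 'heartbroken' hosts: servers that were not
vulnerable in the earlier scan but are vulnerable now, typically because an
unaffected 0.9.8/1.0.0 build was 'upgraded' to a pre-1.0.1g 1.0.1 release.
"""
import re

# OpenSSL 1.0.1 through 1.0.1f carry the TLS heartbeat bug (CVE-2014-0160).
# 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never had the heartbeat code.
FIRST_VULNERABLE = (1, 0, 1, ())
LAST_VULNERABLE = (1, 0, 1, (ord("f"),))

# Matches "1.0.1e" inside strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013"
# (the format of `openssl version`, a Server header or a scanner banner).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(banner):
    """Return a comparable tuple (major, minor, fix, letters) for an OpenSSL version.

    OpenSSL patch releases append letters ("1.0.1", "1.0.1a", ..., "1.0.1f");
    encoding the letters as a tuple of code points orders "" < "a" < ... < "z"
    and keeps plain tuple comparison correct for multi-letter suffixes too.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), tuple(ord(c) for c in letters))


def is_heartbleed_vulnerable(banner):
    """True if the reported upstream version lies in 1.0.1 .. 1.0.1f.

    Caveat: distributions backported the fix without changing the upstream
    version string (RHEL and Debian shipped patched 1.0.1e packages), and a
    build compiled with -DOPENSSL_NO_HEARTBEATS is immune regardless of
    version. The version check is a triage filter; a live heartbeat probe or
    the package changelog is the authoritative answer.
    """
    return FIRST_VULNERABLE <= parse_openssl_version(banner) <= LAST_VULNERABLE


def heartbroken_hosts(previous, current):
    """Hosts that were scanned before, were not vulnerable then, and are now."""
    return sorted(
        host
        for host, banner in current.items()
        if host in previous
        and not is_heartbleed_vulnerable(previous[host])
        and is_heartbleed_vulnerable(banner)
    )


def newly_vulnerable_share(previous, current):
    """Fraction of currently vulnerable hosts (seen in both scans) that were
    not vulnerable in the previous scan, the figure Pettersen reports as 20%."""
    both = [h for h in current if h in previous]
    now_vulnerable = [h for h in both if is_heartbleed_vulnerable(current[h])]
    if not now_vulnerable:
        return 0.0
    return len(heartbroken_hosts(previous, current)) / len(now_vulnerable)


# Constructed sample inventory (host -> banner), not real scan data.
PREVIOUS_SCAN = {
    "a.example": "OpenSSL 1.0.0k 5 Feb 2013",     # unaffected branch
    "b.example": "OpenSSL 0.9.8y 5 Feb 2013",     # unaffected branch
    "c.example": "OpenSSL 1.0.1e 11 Feb 2013",    # vulnerable
    "d.example": "OpenSSL 1.0.1f 6 Jan 2014",     # vulnerable
}
CURRENT_SCAN = {
    "a.example": "OpenSSL 1.0.1e-fips 11 Feb 2013",  # 'upgraded' into the bug
    "b.example": "OpenSSL 1.0.1g 7 Apr 2014",        # upgraded past the bug
    "c.example": "OpenSSL 1.0.1g 7 Apr 2014",        # patched
    "d.example": "OpenSSL 1.0.1f 6 Jan 2014",        # still vulnerable, not new
    "e.example": "OpenSSL 1.0.1c 10 May 2012",       # not in the previous scan
}

if __name__ == "__main__":
    print("heartbroken:", heartbroken_hosts(PREVIOUS_SCAN, CURRENT_SCAN))
    print("share of vulnerable hosts that are new: %.0f%%"
          % (100 * newly_vulnerable_share(PREVIOUS_SCAN, CURRENT_SCAN)))
```

In the constructed inventory only a.example is heartbroken: it moved from the unaffected 1.0.0 branch to 1.0.1e, while b.example jumped straight to 1.0.1g and d.example was already vulnerable before. Hosts absent from the earlier scan, like e.example, cannot be classified as newly vulnerable, which is why both functions only consider hosts seen in both snapshots. The version check is deliberately conservative in the other direction too: a backported distribution package that still reports 1.0.1e will be flagged, so a hit should be confirmed with a live heartbeat probe before anyone is told to patch.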

