Heartbleed is not dead. And isn't likely to be any time soon

200,000+ vulnerable devices on the internet.


It's almost three years since the Heartbleed vulnerability gave sysadmins palpitations, potentially leaking millions of passwords and exposing private SSL keys from vulnerable web servers.

By September 2015, I hoped that the situation would have improved. After all, system administrators had had plenty of time to apply OpenSSL patches and secure their systems. However, that hope was forlorn - over 200,000 devices were found to be still vulnerable.

So what now?

John Matherly, founder of Shodan, revealed the current sorry state of affairs via a tweet announcing their report on Heartbleed's continued existence:

Here's my prediction. In a year's time, we won't see any significant reduction in the number of Heartbleed vulnerable websites and devices connected to the internet.

This is as good as it's going to get. The people who cared about fixing their systems against the Heartbleed vulnerability did it long ago.

The others simply don't give a damn.


3 Responses

  1. drsolly

    January 23, 2017 at 8:12 pm #

    It could be worse than that.

    To determine what version of OpenSSL is in use, you do

    curl --head http://localhost/ (or whichever URL you're testing).

    The response you get will include something like:

    Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8g

    Version 0.9.8g is, of course, vulnerable to the Heartbleed vul. You fix it by updating your OpenSSL, recompiling Apache and restarting Apache. Which, I have to add, is a bit of a pain in the arse if you have to do it each month.

    But if you don't want people to know which version of Apache and OpenSSL you're running (which seems like a sensible thing to do, why give out information that could help an attacker?) you set ServerTokens to reduce the info that you're giving out.

    So for servers who have this set to anything other than "Full", you don't know the version of OpenSSL. Which means that they'll pass PCI DSS even if they're vulnerable to Heartbleed.

    And no-one will know.

    • Bob in reply to drsolly.

      January 24, 2017 at 12:26 am #

      I know and it's a real problem.

      PCI DSS is strict compared to other countries' standards, but when you think about how old some banks' TLS certificates are (and they pass PCI DSS) you begin to realise that the Payment Card Industry are paying lip service to security.

      • drsolly in reply to Bob.

        January 24, 2017 at 6:38 pm #

        80% of merchants fail PCI DSS compliance.

        http://securityaffairs.co/wordpress/34768/security/80-percent-failure-pci-dss.html

        PCI DSS is a fine example of security theatre.
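As an added example (not code from the post or from the commenters), here is how a defender might triage the Server headers collected with `curl --head` as drsolly describes: a banner that omits the OpenSSL component because ServerTokens is set to anything other than Full is reported as inconclusive rather than counted as clean. The affected range it uses, 1.0.1 through 1.0.1f, is the one the OpenSSL project published and is supplied here as an assumption; the sample headers are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample Server headers, one per host, as `curl --head` would
# return them under different ServerTokens settings.
SAMPLE_HEADERS = {
    "web1": "Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e",  # Full
    "web2": "Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1g",  # Full
    "web3": "Server: Apache/2.2.22 (Unix)",                                # OS
    "web4": "Server: Apache",                                              # Prod
}

OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Assumption: the affected range as published by the OpenSSL project,
# 1.0.1 up to and including 1.0.1f; 1.0.1g and later carry the fix.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"


def parse_openssl_version(server_header: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) from a Server header, or None if the
    banner carries no OpenSSL component (ServerTokens OS/Prod/etc.)."""
    m = OPENSSL_RE.search(server_header)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify(server_header: str) -> str:
    """'affected', 'not_affected', or 'unknown' when the banner hides the version."""
    version = parse_openssl_version(server_header)
    if version is None:
        return "unknown"          # hidden banner is not evidence of a patched host
    major, minor, patch, letter = version
    if (major, minor, patch) != AFFECTED_BRANCH:
        return "not_affected"
    # Within 1.0.1 the patch letters sort alphabetically; '' (plain 1.0.1) < 'a'.
    return "affected" if letter <= LAST_AFFECTED_LETTER else "not_affected"


def triage(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts so that inconclusive banners are surfaced for a real check."""
    buckets: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, header in headers.items():
        buckets[classify(header)].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_HEADERS).items():
        print(f"{bucket:13s} {hosts}")
```

Hosts in the "unknown" bucket need a check that does not rely on the banner (for example asking the package manager which OpenSSL build is installed) before they can be counted as remediated.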
