
One Month Later: 300,000 Servers Remain Vulnerable To Heartbleed

Posted by Soulskill
from the server-security-hipsters-don't-follow-the-crowd dept.
DavidGilbert99 writes: "The Heartbleed Bug caused widespread panic among internet users around the world worried that their sensitive information was being targeted. While system administrators were warned to patch their systems, a security researcher notes that 300,000 servers remain vulnerable to the Heartbleed flaw a full month later. He said, 'Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.' A developer at Vivaldi Technologies AS also pointed out that a significant number of server administrators botched their response, going from safe to vulnerable."
  • The SSL problems. (Score:5, Insightful)

    by jellomizer (103300) on Friday May 09, 2014 @09:33AM (#46959123)

    I am not a systems administrator (I am a software designer; when I do administration it requires a lot of trial and error.), I do however have to set up an SSL site once every few years. And because of the rarity of this action this is one of those jobs that are difficult to do, compared to other jobs. Sure, if your web server is installed via an apt-get you are good. However there are times where you need to install it manually, and then you fight and tinker until SSL works; when it does work, your tendency is not to tinker with it anymore.
    The issue with Heartbleed is that it affects OpenSSL, one of the troublemaker libraries that require more than just the basic configure & make & make install.

    Now there are a lot of sites set up by amateur system admins, many of whom are less technical than I am, who will get it going and let it run. There isn't any enterprise architecture; the web site is running on a single PC with a single hard drive, chances are the hard drive has already died, and the site is just running from active memory.

  • by XanC (644172) on Friday May 09, 2014 @09:36AM (#46959165)

    You should be fired.

  • by swb (14022) on Friday May 09, 2014 @10:17AM (#46959567)

    As I understand this, a vulnerable server can expose its private SSL key to an attacker. With this private key, I can decrypt all of its encrypted SSL traffic.

    Is this correct so far?

    Now, as I understand this so far, having the private key is great, but I need to be able to MITM the connection to decrypt anything.

    How hard is this? At the transport layer, this would require snooping the network connection of the server; someplace locally on the LAN (easiest, port mirror, maybe) or at the ISP (harder, maybe less likely).

    The other option would be some kind of DNS spoofing/vulnerability/cache poisoning, redirecting all the server traffic to a system I controlled and then piping it back out. How likely is this?

  • by Qzukk (229616) on Friday May 09, 2014 @10:30AM (#46959699) Journal

    a vulnerable server can expose its private SSL key to an attacker

    A vulnerable server can expose anything in the server process's memory space to the attacker. Obligatory: http://xkcd.com/1354/ [xkcd.com]

  • by tlhIngan (30335) <.slashdot. .at. .worf.net.> on Friday May 09, 2014 @11:28AM (#46960291)

    Perhaps a lot of server administrators are simply tired of dealing with the unending farce that constitutes modern internet security, and have simply decided to give in. What's the use in spending time and effort on security measures which frequently fail, sometimes spectacularly so in the case of Heartbleed? In particular, what's the point of protecting customer data if organizations like the NSA can simply walk in and take it, or if you're already selling it en masse to marketers?

    I suspect a lot of them are like that. Or rather, the devs are too lazy. One of the reasons is simple - the 30% that Apple, Google, Microsoft, Valve etc. take for product distribution. Why do that when you can just set up your own Linux server, write a bit of code to get personal information and then use PayPal to handle the money?

    Of course, such systems remain vulnerable because it's too expensive to maintain (you want to write product software, not maintain the damn website) - forgetting part of that 30% is so you don't have to hire someone to keep up to date on security patches and other flaws.

    Meanwhile your customers' data remains vulnerable, and most likely, since it was hacked together, lacks any detection to know if it was broken into and data stolen.

    Yes, a lot of people feel the likes of Google/Apple/Microsoft/Valve/Shopify/Amazon/etc take too much money as their "cut" and want it all for themselves, without realizing it's actually a lot of ongoing full-time work, and the services take that cut so you can concentrate on more important things.
