Over 300,000 Servers Remain Vulnerable To Heartbleed
An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
Better Career Path (Score:5, Funny)
Re:Better Career Path (Score:4, Funny)
You bleeding heart liberals never know when to change.
Re:Better Career Path (Score:4, Insightful)
300,000 seems like a small number, if you stop and consider how many sub-amateurs set up web servers.
You were told that Linux is very secure and you don't have to worry about hacks and viruses. You installed your favorite distribution, got whatever web stuff you wanted, and then you left the server running, racking up uptime and never touching the server again. Heck, I am willing to bet that for some of these systems the hard drive failed years ago, and they are running off of RAM alone.
Web Page still works, everything is A-OK.
Hosting? (Score:5, Insightful)
Hosting? (Score:1)
Maybe some of them are patched but nobody restarted apache/nginx/lighttpd/whatever, so they still use the old, vulnerable OpenSSL version.
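The "patched on disk but never restarted" case above is cheap to check from the defender's side: once the package manager replaces libssl/libcrypto, any daemon started before the upgrade still maps the old copies, and the kernel flags those mappings as "(deleted)" in /proc/PID/maps. This is an added example written for this thread, not code from the post or from any project; the maps excerpt is constructed, and the script assumes a Linux host with procfs and awk.

```shell
#!/bin/sh
# Find processes that still have a replaced (deleted) OpenSSL shared object
# mapped, i.e. hosts where the package was upgraded but the service was not
# restarted. Added example; run the scan as root to read other users' maps.

# Read one process's /proc/<pid>/maps on stdin and print each distinct
# libssl/libcrypto path that is still mapped from a deleted file.
# Empty output means this process is not running a stale OpenSSL.
stale_ssl_libs() {
    awk '$6 ~ /\/lib(ssl|crypto)[^ ]*\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Walk every process and report PID, command name and the stale library paths.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_ssl_libs < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$stale"
    done
}

# Constructed sample (not captured from a real host): a web server that was
# started before the OpenSSL upgrade. Both the code (r-xp) and data (rw-p)
# segments of the old 1.0.0-named libraries are now "(deleted)"; libc is fine.
SAMPLE_MAPS='7f3c1a2b3000-7f3c1a4c9000 r-xp 00000000 08:01 1234567 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c1a6c9000-7f3c1a6d3000 rw-p 00016000 08:01 1234567 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c1a6d3000-7f3c1a8f8000 r-xp 00000000 08:01 1234568 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3c1a8f8000-7f3c1aab3000 r-xp 00000000 08:01 1234569 /usr/lib/x86_64-linux-gnu/libc-2.19.so'

# Run the check over the constructed sample so the script is testable offline.
demo() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_libs
}

# Usage: sh stale_ssl.sh --scan   (without --scan only the sample is shown)
if [ "${1-}" = "--scan" ]; then
    scan_proc
else
    demo
fi
```

A non-empty report means the fix on disk is not yet in effect for that process; restarting the listed service (or rebooting) is what actually closes the hole.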
Re: (Score:2)
Re: (Score:2)
Also, the laws are a bit idiotic. It's not like the ones actually exploiting the vulnerability will care that it's illegal. :)
They need a whistleblower exception
Re:and yet cryptocurrencies remain immune...! (Score:5, Insightful)
You've packed a lot of wrong into such a short post. If a system is insecure a "good" architecture is irrelevant - you're still screwed. And either way, neither architecture nor cryptocurrencies have anything to do with this problem, which is unpatched OpenSSL.
Re: (Score:1, Insightful)
If a system is insecure a "good" architecture is irrelevant - you're still screwed.
Dear John
Please can you explain how BitCoin is vulnerable to Heartbleed?
I think good architecture is essential to good security. That's why I posted.
Many Thanks
Jawad Yaqub
Online wallet (Score:3)
Re:and yet cryptocurrencies remain immune...! (Score:5, Informative)
Re: (Score:2)
Yeah, unfortunate reality of infosec (Score:2)
what about the Bob and Joe's Bait Shop (Score:2)
who does not want to pay the 3x rate to get someone out there now to fix it and will just wait for the next visit in their plan with their outsourced IT plan.
Re: (Score:2)
Or the "smart" software developer who sees Apples and Googles and Microsofts charging 30%
Different websites, different passwords (Score:1)
This is why at different websites, you need different passwords. This way, it minimizes damage when it's not patched.
Just watch the video at http://www.komonews.com/news/consumer/Getting-passwords-under-control-261725121.html
Let's put teenagers in jails (Score:3, Insightful)
Why would someone patch the web server?
We don't like smart, initiative-taking teenagers here in the USA.
1. Teenager sends email to administrators advising them about unpatched server.
2. SWAT raids the home of the kid.
3. DA sends the kid to private jail for life and announces running for another term.
4. ?
5. Profit or reality of life in the USA
Re: (Score:2)
It seems you don't actually understand the topic you're speaking on here. Various bridged (inline) WAFs are capable of blocking Heartbleed attacks; Imperva [imperva.com] offers one such solution. It is not necessary for the WAF to operate in a conventional proxy mode to accomplish this task, and there is no race condition involved. Why are you posting in an authoritative tone when you have no idea what you're talking about?
Re: (Score:1)
To be perfectly clear, I am making the assertion that you're completely unqualified to speak on network security in general. You started off with "I don't understand how ..." and then trailed off into a series of statements which demonstrated a complete lack of understanding of fundamentals in this field. Please stop posting. Thanks.
Re: (Score:2)
they should have been using mac servers! they come with X and remote desktop and art so you don't have to break a nail doing command line like a neanderthal!
servers of what? (Score:2)
most servers on the internet don't do anything important. this is sensationalist tripe.
Re: (Score:2)
does slashdot even kick into https for passwords?
any slashdotter who uses the same password as for banking or auction or bitcoin site deserves what they get
Re: (Score:2)
aw too bad, I was hoping my account would be hijacked by a mean-spirited trolling sociopath, and no one would notice
Re: (Score:2)
Re: (Score:2)
Nope, and to be honest, they even have a handy "auto login" link that puts your password in the URL.
To be certain, well, there's nothing at risk for /. - so what - someone can post as yourself? I've been to worse sites that demanded way more stringent policies for far less than what /. offers.
Re: (Score:2)
So why are they using SSL in the first place?
Re: (Score:2)
So why are they using SSL in the first place?
Looking for the "lock symbol" is the one thing the masses have managed to learn about Internet security.
People (the inexperienced ones) cause customer service headaches when they can't / won't learn that this system doesn't need it. "Where is the lock?" "How come you don't have a lock?" "My grandson says the lock means you are secure." etc.
For $40 a year, a company can head off 40 tech support calls with the worst type of users (the ones that don't even understand enough to put the answers in context a
As expected (Score:3)
Only 50% found it critical enough to deal with the problem quickly. The rest either have embedded systems or dependencies that are preventing them from upgrading, or they aren't savvy enough to know that their system is vulnerable. For example, systems on Ubuntu 13.04 didn't get the Heartbleed fix because 13.04 is at end of support, necessitating an upgrade to 13.10 before getting the fix. You can of course roll your own and build it yourself etc., but most organizations aren't going to do that. There's also that small percentage that will never upgrade no matter what because there is some other reason not to, org blowback or systems near end of life, for example.
Re: (Score:2)
For example, systems on Ubuntu 13.04 didn't get the Heartbleed fix because 13.04 is at end of support, necessitating an upgrade to 13.10 before getting the fix.
End-of-life'd after just a year. Just wow. That would really make me want to put Ubuntu into a production environment. Not.
Re:As expected (Score:5, Informative)
13.04 wasn't an LTS release. LTS releases come out every 2 years and are supported for 5 years (12.04, 14.04, etc). The non-LTS releases can be thought of as betas for the LTS releases.
Re: (Score:2)
Re: (Score:2)
Not surprising... (Score:2)
There are servers out there still broadcasting the "code red" worm...
Certificate renewal (Score:2)
Certificate Authorities (CAs) could help here: if a secured server were mandatory to get a certificate renewal, things would be cleaned up.
Problem is: no CA has any interest in doing this extra work, and no central authority can force them to do so. Major browsers could push them, though, by telling users that some CAs are more trustworthy than others.
Re: (Score:3)
LOL. Most certificate authorities are just saying 'here's what this guy told us his name is'. Basically worthless.
But it's nice to have a near-monopoly service that's no better than a self-signed certificate.
Re: (Score:2)
Update in haste? (Score:2)