Vulnerabilities / Threats
4/18/2014
03:00 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Poll: Dark Reading Community Acts On Heartbleed

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

It will be some time before the full impact of the Heartbleed bug will be known, but in the Dark Reading security community, members are not dragging their feet about remedial action, according to our recent online flash poll Broken Heartbeat.

The danger was perceived immediately. "If you can spoof the server and step in as if you were that server, from a malicious standpoint, there is no end to the data that will be compromised," RyanSepe observed in a comment on our breaking story, Emergency SSL/TLS Patching Under Way. In the days since, more than 260 of you have weighed in on the steps your companies are taking to prevent cyberspies and criminals from gaining access to personal data on servers, networks, and devices through the flawed OpenSSL "Heartbeat" function of TLS.

Our poll allowed respondents to choose as many of the five responses as applied to their mitigation strategy. Six out of 10 of our respondents report that they have already installed the Heartbeat fix on their servers or are in the process of doing so. Only about 40 percent said they are replacing digital certificates.

The issue of what to do about passwords was raised by many readers, both on a personal level and in relation to the need to safeguard others' personal data on corporate servers. "As a developer I find it appalling that companies are not instituting a password black list for the 100 most common passwords by now," wrote jaingverda on Emergency SSL/TLS Patching Under Way. Yet, in our poll, only 30 percent of respondents said their organizations are requiring end users to change their passwords.

Not surprisingly, fewer than 8 percent of respondents said they are doing nothing about Heartbleed. But I take with a grain of salt the 17 percent who checked "What's Heartbleed?" -- a tongue-in-cheek response we included to underscore the fact that we recognize the limits of our online poll; it's anecdotal information, not pure research.

That said, I hope we can flesh out these data points with more detail in ongoing discussions. To quote Ed Moyle in a comment titled "Tip of the iceberg IMHO:"

What really concerns me is less the population of web servers that this impacts -- because, impactful as that is, they can at least upgrade fairly easily. What really makes me nervous is what else is vulnerable that can't be upgraded quite so easily. This code is in a lot of stuff, in particular embedded systems. Mark my words -- we'll be dealing with this one for a while.

I couldn't agree more. Let's begin by chatting about what strategies have been effective for you so far and what challenges have you stumped. And, if you still want to add your two cents to the online poll, it's still live, so click here.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 1:21:52 PM
Re: passwords -- in relation to the Heartbleed bug
Paul, In terms of our poll, do you think the fact that only 30 percent of respondents said their organizations are requiring end users to change their passwords, reflects a deeper problem -- that most organizations have given up on the idea that passwords are an effective end-users security strategy?
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
4/20/2014 | 6:50:04 PM
passwords

Passwords are the weak link to many things. How many people use that word for their password?  I bet it's a pretty large number. That being said what else can we do? Finger prints maybe? I realize that's much easier said than done.

 

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.