Vulnerabilities / Threats
4/18/2014
03:00 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Poll: Dark Reading Community Acts On Heartbleed

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

It will be some time before the full impact of the Heartbleed bug will be known, but in the Dark Reading security community, members are not dragging their feet about remedial action, according to our recent online flash poll Broken Heartbeat.

The danger was perceived immediately. "If you can spoof the server and step in as if you were that server, from a malicious standpoint, there is no end to the data that will be compromised," RyanSepe observed in a comment on our breaking story, Emergency SSL/TLS Patching Under Way. In the days since, more than 260 of you have weighed in on the steps your companies are taking to prevent cyberspies and criminals from gaining access to personal data on servers, networks, and devices through the flawed OpenSSL "Heartbeat" function of TLS.

Our poll allowed respondents to choose as many of the five responses as applied to their mitigation strategy. Six out of 10 of our respondents report that they have already installed the Heartbeat fix on their servers or are in the process of doing so. Only about 40 percent said they are replacing digital certificates.

The issue of what to do about passwords was raised by many readers, both on a personal level and in relation to the need to safeguard others' personal data on corporate servers. "As a developer I find it appalling that companies are not instituting a password black list for the 100 most common passwords by now," wrote jaingverda on Emergency SSL/TLS Patching Under Way. Yet, in our poll, only 30 percent of respondents said their organizations are requiring end users to change their passwords.

Not surprisingly, fewer than 8 percent of respondents said they are doing nothing about Heartbleed. But I take with a grain of salt the 17 percent who checked "What's Heartbleed?" -- a tongue-in-cheek response we included to underscore the fact that we recognize the limits of our online poll; it's anecdotal information, not pure research.

That said, I hope we can flesh out these data points with more detail in ongoing discussions. To quote Ed Moyle in a comment titled "Tip of the iceberg IMHO:"

What really concerns me is less the population of web servers that this impacts -- because, impactful as that is, they can at least upgrade fairly easily. What really makes me nervous is what else is vulnerable that can't be upgraded quite so easily. This code is in a lot of stuff, in particular embedded systems. Mark my words -- we'll be dealing with this one for a while.

I couldn't agree more. Let's begin by chatting about what strategies have been effective for you so far and what challenges have you stumped. And, if you still want to add your two cents to the online poll, it's still live, so click here.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 1:21:52 PM
Re: passwords -- in relation to the Heartbleed bug
Paul, In terms of our poll, do you think the fact that only 30 percent of respondents said their organizations are requiring end users to change their passwords, reflects a deeper problem -- that most organizations have given up on the idea that passwords are an effective end-users security strategy?
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
4/20/2014 | 6:50:04 PM
passwords

Passwords are the weak link to many things. How many people use that word for their password?  I bet it's a pretty large number. That being said what else can we do? Finger prints maybe? I realize that's much easier said than done.

 

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.