Vulnerabilities / Threats
4/18/2014
03:00 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Poll: Dark Reading Community Acts On Heartbleed

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

It will be some time before the full impact of the Heartbleed bug will be known, but in the Dark Reading security community, members are not dragging their feet about remedial action, according to our recent online flash poll Broken Heartbeat.

The danger was perceived immediately. "If you can spoof the server and step in as if you were that server, from a malicious standpoint, there is no end to the data that will be compromised," RyanSepe observed in a comment on our breaking story, Emergency SSL/TLS Patching Under Way. In the days since, more than 260 of you have weighed in on the steps your companies are taking to prevent cyberspies and criminals from gaining access to personal data on servers, networks, and devices through the flawed OpenSSL "Heartbeat" function of TLS.

Our poll allowed respondents to choose as many of the five responses as applied to their mitigation strategy. Six out of 10 of our respondents report that they have already installed the Heartbeat fix on their servers or are in the process of doing so. Only about 40 percent said they are replacing digital certificates.

The issue of what to do about passwords was raised by many readers, both on a personal level and in relation to the need to safeguard others' personal data on corporate servers. "As a developer I find it appalling that companies are not instituting a password black list for the 100 most common passwords by now," wrote jaingverda on Emergency SSL/TLS Patching Under Way. Yet, in our poll, only 30 percent of respondents said their organizations are requiring end users to change their passwords.

Not surprisingly, fewer than 8 percent of respondents said they are doing nothing about Heartbleed. But I take with a grain of salt the 17 percent who checked "What's Heartbleed?" -- a tongue-in-cheek response we included to underscore the fact that we recognize the limits of our online poll; it's anecdotal information, not pure research.

That said, I hope we can flesh out these data points with more detail in ongoing discussions. To quote Ed Moyle in a comment titled "Tip of the iceberg IMHO:"

What really concerns me is less the population of web servers that this impacts -- because, impactful as that is, they can at least upgrade fairly easily. What really makes me nervous is what else is vulnerable that can't be upgraded quite so easily. This code is in a lot of stuff, in particular embedded systems. Mark my words -- we'll be dealing with this one for a while.

I couldn't agree more. Let's begin by chatting about what strategies have been effective for you so far and what challenges have you stumped. And, if you still want to add your two cents to the online poll, it's still live, so click here.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 1:21:52 PM
Re: passwords -- in relation to the Heartbleed bug
Paul, In terms of our poll, do you think the fact that only 30 percent of respondents said their organizations are requiring end users to change their passwords, reflects a deeper problem -- that most organizations have given up on the idea that passwords are an effective end-users security strategy?
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
4/20/2014 | 6:50:04 PM
passwords

Passwords are the weak link to many things. How many people use that word for their password?  I bet it's a pretty large number. That being said what else can we do? Finger prints maybe? I realize that's much easier said than done.

 

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!