Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/18/2014
03:00 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Poll: Dark Reading Community Acts On Heartbleed

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

It will be some time before the full impact of the Heartbleed bug will be known, but in the Dark Reading security community, members are not dragging their feet about remedial action, according to our recent online flash poll Broken Heartbeat.

The danger was perceived immediately. "If you can spoof the server and step in as if you were that server, from a malicious standpoint, there is no end to the data that will be compromised," RyanSepe observed in a comment on our breaking story, Emergency SSL/TLS Patching Under Way. In the days since, more than 260 of you have weighed in on the steps your companies are taking to prevent cyberspies and criminals from gaining access to personal data on servers, networks, and devices through the flawed OpenSSL "Heartbeat" function of TLS.

Our poll allowed respondents to choose as many of the five responses as applied to their mitigation strategy. Six out of 10 of our respondents report that they have already installed the Heartbeat fix on their servers or are in the process of doing so. Only about 40 percent said they are replacing digital certificates.

The issue of what to do about passwords was raised by many readers, both on a personal level and in relation to the need to safeguard others' personal data on corporate servers. "As a developer I find it appalling that companies are not instituting a password black list for the 100 most common passwords by now," wrote jaingverda on Emergency SSL/TLS Patching Under Way. Yet, in our poll, only 30 percent of respondents said their organizations are requiring end users to change their passwords.

Not surprisingly, fewer than 8 percent of respondents said they are doing nothing about Heartbleed. But I take with a grain of salt the 17 percent who checked "What's Heartbleed?" -- a tongue-in-cheek response we included to underscore the fact that we recognize the limits of our online poll; it's anecdotal information, not pure research.

That said, I hope we can flesh out these data points with more detail in ongoing discussions. To quote Ed Moyle in a comment titled "Tip of the iceberg IMHO:"

What really concerns me is less the population of web servers that this impacts -- because, impactful as that is, they can at least upgrade fairly easily. What really makes me nervous is what else is vulnerable that can't be upgraded quite so easily. This code is in a lot of stuff, in particular embedded systems. Mark my words -- we'll be dealing with this one for a while.

I couldn't agree more. Let's begin by chatting about what strategies have been effective for you so far and what challenges have you stumped. And, if you still want to add your two cents to the online poll, it's still live, so click here.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 1:21:52 PM
Re: passwords -- in relation to the Heartbleed bug
Paul, In terms of our poll, do you think the fact that only 30 percent of respondents said their organizations are requiring end users to change their passwords, reflects a deeper problem -- that most organizations have given up on the idea that passwords are an effective end-users security strategy?
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
4/20/2014 | 6:50:04 PM
passwords

Passwords are the weak link to many things. How many people use that word for their password?  I bet it's a pretty large number. That being said what else can we do? Finger prints maybe? I realize that's much easier said than done.

 

COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.