Over 300,000 Servers Remain Vulnerable To Heartbleed
An anonymous reader writes: Even though it's been a couple of months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug, known as Heartbleed, that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
If those servers would have studied engineering instead of history, they probably would not be servers and not be suffering from broken hearts.
Time Bomber the Book coming soon.
I wonder how many of these are dirt cheap hosting servers, and no one who should care even knows the hosting company is asleep at the switch...
good architecture => good security
This is to be expected, the only organizations that were going to aggressively patch HB were going to be the googles, the microsofts, the ones with millions of assets and awareness of how much damage that it can cause. The ones that aren't going to patch are going to be your Bob and Joe's Bait Shop with the inexplicable online shop that's being managed by their nephew whenever he's in town from college, if he knows to.
This is why at different websites, you need different passwords. This way, it minimizes damage when it's not patched.
Just watch the video at http://www.komonews.com/news/consumer/Getting-passwords-under-control-261725121.html
In the video, they show as a more secure password for Amazon.com to be B@aseball9amazon
I don't think we should trust the video.
Why would someone patch the web server?
We don't like smart, initiative-taking teenagers here in the USA.
1. Teenager sends email to administrators advising them about unpatched server.
2. SWAT raids the home of the kid.
3. DA sends the kid to private jail for life and announces running for another term.
4. ?
5. Profit or reality of life in the USA
It does not allow for a "patching virus" that uses the exploit to fix it.
Some folks are using IDS+IPS and other mitigation to prevent the problem, vs. patching.
For using open sores! Go with Windows and be safe! Be secure! Microsoft protects and serves!
Most servers on the internet don't do anything important. This is sensationalist tripe.
Bitcoin itself is not vulnerable, as I understand it. But an online wallet using HTTPS with certain heartbeat-enabled TLS stacks may be vulnerable.
For some places they won't patch because they don't understand their systems.
They don't understand because they assumed, like a fridge or an oven, you plug it in and it goes.
These places didn't retain their staff so now no-one maintains them.
It's bit rot. These servers need taking out of the DNS and putting on poxnet. If you can't learn to stay squeaky clean and behave yourselves then you don't deserve to mingle with the general populace.
Maybe some of them are patched, but nobody restarted apache/nginx/lighttpd/whatever, so they still use the old, vulnerable OpenSSL version.
Maybe the remaining servers aren't affected
- because they implement another layer of security on top of SSL
- because their data doesn't actually need to be secure
- because they only use SSL as a wrapper, and they use form-based login further in
Why assume everybody is actually relying on SSL just because they have it turned on?
Who does not want to pay the 3X rate to get someone out there now to fix it, and will just wait for the next visit in their plan with their outsourced IT plan.
Only 50% found it critical enough to deal with the problem quickly. The rest either have embedded systems or dependencies that are preventing them from upgrading, or they aren't savvy enough to know that their system is vulnerable. For example, systems on Ubuntu 13.04 didn't get the Heartbleed fix because 13.04 is at end of support, necessitating first upgrading to 13.10 before getting the fix. You can of course roll your own and build it yourself etc., but most organizations aren't going to do that. There's also that small percentage that will never upgrade no matter what because there is some other reason not to, org blowback or systems near end of life for example.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
See? Told you all so, long ago, that this kind of shit would happen what with all the "open sores is best, linux is secure and windows is not secure" crap propaganda that flew around here on slashdot for years. Android, heartbleed, and who knows what is next. Here 'tis boys!
I just went through this with several shops where they refused to activate simple tools to make specific patches. Excuses included:
1) If someone is inside our network, we have much bigger problems.
2) We need to have a complex fully featured system that manages all the packages (but we don't allow any actual time to write it.)
3) The service manager installs that, just tweak that. (Most service managers could not care less about versions; rewriting them to do so requires re-engineering extremely unstable code written by people who just do "install the ruby gem/CPAN module/python module/maven jar file", and can't be bothered to keep track of minor releases.)
4) Oh, no, the service might restart!!!! (It restarts all the time anyway. Get over your precious selves, and learn how to do failover correctly.)
5) We have to have a meeting. And a release plan. And we're in code freeze due to deployment. And we can't spend time on system testing, that's your problem. And the testing system is supposed to be automated, and the guy in Kamchatka is almost done!!!
There are servers out there still broadcasting the "code red" worm...
Do not look at laser with remaining good eye.
I use plaintext for everything!
Certificate Authorities (CA) could help here: if a secured server was mandatory to get certificate renewal, things would be cleaned up.
Problem is: each CA has no interest in doing this extra work, and no central authority can force them to do so. Major browsers could push them, though, by telling users that some CAs are more trustable than others.
The bug doesn't make the news much anymore
See, even the article says so: it's patched. It was patched before the immoral marketing company gave it a name and got paid by Microsoft, but we have to have FUD, don't we.
Open source is more secure; it does get bugs sometimes, but they get fixed almost immediately. Closed source, i.e. Microsoft, gets fixed after the NSA gets into your computer and company information.
Many smaller companies have servers, but have no in-house sysadmins.
They use third party IT companies to fix their servers WHEN needed.
The average CEO of a small company is very much unaware of any heartbleeds, thus there's nothing to fix as far as they know.
They'll call for help when shit hits the fan.
Also, I have SSH locked down to specific IP address, no Web service of any kind -- indeed, it's a "mostly closed" system with public-facing holes only for SSH (limited by tcpwrappers), SMTP (not SMTPS or SUBMISSION), DOMAIN (severely rate-limited and with blocks for ANY), NTP, and TRACEROUTE. This effectively blocks any access to heartbleed.
When the first alerts came out, the first thing I did was run the web-based exploit detectors. They didn't get through. At that time, I reviewed the services not blocked by the firewall, and to the best of my knowledge, none of the services I list above use the Secure Shell library. So I satisfied myself that my mail server was tight.
Everything else on my network is behind the same firewall, using NAT to gain access to the outside world. There is no open path to my desktop computers or internal-only servers.
I'm very much of the school "if it ain't broke, don't fix it in a hurry." In my case, I'm rebuilding servers (some celebrating 10 years of service or more) with the latest proven software one at a time, with the mail server being last in the chain. I'm replacing hardware as well as software, one by one. (I'm probably going to update the old hardware so I have standbys if the new hardware experiences infant mortality, but that's a detail.)
So, in some cases carefully researched, there isn't any need to take action against Heartbleed, because the exploits are blocked upstream.
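Two of the comments above describe checks a defender actually needs to run on a Linux host rather than assume: the earlier remark that a box may be "patched but nobody restarted the daemon" (so the old, vulnerable OpenSSL is still in memory even though the package on disk is fixed), and this commenter's review of which exposed services even load the OpenSSL library. The script below is an added example, not code from the thread or from any of the posters; it reads `/proc/<pid>/maps`, which on Linux tags a mapping whose backing file has been replaced with `(deleted)`. The sample maps excerpt inside `demo()` is constructed for illustration; reading other users' processes requires root.

```shell
#!/bin/sh
# Added example (not from the thread): inspect /proc/<pid>/maps to answer two
# post-update questions on a Linux host.
#   1. Which processes map libssl/libcrypto at all, i.e. which exposed services
#      actually depend on OpenSSL?
#   2. Which of those still map a *deleted* copy of the library: the package was
#      upgraded on disk, but the daemon was never restarted and is still running
#      the old code. "openssl version" reports the fixed build; the process is not.
# Assumes a Linux /proc filesystem. The maps content in demo() is constructed.

# List the unique OpenSSL library paths mapped by one process.
# Arguments: <maps-file>. Output: one path per line, "(deleted)" suffix kept.
openssl_mappings() {
    grep -oE '/[^ ]*lib(ssl|crypto)\.so[^ ]*( \(deleted\))?$' "$1" 2>/dev/null | sort -u
}

# Report only mappings whose backing file has been replaced on disk.
# Arguments: <pid-label> <maps-file>. Output: "<pid> <path>" lines, or nothing.
stale_openssl() {
    openssl_mappings "$2" | grep ' (deleted)$' | sed 's/ (deleted)$//' \
        | while read -r lib; do printf '%s %s\n' "$1" "$lib"; done
}

# Walk every live process (needs root to see processes of other users).
# Exit status 0 if at least one stale OpenSSL mapping was found, 1 otherwise.
scan_host() {
    found=1
    for d in /proc/[0-9]*; do
        out=$(stale_openssl "${d#/proc/}" "$d/maps")
        if [ -n "$out" ]; then
            echo "$out"
            found=0
        fi
    done
    return $found
}

demo() {
    # Constructed /proc/<pid>/maps excerpt: text and data segments of a libssl
    # that was replaced on disk after the process started, plus a current
    # libcrypto and an unrelated libc mapping that must not be reported.
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
7f3a1c000000-7f3a1c1a3000 r-xp 00000000 08:01 131089 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c3a3000-7f3a1c3a9000 rw-p 001a3000 08:01 131089 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5f0000 r-xp 00000000 08:01 131090 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1d000000-7f3a1d1c0000 r-xp 00000000 08:01 131001 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    echo "OpenSSL libraries mapped by sample pid 4242:"
    openssl_mappings "$sample"
    echo "Stale (replaced on disk, still in memory):"
    stale_openssl 4242 "$sample"
    rm -f "$sample"
}

demo
```

Run `scan_host` as root on a real host to get the list of daemons that need a restart; an empty result with exit status 1 means every OpenSSL-linked process is already on the on-disk build. The same idea is what tools such as `needrestart` and Debian's `checkrestart` automate, and a process that shows up here will still answer a vulnerability scanner as unpatched no matter what the package manager says.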
It's because Canonical never updates their fucking repositories.
I'll bet in most cases there is no IT person paid to even watch over those systems. This is just a symptom of the cut-throat economics that is the order of the day.