Heartbleed still causing heartburn

IMG_1290.JPGI recently estimated that within three weeks of the release of the Heartbleed security vulnerability, roughly 70 percent of organizations would have it resolved. It’s a good thing I wasn’t in Vegas when I made that prediction because I’d have lost that bet.  Roughly six weeks later, over half still haven’t corrected the problem. Some organizations simply might not need to implement the fix (or at least think they don’t) because the data does not require protection.  Some might not be aware they are vulnerable. Some might no longer support that implementation. But I suspect for most of the laggards, the complexity of their implementations is slowing down the fix rate, and that it’s not a lack of desire. Here are a couple of examples that shows the true scope of implementing the fix.  And of course, they just happen to reflect critical infrastructure.

 

This is a very perilous time for organizations who are vulnerable as knowledge of the attack is widespread and affected sites are actively being hunted.  It’s a dangerous time for users, too.  A recent survey found that 47 percent of people who heard of Heartbleed and knew of the danger still haven’t changed passwords.  It’s counterintuitive, but this is actually an instance when laziness is not necessarily a bad thing. If the fix hasn’t been implemented, then changing your password does no good. In fact, it could do harm by revealing your new password.

 

There is no doubt users are eventually going to be tasked with having to protect themselves to a much larger extent than they do now.  That job becomes exceedingly harder, though, when timing needs to be part of the decision.  The waiting really is the hardest part.  And when corporations and security experts can’t agree about what users should do, it becomes that much more confusing. For my part, I changed all my passwords upon release of the vulnerability, and have been doing so again as each impacted site releases their fix information.  Put simply, we’ve got a long way to go before we are out of the woods on this one.  Stay tuned.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.