Heartbleed Bug is Still a Security Issue

Posted by Mark Koschmeder

The Heartbleed bug, an OpenSSL security hole that left nearly 66 percent of the Internet vulnerable to cybercriminals when it was discovered in April of 2014, may not be a thing of the past. Although the attention of the public has shifted in the months following the discovery, a number of servers and mobile devices are still vulnerable to this major security threat.

The world's IT administrators have had a difficult time dealing with the Heartbleed bug, which can be described as a programming mistake within the OpenSSL security library. The Conversation estimates that repair costs have reached into the millions of dollars since the discovery, and security specialist Robert Graham has identified 600,000 vulnerable servers since that time. Another episode of Heartbleed vulnerability occurred in June of 2014 when six more bugs were discovered. In order to secure systems, administrators have been required to both update software and re-establish their online identities with new "master keys." Changing passwords has also been a necessity, with administrators and users alike being strongly encouraged to create new, secure passwords for sites and online platforms exposed to the vulnerabilities.

However, the battle with the Heartbleed bug is far from over for a number of reasons. First, many Internet users have not taken the necessary action to secure their personal information. An online study by Avast has discovered that out of nearly 268,000 respondents, only 40 percent had changed their passwords after hearing about the Heartbleed bug while 75 percent were not even aware of it. A second issue lies in older smartphones that continue to have vulnerable firmware. Although Google has made updates available for smartphones since the first Heartbleed discovery, manufacturers still need to apply these changes to the specific firmware of each model as well as test the patched versions. However, carriers commonly sell phones with customized firmware, making it difficult to offer updates for each one. Older Android phones are especially vulnerable, and The Conversation recommends downloading the free Lookout Heartbleed Detector if you have a vulnerable smartphone.

According to Graham, nearly half of the 600,000 exposed servers are still vulnerable as of late June. The slow progress against this Internet security threat can also be seen in the Android example, as one of Australia's major carriers, Vodafone, has only revealed a fixed firmware for a certain model as of June 16, 2014. Fixing the software problem itself is not even the hardest part. Deploying the fix, testing it and watching for additional problems are some of the most time-consuming aspects of fighting the Heartbleed bug.

According to Jason Falck, CEO of Halon Security, the Internet can never be 100 percent secure, but the Heartbleed bug has served as a wake-up call for online communities. By remaining vigilant and securing high- and low-profile systems alike, network administrators can help to maintain Internet security and spot future bugs before they become a major threat.

Photo courtesy of samuiblue at FreeDigitalPhotos.net

