Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/18/2014
03:00 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Poll: Dark Reading Community Acts On Heartbleed

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

It will be some time before the full impact of the Heartbleed bug will be known, but in the Dark Reading security community, members are not dragging their feet about remedial action, according to our recent online flash poll Broken Heartbeat.

The danger was perceived immediately. "If you can spoof the server and step in as if you were that server, from a malicious standpoint, there is no end to the data that will be compromised," RyanSepe observed in a comment on our breaking story, Emergency SSL/TLS Patching Under Way. In the days since, more than 260 of you have weighed in on the steps your companies are taking to prevent cyberspies and criminals from gaining access to personal data on servers, networks, and devices through the flawed OpenSSL "Heartbeat" function of TLS.

Our poll allowed respondents to choose as many of the five responses as applied to their mitigation strategy. Six out of 10 of our respondents report that they have already installed the Heartbeat fix on their servers or are in the process of doing so. Only about 40 percent said they are replacing digital certificates.

The issue of what to do about passwords was raised by many readers, both on a personal level and in relation to the need to safeguard others' personal data on corporate servers. "As a developer I find it appalling that companies are not instituting a password black list for the 100 most common passwords by now," wrote jaingverda on Emergency SSL/TLS Patching Under Way. Yet, in our poll, only 30 percent of respondents said their organizations are requiring end users to change their passwords.

Not surprisingly, fewer than 8 percent of respondents said they are doing nothing about Heartbleed. But I take with a grain of salt the 17 percent who checked "What's Heartbleed?" -- a tongue-in-cheek response we included to underscore the fact that we recognize the limits of our online poll; it's anecdotal information, not pure research.

That said, I hope we can flesh out these data points with more detail in ongoing discussions. To quote Ed Moyle in a comment titled "Tip of the iceberg IMHO:"

What really concerns me is less the population of web servers that this impacts -- because, impactful as that is, they can at least upgrade fairly easily. What really makes me nervous is what else is vulnerable that can't be upgraded quite so easily. This code is in a lot of stuff, in particular embedded systems. Mark my words -- we'll be dealing with this one for a while.

I couldn't agree more. Let's begin by chatting about what strategies have been effective for you so far and what challenges have you stumped. And, if you still want to add your two cents to the online poll, it's still live, so click here.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 1:21:52 PM
Re: passwords -- in relation to the Heartbleed bug
Paul, In terms of our poll, do you think the fact that only 30 percent of respondents said their organizations are requiring end users to change their passwords, reflects a deeper problem -- that most organizations have given up on the idea that passwords are an effective end-users security strategy?
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
4/20/2014 | 6:50:04 PM
passwords

Passwords are the weak link to many things. How many people use that word for their password?  I bet it's a pretty large number. That being said what else can we do? Finger prints maybe? I realize that's much easier said than done.

 

For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.