Almost 200,000 websites and connected systems remain vulnerable to the Heartbleed OpenSSL bug. That's according to the Shodan Report 2017, based on scans conducted by the search engine that enables used to scour the internet for specific types of computers.
The systems will be wide open to a range of exploits that have been around almost since the bug was first publicised. The US is far out in front with 42,032 systems still vulnerable, according to Shodan, followed by South Korea with 15,380, China with 14,116, Germany with 14,072 and France with 8,702. The UK has some 6,491 systems and servers vulnerable to Heartbleed connected to the internet.Read more
It’s December, and in the security industry that means one thing: predictions from experts about what trends will emerge in the next year. As always, some stuff is new, while other items show up on these lists every year.
Criminal groups will increasingly adopt nation-state tactics. There are a couple of ways that I see this potentially working: the nation-state groups could work together with criminal groups towards a common goal. State groups could also contract their espionage activities out to criminal groups, that will use criminal tools and expertise to perform spying activities, steal intellectual property or gather intelligence about vulnerabilities. Below there are nine predictions from experts.Read more
A new tool called Password Changer is designed to change multiple passwords for different websites all at once – especially useful in light of Heartbleed and other security threats.
A new product from Dashlane could take much of the hassle out of changing your major website passwords, which could be particularly handy in the event of a security breach. Cyberattacks and hacks against major websites seem to have turned into a daily occurrence, often leaving user log-in credentials exposed. And people who use the same password at all or most of the sites they visit can be particularly vulnerable.Read more
A detailed analysis by cybersecurity experts from the University of Maryland found that website administrators nationwide tasked with patching security holes exploited by the Heartbleed bug may not have done enough.
First disclosed Heartbleed presents a serious vulnerability to the popular OpenSSL software, allowing anyone on the Internet to read the memory of systems that are compromised by the malicious bug. Experts analyzed the most popular websites in the United States to better understand the extent to which systems administrators followed specific protocols to fix the problem. Website administrators everywhere should have immediately taken three steps to regain better control and security over their systems.Read more
In what seems like the most impactful security vulnerability since the OpenSSL Heartbleed affair, a new Internet-wide bug emerged this week in the Bourne again shell (Bash).
While its true severity remains unknown, the Bash vulnerability (also known as “shell shock”) is being talked about everywhere, and you may have even seen your local news anchors discussing the story in front of a green-screen covered in fast-scrolling computer code on last night’s evening news. Bash is present in a very large number of Web-servers and in-home appliances. What is Bash?Read more
What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake.
The OpenSSL developer who approved the change didn't notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years. It's hard to blame those guys. OpenSSL is an open source project. As the Wall Street Journal describes it, the project is "managed by four core European programmers, only one of whom counts it as his full-time job." The OpenSSL Foundation had a budget of less than $1 million in 2013.Read more
The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data.
Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important encryption protocol. That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSl in 2012 by a programmer.Read more
Tens of millions of servers were exposed to a security vulnerability called “Heartbleed” in OpenSSL, software used to encrypt much of the internet. While an emergency patch has been released, sites like Yahoo have raced to fortify security.
The open-source OpenSSL project released an emergency security advisory warning of “Heartbleed,” a bug pulls in private keys to a server using vulnerable software, allowing operators to suck in data traffic and even impersonate the server. The server's private encryption keys are a particular target, since they're necessarily kept in working memory.Read more