Heartbleed has not gone away

Heartbleed has not gone away. The famous bug, found by a Google engineer two months ago, has for the moment been displaced in our consciousness and in the media by Gameover Zeus and CryptoLocker, so a little recap is necessary.

Heartbleed is a vulnerability in the way your browser talks to a website over an encrypted channel. In theory it lets someone unravel the encrypted secure channels used by banks, e-commerce sites and other sensitive locations, and steal passwords and other sensitive information.

The security company Codenomicon christened the bug Heartbleed, gave it the logo below and set up a website to raise public awareness about it.
[Image: the Heartbleed logo]

Two months after Heartbleed was discovered, Errata Security’s Robert Graham reported that there are still over “300,000 unpatched servers that are vulnerable to it.” This is down from the 600,000-plus servers that Robert found vulnerable in April. It is still very worrying, as it suggests people have stopped trying to patch.

Robert also states: “We should see a slow decrease over the next decades as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.” Until these systems are replaced, we can still expect some worrying times ahead.

You are probably thinking there should be an online list of all the affected websites. If that were published, you would have a scenario similar to leaving all the shops in your area unlocked at night with their alarms switched off and hoping nothing is stolen. If you want to check whether a website is vulnerable, use McAfee’s free online checker.

It was also revealed in April that smartphones and tablets are vulnerable to Heartbleed. The only devices affected are those running Android Jelly Bean 4.1.1. These devices are vulnerable to a hack dubbed “reverse Heartbleed”, in which a malicious server exploits the flaw in OpenSSL on the phone and takes data from the phone’s browser, such as logins (usernames and passwords).
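The flaw described above, on a server or (in the “reverse” case) on a phone’s browser, comes down to a peer trusting the length field of a TLS heartbeat message. As an added illustration that is not code from this post or from any of the vendors it mentions, here is the kind of passive check an intrusion detection system applies to unencrypted heartbeat records to spot such a probe; the sample records and the 256-byte length are constructed for the example.

```python
import struct
from typing import List, Optional

TLS_HEARTBEAT = 0x18  # TLS record content type for the heartbeat extension (RFC 6520)
HB_TYPES = {1: "request", 2: "response"}


def inspect_tls_record(record: bytes) -> Optional[str]:
    """Return a finding if this TLS record looks like a Heartbleed probe, else None.

    Only the unencrypted framing is read, so this runs on a packet capture or an
    IDS tap without any keys. It therefore covers heartbeat records sent in the
    clear (for example before the handshake completes), not encrypted ones.
    Assumption: `record` begins at a TLS record header."""
    if len(record) < 5:
        return None
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return None  # handshake, alert or application data: not our concern here
    fragment = record[5:5 + rec_len]
    if len(fragment) < 3:
        return "truncated heartbeat record"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    # The bug: a vulnerable peer trusts payload_len and copies that many bytes
    # from its own memory into the reply. A message whose declared payload
    # exceeds the bytes actually carried (after the 3-byte type/length header)
    # is the signature, whichever side sent it (server or client).
    carried = len(fragment) - 3
    if payload_len > carried:
        kind = HB_TYPES.get(hb_type, f"type {hb_type}")
        return f"heartbeat {kind} claims {payload_len} payload bytes but carries {carried}"
    return None


def scan_records(records: List[bytes]) -> List[str]:
    """Run the check over a sequence of records and collect the findings."""
    return [f for f in (inspect_tls_record(r) for r in records) if f is not None]


# Constructed sample records (not captured traffic):
# a well-formed heartbeat request: type 1, 4-byte payload "ping", 16 bytes of padding
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# a heartbeat request declaring a 256-byte payload while carrying none
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x01\x00"
# an ordinary handshake record, which the check ignores
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x05hello"

if __name__ == "__main__":
    for finding in scan_records([HANDSHAKE_RECORD, BENIGN_HEARTBEAT, MALFORMED_HEARTBEAT]):
        print("ALERT:", finding)
```

A patched OpenSSL simply discards such a message, so on a healthy network this check should fire only on scanners and probes.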

At least 4 million devices in America and over 50 million worldwide are susceptible to Heartbleed. Google has released a patch to all Android device manufacturers, who pass it on to the phone carriers, who in turn test it before releasing it to their users. It can be months before a carrier releases an update to its customers, and some manufacturers are not planning to update their phones at all. You can of course install a custom version of Android on your phone, but it may not work with your model.

The only Android devices that get updates directly from Google are its Nexus phones and tablets. Google also states: “Devices may not receive the latest version of Android if they fall outside of the update window, traditionally around 18 months after a device release.” So your device may not get an update. If you have a generic Chinese Android device, i.e. one from a lesser-known manufacturer, you may also have trouble updating your version of Android.

If you are wondering whether your Android device is susceptible to Heartbleed, the security firm Lookout, which develops Android security software, has produced a downloadable Android app that lets you check whether your device is vulnerable; it can be found here.

If you are looking to buy an Android device, don’t forget to check which version of Android it runs. If it runs Jelly Bean 4.1.1, make sure it will receive updated software: I have heard of certain phones that will not get an update, and if you bought such a phone on a contract there is a good chance it cannot be replaced, as phone carriers in Ireland do not regard Heartbleed as a major phone flaw.

As I have stated before in my post on eBay hacking, make sure that you have a different password for each website you are a member of, as well as for each of your email accounts.
