Sign In

Communications of the ACM

ACM TechNews

Umd Cyber Experts Discover Lapses in Heartbleed Bug Fix

View as: Print Mobile App Share:
Logo of the Heartbleed bug.

Cybersecurity experts suggest some website administrators may not have done enough to correct security holes exploited by the Heartbleed bug.

Credit: UMD Right Now

The efforts of website administrators tasked with correcting security holes exploited by the Heartbleed bug may have fallen short, according to analysis by University of Maryland (UMD) cybersecurity experts.

The team's assessment analyzed more than 1 million popular U.S. sites to better comprehend the degree to which systems administrators went to address Heartbleed by following specific protocols. They found about 93 percent of the websites analyzed had patched their software properly within three weeks of the bug's announcement, but just 13 percent followed up with other security measures to ensure complete protection.

UMD researcher Dave Levin says once Heartbleed was publicized, administrators everywhere should have immediately patched their OpenSSL software, revoked their current certificates, and reissued new ones. He warns the failure to follow through with both revocation and reissue means hackers who already had a site's private key could still masquerade as that site, even with appropriate software patches implemented.

Meanwhile, UMD professor Tudor Dumitras notes the analysis found certificate revocation rates declined significantly on weekends. He and Levin hope the team's conclusions will prompt discussion about the various factors that shape computer security, and how they can interact to better fortify systems.

From UMD Right Now
View Full Article


Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA


No entries found